Re: draft paper: Deploying a New Hash Algorithm
From: Steven M. Bellovin [EMAIL PROTECTED]
Sent: Aug 5, 2005 12:04 PM
To: Steve Furlong [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: draft paper: Deploying a New Hash Algorithm

> ...
> I'd have phrased it differently than Perry did. I'd say that the attackers are often cleverer *about security* than protocol designers, because insecurity is their specialty. Ordinary protocol designers are good at designing those protocols, but they haven't been trained to think about security.

Yes! I've noticed that it's really common for me to work on a project for a very short time (like an hour or two), and start noticing all kinds of security holes, including a lot of stuff with nothing to do with cryptography. I'll still be asking very basic questions of the other people on the project about how things are *supposed* to work, but be pointing out attacks they never thought of at the same time.

I think this is just a different way of thinking. Attackers and security people do this all the time. Most normal people never do--it's like once they've got the rules in their heads, that's what's possible, and they don't even think about it. How many times, working on security for some system, have you pointed out an attack, only to hear some variation on "but who would think of that?" And you can see the same thing happening in discussions of homeland security and counterterrorism stuff. It's like most people look at the national guardsmen in the airport, and say "whew, I feel safer", rather than "what the heck are those guys supposed to do to stop hijacked planes crashing into buildings?"

I like your starting points, but I think the real approach to thinking about this is a bit broader. It has to do with understanding the rules, and trying to ask, for each one, "and what makes me obey that rule?" or "what would happen if I didn't do such and so?"

> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--John Kelsey

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: draft paper: Deploying a New Hash Algorithm
In message [EMAIL PROTECTED], Steve Furlong writes:

> [Moderator's note: ... attackers are often cleverer than protocol designers. ...
>
> Is that true? Or is it a combination of (a) a hundred attackers for every designer, and (b) vastly disparate rewards: continued employment and maybe some kudos for a designer or implementer, access to $1,000,000,000 of bank accounts for an attacker?

I'd have phrased it differently than Perry did. I'd say that the attackers are often cleverer *about security* than protocol designers, because insecurity is their specialty. Ordinary protocol designers are good at designing those protocols, but they haven't been trained to think about security.

Here's how I put it in my talk at the IETF plenary last night:

\ns{Patterns of Thought}
\item Serial number 1 of any new device is delivered to your enemy.
\item You hand your packets to your enemy for delivery.
\item Your enemy is just as smart as you are. If we haven't seen a given class of attack yet, it's because it hasn't been necessary; simpler attacks have worked well enough. (Besides, how do you know if you'll actually notice it?)
\endns

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: draft paper: Deploying a New Hash Algorithm
Steve,

At 05:34 PM 7/29/2005 -0400, Steven M. Bellovin wrote:

> In message [EMAIL PROTECTED], Alex Alten writes:
>
> > At 08:12 AM 7/25/2005 -0400, Steven M. Bellovin wrote:
> >
> > > In message [EMAIL PROTECTED], Alex Alten writes:
> > >
> > > > Steve,
> > > > This also seems to be in conjunction with the potential switch over from RSA et al. to ECC for PKI, etc.
> > >
> > > Yes, Eric and I have been talking about that, and we'll add some discussion of that to the next version of the paper.
> >
> > Variable output is really needed too, say 16, 32, 64, 128, 256 and 512 bits. And on the wishful side, the ability to optimize compression across multiple CPUs.
>
> That's completely orthogonal to what the paper is about. We're talking about how to convert to *any* new hash algorithm; we're not concerned with which is chosen. (I confess, though, that hash outputs of less than 128 bits don't strike me as cryptographically useful except for HMAC and the like.)

Sorry for going off on a tangent. Actually 32 (or even 16) bits is really useful for retrofitting old insecure protocols where you don't want to alter the header size, you only need access control, and the packets only exist for less than 100 msecs.

- Alex

--
- Alex Alten

[Moderator's note: I have to strongly disagree. 16 bits is rarely, if ever, of any use in authentication in a modern system. Even if you think something can't live long enough to be spoofed, it usually can, and as it turns out, attackers are often cleverer than protocol designers. Crypto is too brittle to play such games with it. --Perry]
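The disagreement above, a 16- or 32-bit tag on a packet that lives under 100 ms versus the moderator's warning that such packets usually can be spoofed, comes down to how many guesses an attacker can push through the receiver inside that window. The block below is an added example written for this page; it is not code from the thread or from the Bellovin/Rescorla paper, and the thread does not say how the short tag would be built. It assumes the tag is HMAC-SHA256 truncated to the leading bits, a constructed key and packet payload, and an attacker who holds no key, resends the same packet with every possible tag value, and gets an accept/reject answer for each attempt with no rate limiting.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): a fixed key so the run is
# reproducible, and one packet payload the attacker wants accepted.
DEMO_KEY = bytes(range(32))
DEMO_MSG = b"SRC=10.0.0.7 DST=10.0.0.9 SEQ=41 CMD=OPEN"


def truncated_tag(key: bytes, msg: bytes, bits: int) -> int:
    """HMAC-SHA256 over msg, keeping only the leading `bits` bits (1..256).
    Assumed construction for the short authentication field in the thread."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be in 1..256")
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(full, "big") >> (256 - bits)


def verify(key: bytes, msg: bytes, tag: int, bits: int) -> bool:
    """Receiver-side check. The attacker never sees the key, only whether a
    packet is accepted or rejected."""
    expected = truncated_tag(key, msg, bits).to_bytes(32, "big")
    return hmac.compare_digest(expected, tag.to_bytes(32, "big"))


def forge(key: bytes, msg: bytes, bits: int, budget: int):
    """Key-less attacker: resend msg with tag values 0, 1, 2, ... until the
    receiver accepts one or `budget` attempts are spent. The tag space has
    2**bits values, so on average 2**(bits-1) attempts suffice. Returns the
    number of attempts used, or None if the budget ran out. Assumes the
    receiver answers every attempt (no rate limiting)."""
    for guess in range(min(budget, 1 << bits)):
        if verify(key, msg, guess, bits):
            return guess + 1
    return None


def seconds_to_exhaust(bits: int, link_bps: int, packet_bytes: int) -> float:
    """Wall-clock time to send every possible tag value for a packet of
    `packet_bytes` bytes over a link of `link_bps` bits per second."""
    return (1 << bits) * packet_bytes * 8 / link_bps


if __name__ == "__main__":
    for bits in (16, 32):
        t = seconds_to_exhaust(bits, 10**9, 64)
        print(f"{bits}-bit tag: full search takes {t:.3f} s at 1 Gbit/s, 64-byte packets")
    used = forge(DEMO_KEY, DEMO_MSG, 16, 1 << 16)
    print(f"16-bit tag forged after {used} attempts without the key")
    print(f"128-bit tag forged within 100000 attempts: {forge(DEMO_KEY, DEMO_MSG, 128, 100000)}")
```

With 64-byte packets on a 1 Gbit/s link, all 65536 values of a 16-bit tag go out in about 34 ms, inside the 100 ms lifetime, and half that on average; exhausting a 32-bit tag at the same rate takes roughly 37 minutes, so whether 32 bits holds depends entirely on the attacker's packet rate, the receiver not rate-limiting, and the key not staying in use long enough for many windows to be tried. That dependence on deployment details rather than on the primitive is the brittleness the moderator's note refers to.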
Re: draft paper: Deploying a New Hash Algorithm
> [Moderator's note: ... attackers are often cleverer than protocol designers. ...

Is that true? Or is it a combination of (a) a hundred attackers for every designer, and (b) vastly disparate rewards: continued employment and maybe some kudos for a designer or implementer, access to $1,000,000,000 of bank accounts for an attacker?

SRF

--
There are no bad teachers, only defective children.
Re: draft paper: Deploying a New Hash Algorithm
In message [EMAIL PROTECTED], Alex Alten writes:

> Steve,
> This also seems to be in conjunction with the potential switch over from RSA et al. to ECC for PKI, etc.

Yes, Eric and I have been talking about that, and we'll add some discussion of that to the next version of the paper.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
draft paper: Deploying a New Hash Algorithm
Eric Rescorla and I have written a paper, "Deploying a New Hash Algorithm". A draft is available at http://www.cs.columbia.edu/~smb/papers/new-hash.ps and http://www.cs.columbia.edu/~smb/papers/new-hash.pdf .

Here's the abstract:

As a result of recent discoveries, the strength of hash functions such as MD5 and SHA-1 has been called into question. Regardless of whether or not it is necessary to move away from those now, it is clear that it will be necessary to do so in the not-too-distant future. This poses a number of challenges, especially for certificate-based protocols. We analyze S/MIME, TLS, and IPsec. All three require protocol or implementation changes. We explain the necessary changes, show how the conversion can be done, and list what measures should be taken immediately.