On Jun 3, 2011, at 7:15 PM, Uma Chunduri wrote:

> exactly how is MD5 the weakest link here? some particular words about the 
> threat model + ability to subvert a running session which ships a few 
> megabytes/minute around would be in order here.
> 
> [Uma] 
> 
> 1. Wang, X., H. Yu, "How to break MD5 and other hash functions", Proc. IACR Eurocrypt 2005, Denmark
> 2. RFC 4270

Wearing my co-author-of-4270 hat, let me state forcefully: invoking RFC 4270 or 
*any* current published work on MD5 does not answer the question of how MD5 is 
the weakest link here. Those are *unrelated* to an attack on the integrity of 
communication in draft-sidr-rpki-rtr. Collision attacks on MD5 and SHA-1 are, 
to date, unrelated to preimage attacks, and it is preimage attacks that you 
care about.


On Jun 4, 2011, at 9:38 AM, Stephen Farrell wrote:

> Trying to catch up with you all here.
> 
> From reading the mail thread it seems to me that:
> 
> - tcp-md5 is available but undesirable
> - tcp-ao is desirable but unavailable so far
> - ssh is available and slightly undesirable for
>  performance reasons but desirable in
>  security terms
> 
> That would imply that an answer might be:
> 
> MUST implement SSH; SHOULD implement TCP-AO and
> MUST/SHOULD prefer TCP-AO over SSH if both
> available
> 
> Would that garner (rough) consensus?

Another proposal that might be more likely to garner rough consensus would be: 
MUST implement TCP-MD5 [RFC2385]; SHOULD implement TCP-AO [RFC5925] (the 
official successor to TCP-MD5) as soon as possible; if both parties in the 
protocol support TCP-AO, they SHOULD use TCP-AO and SHOULD NOT use TCP-MD5. 
After we believe that there is lots of TCP-AO adoption, we revise the document 
and remove TCP-MD5 as an option.

> We really do want to deprecate tcp-md5.

We already have: RFC 5925 obsoletes RFC 2385. The question is whether we want 
to prevent new protocols from using it and instead force them to use something 
else that doesn't work as well operationally while TCP-MD5 is still considered 
safe. Saying "MUST implement SSH" is tantamount to saying "many systems will 
run unprotected", which might be acceptable until TCP-AO is deployed. However, 
using TCP-MD5, but only until TCP-AO is deployed, seems like a better idea.

--Paul Hoffman
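To make concrete what "preimage" means for the transport under discussion, here is an added worked example (written for this edit, not code from the thread or from any TCP-MD5 implementation) that builds and verifies the RFC 2385 TCP MD5 Signature Option digest: MD5 over the pseudo-header, the fixed TCP header with a zero checksum, the segment data, and the shared key as a suffix. The addresses, ports, payload and key are constructed sample values. The verifier recomputes the digest with the key it holds; a party without the key would have to produce a segment that maps to the same 16-byte digest under an unknown suffix, which is the preimage-style problem the message above refers to, not a collision between two attacker-chosen inputs.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values (not from the thread): RFC 5737 documentation
# addresses, an illustrative port pair and a short payload stand in for one
# segment of an rpki-rtr session.  The key is the out-of-band password that
# RFC 2385 assumes both ends already share.
SRC_IP = "192.0.2.1"
DST_IP = "192.0.2.2"
SHARED_KEY = b"example-shared-secret"
PAYLOAD = b"constructed rpki-rtr segment data"

TCP_OPT_MD5 = 19  # option kind of the TCP MD5 Signature Option
MD5_OPT_LEN = 18  # kind (1) + length (1) + 16-byte digest


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, hdr_words=5):
    """Fixed 20-byte TCP header; checksum and urgent pointer left at zero.

    hdr_words is the data offset in 32-bit words.  5 means no options; a
    segment carrying the MD5 option needs 10 (20 fixed + 18 option + 2 pad).
    """
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       hdr_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 section 2 digest, in order:
    1. TCP pseudo-header (src, dst, zero, protocol 6, TCP length)
    2. fixed TCP header, options excluded, checksum assumed zero
    3. segment data
    4. the shared key (never sent on the wire)
    """
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                 # "assuming a checksum of zero"
    header_len = (tcp_header[12] >> 4) * 4     # data offset, options included
    tcp_len = header_len + len(payload)        # pseudo-header TCP length
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))
    m = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        m.update(part)
    return m.digest()


def encode_md5_option(digest):
    """Wire form of the option: kind 19, length 18, the 16-byte digest, then
    two end-of-option-list bytes so the header stays 32-bit aligned."""
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    return bytes([TCP_OPT_MD5, MD5_OPT_LEN]) + digest + b"\x00\x00"


def verify_segment(src_ip, dst_ip, tcp_header, payload, key, received_digest):
    """Receiver side: recompute with the local key and compare in constant
    time, so a mismatch does not leak which byte differed."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    """Sign one constructed segment and check what the receiver accepts.
    323 is used as the rpki-rtr destination port purely for illustration."""
    header = build_tcp_header(49152, 323, seq=1000, ack=2000,
                              flags=0x18, window=65535, hdr_words=10)
    digest = tcp_md5_digest(SRC_IP, DST_IP, header, PAYLOAD, SHARED_KEY)
    option = encode_md5_option(digest)
    return {
        "digest_len": len(digest),
        "option_len": len(option),
        "option_kind": option[0],
        "genuine": verify_segment(SRC_IP, DST_IP, header, PAYLOAD,
                                  SHARED_KEY, digest),
        # one byte of data changed: digest no longer matches
        "tampered_payload": verify_segment(SRC_IP, DST_IP, header,
                                           PAYLOAD[:-1] + b"X",
                                           SHARED_KEY, digest),
        # a different key suffix: receiver rejects
        "wrong_key": verify_segment(SRC_IP, DST_IP, header, PAYLOAD,
                                    b"not-the-key", digest),
        # pseudo-header is covered, so a different source address fails too
        "wrong_src": verify_segment("192.0.2.9", DST_IP, header, PAYLOAD,
                                    SHARED_KEY, digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key is the final input to MD5 and is never transmitted, the check a receiver performs ties the digest to the addresses, the fixed header, the data and the key together; the collision results cited earlier in the thread concern two inputs both chosen by the same party, which is a different question from reproducing this digest for a given segment without the key.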

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
