Presentation is loading. Please wait.

Presentation is loading. Please wait.

SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.

Published byElijah Payne Modified over 10 years ago

Similar presentations

Presentation on theme: "SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang."— Presentation transcript:

1 SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang

2 2 / 10 Recent Attacks on Hash Functions Hash algorithm properties: one-way and collision-free –Attacks against one-way property are not feasible yet. –Collision free property is becoming weaker for currently popular hash algorithms. Researchers demonstrated attacks against MD5, SHA-1 and a special construction of PKIX certificates with MD5 signature –Attacks against SHA-1 are not feasible with today's computers, but will be if attacks are improved or Moore's Law continues to make computing power cheaper The conservative security approach is to change hash algorithms or enable hash agility

3 3 / 10 Impact of These Attacks on SeND We analyze the impact of these attacks on SEND case by case Stateless autoconfiguration (CGAs) –RFC 4982 has analyzed the impact of these attacks on CGA and enabled CGA to support hash agility CGAs don't deal with non-repudiation. CGAs cannot verify the identity of the owner CGAs only provide proof-of-ownership of the private key corresponding to the public key used to generate CGA SeND specification does not require for key pair to be –The node that signes the message creates the message and associated hash –Hence, CGA-based protocols, including SeND, are not affected by collision attacks

4 4 / 10 Impact of These Attacks on SeND (2) Router authorization (Authorization Delegation Discovery process) –The attacker could generate a false Router Authorization certificate or a false middle certificate with the similar certificate, if he could predict the certificate data. –The most attractive is attack against middle certificates; attacker changes a single certificate and launches attack on a set of routers

5 5 / 10 –Attacker could produce a false certificate with the same signature, but different public keys We are at least safe from attacks against TA certificate Certificate profile is not yet completely defined, there might be more certificate extensions that are not human readable –Although there have not been performed a demonstrable real-world collision attacks on certificates, such attacks are theoretically possible - future improved attacks could succeed. Impact of These Attacks on SeND (3)

6 6 / 10 Impact of These Attacks on SeND (4) Digital Signature in the RSA Signature option –The possible attack on explicit digital signature is non- repudiation attack. Attacker could generate a false message with the same hash and sign that false hashed message with authorized private key. –Hard prediction of the useful input data minimizes the possibility to perform a real-world collision attack. –However, a variant of SHA-1 is already affected with recent collision attacks. Future attacks will be improved.

7 7 / 10 Impact of These Attacks on SeND (5) Key Hash in the RSA Signature option –The message to be hashed is the public key authorized through CGAs or through certification path. Receiver has to verify that the hashed public key (Key Hash) is the same as the public key in the CGA option. Additionally, if receiver has configured Trust Anchors, he would have to verify the certificate path between the Trust Anchor and sender. –Collision attacks against Key Hash do not result in new vulnerabilities Changed key pair used in RSA Signature option will be detected in the process of CGA verification

8 8 / 10 Summary on the Hash Threat on SeND Hash functions used by SeND: –Collision attacks do not result in new vulnerabilities (in case of CGAs and Key Hash from the RSA Signature option) –or it is difficult (but theretically possible!) to predict input data for hash function, and therefore, to perform a useful real-world collision-attack (in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process) However, we cannot guarantee the future security of SeND –Recent attacks indicate the possibility of future real-world attacks, particularly in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process –Attacks always get better; they never get worse.

9 9 / 10 Support for Hash Agility on SeND Migrating to a new hash algorithm, such as SHA-256, may only solve the problem for a while We are now analyzing how to provide hash agility on SeND –Issues such as backwards compatibility, downgrade protection, etc., are taken into account –We probably need a new ND option In such a way we can not avoid the downgrade attack completely but an attacker would have to break both the hash and signature (ND option is under Digital Signature protection)

10 10 / 10 Conclusions Attacks are theoretically possible on SeND on both the hash algorithm and the signature algorithm We need hash and signature algorithm agility This needs to be addressed when we update or enhance SeND We will still be vulnerable to bidding-down attacks

11 11 / 10 Thanks! Questions?

Download ppt "SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang."

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Technical Presentation AIAC 2010-2011 Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.

Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.

A Lightweight Hop-by-Hop Authentication Protocol For Ad- Hoc Networks Speaker: Hsien-Pang Tsai Teacher: Kai-Wei Ke Date:2005/01/20.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Similar presentations

Ads by Google