Last Call Review of draft-ietf-csi-hash-threat-
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
This document analysis the use of hashes in SEND, possible threats
and the impact of recent attacks on hash functions used by SEND.
Current SEND specification [rfc3971] uses the SHA-1 [sha-1] hash
algorithm and X.509 certificates [rfc5280] and does not provide
support for the hash algorithm agility. The purpose of the document
is to provide analysis of possible hash threats and to decide how to
encode the hash agility support in SEND.
Summary: Most of the document tries to explains how an attack on a given property of a hash function does or does not translate into an attack on other hash-based cryptographic primitives (signature, certificate.) IMHO This document is not the right place to do so (these are documented elsewhere.) Moreover, the document fail to clearly articulate how attacks against these hash-based cryptographic primitives translates or does not translate into attacks against the SEND protocol itself. Thus I think the document in its current form is not ready for publication and requires more work.
- Section 3 explains what is a first-preimage attack, a second preimage attack, a collision attacks, etc. I do no think this document is the right place to do this. A simple reference to the definition of the attacks could be added if necessary, e.g. "For a definition of the various attacks against hash function properties, see [HAC] [...] [HAC] Handbook of Applied Cryptography, Alfred J. Menezes et al., 2001,
- Section 3.1. explains that the "impacts of collision attacks on current uses of CGAs and the CGA hash agility are analyzed in the update of the CGA specification [rfc4982]", yet it goes on with explaining what is the purpose of a CGA etc. If RFC4982 has done the analysis already, simply cite it, and state the result, e.g. "impacts of collision attacks on current uses of CGAs and the CGA hash agility are analyzed in the update of the CGA specification [rfc4982] which concludes that no current hash vulnerability impacts the security properties afforded by the use of CGAs".
- Section 3.2 similarly goes on musing on attacks against X.509 certificates. Again, I'd rather have the section refer to an analysis of the vulnerabilities introduced by the use of hashes by X.509 certificates, and simply state the conclusion of the analysis in this document. If no proper analysis has been done, then it could be done in this document, but this section as is doesn't seem to do that in an appropriate way.
- Section 3.3. has a similar problem as above. It muses on non-repudiation etc. but does not say what I'm interested in. If security of SEND does not rely on non-repudiation property of the signature, state it and explain why. I am not interested in how to attack the non-repudiation property of a signature using a hash vulnerability, I am interested in how can (or can't) I attack SEND using a non-repudiation vulnerability...
Editorial: the use of the English language could be improved.