SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang


SeND Hash Threat Analysis

CSI WG

Ana Kukec, Suresh Krishnan, Sheng Jiang


Recent Attacks on Hash Functions

• Hash algorithm properties: one-way and collision-free

– Attacks against the one-way property are not feasible yet.

– The collision-free property is becoming weaker for currently popular hash algorithms.

• Researchers demonstrated attacks against MD5, SHA-1 and a special construction of PKIX certificates with MD5 signature

– Attacks against SHA-1 are not feasible with today's computers, but will be if attacks are improved or Moore's Law continues to make computing power cheaper

• The conservative security approach is to change hash algorithms or enable hash agility


Impact of These Attacks on SeND

• We analyze the impact of these attacks on SeND case by case

• Stateless autoconfiguration (CGAs)

– RFC 4982 has analyzed the impact of these attacks on CGA and enabled CGA to support hash agility

• CGAs don't deal with non-repudiation.

• CGAs cannot verify the identity of the owner

• CGAs only provide proof-of-ownership of the private key corresponding to the public key used to generate CGA

• SeND specification does not require for key pair to be

– The node that signs the message creates the message and associated hash

– Hence, CGA-based protocols, including SeND, are not affected by collision attacks


Impact of These Attacks on SeND (2)

• Router authorization (Authorization Delegation Discovery process)

– The attacker could generate a false Router Authorization certificate or a false middle certificate with a similar certificate, if he could predict the certificate data.

– The most attractive attack is against middle certificates: the attacker changes a single certificate and launches an attack on a set of routers


Impact of These Attacks on SeND (3)

– Attacker could produce a false certificate with the same signature, but different public keys

• We are at least safe from attacks against TA certificate

• The certificate profile is not yet completely defined; there might be more certificate extensions that are not human readable

– Although no real-world collision attack on certificates has been demonstrated, such attacks are theoretically possible; future improved attacks could succeed.


Impact of These Attacks on SeND (4)

• Digital Signature in the RSA Signature option

– The possible attack on explicit digital signature is non-repudiation attack.

• Attacker could generate a false message with the same hash and sign that false hashed message with authorized private key.

– The difficulty of predicting useful input data minimizes the possibility of performing a real-world collision attack.

– However, a variant of SHA-1 is already affected by recent collision attacks. Future attacks will be improved.


Impact of These Attacks on SeND (5)

• Key Hash in the RSA Signature option

– The message to be hashed is the public key authorized through CGAs or through certification path.

• Receiver has to verify that the hashed public key (Key Hash) is the same as the public key in the CGA option.

• Additionally, if receiver has configured Trust Anchors, he would have to verify the certificate path between the Trust Anchor and sender.

– Collision attacks against Key Hash do not result in new vulnerabilities

• Changed key pair used in RSA Signature option will be detected in the process of CGA verification
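
The two receiver-side checks from this slide, as an added example that is not part of the original slides. It follows the RFC 3971 Key Hash and RFC 3972 Hash1 definitions, assumes Sec = 0 (so the Hash2 check is omitted) and leaves out signature verification; the byte strings standing in for DER-encoded public keys and all other sample values are constructed.

```python
import hashlib

# Bits 0-2 (Sec) and 6-7 (u/g) of the interface identifier carry no hash
# output and are ignored when comparing against Hash1 (RFC 3972).
IID_MASK = 0x1CFFFFFFFFFFFFFF

def cga_parameters(modifier, prefix, collision_count, public_key):
    """CGA Parameters in RFC 3972 field order (no extension fields)."""
    if len(modifier) != 16 or len(prefix) != 8:
        raise ValueError("modifier is 16 octets, subnet prefix is 8")
    return modifier + prefix + bytes([collision_count]) + public_key

def hash1(params):
    """Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters."""
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def make_address(modifier, prefix, public_key):
    """Build a Sec=0 CGA: prefix plus masked Hash1 as interface identifier."""
    params = cga_parameters(modifier, prefix, 0, public_key)
    return prefix + (hash1(params) & IID_MASK).to_bytes(8, "big")

def key_hash(public_key):
    """Key Hash field: leftmost 128 bits of SHA-1 of the public key (RFC 3971)."""
    return hashlib.sha1(public_key).digest()[:16]

def receiver_checks(src_addr, modifier, prefix, collision_count, public_key, rx_key_hash):
    """Return (key_hash_ok, cga_ok) for one received message."""
    key_hash_ok = rx_key_hash == key_hash(public_key)
    params = cga_parameters(modifier, prefix, collision_count, public_key)
    iid = int.from_bytes(src_addr[8:], "big")
    cga_ok = (collision_count <= 2 and src_addr[:8] == prefix
              and (iid & IID_MASK) == (hash1(params) & IID_MASK))
    return key_hash_ok, cga_ok

# Constructed sample values; the key strings stand in for DER-encoded RSA keys.
MODIFIER = bytes(range(16))
PREFIX = bytes.fromhex("20010db800000000")
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"
ADDR_A = make_address(MODIFIER, PREFIX, KEY_A)

def demo():
    honest = receiver_checks(ADDR_A, MODIFIER, PREFIX, 0, KEY_A, key_hash(KEY_A))
    # Key pair swapped consistently in both options, address unchanged.
    swapped = receiver_checks(ADDR_A, MODIFIER, PREFIX, 0, KEY_B, key_hash(KEY_B))
    # Key Hash refers to a key other than the one in the CGA option.
    mismatch = receiver_checks(ADDR_A, MODIFIER, PREFIX, 0, KEY_A, key_hash(KEY_B))
    return honest, swapped, mismatch

if __name__ == "__main__":
    print(demo())
```

In the swapped case the Key Hash still matches the key carried in the CGA option, and it is the comparison of Hash1 against the source address that rejects the message.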


Summary on the Hash Threat on SeND

• Hash functions used by SeND:

– Collision attacks do not result in new vulnerabilities (in case of CGAs and Key Hash from the RSA Signature option)

– or it is difficult (but theoretically possible!) to predict input data for hash function, and therefore, to perform a useful real-world collision-attack (in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process)

• However, we cannot guarantee the future security of SeND

– Recent attacks indicate the possibility of future real-world attacks, particularly in case of Digital Signature in the RSA Signature option and PKIX certificates in ADD process

– “Attacks always get better; they never get worse.”


Support for Hash Agility on SeND

• Migrating to a new hash algorithm, such as SHA-256, may only solve the problem for a while

• We are now analyzing how to provide hash agility on SeND

– Issues such as backwards compatibility, downgrade protection, etc., are taken into account

– We probably need a new ND option

• In such a way we cannot avoid the downgrade attack completely, but an attacker would have to break both the hash and signature (ND option is under Digital Signature protection)


Conclusions

• Attacks are theoretically possible on SeND on both the hash algorithm and the signature algorithm

• We need hash and signature algorithm agility

• This needs to be addressed when we update or enhance SeND

• We will still be vulnerable to bidding-down attacks


Thanks!

Questions?