[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006

To: Francis Dupont <Francis.Dupont@point6.net>
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Mon, 31 Jul 2006 10:06:47 +0300
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, shim6-wg <shim6@psg.com>
In-reply-to: <200607310609.k6V69AR2088255@givry.rennes.enst-bretagne.fr>
References: <200607310609.k6V69AR2088255@givry.rennes.enst-bretagne.fr>


El 31/07/2006, a las 9:09, Francis Dupont escribió:

 In your previous mail you wrote:

   The fact that there are no secrets is exactly the beauty of HBA. You
   can easily determine what the real user's prefixes are, and also the
   extra index or whatever it's called, and then you can compute the
   hash. But that doesn't buy you anything: in order to redirect
   traffic, you need to find an alternative prefix+index set that
                                ^^^^^^^^^^^

=> this issue is this word "alternative": an attack is to use the
same set, i.e., HBAs just extend the steal of address to the steal
of address set. It does not matter for multi-homing but only for
multi-homing.

so for multihoming purposes, which is the scope of this working group,the security of the shim6 protocol provided by HBA and CGA are exactlyequivalent right?

 This is why I say HBA+CGA is a strictly stronger
mechanism than HBA.

   resolves to the same hash. This requires 2^58 tries on average
   without using sec.

=> as 2^(20*sec+58) is greater the hash extension is or will be
a necessary addition.


yes, buy again this is exactly the same for HBA and for CGAs

   CGA is exactly the same, except that here, you don't put in a prefix
set of your own, but a public key for which you have the privatekey.
=> no, CGA has the RSA part too.
=> no, either the attacker has to find a key pair giving the same hash
or to inverse the public key into the private one. Both problems are
harder than for HBAs.
CGA and HBA use the same hash, you can break CGA by breaking thehashand substituting your own keys, rather than break the public keycrypto.
=> I am afraid you believe any bit string is a valid public key, thisis
not the case for RSA. It does not matter for real brute force attacks
(the modifier is long enough) but should matter for more sophisticate
attacks using some vulnerabilities in the hash function.

but this is exactly why the modifier is included in the initial part ofthe string, in order to prevent other type of attacks (i.e. the partthat is easy to change is at the begining, so the attacker cannotbenefit from precomputed parts of the hash)


Regards, marcelo


Regards

Francis.Dupont@point6.net

Follow-Ups:
- Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
  - From: Francis Dupont <Francis.Dupont@point6.net>

References:
- Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
  - From: Francis Dupont <Francis.Dupont@point6.net>

Prev by Date: Re: IPsec !?, was: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Next by Date: Re: Security Module for shim6 or hip really
Previous by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Next by thread: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
Index(es):
- Date
- Thread