Security Area Response to Hash Function "Breaks"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Below is a summary of the discussion that occurred at the SAAG session during IETF 64. When MD5 or SHA-1 is used to support digital signatures or used by itself, recent cryptographic research findings indicate the need for a transition. Therefore, I encourage all IETF WGs to follow the lead of the Security Area in transition away from MD5 and SHA-1 toward SHA-256.

TCP-MD5 is one example where a transition is needed. In this case, a transition to HMAC-SHA-1 or HMAC-SHA-256 seems like a reasonable move.

Russ Housley
Security Area Director

= = = = = = = = = =

During IETF 64, the Security Area Advisors Group (SAAG) session was dedicated to the discussion of hash function "breaks" and the appropriate IETF response to this situation.

Eric Rescorla from gave a presentation on deploying a new hash function. The presentation is based on a paper that Eric co-authored with Steve Bellovin. All of the IETF security protocols that were analyzed required work in order to support transition to new hash functions. The paper is available at http://www.cs.columbia.edu/~smb/papers/new-hash.pdf

Russ Housley gave a presentation on the Security Area response to these hash function "breaks." We should "walk, not run." This is not a problem yet, but as the attacks are improved it will become a problem. Russ shared his conclusions from the NIST Hash Workshop held on October 31st and November 1st.
  * SHA-1 should be reach its "end of life" digital
    signatures by 2010;
  * The IETF cannot expect any new standard hash functions
    before 2010;
  * The security ADs have decided that we need to transition
    to SHA-256 now; and
  * There will probably be another transition once a new hash
    function is available.

The IETF needs to become good at transitions as we have at least two. Within the Security Area, protocols with active WGs will be analyzed within those WGs; others will be handled in SAAG. The following directive to WG Chairs in the Security Area was given:
  * Perform Bellovin-Rescorla analysis on every protocol in
    the WG by IETF 65; and
  * Start standards work on transition to SHA-256, but plan
    for future transitions.

In some cases it may be appropriate to transition away from hash functions, perhaps to a message authentication code.


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]