Re: DHCID and the use of MD5 [Re: Last Call: 'Resolution of FQDN Conflicts among DHCP Clients' to Proposed Standard]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sunday 27 November 2005 15:21, Sam Hartman wrote:
> Actually, no, it's worse than that.  A preimage attack is sufficient
> to break this.  However you cannot reduce a break of this system to a
> preimage attack.  

It's always inspiring to meet someone who knows a lot about a complex topic 
like hash algorithms.

> I am not happy with a protocol whose security depends on treating md5
> as a random oracle.

Again, very inspiring to meet someone who knows about md5, random oracles, et 
cetera.   However, this protocol's security does not rely in any way on md5 
or any other hash.   The hash is present as a privacy mask.   It has limited 
value since the thing being protected is broadcast over the wire on a regular 
basis, but we put it in because we were asked to.   The security of the 
protocol rests on the security of the DNS update mechanism; if you are 
concerned about DNS update security with your DHCP server, I suggest using 
some kind of cryptographic authentication.   I use TSIG, and am reasonably 
happy with it.

In order for the DHCID hash to be a security issue, it has to be the case that 
you have more than one DHCP server that is permitted to update the same zone 
in the DNS, and yet have no trust relationship between these DHCP servers.   
This is a contradiction in terms - if you don't have a trust relationship 
between two updaters of the same zone, you don't have any update security at 
all for that zone.

I would really encourage people who are commenting on this to please, please 
read the drafts for detailed comprehension, not just for keywords.   I get 
the impression that a lot of keyword triggering is going off here, and it's 
really not constructive.

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]