On Sunday 27 November 2005 15:21, Sam Hartman wrote:
> Actually, no, it's worse than that. A preimage attack is sufficient
> to break this. However you cannot reduce a break of this system to a
> preimage attack.

It's always inspiring to meet someone who knows a lot about a complex topic like hash algorithms.

> I am not happy with a protocol whose security depends on treating md5
> as a random oracle.

Again, very inspiring to meet someone who knows about md5, random oracles, et cetera. However, this protocol's security does not rely in any way on md5 or any other hash. The hash is present as a privacy mask. It has limited value since the thing being protected is broadcast over the wire on a regular basis, but we put it in because we were asked to.

The security of the protocol rests on the security of the DNS update mechanism; if you are concerned about DNS update security with your DHCP server, I suggest using some kind of cryptographic authentication. I use TSIG, and am reasonably happy with it.

In order for the DHCID hash to be a security issue, it has to be the case that you have more than one DHCP server that is permitted to update the same zone in the DNS, and yet have no trust relationship between these DHCP servers. This is a contradiction in terms - if you don't have a trust relationship between two updaters of the same zone, you don't have any update security at all for that zone.

I would really encourage people who are commenting on this to please, please read the drafts for detailed comprehension, not just for keywords. I get the impression that a lot of keyword triggering is going off here, and it's really not constructive.