Re: Crypto-based host identifiers
> > If I understand correctly, you need the new registry in order
> > to avoid collisions, right? But a collision means that someone else
> > has the private key that matches the hash of someone else's public
> > key. This situation by itself is a vulnerability to the solution,
> > isn't it, since if it has such a private key it can impersonate the
> > original holder, right?
>
> Yes. Fortunately it isn't as bad as it sounds. Suppose you're making a
> 44-bit hash and there are already 2^24 hashes in use. You then have a 1
> in 2^20 chance of colliding with an existing hash. However, the chance
> that you're going to collide with Google, Microsoft or the White House
> is significantly smaller than the chance you're going to collide with a
> grocery store in Milan, a home office in New Jersey or a cell phone in
> Osaka, which aren't nearly as much fun to impersonate. Also, as soon as
> you use your fake hash and someone detects it, you're found out and the
> holder of the original hash is going to abandon it. So you have to make
> the first time that you're going to abuse the colliding hash count real
> good because it's likely it's your only chance.
Another mechanism to limit the exposure by short hashes is
that the first time a host performs the PK challenge with the peer
it records the actual public key.
Later if somebody tries to redirect the traffic it can verify not
only that the ID=hash matches, but also that it is the identical
public key.
This doesn't provide for strong "ownership" of the actual ID, but it
does prevent redirection attacks.
Erik
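The first-contact pinning that Erik describes, as an added example that is not code from the thread or from any HIP implementation. It assumes a hypothetical ID derivation (the leading bits of SHA-256 over the public key), treats the result of the public-key challenge as a boolean that the caller supplies, and, to make a collision reachable in a demo, runs the scenario at a constructed 12-bit ID width rather than the 44 bits discussed above. It also carries the collision-odds arithmetic from the quoted reply.

```python
"""Short hash host IDs with first-contact public-key pinning (added example).

Assumptions (not from the thread): IDs are the leading `bits` bits of
SHA-256(pubkey); the PK challenge itself is out of scope and represented by
a boolean; key bytes and names are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def host_id(pubkey: bytes, bits: int = 44) -> int:
    """Hypothetical ID derivation: the leading `bits` bits of SHA-256(pubkey)."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)


def collision_probability(bits: int, ids_in_use: int) -> float:
    """Chance that one fresh ID lands on one of `ids_in_use` IDs already taken."""
    return ids_in_use / 2 ** bits


class Redirection(Exception):
    """The peer's key hashes to the pinned ID but is not the pinned key."""


@dataclass
class PinStore:
    """Records the public key seen the first time an ID passes the challenge."""
    bits: int = 44
    pins: Dict[int, bytes] = field(default_factory=dict)

    def verify_peer(self, claimed_id: int, pubkey: bytes, challenge_passed: bool) -> str:
        # The peer must have proved possession of the private key first.
        if not challenge_passed:
            raise ValueError("peer did not prove possession of the private key")
        # The presented key must actually hash to the ID it claims.
        if host_id(pubkey, self.bits) != claimed_id:
            raise ValueError("public key does not hash to the claimed ID")
        pinned = self.pins.get(claimed_id)
        if pinned is None:
            # First contact: remember the full key, not just the short hash.
            self.pins[claimed_id] = pubkey
            return "pinned"
        if pinned != pubkey:
            # Same short ID, different key: a colliding key being used to redirect.
            raise Redirection(f"ID {claimed_id:#x} presented with a non-pinned key")
        return "verified"


def find_colliding_key(target_id: int, bits: int, avoid: bytes,
                       limit: int = 1_000_000) -> Optional[bytes]:
    """Demo helper: scan constructed keys for one sharing the (tiny) ID width."""
    for i in range(limit):
        cand = b"demo-key-%d" % i
        if cand != avoid and host_id(cand, bits) == target_id:
            return cand
    return None


def demo(bits: int = 12) -> Tuple[str, str, str]:
    """Legitimate peer pins, reconnects, then a colliding key is rejected."""
    store = PinStore(bits=bits)
    legit = b"demo-key-original"          # constructed key bytes
    hid = host_id(legit, bits)
    first = store.verify_peer(hid, legit, challenge_passed=True)
    again = store.verify_peer(hid, legit, challenge_passed=True)
    imposter = find_colliding_key(hid, bits, avoid=legit)
    if imposter is None:
        return first, again, "no collision found"
    try:
        store.verify_peer(hid, imposter, challenge_passed=True)
        outcome = "redirected"
    except Redirection:
        outcome = "rejected"
    return first, again, outcome


if __name__ == "__main__":
    print("P(collide | 44-bit, 2^24 in use) =", collision_probability(44, 2 ** 24))
    print(demo())
```

The store accepts the first key it sees for an ID without any proof of ownership, which is exactly the limitation Erik notes: the pin prevents a later redirection to a colliding key, but it does not establish who legitimately owns the ID.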