
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



 In your previous mail you wrote:

   > => HBAs are weaker than CGAs
   
   Do you know any attack that is easier in HBAs than in CGAs? could you 
   describe it?
   
=> easy, you simply steal the whole set. There is nothing to find
because the victim can give you everything. This can't happen with
CGA because you should not know the private key.

   imho HBA and CGA are exactly equally strong, since the weakest point in 
   both schemes is determined by the number of hash bits contained in the 
   iid of the IPv6 address.

=> CGA has an RSA key pair too...

   In both schemes, an attacker must perform o(2^59) attempts in order to 
   find an alternative CGA parameter data structure (with an alternative 
   Prefix set in the case of HBAs and with an alternative public key in 
   the case of CGA)
   
=> no, either the attacker has to find a key pair giving the same hash
or to invert the public key into the private one. Both problems are
harder than for HBAs.

   moreover, imho CGAs are residually weaker than HBAs, since in CGAs the 
   private key can be compromised while in HBAs there is no secret that 
   can be compromised
   
=> and there is nothing private too. This is enough for multi-homing
where the property we're looking for is weaker than ownership.

   >  (which provide ownership using the signature),
   > and than standard strong authentication (using some kind of PKI).
   
   agree that PKI is stronger, since the attacks may require more than 
   o(2^59) attempts
   
=> no, the properties have different strength: this is not directly
related to the complexity of theoretical attacks.

   > Without the hash extension IMHO they would be too weak, now we have
   > to take advice from cryptographers to understand if/how to improve 
   > them...
   
   i am not sure what you mean by hash extensions...
   
=> reread the RFC (:-).

   but anyway, we can change the hash function in HBA/CGA and we have the 
   Sec parameter... this should be  enough for a few decades i heard...
   
=> a better hash function should give nothing more: if you have an ideal
hash function giving 1000 bits and you take only 64 bits, the brute force
attack is still in 2^32 attempts for a collision between two values
and 2^64 for a collision with a given value. So as soon as the hash
function is not too bad it is enough.
   
Regards   
   
Francis.Dupont@point6.net
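
The scaling described in the last reply (about 2^(n/2) attempts for a collision between any two values and about 2^n for a match with a given value, whatever the underlying hash), as an added example that is not part of the original message. It truncates SHA-256 and SHA-512 to a small n so the search finishes quickly; the function names, the constructed inputs and the 14-bit width are assumptions chosen for illustration.

```python
import hashlib
from statistics import mean


def trunc_hash(data: bytes, bits: int, algo: str = "sha256") -> int:
    """Return the top `bits` bits of the digest as an integer."""
    digest = hashlib.new(algo, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def collision_attempts(bits: int, algo: str, trial: int) -> int:
    """Hash distinct constructed inputs until any two truncated values match."""
    seen = set()
    count = 0
    while True:
        h = trunc_hash(b"c|%d|%d" % (trial, count), bits, algo)
        count += 1
        if h in seen:
            return count
        seen.add(h)


def given_value_attempts(bits: int, algo: str, trial: int) -> int:
    """Hash distinct constructed inputs until one matches a fixed target value."""
    target = trunc_hash(b"target|%d" % trial, bits, algo)
    count = 0
    while True:
        h = trunc_hash(b"g|%d|%d" % (trial, count), bits, algo)
        count += 1
        if h == target:
            return count


def average_work(bits: int, algo: str, trials: int = 20):
    """Average attempt counts over several independent trials."""
    coll = mean(collision_attempts(bits, algo, t) for t in range(trials))
    given = mean(given_value_attempts(bits, algo, t) for t in range(trials))
    return coll, given


if __name__ == "__main__":
    BITS = 14  # assumption: small enough to brute-force in seconds
    print(f"n = {BITS}: 2^(n/2) = {2 ** (BITS // 2)}, 2^n = {2 ** BITS}")
    for algo in ("sha256", "sha512"):
        coll, given = average_work(BITS, algo)
        print(f"{algo}: any-two collision ~{coll:.0f}, given value ~{given:.0f}")
```

Both hash functions land in the same ranges at the same truncated width; only n moves the numbers.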