Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
On 31/07/2006, at 1:04, Francis Dupont wrote:
In your previous mail you wrote:
=> HBAs are weaker than CGAs
Do you know any attack that is easier in HBAs than in CGAs? could
you describe it?
=> easy, you simply steal the whole set. There is nothing to find
because the victim can give you everything. This can't happen with
CGA because you should not know the private key.
but in this attack, the attacker is not changing the prefix set right?
so basically the attacker is not attacking the shim6 signalling, is
just located in every path, so the attacker can do exactly the same if
the shim6 protocol is secured using CGA (since the attacker is not
really changing the locator set), right?
so from the shim6 signalling perspective, the security achieved against
this attack is exactly the same whether you use CGA or HBA
Of course i agree that you could use CGA to protect data packets but
this wouldn't be shim6 signalling protection but data packets
protection, and this is out of the scope of the shim6 protocol
imho HBA and CGA are exactly equally strong, since the weakest point in
both schemes is determined by the number of hash bits contained in the
iid of the IPv6 address.
=> CGA has a RSA key pair too...
yes, but the resulting security is the security of the weakest link,
so, even if you add a very long/strong key pair, the easier attack
would be the attack on the hash
of course having very short key pair could indeed result in having cga
security weaker than the hash, making CGAs weaker than CGAs... but the
point is that this doesn't help to achieve better security than HBAs
In both schemes, an attacker must perform o(2^59) attempts in order to
find an alternative CGA parameter data structure (with an alternative
Prefix set in the case of HBAs and with an alternative public key in
the case of CGA)
=> no, either the attacker has to find a key pair giving the same hash
or to inverse the public key into the private one. Both problems are
harder than for HBAs.
not really
we do agree that the attacker will do the easier attack, right?
so, let's assume that the key pair was selected in order to be stronger
than the hash (if not the CGA security would be weaker)
so we can focus on the attack against the hash
In the CGA case, the attacker needs to find an alternative CGA
parameter data structure with an alternative public key (the attacker's
public key) In order to do that, the attacker will try with different
modifier (it is easier than to try with different public keys), so the
attacker needs to perform O(2^59) attempts to find the alternative CGA
parameter data structure
In the HBA case, the attacker needs to find an alternative CGA
parameter data structure that includes an alternative prefix set. In
order to do that, the attacker will try with different modifiers, so
the attacker needs to perform O(2^59) attempts to find the alternative
CGA parameter data structure
the difficulty of the attack, hence the resulting security is the same
for HBA and for CGAs
moreover, imho CGAs are residually weaker than HBAs, since in CGAs the
private key can be compromised while in HBAs there is no secret that
can be compromised
=> and there is nothing private too. This is enough for multi-homing
where the property we're looking for is weaker than ownership.
agree
would you agree with the following:
from the perspective of the shim6 protocol, HBAs and CGAs provide the
same protection. i.e. the shim6 protocol security is the same when HBA
and CGA are used to protect it
(which provide ownership using the signature),
and than standard strong authentication (using some kind of PKI).
agree that PKI is stronger, since the attacks may require more than
o(2^59) attempts
=> no, the properties have different strength: this is not directly
related to the complexity of theoretical attacks.
i guess is both things
you can achieve better protection because you can provide other
security features (that are outside of the scope of the shim6 protocol
protection) but if you use it for the shim6 protocol security, you
could potentially achieve better protection because you don't have the
limitation of the 59 bit long hash
Without the hash extension IMHO they would be too weak, now we have
to take advice from cryptographers to understand if/how to improve
them...
i am not sure what do you mean by hash extensions...
=> reread the RFC (:-).
but anyway, we can change the hash function in HBA/CGA and we have the
Sec parameter... this should be enough for a few decades i heard...
=> a better hash function should give nothing more: if you have an
ideal hash function giving 1000 bits and you take only 64 bits, the
brute force attack is still in 2^32 attempts for a collision between
two values and 2^64 for a collision with a given value. So as soon as
the hash function is not too bad it is enough.
so, this is enough protection for the shim6 protocol i guess
regards, marcelo
Regards
Francis.Dupont@point6.net
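
The cost argument in this exchange can be checked on a toy scale. The following is an added example, not part of the original thread or of any shim6/CGA/HBA implementation: it truncates SHA-1 to 16 bits instead of 59 and counts how many modifiers must be tried to match a given hash when the alternative content is a public key (CGA-style) or a prefix set (HBA-style), and how many are needed for a collision between any two values. The parameter layout is simplified, and all names, keys and prefixes are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # toy width so the search finishes in seconds; the thread discusses 59

# Constructed sample contents (not real keys; prefixes are from 2001:db8::/32).
VICTIM_KEY = b"constructed-victim-public-key"
ATTACKER_KEY = b"constructed-attacker-public-key"
VICTIM_PREFIXES = bytes.fromhex("20010db800010000" "20010db800020000")
ATTACKER_PREFIXES = bytes.fromhex("20010db800010000" "20010db8beef0000")

def iid_hash(modifier: int, payload: bytes, bits: int = BITS) -> int:
    """Leftmost `bits` bits of SHA-1(16-byte modifier || payload).
    Simplified stand-in for the CGA parameter data structure hash."""
    digest = hashlib.sha1(modifier.to_bytes(16, "big") + payload).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)

def match_given_value(target: int, alt_payload: bytes, bits: int = BITS):
    """Try modifiers 0, 1, 2, ... until alt_payload hashes to `target`.
    Returns (modifier, attempts); the expected cost is about 2**bits."""
    for modifier in count():
        if iid_hash(modifier, alt_payload, bits) == target:
            return modifier, modifier + 1

def any_collision(payload: bytes, bits: int = BITS):
    """Birthday search for any two modifiers whose hashes agree.
    Returns (m1, m2, attempts); the expected cost is about 2**(bits/2)."""
    seen = {}
    for modifier in count():
        h = iid_hash(modifier, payload, bits)
        if h in seen:
            return seen[h], modifier, modifier + 1
        seen[h] = modifier

def compare(bits: int = BITS) -> dict:
    """Attempt counts for the CGA-style and HBA-style searches, plus birthday."""
    cga_target = iid_hash(7, VICTIM_KEY, bits)
    hba_target = iid_hash(7, VICTIM_PREFIXES, bits)
    return {
        "cga_alt_key": match_given_value(cga_target, ATTACKER_KEY, bits)[1],
        "hba_alt_prefix_set": match_given_value(hba_target, ATTACKER_PREFIXES, bits)[1],
        "birthday_pair": any_collision(VICTIM_KEY, bits)[2],
    }

if __name__ == "__main__":
    for name, attempts in compare().items():
        print(f"{name}: {attempts} attempts (2^{BITS} = {2**BITS})")
```

Both given-value searches scale with the number of hash bits kept, regardless of whether the hashed content is a key or a prefix set, while the two-value collision scales with half that width.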