[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



 In your previous mail you wrote:

   
   but in this attack, the attacker is not changing the prefix set right?
   
=> yes, it keeps the parameters as they are.

   so basically the attacker is not attacking the shim6 signalling,

=> no, it is just an impersonization attack.

   is just located in every path,

=> at least one path.

   so the attacker can do exactly the same if 
   the shim6 protocol is secured using CGA (since the attacker is not 
   really changing the locator set), right?
   
=> not if the protection includes a signature check (not necessary for
shim6 signaling but as one has it there is no reason to skip it).

   so from the shim6 signalling perspective, the security achieved against 
   this attack is exactly the same wether you use CGA or HBA
   
=> only from the shim6 signaling perspective.

   Of course i agree that you could use CGA to protect data packets but 
   this wouldn't be shim6 signalling protection but data packets 
   protection, and this is out of the scope of the shim6 protocol
   
=> IMHO you don't put the things in the right order: when you have a
protection mechanism, you verify it provides enough, you apply it
and you drop all invalid packets. You don't try to just pick up the
sercurity service you need. So when shim6 is protected by a CGA and
not a HBA only (i.e., P flag is set) the hashes and the signature will
be checked, this provides strictly stronger security (or if you prefer
unnecessary defense for other than shim6 protocols).

   > => CGA has a RSA key pair too...
   
   yes, but the resulting security is the security of the weakest link, 
   so, even if you add a very long/strong key pair, the easier attack 
   would be the attack on the hash
   
=> the theorical complexity of the attack against RSA is very low...
Your assymption can become false one day. And BTW the functions of
the hash and the key pairs are not the same.

   > => no, either the attacker has to find a key pair giving the same hash
   > or to inverse the public key into the private one. Both problems are
   > harder than for HBAs.
   
   not really
   
=> the first one is in addition of the HBA one (find a collision),
the second is similar to the HBA theft with the addition of the
inversion of the public key.

   In the CGA case, the attacker needs to find an alternative CGA 
   parameter data structure with an alternative public key (the attacker's 
   public key).

=> perhaps also other values for some other fields.

   > => and ther is nothing private too. This is enough for multi-homing
   > where the property we're looking for is weaker than ownership.
   
   agree
   
   would you agree with the following:
   
   from the persepctive of the shim6 protocol, HBAs and CGAs provide the 
   same protection. i.e. the shim6 protocol security is the same when HBA 
   and CGA are used to protect it
   
=> yes.

   > => no, the properties have different strength: this is not directly
   > related to the complexity of theorical attacks.
   
   i guess is both things
   
=> you don't want to understand: a 58 bit authentication is stronger
even if it is easier to attack by brute force.

Regards
   
Francis.Dupont@point6.net