Internet Engineering Task Force (IETF)                          A. Kukec
Request for Comments: 6273                          University of Zagreb
Category: Informational                                      S. Krishnan
ISSN: 2070-1721                                                 Ericsson
                                                                S. Jiang
                                            Huawei Technologies Co., Ltd
                                                               June 2011

The Secure Neighbor Discovery (SEND) Hash Threat Analysis

Abstract

This document analyzes the use of hashes in Secure Neighbor Discovery (SEND), the possible threats to these hashes and the impact of recent attacks on hash functions used by SEND. The SEND specification currently uses the SHA-1 hash algorithm and PKIX certificates and does not provide support for hash algorithm agility. This document provides an analysis of possible threats to the hash algorithms used in SEND.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6273.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Impact of Collision Attacks on SEND
     2.1.  Attacks against CGAs Used in SEND
     2.2.  Attacks against PKIX Certificates in Authorization Delegation Discovery Process
     2.3.  Attacks against the Digital Signature in the SEND RSA Signature Option
     2.4.  Attacks against the Key Hash Field of the SEND RSA Signature Option
   3.  Conclusion
   4.  Security Considerations
   5.  Acknowledgements
   6.  References
     6.1.  Normative References
     6.2.  Informative References
        
1. Introduction

SEND [RFC3971] uses the SHA-1 hash algorithm [SHA1] to generate the contents of the Key Hash field and the Digital Signature field of the RSA Signature option. It also indirectly uses a hash algorithm (SHA-1, MD5, etc.) in the PKIX certificates [RFC5280] used for router authorization in the Authorization Delegation Discovery (ADD) process. Recently, attacks have been demonstrated against the collision-free property of such hash functions [SHA1-COLL] and against PKIX X.509 certificates that use the MD5 hash algorithm [X509-COLL]. This document analyzes the impact of these attacks on SEND and recommends mechanisms to make SEND resistant to them.

2. Impact of Collision Attacks on SEND

[RFC4270] summarizes a study that assesses the threat of the aforementioned attacks on the use of cryptographic hashes in Internet protocols. This document analyzes the hash usage in SEND following the approach recommended by [RFC4270] and [NEW-HASHES].

The following sections discuss the various aspects of hash usage in SEND and determine whether they are affected by the attacks on the underlying hash functions.

2.1. Attacks against CGAs Used in SEND

Cryptographically Generated Addresses (CGAs) are defined in [RFC3972] and are used to securely associate a cryptographic public key with an IPv6 address in the SEND protocol. Impacts of collision attacks on current uses of CGAs are analyzed in [RFC4982]. Collision attacks, as described in Section 4 of [RFC4270], target the non-repudiation property of hash algorithms. However, CGAs do not provide non-repudiation. Therefore, as [RFC4982] points out, CGA-based protocols, including SEND, are not affected by collision attacks on hash functions. If pre-image attacks were to become feasible, an attacker could find new CGA Parameters that generate the same CGA as the victim's. This class of attacks is potentially dangerous since the security of SEND messages relies on the strength of the CGA.

2.2. Attacks against PKIX Certificates in Authorization Delegation Discovery Process

To protect Router Discovery, SEND requires that routers be authorized to act as routers. Routers are authorized by provisioning them with certificates from a trust anchor, and the hosts are configured with the trust anchor(s) used to authorize routers. Researchers demonstrated attacks against PKIX certificates with MD5 signatures in 2005 [NEW-HASHES], in 2007 [X509-COLL] [STEV2007] [SLdeW2007], and in 2009 [SSALMOdeW2009] [SLdeW2009]. An attacker can take advantage of these vulnerabilities to obtain a certificate with a different identity and use the certificate to impersonate a router. For this attack to succeed, the attacker needs to predict the content of all fields (some of them are human-readable) appearing before the public key, including the serial number and validity periods. Even though a relying party cannot verify the content of these fields, the CA can identify the forged certificate, if necessary.

2.3. Attacks against the Digital Signature in the SEND RSA Signature Option

The digital signature in the RSA Signature option is produced by signing, with the sender's private key, the SHA-1 hash over certain fields in the Neighbor Discovery message as described in Section 5.2 of [RFC3971]. It is possible for an attacker to come up with two different Neighbor Discovery messages m and m' that result in the same value in the Digital Signature field. Since the structure of the Neighbor Discovery messages is well defined, it is not practical to use this vulnerability in real world attacks.

2.4. Attacks against the Key Hash Field of the SEND RSA Signature Option

The SEND RSA signature option described in Section 5.2 of [RFC3971] defines a Key Hash field. This field contains a SHA-1 hash of the public key that was used to generate the CGA. To use a collision attack on this field, the attacker needs to come up with another public key (k') that produces the same hash as the real key (k). But the real key (k) is already authorized through a parallel mechanism (either CGAs or router certificates). Hence, collision attacks are not possible on the Key Hash field. Pre-image attacks on the Key Hash field are not useful for the same reason (any other key that hashes into the same Key Hash value will be detected due to a mismatch with the CGA or the router certificate).

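The reasoning in Sections 2.1 and 2.4 rests on two hash bindings: the CGA ties an address to the CGA Parameters (which contain the public key), and the Key Hash ties the RSA Signature option to that same key. The following Python is an added illustration, not code from RFC 6273, RFC 3971 or RFC 3972. It implements the RFC 3972 Hash1/Hash2 derivation and the RFC 3971 Key Hash over constructed stand-in key bytes (a real implementation hashes the DER-encoded SubjectPublicKeyInfo), uses sec=1 with no extension fields, and shows the receiver-side check that makes a substituted key detectable even if its Key Hash were somehow made to match: the substituted key no longer regenerates the source address.

```python
# Added example (not part of RFC 6273): the CGA / Key Hash bindings that
# Sections 2.1 and 2.4 rely on, with a receiver-side consistency check.
import hashlib
import os
from typing import NamedTuple

# Constructed stand-ins for public keys. RFC 3972 hashes the DER-encoded
# SubjectPublicKeyInfo; any byte string exercises the same logic.
VICTIM_KEY = b"constructed-victim-public-key-bytes"
ATTACKER_KEY = b"constructed-attacker-public-key-bytes"
PREFIX_2001_DB8 = bytes.fromhex("20010db8000000ab")  # 2001:db8:0:ab::/64, documentation prefix


class CGAParameters(NamedTuple):
    modifier: bytes        # 16 octets, chosen during generation
    prefix: bytes          # 8 octets, the subnet prefix of the address
    collision_count: int   # 0, 1 or 2 (RFC 3972 rejects anything larger)
    public_key: bytes      # the key the address is bound to (no extension fields here)

    def encode(self) -> bytes:
        return self.modifier + self.prefix + bytes([self.collision_count]) + self.public_key


def hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """RFC 3972 Hash2: with the prefix and collision count zeroed (9 zero octets),
    the leftmost 16*sec bits of SHA-1(modifier | zeros | key) must be zero."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return int.from_bytes(digest[:2 * sec], "big") == 0


def interface_id(params: CGAParameters, sec: int) -> bytes:
    """RFC 3972 Hash1: leftmost 64 bits of SHA-1(CGA Parameters). The three leftmost
    bits are overwritten with sec and the u/g bits (bits 6 and 7) are cleared."""
    iid = bytearray(hashlib.sha1(params.encode()).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix: bytes, public_key: bytes, sec: int = 1, collision_count: int = 0):
    """Search for a modifier that satisfies Hash2, then derive the address from Hash1."""
    while True:
        modifier = os.urandom(16)
        if hash2_ok(modifier, public_key, sec):
            break
    params = CGAParameters(modifier, prefix, collision_count, public_key)
    return prefix + interface_id(params, sec), params


def verify_cga(address: bytes, params: CGAParameters) -> bool:
    """RFC 3972 Section 5 verification; sec is read from the address itself."""
    if len(address) != 16 or params.collision_count > 2 or params.prefix != address[:8]:
        return False
    sec = address[8] >> 5
    return interface_id(params, sec) == address[8:] and hash2_ok(params.modifier, params.public_key, sec)


def key_hash(public_key: bytes) -> bytes:
    """RFC 3971 Section 5.2 Key Hash: leftmost 128 bits of SHA-1 over the public key."""
    return hashlib.sha1(public_key).digest()[:16]


def accept_rsa_option(address: bytes, params: CGAParameters, presented_key_hash: bytes) -> bool:
    """Receiver check: the Key Hash must name the key carried in the CGA Parameters,
    and those parameters must regenerate the packet's source address."""
    return presented_key_hash == key_hash(params.public_key) and verify_cga(address, params)


def demo():
    """Legitimate binding verifies; a CGA Parameters block with a swapped key does not,
    regardless of what Key Hash the attacker presents (Section 2.4's argument)."""
    address, params = generate_cga(PREFIX_2001_DB8, VICTIM_KEY)
    legit = accept_rsa_option(address, params, key_hash(VICTIM_KEY))
    forged = params._replace(public_key=ATTACKER_KEY)   # same address, different key
    forged_binding_holds = verify_cga(address, forged)   # Hash1 no longer matches
    return legit, forged_binding_holds


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check is deliberately split in two: `key_hash` alone would only tell a receiver that the option names some key, while `verify_cga` is what ties that key to the address the packet claims to come from. This is why a collision or pre-image on the Key Hash field buys nothing unless the attacker can also defeat the CGA binding, which is the pre-image case Section 2.1 flags as the real risk.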
3. Conclusion

Current attacks on hash functions do not constitute any practical threat to the digital signatures used in SEND (both in the RSA signature option and in the X.509 certificates). Attacks on CGAs, as described in [RFC4982], will compromise the security of SEND and they need to be addressed by encoding the hash algorithm information into the CGA as specified in [RFC4982].

4. Security Considerations

This document analyzes the impact that the attacks against hash functions have on SEND. It concludes that the only practical attack on SEND stems from a successful attack on an underlying CGA. It does not add any new vulnerabilities to SEND.

5. Acknowledgements

The authors would like to thank Lars Eggert, Pete McCann, Julien Laganier, Jari Arkko, Paul Hoffman, Pasi Eronen, Adrian Farrel, Dan Romascanu, Tim Polk, Richard Woundy, Marcelo Bagnulo, and Barry Leiba for reviewing earlier versions of this document and providing comments to make it better.

6. References
6.1. Normative References

[NEW-HASHES] Bellovin, S. and E. Rescorla, "Deploying a New Hash Algorithm", November 2005.

[RFC4270] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.

[RFC4982] Bagnulo, M. and J. Arkko, "Support for Multiple Hash Algorithms in Cryptographically Generated Addresses (CGAs)", RFC 4982, July 2007.

6.2. Informative References

[RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.

[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[SHA1] NIST, FIPS PUB 180-1, "Secure Hash Standard", April 1995.

[SHA1-COLL] Wang, X., Yin, L., and H. Yu, "Finding Collisions in the Full SHA-1. CRYPTO 2005: 17-36", 2005.

[SLdeW2007] Stevens, M., Lenstra, A., de Weger, B., "Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities". EuroCrypt 2007.

[SLdeW2009] Stevens, M., Lenstra, A., de Weger, B., "Chosen-prefix Collisions for MD5 and Applications, Journal of Cryptology", 2009, <http://deweger.xs4all.nl/papers/%5B42%5DStLedW-MD5-JCryp%5B2009%5D.pdf>.

[SSALMOdeW2009] Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D., and B. de Weger., "Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, Crypto 2009", 2009.

[STEV2007] Stevens, M., "On Collisions for MD5", <http://www.win.tue.nl/hashclash/On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf>.

[X509-COLL] Stevens, M., Lenstra, A., and B. Weger, "Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. EUROCRYPT 2007: 1-22", 2007.

Authors' Addresses

Ana Kukec University of Zagreb Unska 3 Zagreb Croatia

   EMail: ana.kukec@fer.hr

Suresh Krishnan Ericsson 8400 Decarie Blvd. Town of Mount Royal, QC Canada

   EMail: suresh.krishnan@ericsson.com

Sheng Jiang Huawei Technologies Co., Ltd Huawei Building, No.3 Xinxi Rd., Shang-Di Information Industry Base, Hai-Dian District, Beijing P.R. China

   EMail: jiangsheng@huawei.com