[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: DNSEXT WGLC: DS SHA-256
>>>>> On Wed, 21 Dec 2005 09:42:52 -0500, "Stuart E. Schechter" <ses@ll.mit.edu> said:
Stuart> As for whether a validator SHOULD or MUST ignore SHA1 digests
Stuart> when SHA-256 are present, perhaps the "security
Stuart> considerations" section could discuss the downgrade attack on
Stuart> validators that accept SHA1 digests when SHA-256 digests are
Stuart> present?
Something like the following would-be-new paragraph:?
If algorithms of different perceived strengths are both used, and
if validators allow for either to indicate that the child zone's
DNSKEY is the one being referred to then downgrade attacks are
possible. For example, if the following conditions are all true:
- Both SHA-1 and SHA-256 based digests are published in DS
records within a parent zone for a given child zone's DNSKEY.
- The DS record with the SHA-1 digest matches the digest
computed using the child zone's DNSKEY.
- The DS record with the SHA-256 digest fails to match the
signature computed using the child zone's DNSKEY
Then if the validator accepts the above situation as secure then
this can be used as a downgrade attack since the stronger SHA-256
digest is ignored.
I won't insert it, however, unless there are other WG members that
agree it is sufficient and needed. I suspect there will be support
for something like this though.
--
Wes Hardaker
Sparta, Inc.
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>