Re: Allegations regarding OpenBSD IPSEC

Previous thread: Re: Allegations regarding OpenBSD IPSEC by Theo de Raadt on Tuesday, December 21, 2010 - 12:59 pm. (6 messages)

Next thread: Felices Fiestas! tech@openbsd.org by Cueros Liberty on Tuesday, December 21, 2010 - 1:08 pm. (1 message)
From: Theo de Raadt
Date: Tuesday, December 21, 2010 - 1:33 pm

I do not understand what hashing principle you are basing this on.

In essence, md5 doesn't care what is in the buffer, or where it is.
Placing it at the front, vs massaging it in by hand... Fundamentally
there is no difference... or is there?

From: Joachim Schipper
Date: Tuesday, December 21, 2010 - 2:00 pm

This was based on the following intuition, which has very little to do
with hashing at all:

If our RC4 state is <nanotime_noise><known>, an attacker may be able to
predict *most* of the RC4 state through the first couple of rounds
(until <nanotime_noise> sufficiently interferes with the known state).

It *seems harder* (but I'm not an expert on this kind of thing!) to
predict the first couple of rounds if <nanotime_noise> is hashed (which
means that you have to re-do the complete calculation for each possible
<nanotime_noise>, which may not necessarily be the case above), and if
this hashing is used to distribute the noise over the entire initial
state of the cipher (so that no known portion exists).

Again, though, this is just intuition, and it's not wise to trust our
intuition in this kind of thing. I actually *am* a cryptographer, but
I'm quite new at it and a mathematician specializing in a very different
area, so don't take this as gospel. (I'd be willing to spend some more
time looking into this if we consider it important.)

		Joachim

From: Kjell Wooding
Date: Tuesday, December 21, 2010 - 2:13 pm

Hashing wasn't my objection. Hashing 3 times with data-dependent inputs and
XORing them together was.

From: Bob Beck
Date: Tuesday, December 21, 2010 - 2:15 pm

.....

Then no offense Joachim - stop suggesting it. intuition like this is
what gets us things like the PHK md5 password scheme.

Look at it - fine, but don't make suggestions based on intuition.

From: Ted Unangst
Date: Tuesday, December 21, 2010 - 2:17 pm

On Tue, Dec 21, 2010 at 4:00 PM, Joachim Schipper

The attacker either knows nanotime or they don't.  If they know it,
they know md5(nanotime) as well.

RC4 is weak sauce and leaks its key in the beginning, but we avoid
that by discarding, so there's no way to tell what the initial state
is except by guessing.  And guessing md5(whatever) is no harder than
guessing whatever.

The md5 step would only be helpful if the initial key to rc4 were then
also used for something *else*, meaning it had some value apart from
being the key.  But it doesn't.
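
Ted's two claims here (the early RC4 keystream leaks information about the key, and discarding the first output bytes avoids that) can be checked empirically. The following is an added example, not code from this thread or from OpenBSD: a textbook RC4 and a count of how often the second output byte is 0 over many random keys (the Mantin-Shamir second-byte bias), once with no discard and once after dropping the first 256 bytes. The key length, number of keys, PRNG seed and discard length are constructed choices for the demonstration, not values from the discussion.

```python
import random


def rc4_stream(key: bytes, n: int, discard: int = 0) -> bytes:
    """Textbook RC4: run the KSA, then the PRGA, throw away the first
    `discard` output bytes and return the next n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for k in range(discard + n):                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= discard:                        # "discarding": skip the early output
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_bias(keys: int, discard: int, seed: int = 1) -> float:
    """How often the second *kept* keystream byte is 0, relative to the 1/256
    expected of an unbiased generator. Mantin and Shamir showed this byte is 0
    with probability about 2/256 for RC4, so the ratio is ~2.0 with no discard
    and ~1.0 once the leaky early output has been dropped."""
    rng = random.Random(seed)                   # constructed, reproducible key source
    zeros = 0
    for _ in range(keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed 128-bit keys
        if rc4_stream(key, 2, discard)[1] == 0:
            zeros += 1
    return zeros / keys * 256


if __name__ == "__main__":
    print("no discard  :", round(second_byte_zero_bias(20000, 0), 2))
    print("discard 256 :", round(second_byte_zero_bias(20000, 256), 2))
```

The first number lands near 2.0 and the second near 1.0, which is the observable version of "leaks in the beginning, avoided by discarding".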

From: Joachim Schipper
Date: Tuesday, December 21, 2010 - 2:19 pm

On closer reflection, neither do I ("MD5 in CTR mode"? Cute, but not
necessarily a good idea). Can we just pretend I never sent that message?

		Joachim
