[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)
David Leon Gil
coruus at gmail.com
Wed Jul 23 08:32:39 PDT 2014
(And, a somewhat delayed response.)
Fingerprint derivation MUST take measures to make multi-target attacks cost
as much as single-target attacks. The easiest approach is to use something
else the user verifies -- like an email address or (unique) screenname --
as an additional input to the KDF.
(The advantage, as dkg points out, is large even for private attackers.
It's gigantic for those involved in mass surveillance or espionage: it's
the total number of keys. Just for RSA and DSA SSH host keys: > 2^27
tagets. See, e.g.,
On Friday, July 11, 2014, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 07/11/2014 09:45 AM, Tom Ritter wrote:
> > In my mind, a 2^80 attacker is targeting a single key,
> Hm, i don't think this is always true.
> There are groups of people (and groups of machines) where the attacker
> can get value from impersonating any one of them. For example, a
> mid-size hosting company may operate roughly 2^10 servers, each with its
> own ssh host key. With many modern OpenSSH instances, each sshd has 3
> or even 4 host keys: dsa, rsa, ecdsa. ed25519; so that's 2^11 or 2^12
> target keys you can try to match.
> Maybe we don't want to capture this additional attacker advantage in our
> model, but if so, we should at least explicitly state it as out of scope.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging