[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

David Leon Gil coruus at gmail.com
Wed Jul 23 08:32:39 PDT 2014

(And, a somewhat delayed response.)

Fingerprint derivation MUST take measures to make multi-target attacks cost
as much as single-target attacks. The easiest approach is to use something
else the user verifies -- like an email address or (unique) screenname --
as an additional input to the KDF.

(The advantage, as dkg points out, is large even for private attackers.
It's gigantic for those involved in mass surveillance or espionage: it's
the total number of keys. Just for RSA and DSA SSH host keys: > 2^27
targets. See, e.g.,

On Friday, July 11, 2014, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> On 07/11/2014 09:45 AM, Tom Ritter wrote:
> > In my mind, a 2^80 attacker is targeting a single key,
> Hm, i don't think this is always true.
> There are groups of people (and groups of machines) where the attacker
> can get value from impersonating any one of them.  For example, a
> mid-size hosting company may operate roughly 2^10 servers, each with its
> own ssh host key.  With many modern OpenSSH instances, each sshd has 3
> or even 4 host keys: dsa, rsa, ecdsa, ed25519; so that's 2^11 or 2^12
> target keys you can try to match.
> Maybe we don't want to capture this additional attacker advantage in our
> model, but if so, we should at least explicitly state it as out of scope.
>         --dkg
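The multi-target advantage dkg describes, and the identity-binding fix proposed in the reply above, as an added toy simulation (not code from the list or from either poster): fingerprints are truncated to 16 bits so it runs in seconds, the host names and keys are constructed sample data, and the length-prefixed mixing of the identity into the hash is one illustrative KDF-input construction, not a standard.

```python
import hashlib
import random
from typing import Optional

FP_BITS = 16  # toy fingerprint length; real fingerprints are >= 128 bits


def fingerprint(pubkey: bytes, identity: Optional[bytes] = None) -> int:
    """Truncated fingerprint of a public key.

    identity=None is the plain hash-of-key construction. Passing the identity
    the user independently verifies (e.g. an e-mail address) mixes it into the
    derivation, so a candidate key can only match one target's fingerprint.
    """
    h = hashlib.sha256()
    if identity is not None:
        h.update(len(identity).to_bytes(2, "big") + identity)  # length-prefixed
    h.update(pubkey)
    return int.from_bytes(h.digest()[:4], "big") >> (32 - FP_BITS)


def expected_trials(n_targets: int, bind_identity: bool) -> int:
    """Expected candidate keys per match. Unbound: one candidate is checked
    against all n fingerprints at once. Bound: the attacker must commit to a
    single identity, so n collapses to 1 and multi-target cost = single-target."""
    return 2 ** FP_BITS // (1 if bind_identity else n_targets)


def simulate_trials(targets: dict, bind_identity: bool, rng: random.Random) -> int:
    """Draw random candidate keys until one matches some target fingerprint.
    targets maps identity -> public key (constructed sample data)."""
    if bind_identity:
        victim = rng.choice(sorted(targets))          # must pick one identity
        wanted = {fingerprint(targets[victim], victim)}
    else:
        victim = None
        wanted = {fingerprint(pk) for pk in targets.values()}  # all at once
    trials = 0
    while True:
        trials += 1
        if fingerprint(rng.randbytes(32), victim) in wanted:
            return trials


def compare(n_targets: int = 1024, runs: int = 3, seed: int = 1):
    """Mean trials (unbound, identity-bound) against n_targets hosts, cf. dkg's 2^10 servers."""
    rng = random.Random(seed)
    targets = {f"host{i}.example".encode(): rng.randbytes(32) for i in range(n_targets)}
    unbound = sum(simulate_trials(targets, False, rng) for _ in range(runs)) / runs
    bound = sum(simulate_trials(targets, True, rng) for _ in range(runs)) / runs
    return unbound, bound


if __name__ == "__main__":
    u, b = compare()
    print(f"theory: {expected_trials(1024, False)} vs {expected_trials(1024, True)} trials")
    print(f"simulated: {u:.0f} vs {b:.0f} trials")
```

The identity only helps if it is something the verifying user actually checks out of band; an attacker who can choose the identity shown to the victim gets the multi-target advantage back.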