[chord] new auth type patch
Benjie Chen
benjie at amsterdam.lcs.mit.edu
Wed Jul 23 18:12:18 EDT 2003
> I guess 20 bytes isn't a lot smaller, though perhaps it would be more
> in-line with the "SHA1" kind of sizes that we tend to customarily
> used. certainly, 32 bytes is more than you'll ever need... i guess
> it would then be easy to be tempted to encode actual information
> in the nonce.
i don't like 20, because it's not power of 2. but i am not sure if
that matters.
> > behavior for existing DHASH_KEYHASH blocks, which also don't sign the
> > version number, permitting a replay attack: the adversary takes an old
>
> that seems poor. we should fix that. it looks like benjie was
> the person most immediately responsible for the code. i guess
> we'll see if we can make that better.
okay, i see what you mean. i think there are a few reasons why this is
the case
- you won't be able to stop replay attacks with a version number,
since a malicious server can just withhold newer data and you would
never even know you are being attacked against. you will have to use
higher layer mechanisms. i include that in my keyhash payload.
- including version number as part of the signed payload means dhash
servers would need to know about structure of the payload, at least
a header. this is not difficult, just that we need to iron this out.
for example, there are already a header that goes on top of the
signed payload right now, that includes the signature and key. do you
want to have another layering? i am not opposed to this if it
actually did something useful, but as i mentioned signed version
number does not stop replay/stale attacks
> if the only change is the addition of 32 bytes of nonce data used
> for naming, maybe we should just use this code, caling your stuff
> 'KEYHASH', and apps that don't care about being able to have
> more than one block being signed by the same key could just set
> the nonce to all zeros, perhaps via some sort of function that
> hid such details...?
i think this is a good idea, if this is adequate for michael. in this
case i would be happy to define a structure that includes a header with
a version and a nonce, then a payload, and the entire structure must be
signed.
then we can go from there, to see if any other changes need to be made
benjie
--
benjie chen
benjie at lcs.mit.edu
More information about the chord
mailing list