[dnssec-deployment] DNSSEC in Russia

Basil Dolmatov dol at cryptocom.ru
Fri Apr 3 06:28:30 EDT 2009



Paul Hoffman writes:
> At 4:59 PM -0400 4/2/09, Edward Lewis wrote:
>> At 13:18 -0700 4/2/09, Paul Hoffman wrote:
>>
>>> ...with a signature algorithm that has had little cryptographic analysis done
>>> that could be verified by other cryptographers (and for which there is
>>> already some damaging analysis that can be found trivially with Google).
>>> Why should the root sign with such an algorithm?
>> Why shouldn't it? 

Sorry to intervene in the DNSSEC thread with cryptographic stuff, but it 
seems necessary in order to break the hypnotism of the only speaker 
repeating some mantra to the audience.
> 
> Because signing with a weak algorithm can lead to cryptographic attacks on the data that is signed. Specifically, if the hash algorithm has a preimage attack (as has already been suggested for GOST in a recent paper), then an attacker can possibly create false signatures.
> 
In simple words:
- the "strength" of an algorithm is considered to be proportional to the 
quantity of operations necessary to break it (get the plaintext, or the key, or 
a colliding hash, etc.)
- there is an obvious dependency between key length and "strength"
- there could be methods which lower the "strength" of an algorithm, 
effectively reducing the computational burden necessary for breaking it; 
these methods are called "attacks"
- some of these "attacks" are practical (can be used for getting real 
benefit in the process of breaking) and some of them are "impractical" 
(cannot be realised and have only speculative meaning)

The article referred to is a pure example of an "impractical" "attack".

The reason is that for its implementation (getting real benefit from 
reducing computational expenses) one has to have a lot of memory, a 
_real_ _lot_ of memory - say, if we convert all the atoms in the Sun to 
memory cells, then it will be enough memory to implement the so-called 
"attack".  ;)

I have no knowledge about _any_ movements from the authoritative side in 
order to react in _any_ way to this so-called "attack". And I understand 
the reason: this "attack" cannot be realised in decades (or even 
centuries ;) ), so it does not impact the real strength of the algorithm.

I feel it necessary to give this explanation to the audience and promise to 
refrain from discussing crypto issues on this list except in cases where 
some blatant statements are made again.

Sorry once again for the intervention.
dol@
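The vocabulary in the post above (strength as an operation count, work growing with output length, and an "attack" that is impractical because its memory requirement is astronomical) can be made concrete with a small script. The following is an added example, not code from the thread or from any of the papers mentioned: it uses SHA-256 truncated to a handful of bits as a stand-in hash so that generic preimage and birthday searches can actually be run, and the time/memory budgets and the "reduced attack" cost figures are constructed for illustration, not the figures of the GOST paper discussed in the thread.

```python
"""Toy illustration of "strength as work factor" and practical vs. impractical attacks.

Added example, not from the mailing-list thread. The hash is SHA-256 truncated
to a few bits so generic attacks can be exhausted in seconds; all budgets and
attack-cost figures below are constructed, not taken from any paper.
"""
import hashlib
import math
from dataclasses import dataclass


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` output bits (a toy hash we can exhaust)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def preimage_search(target: int, bits: int, max_trials: int = 10_000_000) -> int:
    """Generic brute-force preimage search over the inputs 1, 2, 3, ...

    Returns the successful input, which is also the number of trials spent
    (expected about 2**bits), or -1 if the trial budget is exhausted.
    """
    for trial in range(1, max_trials + 1):
        if truncated_hash(trial.to_bytes(8, "big"), bits) == target:
            return trial
    return -1


def collision_search(bits: int):
    """Generic birthday collision: returns two distinct inputs with equal hash.

    Expected about 2**(bits/2) trials and about as many stored outputs, so
    this generic attack costs memory as well as time.
    """
    seen = {}
    trial = 0
    while True:
        trial += 1
        h = truncated_hash(trial.to_bytes(8, "big"), bits)
        if h in seen:
            return seen[h], trial
        seen[h] = trial


def average_preimage_work(bits: int, samples: int = 8) -> float:
    """Average trials of preimage_search over a few fixed, constructed targets.

    Illustrates the first bullet of the post: every extra output bit roughly
    doubles the work of the generic attack.
    """
    total = 0
    for i in range(samples):
        target = truncated_hash(b"constructed-target-%d" % i, bits)
        total += preimage_search(target, bits)
    return total / samples


@dataclass
class Attack:
    """Cost of an attack in log2 units: 2**time_log2 operations, 2**memory_log2 cells."""
    name: str
    time_log2: float
    memory_log2: float


# The post's yardstick: about 10**57 atoms in the Sun, i.e. roughly 2**189 cells.
SUN_ATOMS_LOG2 = math.log2(10**57)
TIME_BUDGET_LOG2 = 80.0     # constructed: "large but conceivable" amount of work
MEMORY_BUDGET_LOG2 = 60.0   # constructed: "large but buildable" amount of memory


def is_practical(attack: Attack, time_budget_log2: float = TIME_BUDGET_LOG2,
                 memory_budget_log2: float = MEMORY_BUDGET_LOG2) -> bool:
    """An attack is practical only if BOTH its time and its memory fit the budget.

    A method that lowers the operation count but needs far more memory than
    can exist is, in the post's words, an "impractical attack": it does not
    change the real strength of the algorithm.
    """
    return attack.time_log2 <= time_budget_log2 and attack.memory_log2 <= memory_budget_log2


def classify(attacks):
    """Map each attack name to its practical/impractical verdict."""
    return {a.name: is_practical(a) for a in attacks}


if __name__ == "__main__":
    print("avg preimage work, 12 bits:", average_preimage_work(12))
    print("avg preimage work, 16 bits:", average_preimage_work(16))
    print("collision inputs, 20 bits:", collision_search(20))
    # Constructed cost figures for a 256-bit hash; not the paper's numbers.
    generic = Attack("generic preimage", time_log2=256, memory_log2=0)
    reduced = Attack("reduced time, huge memory", time_log2=192, memory_log2=200)
    print(classify([generic, reduced]))
    print("memory of 'reduced' exceeds Sun's atoms:", reduced.memory_log2 > SUN_ATOMS_LOG2)
```

The two generic searches give the baseline that "strength" is measured against; `is_practical` then applies the post's second criterion, that a published reduction in operation count is only a real threat if its memory requirement is also attainable.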
