[Standards] Re: [jdev] XEP-0115: Entity Capabilities
dave at cridland.net
Wed Jul 4 09:38:26 UTC 2007
On Tue Jul 3 23:45:53 2007, Justin Karneges wrote:
> Apologies for not understanding this thread at all and just
> commenting out of nowhere, but what security is gained by using a
> hash in the caps protocol?
It's an attempt at preventing a theoretical attack, as I understand
things. The only instance of caps "pollution" being an issue appears
- from my reading of this thread - to be an inadvertant error, not a
> If there is no security gained by using a hash (e.g. everyone has
> access to the raw data such that they can all calculate the same
> hash) then what difference does it make which algorithm is used?
I know Ian and Joe have answered this, I'm hoping I might add a
different perspective on this, plus there's actually a new point at
the bottom. :-)
In principle, an attacker capable of mounting a selected preimage
attack (specifically, one that involves being able to create a caps
list such that it produces a hash identical to that provided by
legitimate clients *and* it gains some benefit to the attacker, in a
reasonable timeframe) might be able to subvert communications.
An example of this might be convincing a client that one or more
users on the roster are, contrary to reality, unable to handle
esessions, or some new encrypted Jingle, enabling the attacker to
eavesdrop communications. To do this, the attacker has to detirmine
the "real" hash, use the preimage attack to find a caps list to
supply by disco which is both syntactically correct and excludes the
extensions that the attacker wishes to remove, do so before the
target client can query any "real" clients, and finally place
themselves in a position such that they answer such queries.
The latter can be achieved either by sending a directed presence or
by subverting the server entirely - we can treat this as the easy bit.
The hard part remains the timing issue - in order to have any value,
you'd need to pollute the target clients capability cache prior to it
discovering the real capabilities, and that's an extraordinarily
short time window.
A simple MD5 hash will adequately prevent any chance of inadvertant
cache pollution, which leaves the selection of any hash algorithm
purely down to the time it'd take to mount a preimage attack.
I've reviewed the various papers on MD5 as best I can, and I don't
think its known weaknesses are such that a preimage attack can be
mounted within a useful timeframe, hence I'm not too fussed, but I'd
be happy to see SHA-1 used if people are genuinely concerned.
Whatever we choose, hash functions are continually eroded, and what's
reasonable now will not be in the future.
(FWIW, Ian's mention of a "one hour attack" is a collision attack,
not a preimage attack, and finds a pair of two-block messages which
collide, both of which have specific properties, and the time figures
are quoted for an IBM P690, which is somewhat bigger iron than I have
about, anyway. Our attacker needs a selected preimage attack, and
will almost certainly need one where the legitimate message is
several blocks long for MD5, and their primary source of computing
power is likely to be a distributed botnet at best - I'm not clear if
this attack is distributable or not, but I'm not concerned by it).
I mentioned earlier that we could gain a benefit from ver/ext by
using "prepackaged" sets of capabilities, in order that there was
more likelyhood of a cache-hit, and moreover, allows clients to ship
with a hardcoded cache containing these prepackaged sets already,
avoiding the need to probe at all.
I think it might be worth noting that the more commonality we have
between clients in this respect, the harder it is to mount such an
attack, although correspondingly higher gains can be made. If clients
are able to ship with a pre-polulated cache, then the window of
opportunity for an attacker vanishes entirely for those clients,
however, allowing those clients to effectively claim immunity from
such attacks. Sorry, it's another trade-off.
FWIW, I lean heavily toward pre-defined sets, as I think that "good
clients" gain in both security and efficiency, whereas "old clients"
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards