[Standards] [Fwd: [Council] meeting minutes, 2007-11-21]
dave at cridland.net
Thu Nov 22 15:39:39 UTC 2007
On Thu Nov 22 10:38:43 2007, Lauri Kaila wrote:
> What kind of attacks are based on this weakness in XEP-0115? I can
> only think of DOS by lying capabilities (when the hash of a liar's
> capabilities collides with someone's real caps). I'd think disabling
> XEP-0115 is the cure to recover and prevent happening again.
There's a small window for a downgrade attack. For instance, if one
happened to be able to find out that someone whom the victim usually
spoke to under some e2e encryption upgraded their client before the
victim, you could arrange for the victim to query your fake caps by
disco rather than the target's, allowing you to remove the e2e
This requires a preimage attack - ie, you need to select a plaintext
such that a hash comes out equal. You could mount either a first or
second preimage attack, it doesn't matter much. I've tended to refer
to a second preimage attack, since we're actually looking at matching
the hash in the entity caps, but a first is practical too if it's
In principle, you could mount the attack via a collision attack - in
which case it'd be practical with MD5 - except that would require you
gained sufficient access to the disco responses of the target, which
means either mounting a very expensive and pointless attack on the
target's computer, or by subverting the development process of their
client. I'm inclined to rule these out, since a rogue developer going
undetected is able to do much more interesting things, as is someone
able to take control of specific remote computers at will.
Maybe RFC4270 should be required reading before we go much further.
Suffice to say there are still no known preimage attacks on either
MD5 or SHA-1. There is one for MD4, so let's rule that out, 'kay?
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the Standards