Errata Search
RFC Number:		Errata ID:
Source of RFC		Status:	All/Any Verified+Reported Verified Reported Held for Document Update Rejected
Area Acronym:	All/Any app art gen int ops rai rtg sec tsv wit	Type:	All/Any Editorial Technical
WG Acronym:		Submitter Name:
Other:	All/Any IAB INDEPENDENT IRTF Legacy Editorial	Date Submitted:
Summary Table Full Records

Found 3 records.

Status: Verified (1)

RFC 4270, "Attacks on Cryptographic Hashes in Internet Protocols", November 2005

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 1072
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Henrik Levkowetz
Date Reported: 2005-12-02
Verifier Name: Russ Housley
Date Verified: 2010-03-11

Section 1 says:

   Hash algorithms are used by cryptographers in a variety of security
   protocols, for a variety of purposes, at all levels of the Internet
   protocol stack.  They are used because they have two security
   properties: to be one way and collision free.

It should say:

   Hash algorithms are used by cryptographers in a variety of security
   protocols, for a variety of purposes, at all levels of the Internet
   protocol stack.  They are used because they have two security
   properties: to be one-way and collision-free.

Notes:

Note the " one way and collision free." On the face of it, as plain
English, this is nonsense. In cryptographic terminology, I believe
the correct expression is " one-way and collision-free."

Status: Held for Document Update (1)

RFC 4270, "Attacks on Cryptographic Hashes in Internet Protocols", November 2005

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 2659
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Lloyd Wood
Date Reported: 2010-12-04
Held for Document Update by: Stephen Farrell

Section 3 says:

      Integrity protection.  It is common to compare a hash value that
      is received out-of-band for a file with the hash value of the file
      after it is received over an unsecured protocol such as FTP.

It should say:

      Reliability checking and error detection.  It is common to compare a hash value that
      is received out-of-band for a file with the hash value of the file
      after it is received over an unsecured protocol such as FTP.

Notes:

"integrity protection" is a term with specific meaning to security researchers, and that meaning doesn't gel with how the rest of the world uses terms like 'integrity' or 'protection,' or with the rest of this bullet point. So, we swap the term out for something less contentious.

This came up in discussion with Martin Rex and the IESG. Martin writes:

> Integrity protection is terminology that is used in the
> security&cryptographic area and this defect of rfc-4270 is going
> to create misunderstandings.

So, filing an erratum.

Status: Rejected (1)

RFC 4270, "Attacks on Cryptographic Hashes in Internet Protocols", November 2005

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 2658
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Lloyd Wood
Date Reported: 2010-12-04
Rejected by: Stephen Farrell
Date Rejected: 2011-11-12

Section 1 says:

The Internet protocol community needs to
migrate in an orderly manner away from SHA-1 and MD5 -- especially
MD5 -- and toward more secure hash algorithms.

It should say:

The Internet community needs to migrate in an orderly manner away from reliance for
security purposes on SHA-1 and MD-5 -- especially MD5 -- and toward more secure hash algorithms
for all security-related usages of hash functions in all protocols.

Notes:

This came up in discussion with Sean Turner, Martin Rex and the IESG over IESG Last Call: <draft-turner-md5-seccon-update-07.txt>.

RFC4270 lists seven uses for hash algorithms in section 3. MD5 should not be used for two of those [non-repudiable signatures and digital signatures in certificates] as those are are affected by collision attacks -- albeit only in limited circumstances. For the other five uses - particularly reliability checking (misnamed integrity protection in this draft) in a non-security context, MD5 remains fine to use. Martin flagged the original text as bad, and we came up with qualifiers - below.


On 3 Dec 2010, at 21:40, Martin Rex wrote:

> L.Wood@surrey.ac.uk wrote:

>> I also take issue with RFC4270's claim that:
>>
>> >The Internet protocol community needs to
>> > migrate in an orderly manner away from SHA-1 and MD5 -- especially
>> > MD5 -- and toward more secure hash algorithms.
>>
>> which is rather broad, and entirely without the context and qualifiers
>> we're discussing. RFC4270 was not written for a general audience,
>> but for a security audience. The Internet _security protocol_ community
>> may well need to migrate from these for certain uses (despite there not
>> yet being obvious things to move _to_), but RFC4270 and your draft's
>> sum take-away message that MD5BADDONOTUSE overstates the case.
>
> I agree that the above wording of rfc-4270 is BAD.
>
> It should have said:
>
> The Internet community needs to migrate in an orderly manner away from
> SHA-1 and MD5 -- especially MD5 -- and toward more secure hash algorithms
> for all security-related usages of hash functions in all protocols.

That wording is better, though I would also add a qualifier
on the front by saying 'away from reliance for security purposes on SHA-1
and MD-5...'. This should imo be filed as an erratum on RFC4270.
--VERIFIER NOTES--
This is a substantive change that would require "security-related" to be sufficiently well defined. Writing a draft about this would be better.

Report New Errata