spf-discuss

Re: ANNOUNCE: SRS v0.15 documentation and code

2004-02-11 09:55:18
On Wed, 11 Feb 2004, wayne wrote:

In <Pine(_dot_)LNX(_dot_)4(_dot_)53(_dot_)0402110952540(_dot_)29116(_at_)astray(_dot_)com> Shevek <spf(_at_)anarres(_dot_)org> writes:

As Daniel Roethlisberger points out, you really don't need a complete
MD5 hash.  My gut feel is that even 16 bits of the hash would prevent
any useful spoofing of the SRS system, and I think it would be very
useful to calculate a lower bound.  Then, you can use base32 encoding
or something more resilient to strange MTA manglings.

I've been thinking about this a little bit.

All we need to do is make it impractical to use SRS to create open
relays, not impossible.  As such, I think that 15-20 bits is probably
more than enough.

15 to 20 bits doesn't provide any pretence of security. It can probably be 
cracked in a few milliseconds on an average PC. Since spammers are already 
using lots of virus-infected slave machines to perform their task, this 
much CPU is negligible.

Speed is an issue in MTAs.  Could we save a significant amount of CPU
time by using AES in CBC mode vs MD5?  Could we use RC4?

AES is an encryption scheme, not a message authentication scheme.  
Furthermore, RC4 is a keystream system and since we're encrypting small
amounts of data, it would be very hard to deploy using secure IVs. It is
inappropriate to this task. You are comparing chalk and cheese. As far as 
CBC is concerned, we're talking about 40 bytes here. You're not even going 
to get a single block!

SHA1 is (IIRC) a four-pass S-box system using boolean logic functions and
some magic numbers. We're talking about encoding one MAC block per mail,
not encrypting the entire mail. This is not going to cause significant
CPU overhead.

Heck, is there any reason to specify the cipher/hash at all?  The only
two requirements are that the host that generates the stamp can verify
it, and that you can't use past examples of the SRS to predict future
hashes.

No, there is no reason to specify the hash. However, in the light of the
propensity of system designers and administrators to choose very poor
encryption schemes (examples in a previous post), or to "leave out the
encryption for now", it only seems sensible that we make some "default"
recommendations.

If anyone wants to use CBC or RC4, they are welcome. This is permitted by
SRS. However, it's their lookout if they do.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/
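
An added illustration of the trade-off debated in this thread (not code from the SRS distribution or from either poster): a keyed MAC truncated to a chosen number of bits and base32-encoded, so that case folding in transit does not break verification. The secret, the payload string and all function names are constructed for the example, and the payload layout is not the SRS address format.

```python
import base64
import hashlib
import hmac
from itertools import product

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SECRET = b"constructed-demo-secret"   # constructed key for the example only
PAYLOAD = "example.org=alice"         # constructed stand-in for the stamped data


def make_tag(secret: bytes, payload: str, bits: int) -> str:
    """HMAC-SHA1 of payload, truncated to `bits` and base32-encoded."""
    if bits % 5 or not 5 <= bits <= 160:
        raise ValueError("bits must be a multiple of 5 in 5..160")
    digest = hmac.new(secret, payload.encode(), hashlib.sha1).digest()
    # A 20-byte digest is exactly 32 base32 characters of 5 bits each, no padding.
    return base64.b32encode(digest).decode("ascii")[: bits // 5]


def verify(secret: bytes, payload: str, tag: str, bits: int) -> bool:
    """Constant-time check; upper() undoes case folding by an intermediate MTA."""
    expected = make_tag(secret, payload, bits).encode("ascii")
    return hmac.compare_digest(expected, tag.upper().encode("utf-8"))


def accepted_tags(secret: bytes, payload: str, bits: int) -> int:
    """Count how many of the 2**bits possible tags the verifier accepts."""
    chars = bits // 5
    return sum(
        verify(secret, payload, "".join(c), bits) for c in product(B32, repeat=chars)
    )


def expected_guesses(bits: int) -> int:
    """Approximate average number of blind submissions before one is accepted."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    for bits in (15, 20, 40, 80):
        print(bits, make_tag(SECRET, PAYLOAD, bits), expected_guesses(bits))
    print("accepted out of 1024:", accepted_tags(SECRET, PAYLOAD, 10))
```

Without the key, the only way to get a tag accepted is to submit candidates to the verifying host, so the tag length sets how many attempts that host has to absorb or rate-limit.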