Re: [Cbor] Gordian Envelope and Crypto-Agility for its Hash
Christopher Allen <christophera@lifewithalacrity.com> Wed, 08 March 2023 02:54 UTC
To: cbor@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/7MWD3W496_8sDyk_ZMqznYj5kDQ>
On Tue, Mar 7, 2023 at 12:25 AM Christopher Allen <christophera@lifewithalacrity.com> wrote:
> When looking at switching back to SHA-256 from BLAKE3, we decided to
> forbear crypto-agility with Gordian Envelope, especially as we have only 1
> cryptographic algorithm (the hash), and desire to take the conservative stance
> that having only one makes it easier to review, and if something major
> happens, we'll revise the standard to v2.
>
> This is the approach that more and more cryptographers and protocol
> designers like WireGuard are taking. I'm working now on an article about
> the various risks of crypto-agility, and alternatives like crypto-suites,
> methods, better layering, etc.
>
I’ve finished the article I was working on talking about why we’re
restricting the use of cryptographic agility in Gordian Envelope:
https://www.blockchaincommons.com/musings/musings-agility/

Basically, I believe there are flaws with a full-throated embrace of
cryptographic agility, mainly:

* High Costs
* Bad Interactions
* Downgrade Attacks

Though there are obvious advantages to being able to nimbly switch to a new
algorithm if a problem emerges with an old one, I think that switchover
ability should be highly limited. For Gordian Envelope, I plan to include
just two options for the hash algorithm we use: a current version and a
reserved tag to switch to if/when problems arise.

There are other alternatives that I talk about in the article, such as
cipher suites, expiration dates, methods, and good usage of layering, but
my general philosophy after 23 years of experience since the release of
IETF TLS 1.0, is the less, the better.

The article goes into all of this in more depth.

-- Christopher Allen