IETF Logo Mail Archive

Re: [Cfrg] NSA sabotaging crypto standards

"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Fri, 07 February 2014 19:49 UTC

Return-Path: <prvs=7115ef9fce=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F33A1ACC87 for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 11:49:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.237
X-Spam-Level:
X-Spam-Status: No, score=-4.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_MID=0.497, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dveeJXkAR-AF for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 11:49:11 -0800 (PST)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id C1D6F1A01D2 for <cfrg@irtf.org>; Fri, 7 Feb 2014 11:49:10 -0800 (PST)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s17JmwMj004746; Fri, 7 Feb 2014 14:48:59 -0500
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'watsonbladd@gmail.com'" <watsonbladd@gmail.com>
Date: Fri, 07 Feb 2014 14:48:58 -0500
Thread-Topic: [Cfrg] NSA sabotaging crypto standards
Thread-Index: Ac8kJ3hwqLlhr+4ETv+WNycOncuWbgAFiuAB
In-Reply-To: <CACsn0cnYkDwyAdwdf0+-JtksWu4NhKPr3L2emG2b3kFDe5v6hg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-02-07_07:2014-02-07, 2014-02-07, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402070110
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>, "'nmav@gnutls.org'" <nmav@gnutls.org>
Subject: Re: [Cfrg] NSA sabotaging crypto standards
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 19:49:13 -0000
X-Message-ID:
Message-ID: <20140418010542.2560.52898.ARCHIVE@ietfa.amsl.com>

1. Yes, those objections were informed - and based on the best data we *all* had *back then*. (I personally discussed it with Don Johnson, and Don Coppersmith, which was easy as we worked in the same building. There is *a lot* to say on the subject, but it does not matter now.)
This is the blessing of and the problem with the hindsight. We did Encrypt-then-MAC mostly for performance reasons, and hoped there were no unforeseen negative security implications. A decade later it turned out that our approach was preferable from security point of view, and now (2+ decades later) people are criticized for not embracing our method... But for sure I can't call my colleagues of that time "mistaken".

Who knows what we'll learn in the next ten years?

2. "Blunder" is a strong word. I cannot call what happened in those WG a "blunder" (much unlike the [in]famous WEP).

What should be done? A good question. Theoretically, impacted standards and implementations should be re-done to address the problems we know about now. Practically, considering the inertia of the industry and the leg irons of backwards compatibility? With the money considerations (cost of the changes vs expected revenue from them) thrown in this mix?  Off-hand, I don't know.

On one hand, IETF needs a (better) ability to deprecate algorithms and protocols (as Dave McGrew just said). On the other hand, there is no enforcement arm, and if (for the sake of the argument) Microsoft decides to keep a deprecated protocol alive, you and I can criticize it all we want, but it won't take it off the 90% of the world's desktops and who knows what percentage of the servers that must communicate with those desktops. 

3. Regarding the new protocols? It should be simpler, as they rarely carry the burden of compatibility with something we may or may not like. IETF is trying to steer things away from bad by making statements like "No new protocol shall use MD5" (back then, or SHA-1, in later days). 

IMHO, one way to improve things is getting out IESG statements like "Construct X was shown to be vulnerable to A, B, and C - and must not be used in any new protocol", and "Construct Y was shown to be strong/good for D, E, and F - and new protocols doing those should employ Y"... Security AD  would be a reasonable source of such statements. It is up to the individual members to create, analyze/debug/vet such statements, and submit them for AD's consideration. If such a statement were coming from CFRG rather than a single individual, it would be even better.

Describing attacks against proposed protocols, together with recommended fixes, would also help. The more practical and specific the attacks are - the likelier it is that the WG would listen (and vs versa). Availability and usability of the fixes is a factor too...

One caveat: security proofs is a tricky field. I remember having fun reading proofs and "dis-proofs" on MQV/HMQV/FHMQV. It is far from, e.g., proofs in geometry or algebra that we're so used to rely upon. :-). So I personally tale security proofs with a good grain of salt, and try to look at the assumptions much more closely than at the actual proofs.

Also, implementers positively hate designs/protocols encumbered by IPR. They would much rather take a chance of a weird attack than of a potential litigation. If a good protocol is patented - it won't be touched with a 10-foot pole (e.g., think EKE), no matter how great security proofs or performance advantages it has. 

GPL license is great (when available :), but it doesn't cover all the needs of the industry...

I better stop here before I lose too much of coherence. :-)

Would be happy to answer specific questions, or discuss specific steps.

TNX!
--
Regards,
Uri Blumenthal                            Voice: (781) 981-1638
Cyber Systems and Technology   Fax:   (781) 981-0186
MIT Lincoln Laboratory                Cell:  (339) 223-5363
244 Wood Street                        Email: <uri@ll.mit.edu>
Lexington, MA  02420-9185       

Web:  http://www.ll.mit.edu/CST/

 

MIT LL Root CA: 

 <https://www.ll.mit.edu/labcertificateauthority.html>


DSN:   478-5980 ask Lincoln ext.1638

----- Original Message -----
From: Watson Ladd [mailto:watsonbladd@gmail.com]
Sent: Friday, February 07, 2014 12:10 PM
To: Blumenthal, Uri - 0558 - MITLL
Cc: nmav@gnutls.org <nmav@gnutls.org>; cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [Cfrg] NSA sabotaging crypto standards

On Fri, Feb 7, 2014 at 8:39 AM, Blumenthal, Uri - 0558 - MITLL
<uri@ll.mit.edu> wrote:
> Don Johnson, for one. Carl Meyer. (Yes, those guys who invented Lucifer and DES ciphers.)
>
> You keep forgetting (or simply aren't old enough to be aware?) of how things were done back when the "Cryptography: The New Dimension" book was published.
>
> The standard was "MAC, then Encrypt", and it had reasons for doing things in that order. In fact, SNMP was the first IETF protocol (circa 1992-1994) to diverge from that approach, and it took some flak for not doing what was the conventional wisdom of that day.

Was that flack informed? Or was it coming from people who didn't
really understand the mathematics behind crypto? Were those reasons
informed? Just because everyone was making the same mistakes doesn't
make those mistakes less serious. Even if we make Bellare-Nampare the
point at which no one should have done MAC then Encrypt, that was 13
years ago. Bard explained BEAST 9 years before the demonstration.

The best you can say is that the TLS WG was woefully slow in
responding to the changing situation.

>
> Since then the priorities and the attacks changed, and now "Encrypt-then-MAC" is the standard.
>
> Watson, I'd like to join other suggesting that you become less combative here. I'm not a "peacenik" myself, but any patience has a limit.

What should the CFRG and the IETF do more broadly to ensure that
blunders as serious as the ones above don't happen again? What has the
CFRG done to ensure that other 90's era protocols have these problems
addressed, particularly when the WGs responsible have disbanded?
Should we simply let sleeping dogs lie, and work on ensuring that new
protocols don't make similar mistakes?
I'm here to fix the problems: explain what I need to do to fix them,
and I'll do it.

Sincerely,
Watson
>
> --
> Regards,
> Uri Blumenthal                            Voice: (781) 981-1638
> Cyber Systems and Technology   Fax:   (781) 981-0186
> MIT Lincoln Laboratory                Cell:  (339) 223-5363
> 244 Wood Street                        Email: <uri@ll.mit.edu>
> Lexington, MA  02420-9185
>
> Web:  http://www.ll.mit.edu/CST/
>
>
>
> MIT LL Root CA:
>
>  <https://www.ll.mit.edu/labcertificateauthority.html>
>
>
> DSN:   478-5980 ask Lincoln ext.1638
>
> ----- Original Message -----
> From: Watson Ladd [mailto:watsonbladd@gmail.com]
> Sent: Friday, February 07, 2014 11:28 AM
> To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
> Cc: cfrg@irtf.org <cfrg@irtf.org>
> Subject: Re: [Cfrg] NSA sabotaging crypto standards
>
> On Fri, Feb 7, 2014 at 8:11 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
>> On 02/07/2014 04:59 PM, Watson Ladd wrote:
>>
>>> But let's go into detail about how well the cryptographers did in TLS.
>>> In 1995 Phil Rogaway tells everyone to use encrypt-then-MAC.
>>
>> I believe you are oversimplifying things. Indeed Rogaway suggested
>> encrypt-then-MAC, but other cryptographers were suggesting
>> MAC-then-Encrypt (authenticate what is meant not what is sent). There
>> was also no attack known for MAC-then-encrypt.
>
> Show me one cryptographer who recommended MAC-then-Encrypt.
> Also, absence of known attacks is not the same as absence of attacks.
> Encrypt-then-MAC was the conservative choice.
>
>>
>> In general it is very easy to see the obvious solution 20 years later,
>> but the challenge is to properly decide at the right time.
>
> It was obvious then: encrypt-then-MAC was known secure, while
> MAC-then-encrypt was not.
> Any excuse vanishes with Bellare-Nampare (2000). Of course, even if we
> take the best interpretation, the TLS WG frittered away 9 years after
> being informed of an attack.
>
> Sincerely,
> Watson Ladd
>>
>> regards,
>> Nikos
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email