IETF Logo Mail Archive

Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C Web Crypto API - moving to Last Call)

Watson Ladd <watsonbladd@gmail.com> Sat, 22 March 2014 21:11 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEEA1A0A04 for <cfrg@ietfa.amsl.com>; Sat, 22 Mar 2014 14:11:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0lJhxa5kMat for <cfrg@ietfa.amsl.com>; Sat, 22 Mar 2014 14:11:52 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECED1A0A06 for <cfrg@irtf.org>; Sat, 22 Mar 2014 14:11:51 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id b6so3825325yha.33 for <cfrg@irtf.org>; Sat, 22 Mar 2014 14:11:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=axkDHeXrRiP1RQZ8o7A8PQo3XptY5MawnpU5gxnsHcM=; b=o2LhLkz0etnCfykIMxoimTIzv1sEMFUdb8jkf5KK7p+4an3RA/8mdjzaOQupXenGEG yWJvflv2twZK3WZoEPBpJvnMSwgWWUN2Gp4bsN3NxspT2XHr5VFd6bRjtf9qtUj3Nzuj 6jSgJ98TCpWaZp7wJ9Wuzt+kGi8TocGTOLuUwcwLOCd3YViB43ogPVn3PLkQRKJre6od LN03mElTtn+UAnu3IS2GyHSua/vEeqgUZMWqhffzoVRCGXV2k33Neaw5nA/kdokfUFkI SjCHpZTAxbxnMEdnAtNL4nQ66t7ex4LFYXP+q1a15EOf4BgA+3oWpTlugE3lyrht8D+U Hi1Q==
MIME-Version: 1.0
X-Received: by 10.236.151.198 with SMTP id b46mr53053303yhk.3.1395522711647; Sat, 22 Mar 2014 14:11:51 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Sat, 22 Mar 2014 14:11:51 -0700 (PDT)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711FCF2504B@USMBX1.msg.corp.akamai.com>
References: <239D7A53E5B17B4BB20795A7977613A40207DB59F189@CROEXCFWP04.gemalto.com> <9cb524b6-c260-484e-bf44-45d52e7319a1@email.android.com> <CF522EF0.19491%kenny.paterson@rhul.ac.uk> <532D99CA.10405@cs.tcd.ie> <CF535271.19584%kenny.paterson@rhul.ac.uk> <2A0EFB9C05D0164E98F19BB0AF3708C711FCF2504B@USMBX1.msg.corp.akamai.com>
Date: Sat, 22 Mar 2014 14:11:51 -0700
Message-ID: <CACsn0ck3FY1Pro-zASvcPXO1sjTs3LSNtS9z8aofx2j-e_xQsQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/1ze-clcWMGYi_1FmPyRDVuGKKyo
Cc: "Virginie.GALINDO@gemalto.com" <Virginie.GALINDO@gemalto.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Cfrg] pkcs#1v1.5 (was: Re: [saag] Fwd: W3C Web Crypto API - moving to Last Call)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Mar 2014 21:11:55 -0000

On Sat, Mar 22, 2014 at 11:30 AM, Salz, Rich <rsalz@akamai.com> wrote:
>> I agree, this is important. But putting the already broken schemes in a new standard does not seem helpful in that regard.
>
> It's a  new API.  It's not a standardization of something that already exists, it's a brand new whole-cloth invention of something that did not exist before.  And yet, we're going to allow developers to create broken data.  "Does not seem helpful" is really understatement.
>
> Perhaps they can create read-only bindings for these insecure structures?
>
> Perhaps, as a gedanken experiment, I can propose a generalization of the symmetric encryption algorithm rot-13, which has a huge historical legacy via Usenet? The security considerations are pretty simple: "do not choose number of rounds (n) and shift size (s) such that n*s is zero mod 26."  That would seem to meet all the requirements of the current draft.

Let's be even clearer: there is no reason why crypto_box(pubkey,
seckey, message, nonce, assoc_data) cannot be provided in the API as a
safe combination of the primitives already existing, but the current
draft ignores what application developers actually want. By providing
subtle_crypto the authors are saying that PKCS 1.5 and AES-CBC aren't
problems, but AES-CTR is. (This is actually said in the current
draft). By failing to provide a safe alternative to roll your own,
they are asking developers who don't know anything about crypto to
play a Choose-Your-Own-Adventure novel where most paths end with
death.

This is the wrong approach to take. If the current draft is
implemented, expect thousands of of badly broken applications to be
built on top if it. It should be difficult to do the wrong thing, and
easy to do the right thing, but this API takes the opposite approach.

Sincerely,
Watson Ladd
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email