IETF Logo Mail Archive

Re: [Cfrg] how can CFRG improve cryptography in the Internet?

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 11 February 2014 06:40 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF361A04C6 for <cfrg@ietfa.amsl.com>; Mon, 10 Feb 2014 22:40:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egM9eqMa9iAm for <cfrg@ietfa.amsl.com>; Mon, 10 Feb 2014 22:40:36 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 7AADA1A08D2 for <cfrg@irtf.org>; Mon, 10 Feb 2014 22:40:36 -0800 (PST)
Received: from [192.168.13.108] (lair.fifthhorseman.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 9A71BF984 for <cfrg@irtf.org>; Tue, 11 Feb 2014 01:40:34 -0500 (EST)
Message-ID: <52F9C5E0.60603@fifthhorseman.net>
Date: Tue, 11 Feb 2014 01:40:32 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <52F8ED2D.4060502@comodo.com> <20140211050902.5D2022280AE@palinka.tinho.net> <CACsn0cm8LVwf6c0AO-U3rsxo0cAY=DWJB=4SqxWct6NGD=AQHA@mail.gmail.com>
In-Reply-To: <CACsn0cm8LVwf6c0AO-U3rsxo0cAY=DWJB=4SqxWct6NGD=AQHA@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="a4wG28pV5h8B97jEwiwloKo4R9aQkELHp"
Subject: Re: [Cfrg] how can CFRG improve cryptography in the Internet?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 06:40:39 -0000

On 02/11/2014 12:47 AM, Watson Ladd wrote:
> There is an assumption being made here: that algorithms will age
> badly. This assumption is largely unwarranted.

As the person who suggested "expiring" algorithms or protocols, i should
probably point out that this is *not* my underlying assumption.

My assumption was that we gain knowledge and experience, and in light of
the new knowledge and experience, *some* algorithms or protocols do not
hold up well (as you document clearly about hash functions and SSLv3).

In hindsight, we know which mechanisms didn't hold up; but during
deployment, that's not necessarily knowable.  Presumably we believe the
code we're deploying to be reasonably strong when we deploy it; and we
assume that it will hold up over time, but we don't know.

Introducing an "expiration" date is a mechanism for ensuring that the
software actively validates that assumption against some external source
at some point.  It's even possible that the source could say "carry on;
algorithm X should have its expiration date extended to June of 2020".

The alternative might be what we have today: a bunch of known-broken
algorithms, widely-deployed, with no clear termination date, so everyone
keeps on deploying them, because we keep expecting to need to
interoperate with these interminably-unsupportable known-bad
implementations.

If there are other ideas about how to avoid this problem besides
expiration or revocation, i'd love to hear some suggestions.  What we
have now doesn't seem to be working to get the 'net switched over to
known-good tools with any sort of plausible speed, even as known
weaknesses are present.

> Protocols with reductions remain
> secure so long as the fundamental problems they reduce to remain hard.

Even with a security reduction, it's possible that researchers discover
that the security model used with the reduction doesn't actually apply
in a real-world scenario where the algorithm was actually used; or that
the algorithm's resistance to online attack in a given instance (or with
given parameters) can be weakened with some sort of novel massive
pre-computation that we didn't expect to be feasible; or some other
break in the relationship between the model and reality that no one foresaw.

If there is consensus that any of these cryptanalysis failures happened,
having an expiration or a globalized check for revocation would provide
a way to disable a mechanism for a given use.

Regards,

	--dkg

v2.23.0 | Report a Bug | By Email