Re: [Cfrg] New guidance from NSA on cryptographic algorithms

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

On 28/01/16 03:25, Benjamin Kaduk wrote:
> On Wed, 27 Jan 2016, Phillip Hallam-Baker wrote:
> 
>> On Wed, Jan 27, 2016 at 1:05 PM, Blumenthal, Uri - 0553 - MITLL
>> <uri@ll.mit.edu> wrote:
>>> On 1/27/16, 12:35 , "Cfrg on behalf of Ilari Liusvaara"
>>> <cfrg-bounces@irtf.org on behalf of ilariliusvaara@welho.com> wrote:
>>>
>>>> On Wed, Jan 27, 2016 at 11:54:55AM -0500, Phillip Hallam-Baker wrote:
>>>>> On Wed, Jan 27, 2016 at 10:38 AM, Russ Housley <housley@vigilsec.com>
>>>>> wrote:
>>>>>> NSA has posted some more information about their previous guidance:
>>>>>>
>>>>>>
>>>>> https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/a
>>>>> lgorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
>>>>>
>>>>> You can't get there using Chrome due to the SHA-1 certificate in the
>>>>> path.
>>>>
>>>>
>>>>> On the QC stuff. Of course we have to start looking at that now. But I
>>>>> think we need to look at the problem on two separate tracks:
>>>>>
>>>>> 1) Find a public key algorithm that resists QC using Shorr's algorithm.
>>>>> 2) Find a mechanism that makes symmetric key feasible in place of
>>>>> public.
>>>>
>>>> The problem is that symmetric keys are rarely feasible due to
>>>> asymptotically worse scalability (asymmetric tend to scale as O(N)
>>>> while symmetric tends to scale as O(N^2).
>>>
>>> Kerberos was facing this problem three decades ago. I personally think
>>> their solution was fine.
>>
>> Exactly, which was why I said Kerberos tickets.
>>
>> Doing Kerberos at Web scale would be horrendous and you don't get non
>> repudiable signatures. It would not be fun at all. But if people told
>> me today that QC was broken and gave me access to the necessary
>> resources, we could deploy a kerberos type scheme in 12 months.
>>
>> The problem is that there would be no way to bootstrap the
>> authentication system. Which is why it makes sense to use PKI while we
>> can trust it.
> 
> A few people have been proposing to use PKI to make cross-realm Kerberos
> "just work" recently, but there hasn't been enough manpower in kitten to
> actually put things together.  We'd be happy to have more eyes on, e.g.,
> draft-williams-kitten-krb5-pkcross or draft-vanrein-dnstxt-krb1 (or other
> potential proposals).
> 
> There is also the question of what the realm topology would look like --
> in other contexts there was talk of a central "clearinghouse" realm that
> would share keys with anyone that asked, leaving trust decisions to the
> end parties.  But that is not the only possible model...

That topic ("realm topology"), including who trusts whom for what,
might be a fine thing for a small group of folks to try sketch out in
case we needed such. The content might be initial attempts to answer
the question "what if we had to use Kerberos everywhere we now use
(EC)DH or RSA key transport, what'd that look like at Internet scale?"
That work might identify bits of work that could be taken up by the
IETF kitten WG later on.

As CFRG is considering post-quantum stuff, that'd fit well here think,
if someone wanted to take a stab at it. (Sorry, I don't have time to
help with that right now.)

Cheers,
S.

> 
> -Ben
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>