Re: [Cfrg] how can CFRG improve cryptography in the Internet?
"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 12 February 2014 20:01 UTC
Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF731A09EA for <cfrg@ietfa.amsl.com>; Wed, 12 Feb 2014 12:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.448
X-Spam-Level:
X-Spam-Status: No, score=-7.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pY6zjoEuoPcg for <cfrg@ietfa.amsl.com>; Wed, 12 Feb 2014 12:01:37 -0800 (PST)
Received: from nsa.gov (emvm-gh1-uea08.nsa.gov [63.239.67.9]) by ietfa.amsl.com (Postfix) with ESMTP id 0DF531A0710 for <cfrg@irtf.org>; Wed, 12 Feb 2014 12:01:35 -0800 (PST)
X-TM-IMSS-Message-ID: <a3c670c80006534c@nsa.gov>
Received: from MSHT-GH1-UEA02.corp.nsa.gov ([10.215.227.181]) by nsa.gov ([63.239.67.9]) with ESMTP (TREND IMSS SMTP Service 7.1; TLSv1/SSLv3 AES128-SHA (128/128)) id a3c670c80006534c ; Wed, 12 Feb 2014 15:00:26 -0500
Received: from MSMR-GH1-UEA10.corp.nsa.gov (10.215.228.27) by MSHT-GH1-UEA02.corp.nsa.gov (10.215.227.181) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 12 Feb 2014 15:01:09 -0500
Received: from MSMR-GH1-UEA03.corp.nsa.gov ([10.215.224.3]) by MSMR-GH1-UEA10.corp.nsa.gov ([10.215.228.27]) with mapi id 14.01.0289.001; Wed, 12 Feb 2014 15:01:09 -0500
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: 'Watson Ladd' <watsonbladd@gmail.com>, "dan@geer.org" <dan@geer.org>
Thread-Topic: [Cfrg] how can CFRG improve cryptography in the Internet?
Thread-Index: AQHPJudgyc1QE4g2rUG1hhVkMUAHg5qv35+AgAIjsMA=
Date: Wed, 12 Feb 2014 20:01:09 +0000
Message-ID: <3C4AAD4B5304AB44A6BA85173B4675CABA9D2ED8@MSMR-GH1-UEA03.corp.nsa.gov>
References: <52F8ED2D.4060502@comodo.com> <20140211050902.5D2022280AE@palinka.tinho.net> <CACsn0cm8LVwf6c0AO-U3rsxo0cAY=DWJB=4SqxWct6NGD=AQHA@mail.gmail.com>
In-Reply-To: <CACsn0cm8LVwf6c0AO-U3rsxo0cAY=DWJB=4SqxWct6NGD=AQHA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.215.228.153]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] how can CFRG improve cryptography in the Internet?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 20:01:41 -0000
Watson et al: > > There is an assumption being made here: that algorithms will age badly. > This assumption is largely unwarranted. > First off, software does not decay. It does not develop security > problems spontaneously. Protocols with reductions remain secure so long > as the fundamental problems they reduce to remain hard. > I'd disagree slightly in that Moore's law says that the computational cost of an attack halves every 18 months. If one assumes Moore's law will continue to apply, eventually its rising tide will engulf any given choice of parameter sizes. Certainly Moore's Law must eventually grind to a halt, but over the years I've lost good money by drawing a line in the sand that I bet Moore's law could never get past. There are, of course, more pressing issues than worrying about Moore's law. > -----Original Message----- > From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Watson Ladd > Sent: Tuesday, February 11, 2014 12:48 AM > To: dan@geer.org > Cc: cfrg@irtf.org > Subject: Re: [Cfrg] how can CFRG improve cryptography in the Internet? > > On Mon, Feb 10, 2014 at 9:09 PM, <dan@geer.org> wrote: > > > > > No-longer-deemed-secure algorithms aren't the only security > > problems > facing out-of-date cryptographic software. So why not go > > one step > further and make the cryptographic software itself > expire? > > > > > > Might I extend this to crypto-in-hardware-in-embedded-systems? > > > > In other words, absolutely all embedded systems must either have a > > remote upgrade capability or a not-to-exceed pre-defined lifetime. > > There is an assumption being made here: that algorithms will age badly. > This assumption is largely unwarranted. > First off, software does not decay. It does not develop security > problems spontaneously. Protocols with reductions remain secure so long > as the fundamental problems they reduce to remain hard. > I'd disagree slightly in that Moore's law says that the computational cost of an attack halves every 18 months. If one assume Moore's law will continue to apply, inevitably the rising tide will engulf any give choice of parameter sizes. Of course Moore's Law must eventually grind to a halt, but over the years I've lost good money by drawing a line in the sand that I bet Moore's law could never get past. > The reasons why a piece of hardware made in 1996 would, 17 years later, > be no longer secure if properly designed in the first place, would > likely be the hash function. IDEA remains secure, even with the small > block causing fun at 4 GB. Blowfish is unlikely to have been done in > hardware. Triple DES would be fine today, but single DES would have > been on the way out due to the small 2^56 key size. > > Public key would likely be RSA. The big advances in algorithms were all > known at that point, so one just has to play the Moore's law game. > For ECC the security situation looks the same, and for Diffie-Hellman > over prime fields, I don't recall. > > The hash function would have died: it would have been MD5. With any > luck they would have used signature schemes that avoid falling to > simple collisions, but that's unlikely for RSA. > > The big problem is that the standards were and are so terrible. SSL v3 > made 3 mistakes: predictable IVs, a complex state machine, and exposing > a CBC padding oracle. PKCS 1.5 had lots wrong with it. For this > hardware to be useful, it wouldn't have made it to 2013 without massive > problems beyond the weak hash. > > Sincerely, > Watson Ladd > > -- > "Those who would give up Essential Liberty to purchase a little > Temporary Safety deserve neither Liberty nor Safety." > -- Benjamin Franklin > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.t… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Paul Lambert
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Yoav Nir
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Robert Ransom
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Paul Lambert
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Michael Hamburg
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Watson Ladd
- [Cfrg] publishing dragonfly (was: Re: 2^40. I can… David McGrew
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Manger, James
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- [Cfrg] NSA sabotaging crypto standards Manger, James
- Re: [Cfrg] NSA sabotaging crypto standards Alexandre Anzala-Yamajako
- Re: [Cfrg] how can CFRG improve cryptography in t… Rob Stradling
- Re: [Cfrg] NSA sabotaging crypto standards Eggert, Lars
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Dan Harkins
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Nikos Mavrogiannopoulos
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- [Cfrg] how can CFRG improve cryptography in the I… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… dan
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… Tom Ritter
- Re: [Cfrg] how can CFRG improve cryptography in t… Igoe, Kevin M.
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Paul Lambert
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Geoffrey Waters
- Re: [Cfrg] how can CFRG improve cryptography in t… S Moonesamy
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew