Re: [Cfrg] CFRG and thwarting pervasive montoring

Watson Ladd <> Sun, 29 December 2013 22:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0E4E41AE31C for <>; Sun, 29 Dec 2013 14:11:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FYArlSBHlBiH for <>; Sun, 29 Dec 2013 14:11:45 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c00::229]) by (Postfix) with ESMTP id 43A041AE31F for <>; Sun, 29 Dec 2013 14:11:43 -0800 (PST)
Received: by with SMTP id y10so13596914wgg.2 for <>; Sun, 29 Dec 2013 14:11:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=FMh6tTWf/VJRISQpNsuHrEUqrn5ALb0f+KnX8xjJslU=; b=alWY35A2QN1zTrRqWa6ZhJ+8bYgXAt64XDWpo5/UoXQVhhWCrVUxlHezEpWcTxxQi9 CzgXuzoXtw0lVTuUFEdnBWt461ld4t+JWp6doUpJzUPiuSLS+DqkN+kPNXlFslTCMLyX uno4OoC2939WdTx4HWST+ZOjAZFBgCOELijeGR0iMTFU/fctigmIikuczFRDtSDxD4qM SfumEKGQvMPm+l8xMHGsjhjbwgYg2sXyAAJN3zdDSQm6C7fC4zofYsZDCL9CPgcArLx7 XwrWdIHPBjaDDnoz7HUve+UwJC8UgHhnyWazgRYSi+H0FGgqbgLLJUmsFI9rJXi9KADt a4bQ==
MIME-Version: 1.0
X-Received: by with SMTP id k18mr41551905wic.44.1388355097139; Sun, 29 Dec 2013 14:11:37 -0800 (PST)
Received: by with HTTP; Sun, 29 Dec 2013 14:11:37 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
Date: Sun, 29 Dec 2013 17:11:37 -0500
Message-ID: <>
From: Watson Ladd <>
To: Stephen Farrell <>,, "" <>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [Cfrg] CFRG and thwarting pervasive montoring
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 29 Dec 2013 22:11:47 -0000

On Sun, Dec 29, 2013 at 4:26 PM, Stephen Farrell
<> wrote:
> On 12/29/2013 09:12 PM, Paul Hoffman wrote:
>> On Dec 29, 2013, at 11:12 AM, Stephen Farrell
>> <> wrote:
>>> . . .
>>> I would love to see ongoing detailed work within CFRG as to how to
>>> counter pervasive monitoring.
>> Wearing your perpass hat, how can CFRG help? I ask this because I
>> have seen little on the perpass mailing list that indicated that an
>> even minor problem has been lack of crypto, or the use of crypto that
>> is thought to be breakable. What type of crypto research or
>> assessment would help perpass?

Sending to perpass to get feedback on this question.

>> Note that deprecating the use of crypto that is widely known to be
>> broken is the purview of IETF WGs, not the CFRG. The relevant WGs
>> (particularly TLS) seem to already be doing that.

I don't agree with this assessment: the BCP Yaron Sheffer wrote on
depreciating RC4 got kicked
to the newly formed UTA WG, which has done nothing with it. The
biggest changes here have
been AGL pushing stuff into Chrome, but he can't do the server side
nearly as easily. It's been
a controversial topic in the TLS WG, even with Marsh Ray and AGL pushing for it.

> One question might be whether some modes of operation are
> really inherently more likely to have side-channels in their
> implementation or not and whether the impact of that might
> be practically usable by an attacker.

That assumes crypto is being used, and can hide the relevant information.
DNS is still in cleartext, and even HTTPS reveals what sites you are looking at.
The only fixes are PIR protocols, onion routing, and related tricks. We can also
try to reduce what is revealed: version numbers, configurations, and options can
be quite interesting for targeting, particularly if they are linkable
across sessions.

Side-channels are fixable with good, freely usable implementations: I
don't understand
why we are concerned with bad implementers. (Of course, the standard
needs to allow
a good side channel free implementation.) The lazy would rather copy
than innovate incorrectly.

Anyway, AES-GCM has side channel issues, but with HMAC+Salsa20/Chacha
or Chacha/Poly1305
it is easier to avoid them with as they have efficient circuits which
CPUs can do.

> Another might relate to whether things like nonces might
> provide a way for borked implementations to leak key bits
> and if so, whether there are practical ways for susceptible
> protocols to mitigate that, or bits of advice that should
> be included in such protocol specs. (And finding some
> susceptible protocols would be cool too if CFRG folks were
> willing.)

As in leak a key via the bits of an IV? That's not borked but
deliberate. For signing quite a few covert channels are known in
ECDSA. This is rumored to be an issue in the Test Ban Treaty negotiations,
but good luck finding out about that!

The easy countermeasure for some algorithms is to use nonces that are
implicit, incrementing with message number. That way
each peer enforces the algorithm on the other. Robert Ransom deserves
credit for this recognition AFAIK,
but I am sure this has been done before.

> I'm sure clever folk can come up with more once they start
> to think about it.
> S.
>> --Paul Hoffman
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin