IETF Logo Mail Archive

Re: [Cfrg] RFC 7748 on Elliptic Curves for Security

Watson Ladd <watsonbladd@gmail.com> Mon, 25 January 2016 19:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CA51B392B for <cfrg@ietfa.amsl.com>; Mon, 25 Jan 2016 11:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Level:
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i9MnE7jfmDSB for <cfrg@ietfa.amsl.com>; Mon, 25 Jan 2016 11:05:49 -0800 (PST)
Received: from mail-yk0-x22a.google.com (mail-yk0-x22a.google.com [IPv6:2607:f8b0:4002:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BB961B3923 for <cfrg@irtf.org>; Mon, 25 Jan 2016 11:05:49 -0800 (PST)
Received: by mail-yk0-x22a.google.com with SMTP id v14so172505361ykd.3 for <cfrg@irtf.org>; Mon, 25 Jan 2016 11:05:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VAIXvCJJVGR11AQivunBSmvG5AnG6pzXV4AFQcAkfB0=; b=KS3NsvpG6cUz4gsqUiDwPmWCr/ZTDZXR8G6lgDX3lKeb/VczTa7Q3AteHhwwW7Z048 1rLap6Ln7BTUdyCAUY0zRit4jyeNpzjSz9naA9jqE0nsdprhRSJ7DZZb0H4tWPj3KaTu a4VoRfE9oha1wvcvRqXlAITBL9XqMa+vZCzjp09bJqpMk0QFPiAbgILwPfxEBO9c4znJ uyl2UJBqoSMgAedlq8TFB9dmZs5o6vhC5Ty3BpIpzBNVmxpnYByQaYtEBLw24KbY5obq NqZqXMJZf8Q9Crtvg2woZaORO4n2+oFXvlrgiE0lerD+2fr1GeppXk5yoDQmLgLjRozi H5rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=VAIXvCJJVGR11AQivunBSmvG5AnG6pzXV4AFQcAkfB0=; b=Fe/W+vaxmF2C9+G68GBYPweyPaFYzHIugYhuLlNLnlJCBK6ALooYg86i/bA4Lpzck3 fzsK3iTztiHJ2MxFXjRQmOfs8M4PguHq+jJqDXbYicCHTx0ZpTU7YZIWaCQIgDomZlKh z9crIC5h2ifQN/yjLb7iqdPr5QRPHGWFE13DIGtt+7m9tiPbBt2KvCaVNhGtVjByFAAL UQQcax8tramMM4MnIM7x7A1PusReGtMJTc5ObBZ023HOkW2rRM48nvjhrqsi1kXini9B LrXh4uARnATmrPbjAsQQrIPT2iRLapR+Oum8gk27S02mv4iRh3yMqDZFzRV9A3k2cIv1 Ko1g==
X-Gm-Message-State: AG10YOTcRRhtuacxHL/dL4rFSaHspGv6rLpxW5hr0UHKL/lPgF7fhBqOeUTez/ZCERiFxJGcS45RIOLU9mwRnw==
MIME-Version: 1.0
X-Received: by 10.129.123.134 with SMTP id w128mr9345680ywc.345.1453748748585; Mon, 25 Jan 2016 11:05:48 -0800 (PST)
Received: by 10.13.216.150 with HTTP; Mon, 25 Jan 2016 11:05:48 -0800 (PST)
In-Reply-To: <CAMm+LwhDiEpb-t4O1xWOw0+fWZnKTP3495BDG6zu-y9OCv4VXQ@mail.gmail.com>
References: <20160123002710.B4E4818045A@rfc-editor.org> <C8C1DF70-A138-42F9-8647-DAAE9ABD3779@netapp.com> <56A4B4EA.9030004@cs.tcd.ie> <CACsn0c=G8_+CPivBv92Yj5js_F-6xdSSqS=yX7r3JaU4bPBFKw@mail.gmail.com> <CAMm+LwhDiEpb-t4O1xWOw0+fWZnKTP3495BDG6zu-y9OCv4VXQ@mail.gmail.com>
Date: Mon, 25 Jan 2016 11:05:48 -0800
Message-ID: <CACsn0ckPO6rN8hqHDLeS4m+-nqHWi+G0pGp2anSeJRv9BAZ9yA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/a4lHC0cC1PitETq6Ni3P5LoWTFM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] RFC 7748 on Elliptic Curves for Security
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2016 19:05:52 -0000

On Mon, Jan 25, 2016 at 10:43 AM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
> I disagree.
>
> The timeline in question began on Friday September 6th 2013. That was
> the day that Glenn Greenwald revealed the existence of BULLRUN and the
> attempts to sabotage open standards for crypto. It is a little over
> two years since the initial discovery of the breach.
>
> Until that point there was no reason to call into question the NSA
> curves. And it was some time later that the DUAL_EC_RNG attack was
> discovered. And it took people some time to decide on what the
> appropriate response to the curve situation was.

Actually the security issues caused by the incomplete addition
formulas have been very well known for years. Really what this reveals
is how little people care about "actual security", that is the
exploits and weaknesses in existing deployed code and standards, and
how much people care about "imagined security", the risks of
subverting standards with tools we don't even know how would work.
Why? Because you need to have some taste and knowledge to care about
actual security, but every child can understand the tale of the bad
vizir.

Remember, the NSA is actively exploiting IKEv1 PSK aggressive mode.
Everyone I've talked to about this is completely unsurprised: they
knew about the hole since the day the RFC was published. Likewise
complaints about the OpenSSL API and the difficulty of encrypting
securely have been around since the beginning, but it wasn't until
Nacl that people tried to do something about it.

>
> The other bit of history here is that people have been peddling ECC
> curves for almost 20 years without much interest in the broader
> industry. The field has been clouded by purported IP claims that have
> effectively poisoned the well for proposals.
>
> Nor was it the case that Curve 25519 was a slam dunk proposition.
> There was a very good argument for going with the completely rigid
> curves proposed by Brian and his team. The CFRG was not asked to
> standardize Curve 25519. On the contrary it was tasked with performing
> a survey of options and picking one.

Exactly right. The IETF took what, if ordinary standards of "running
code and rough consensus" were applied, would have been a short
process, and decided to run a contest, effectively paralyzing the CFRG
for two years. Part of the reason was that it would avoid
fragmentation, but instead Microsoft is asking NIST to standardize its
variants, and same with the Brainpool people. Now we're taking
tcpcrypt, and again for political reasons, turning what would be a
simple "here is what you do to run this cool thing" into a baroque
construction that will be far harder to use. Then again this is
largely the story of IKEv2 vs. JFK, and IPsec more generally.

>
> Congratulations to everyone involved and thanks for the work on what I
> believe will become one of the key building blocks for future
> cryptographic infrastructures.
>
>
>
> On Mon, Jan 25, 2016 at 11:01 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> On Sun, Jan 24, 2016 at 3:26 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>
>>> On 24/01/16 08:47, Eggert, Lars wrote:
>>>> Excellent work, all! This is one of the more important RFCs that the
>>>> IRTF has published, and will have a direct impact on Internet user
>>>> privacy.
>>>
>>> Indeed. Good work and thanks to all including those whose fav
>>> curves didn't end up being part of the RFC - the debate, hard
>>> and gnarly though it was, was also an important part of this.
>>
>> Really?
>>
>> This RFC comes some 10 years after the introduction of Curve25519, and
>> some 5-6 years after everyone realized how simple it is to write
>> crypto code when you actually care about making it simple. The
>> existence of tools like signify and minilock was thankfully not
>> dependent on our blessing, which in any case, because the result is
>> Informational, apparently doesn't exist. (Nor for that matter was the
>> adoption in OpenSSH dependent, etc., etc.)
>>
>> The process hasn't lead to increased support from industry, in fact
>> the same players are now battling it out at NIST instead. I don't know
>> that anyone who wasn't planning on supporting Curve25519 before this
>> discussion is going to introduce it now over their own prefered
>> alternative, or that it even matters for "Internet user privacy".
>> Let's Encrypt has had far more of an impact, by ending an ill-thought
>> out experiment in charging people money to secure their websites. The
>> various attacks enabled by the bugs in implementations in the NIST
>> curves generally require some precise targeting: they are not "let's
>> decrypt all the data on the Internet".
>>
>> Blake2 didn't have to go through anything like this. Nor did Camelia,
>> nor the various national elliptic curve standards. I'm glad we are
>> done with this, but let's not be self-congratulatory about our impact,
>> which in this case has been extremely negative.
>>
>>>
>>> S
>>>
>>>>
>>>> Lars
>>>>
>>>> On 2016-01-23, at 1:27, rfc-editor@rfc-editor.org wrote:
>>>>>
>>>>> A new Request for Comments is now available in online RFC
>>>>> libraries.
>>>>>
>>>>>
>>>>> RFC 7748
>>>>>
>>>>> Title:      Elliptic Curves for Security Author:     A. Langley, M.
>>>>> Hamburg, S. Turner Status:     Informational Stream:     IRTF Date:
>>>>> January 2016 Mailbox:    agl@google.com, mike@shiftleft.org,
>>>>> sean@sn3rd.com Pages:      22 Characters: 39298
>>>>> Updates/Obsoletes/SeeAlso:   None
>>>>>
>>>>> I-D Tag:    draft-irtf-cfrg-curves-11.txt
>>>>>
>>>>> URL:        https://www.rfc-editor.org/info/rfc7748
>>>>>
>>>>> DOI:        http://dx.doi.org/10.17487/RFC7748
>>>>>
>>>>> This memo specifies two elliptic curves over prime fields that
>>>>> offer a high level of practical security in cryptographic
>>>>> applications, including Transport Layer Security (TLS).  These
>>>>> curves are intended to operate at the ~128-bit and ~224-bit
>>>>> security level, respectively, and are generated deterministically
>>>>> based on a list of required properties.
>>>>>
>>>>> This document is a product of the Crypto Forum Research Group of
>>>>> the IRTF.
>>>>>
>>>>>
>>>>> INFORMATIONAL: This memo provides information for the Internet
>>>>> community. It does not specify an Internet standard of any kind.
>>>>> Distribution of this memo is unlimited.
>>>>>
>>>>> This announcement is sent to the IETF-Announce, rfc-dist and
>>>>> IRTF-Announce lists.To subscribe or unsubscribe, see
>>>>> https://www.ietf.org/mailman/listinfo/ietf-announce
>>>>> https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>>>>> https://www.irtf.org/mailman/listinfo/irtf-announce
>>>>>
>>>>> For searching the RFC series, see
>>>>> https://www.rfc-editor.org/search For downloading RFCs, see
>>>>> https://www.rfc-editor.org/rfc.html
>>>>>
>>>>> Requests for special distribution should be addressed to either
>>>>> the author of the RFC in question, or to rfc-editor@rfc-editor.org.
>>>>> Unless specifically noted otherwise on the RFC itself, all RFCs are
>>>>> for unlimited distribution.
>>>>>
>>>>>
>>>>> The RFC Editor Team Association Management Solutions, LLC
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________ Cfrg mailing list
>>>> Cfrg@irtf.org https://www.irtf.org/mailman/listinfo/cfrg
>>>>
>>>
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>>
>>
>> --
>> "Man is born free, but everywhere he is in chains".
>> --Rousseau.
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email