IETF Logo Mail Archive

Re: [Cfrg] NSA sabotaging crypto standards

Watson Ladd <watsonbladd@gmail.com> Fri, 07 February 2014 17:10 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37A331AC829 for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 09:10:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wfIHQUYiuiUF for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 09:10:15 -0800 (PST)
Received: from mail-wg0-x231.google.com (mail-wg0-x231.google.com [IPv6:2a00:1450:400c:c00::231]) by ietfa.amsl.com (Postfix) with ESMTP id EA3F51A03EC for <cfrg@irtf.org>; Fri, 7 Feb 2014 09:10:14 -0800 (PST)
Received: by mail-wg0-f49.google.com with SMTP id a1so2423571wgh.28 for <cfrg@irtf.org>; Fri, 07 Feb 2014 09:10:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=RyHCzUlfOdJRKE+tN6OV/yYjUCBMItlc6DkoArUFUF0=; b=rbVfi26pvyWm45TE+ohfXzapvstlT6GfoKQTBL8LNCiutzmgyehn3xbj/yM87cIBXt UYDRgJ4GO6St7tzkAcD7voJ4KKsIEcMhIMvXLhMrIzN//0fryoEI3IfDfHrnvTJ289R8 avH8Dk1/horvVSm86x0pBdL9j39TibjJUzmPRe6Ll+7JF1AoICOKFLQowLUwKp42CzUF 482Q9KgwH81mzKEiQFJSGBBzIUy0XDLbmCb52ynJj9rqoy9cdZVsVFLm0aUVpP4arIam KEUcSErX75ZalHLTkeHjS/AnXGUDewUoTTmEny2KXqR5opL6U84LC1wReDF8Y0jNgSt5 FpxQ==
MIME-Version: 1.0
X-Received: by 10.180.95.162 with SMTP id dl2mr664472wib.17.1391793013985; Fri, 07 Feb 2014 09:10:13 -0800 (PST)
Received: by 10.194.250.101 with HTTP; Fri, 7 Feb 2014 09:10:13 -0800 (PST)
In-Reply-To: <52f50c59.aa1b8c0a.77c0.4985SMTPIN_ADDED_MISSING@mx.google.com>
References: <CACsn0ckOL8xdp5z7DdB9wyHhFpax0DhVXjsUMuGj39HgKk4YBA@mail.gmail.com> <52f50c59.aa1b8c0a.77c0.4985SMTPIN_ADDED_MISSING@mx.google.com>
Date: Fri, 07 Feb 2014 09:10:13 -0800
Message-ID: <CACsn0cnYkDwyAdwdf0+-JtksWu4NhKPr3L2emG2b3kFDe5v6hg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "nmav@gnutls.org" <nmav@gnutls.org>
Subject: Re: [Cfrg] NSA sabotaging crypto standards
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 17:10:18 -0000

On Fri, Feb 7, 2014 at 8:39 AM, Blumenthal, Uri - 0558 - MITLL
<uri@ll.mit.edu> wrote:
> Don Johnson, for one. Carl Meyer. (Yes, those guys who invented Lucifer and DES ciphers.)
>
> You keep forgetting (or simply aren't old enough to be aware?) of how things were done back when the "Cryptography: The New Dimension" book was published.
>
> The standard was "MAC, then Encrypt", and it had reasons for doing things in that order. In fact, SNMP was the first IETF protocol (circa 1992-1994) to diverge from that approach, and it took some flak for not doing what was the conventional wisdom of that day.

Was that flack informed? Or was it coming from people who didn't
really understand the mathematics behind crypto? Were those reasons
informed? Just because everyone was making the same mistakes doesn't
make those mistakes less serious. Even if we make Bellare-Nampare the
point at which no one should have done MAC then Encrypt, that was 13
years ago. Bard explained BEAST 9 years before the demonstration.

The best you can say is that the TLS WG was woefully slow in
responding to the changing situation.

>
> Since then the priorities and the attacks changed, and now "Encrypt-then-MAC" is the standard.
>
> Watson, I'd like to join other suggesting that you become less combative here. I'm not a "peacenik" myself, but any patience has a limit.

What should the CFRG and the IETF do more broadly to ensure that
blunders as serious as the ones above don't happen again? What has the
CFRG done to ensure that other 90's era protocols have these problems
addressed, particularly when the WGs responsible have disbanded?
Should we simply let sleeping dogs lie, and work on ensuring that new
protocols don't make similar mistakes?
I'm here to fix the problems: explain what I need to do to fix them,
and I'll do it.

Sincerely,
Watson
>
> --
> Regards,
> Uri Blumenthal                            Voice: (781) 981-1638
> Cyber Systems and Technology   Fax:   (781) 981-0186
> MIT Lincoln Laboratory                Cell:  (339) 223-5363
> 244 Wood Street                        Email: <uri@ll.mit.edu>
> Lexington, MA  02420-9185
>
> Web:  http://www.ll.mit.edu/CST/
>
>
>
> MIT LL Root CA:
>
>  <https://www.ll.mit.edu/labcertificateauthority.html>
>
>
> DSN:   478-5980 ask Lincoln ext.1638
>
> ----- Original Message -----
> From: Watson Ladd [mailto:watsonbladd@gmail.com]
> Sent: Friday, February 07, 2014 11:28 AM
> To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
> Cc: cfrg@irtf.org <cfrg@irtf.org>
> Subject: Re: [Cfrg] NSA sabotaging crypto standards
>
> On Fri, Feb 7, 2014 at 8:11 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
>> On 02/07/2014 04:59 PM, Watson Ladd wrote:
>>
>>> But let's go into detail about how well the cryptographers did in TLS.
>>> In 1995 Phil Rogaway tells everyone to use encrypt-then-MAC.
>>
>> I believe you are oversimplifying things. Indeed Rogaway suggested
>> encrypt-then-MAC, but other cryptographers were suggesting
>> MAC-then-Encrypt (authenticate what is meant not what is sent). There
>> was also no attack known for MAC-then-encrypt.
>
> Show me one cryptographer who recommended MAC-then-Encrypt.
> Also, absence of known attacks is not the same as absence of attacks.
> Encrypt-then-MAC was the conservative choice.
>
>>
>> In general it is very easy to see the obvious solution 20 years later,
>> but the challenge is to properly decide at the right time.
>
> It was obvious then: encrypt-then-MAC was known secure, while
> MAC-then-encrypt was not.
> Any excuse vanishes with Bellare-Nampare (2000). Of course, even if we
> take the best interpretation, the TLS WG frittered away 9 years after
> being informed of an attack.
>
> Sincerely,
> Watson Ladd
>>
>> regards,
>> Nikos
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email