Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
Taylor R Campbell <campbell+cfrg@mumble.net> Mon, 02 November 2015 14:30 UTC
Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C87FA1B3720 for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2015 06:30:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZzFYBl9Zs2jn for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2015 06:30:54 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id B9D901B3742 for <cfrg@irtf.org>; Mon, 2 Nov 2015 06:30:54 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id 66376604CF; Mon, 2 Nov 2015 14:30:44 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: Harry Halpin <hhalpin@w3.org>
In-reply-to: <5636A760.8080207@w3.org> (hhalpin@w3.org)
Date: Mon, 02 Nov 2015 14:30:53 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
User-Agent: IMAIL/1.21; Edwin/3.116; MIT-Scheme/9.1.99
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20151102143044.66376604CF@jupiter.mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/hKbyBnTD3x_PU0KBV8w8YVRBNp8>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] WebCrypto Security Guidelines into IRTF Informational Draft?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 14:30:57 -0000
Date: Sun, 01 Nov 2015 18:59:28 -0500 From: Harry Halpin <hhalpin@w3.org> Note we did a update taking into account the last round of feedback of the CFRG, and we'd like to ask CFRG if they are any objections to moving this forward. I can file and Internet Draft tomorrow if there are no objections to moving it forward. Input from end-users of the WebCrypto W3C draft said a security guideline document would help them, so we'd like to have this resource available and myself and INRIA can maintain it. Developers will mostly look at the "Yes/No" table for future use. First impression, looking at Table 1: If I were J. Random Web Developer, I wouldn't have the foggiest idea what most of the ETLA soup there means. I know -- as J. Random Web Developer -- that I want RSA and AES and MD5, because I grew up hearing about them -- but what are RSAES-PKCS1-v1_5 and RSA-OAEP and RSASSA-PKCS1-v1_5 and RSA-PSS, and why isn't MD5 listed, and how do I just send a message from one agent to another agent who have known-good public information about one another? Users of crypto need to know what security properties the crypto gives them and what their responsibilities are for using it. What's in this document isn't guidelines for developers -- it's citations for an audience of cryptographers (if that). If you want guidelines for developers, it would be much more helpful to organize the algorithms by protocol, e.g. public-key authenticated encryption, giving for each protocol what its threat model and user responsibilities are, and giving for each algorithm its conjectured security level and any additional caveats. It is common practice, but calling AES-CTR and AES-GCM both `modes' of AES is terribly confusing for non-cryptographers -- one of them is a mere (unauthenticated) encryption function; the other is an authenticated encryption function. NaCl sensibly distinguishes them by calling them, e.g., crypto_stream_xor_aes128ctr and crypto_secretbox_aes128gcm, not by calling them `modes' of AES. Some of the entries in the table are individual algorithms with fixed parameters and specific security properties, such as SHA-256. But some are large families, such as `RSA-PSS' and `ECDH', with tremendous variance in quantitative and qualitative security properties across the family. Mixing categories like this in a single table is bound to cause confusion -- and leaving it up to developers to pick parameters like group modulus size for finite-field DH, let alone curve for elliptic-curve DH, is just asking for trouble. Implementations of RSA, finite-field DH, elliptic-curve DH over all but a few select curves, and AES, are all historically riddled with timing side channels. It is more important for application developers to know about side channels than to know about the details of theoretical security reductions. If you are going to emphasize theoretical security reductions (`security proofs'), then at the very least you should identify what the security of a construction reduces to. For example, RSASSA-PKCS1-v1_5 and RSA-PSS rely on collision resistance of the hash function, which MD5 flunked; Ed25519 relies only on target collision resistance, which to my knowledge nobody has broken for MD5 nor even shown progress toward. Reliance on collision resistance of the hash function led to certificate forgery in the wild by nation-state actors with MD5. Part of identifying security levels is qualitative properties of the best attacks: - The best attack on a single ECDH or FFDH function involves a single large precomputation to solve ECDLP or FFDLP in that group -- and then the attacker can quickly decrypt every past recorded key exchange. For RFC 2409 Group 2, namely (Z/pZ)^* over a 1024-bit prime p, that precomputation is feasible today; for Curve25519, it's not. - The best attack on AES-128 is on multiple targets simultaneously, with no precomputation -- 2^n time to attack any of 2^k targets in parallel can give success probability ~2^-(128 - n - k), typically much larger than what one might naively expect, ~2^-(128 - n). Hence a common choice to use AES-256 instead of AES-128 for a 128-bit aggregate security level. - For many applications, long-term confidentiality matters more than long-term authenticity: signing keys may expire in a year but the NSA keeps all your ciphertext for eternity to try decrypting it later if they ever manage to build a quantum computer. So for confidentiality properties, the post-quantum security level is worth considering now. These qualitative properties needn't necessarily be given in detail as guidelines to developers, but they are relevant to what you advertise as the security level of, e.g., AES-128, or RSA-OAEP over a 2048-bit modulus.
- [Cfrg] WebCrypto Security Guidelines into IRTF In… Harry Halpin
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Watson Ladd
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Taylor R Campbell
- Re: [Cfrg] WebCrypto Security Guidelines into IRT… Simon Josefsson