IETF Logo Mail Archive

Re: [Cfrg] New guidance from NSA on cryptographic algorithms

Benjamin Kaduk <kaduk@MIT.EDU> Thu, 28 January 2016 03:25 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32DFC1B319D for <cfrg@ietfa.amsl.com>; Wed, 27 Jan 2016 19:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YcxSP_Gh6k90 for <cfrg@ietfa.amsl.com>; Wed, 27 Jan 2016 19:25:57 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 0432A1B3198 for <cfrg@irtf.org>; Wed, 27 Jan 2016 19:25:55 -0800 (PST)
X-AuditID: 12074422-06bff700000009a4-68-56a98a4217f9
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id F1.0A.02468.24A89A65; Wed, 27 Jan 2016 22:25:54 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u0S3Pral019274; Wed, 27 Jan 2016 22:25:53 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u0S3Pn1G031251 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 27 Jan 2016 22:25:52 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u0S3Pnhg000483; Wed, 27 Jan 2016 22:25:49 -0500 (EST)
Date: Wed, 27 Jan 2016 22:25:49 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwiJ89gGSt7bntAOHNY9ef1kQMfgsDf6fvhruKqXwLipCQ@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1601272219010.26829@multics.mit.edu>
References: <7C5502DA-0F6C-49CC-8D8A-5ED563109662@vigilsec.com> <7FEEF4D2-DCEB-47E4-9159-034BB5209844@vigilsec.com> <CAMm+LwhXHsnTitXAUZjBQ4BEtoWFk9DJ6gMEnTf-JQXya0s1Nw@mail.gmail.com> <20160127173529.GA8791@LK-Perkele-V2.elisa-laajakaista.fi> <D2CE6F5E.26147%uri@ll.mit.edu> <CAMm+LwiJ89gGSt7bntAOHNY9ef1kQMfgsDf6fvhruKqXwLipCQ@mail.gmail.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixCmqrevUtTLMoHuDnEX3j4NMFq9e3GS3 mPhhNqMDs8eF1V+ZPCZvPMzmserOF9YA5igum5TUnMyy1CJ9uwSujD3z7jMV3BGuOHi0j7WB 8QN/FyMnh4SAicSnhj7mLkYuDiGBNiaJFc37WCCcjYwS22fvZgSpEhI4xCSx42kCRKKBUWLy 1mksIAkWAW2JvumLwYrYBFQkZr7ZyAZiiwgYSDzcfIkJxGYWqJP4Mm8haxcjB4ewgKvE47Xs IGFOgUCJaZ8ngZXzCjhKXPp5DWrxLSaJjw1bweaLCuhIrN4/hQWiSFDi5MwnLBAztSSWT9/G MoFRYBaS1CwkqQWMTKsYZVNyq3RzEzNzilOTdYuTE/PyUot0TfVyM0v0UlNKNzGCwpTdRWkH 48+DSocYBTgYlXh4V4SvDBNiTSwrrsw9xCjJwaQkyquRDxTiS8pPqcxILM6ILyrNSS0+xCjB wawkwqtYDZTjTUmsrEotyodJSXOwKInz7uqYGyYkkJ5YkpqdmlqQWgSTleHgUJLgvd0B1ChY lJqeWpGWmVOCkGbi4AQZzgM03L4TZHhxQWJucWY6RP4Uo6KUOO87kGYBkERGaR5cLziN7GZS fcUoDvSKMO9PkCoeYAqC634FNJgJaPBB+eUgg0sSEVJSDYxpu+5mszdsPJbXfewN92P+hS2d 7LXSqWGLgjykfjhsZN927+XxVXYBU3cdL6wv+B6VlshfIlRa4bjCpT8xlXHBwciml/PO1DNP THs4QTOcITHlw/MHnv5LtgpH3Tas2fz7vclnK3Hm53rL0rdvKz/1wab01cXdAit1edUZ3dbP v9Igved1s48SS3FGoqEWc1FxIgClHODX/gIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/joFBCWKxu6pZ-MMUBk1Vl_ecjuI>
Cc: IRTF CFRG <cfrg@irtf.org>, Russ Housley <housley@vigilsec.com>
Subject: Re: [Cfrg] New guidance from NSA on cryptographic algorithms
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jan 2016 03:25:59 -0000

On Wed, 27 Jan 2016, Phillip Hallam-Baker wrote:

> On Wed, Jan 27, 2016 at 1:05 PM, Blumenthal, Uri - 0553 - MITLL
> <uri@ll.mit.edu> wrote:
> > On 1/27/16, 12:35 , "Cfrg on behalf of Ilari Liusvaara"
> > <cfrg-bounces@irtf.org on behalf of ilariliusvaara@welho.com> wrote:
> >
> >>On Wed, Jan 27, 2016 at 11:54:55AM -0500, Phillip Hallam-Baker wrote:
> >>> On Wed, Jan 27, 2016 at 10:38 AM, Russ Housley <housley@vigilsec.com>
> >>>wrote:
> >>> > NSA has posted some more information about their previous guidance:
> >>> >
> >>> >
> >>>https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/a
> >>>lgorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
> >>>
> >>> You can't get there using Chrome due to the SHA-1 certificate in the
> >>>path.
> >>
> >>
> >>> On the QC stuff. Of course we have to start looking at that now. But I
> >>> think we need to look at the problem on two separate tracks:
> >>>
> >>> 1) Find a public key algorithm that resists QC using Shorr's algorithm.
> >>> 2) Find a mechanism that makes symmetric key feasible in place of
> >>>public.
> >>
> >>The problem is that symmetric keys are rarely feasible due to
> >>asymptotically worse scalability (asymmetric tend to scale as O(N)
> >>while symmetric tends to scale as O(N^2).
> >
> > Kerberos was facing this problem three decades ago. I personally think
> > their solution was fine.
>
> Exactly, which was why I said Kerberos tickets.
>
> Doing Kerberos at Web scale would be horrendous and you don't get non
> repudiable signatures. It would not be fun at all. But if people told
> me today that QC was broken and gave me access to the necessary
> resources, we could deploy a kerberos type scheme in 12 months.
>
> The problem is that there would be no way to bootstrap the
> authentication system. Which is why it makes sense to use PKI while we
> can trust it.

A few people have been proposing to use PKI to make cross-realm Kerberos
"just work" recently, but there hasn't been enough manpower in kitten to
actually put things together.  We'd be happy to have more eyes on, e.g.,
draft-williams-kitten-krb5-pkcross or draft-vanrein-dnstxt-krb1 (or other
potential proposals).

There is also the question of what the realm topology would look like --
in other contexts there was talk of a central "clearinghouse" realm that
would share keys with anyone that asked, leaving trust decisions to the
end parties.  But that is not the only possible model...

-Ben

v2.23.0 | Report a Bug | By Email