IETF Logo Mail Archive

[Cfrg] how can CFRG improve cryptography in the Internet?

David McGrew <mcgrew@cisco.com> Fri, 07 February 2014 19:04 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87A6F1A01B0 for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 11:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.036
X-Spam-Level:
X-Spam-Status: No, score=-15.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MK6EFPX9z1Q for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 11:04:14 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 6037F1A018C for <cfrg@irtf.org>; Fri, 7 Feb 2014 11:04:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7271; q=dns/txt; s=iport; t=1391799854; x=1393009454; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=wrx5f/Qpv+iGh7AV9VqTLAaKetcnuo9uQ83uft4qsJY=; b=FB653n5imheK/bPwOUulFAJE7Jhq8aSvdT8H852DSQ29IRghOybV4WsL rUOL2qqt208FpPhwiJf07goYEPZQzEfJAsiI07GTw0uSAZsSKSGOtPjGf sh0JjaunB2j3YNE7gK8IK7w3XdlnFbiVB6/uUujCEfVERGvJnNAiRnpne I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah8FAKst9VKtJV2b/2dsb2JhbABWA4MMOL8/gQ4WdIIlAQEBBAEBATUzAwUFAQwEHAQBAQEJFggHCQMCAQIBDwYfCQgGDQEFAgIFEodWAxENw0kNiEQXjFcPGYEcCgEGAUAQBwYLhCcEiUmKeYF9gWyGSIYWA4VAg0segSwBCBcE
X-IronPort-AV: E=Sophos;i="4.95,802,1384300800"; d="scan'208";a="302427812"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-1.cisco.com with ESMTP; 07 Feb 2014 19:04:13 +0000
Received: from [10.0.2.15] (rtp-mcgrew-8913.cisco.com [10.117.10.228]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s17J4Dp1024725; Fri, 7 Feb 2014 19:04:13 GMT
Message-ID: <52F52E2D.8090104@cisco.com>
Date: Fri, 07 Feb 2014 14:04:13 -0500
From: David McGrew <mcgrew@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>
References: <CACsn0ckOL8xdp5z7DdB9wyHhFpax0DhVXjsUMuGj39HgKk4YBA@mail.gmail.com> <52f50c59.aa1b8c0a.77c0.4985SMTPIN_ADDED_MISSING@mx.google.com> <CACsn0cnYkDwyAdwdf0+-JtksWu4NhKPr3L2emG2b3kFDe5v6hg@mail.gmail.com>
In-Reply-To: <CACsn0cnYkDwyAdwdf0+-JtksWu4NhKPr3L2emG2b3kFDe5v6hg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "nmav@gnutls.org" <nmav@gnutls.org>
Subject: [Cfrg] how can CFRG improve cryptography in the Internet?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 19:04:16 -0000

Hi All,

it is healthy to have a discussion on what CFRG and IETF can do 
differently to improve security and privacy in the Internet.

Ultimately, we are not limited by the current CFRG charter, but rather 
by our collective willingness to do the work that needs to be done, and 
I suppose on our ability to develop enough rough consensus about what 
needs to be done.   We do have a charter that we need to stick to at 
present, but we can do more within that charter, and we can consider 
changes to the charter if we think those are needed.   (Though note that 
we would need to get those changes approved.)

An approach that might work for us is to develop replacement mechanisms 
for the ones in current use that we think need to be replaced, keeping 
in mind that the actual replacement might take ten years or so, or might 
never happen.   At the same time, we can document the problems with 
existing mechanisms, to help provide a motivation for that replacement.

It is worthwhile to keep in mind the interoperability problems that can 
be caused by changes in cryptography, and the inertia created by all of 
those millions of crypto implementations that are currently in use.   We 
can't expect new crypto to appear in a five year old piece of software 
that is no longer supported by its creator, for instance, and that will 
slow down adoption of newer crypto, no matter how much better it is.   
As a practical matter, we also need to realize that many users of 
cryptography believe that there is no economic justification for 
deploying new crypto until breaking the old crypto scheme is so easy 
that a script kiddie can do it with a backtrack CD-ROM.   The burden is 
on us to provide this justification.

At the same time, I share the frustration that too much bad cryptography 
is in use, which should have been replaced long ago. The fact that it 
might take years to replace is no excuse not to start the process now.   
I'm thinking of RADIUS and other protocols that are used with 
human-generated passwords (and are not PAKE systems) in particular.   It 
would be *great* to have CFRG document what protocols are bad, and how 
bad they are, in a way that we could demonstrate expert consensus on our 
opinions. If we did a decent job, I bet we could get a slot in front of 
the IESG or some other responsible IETF group.   I am confident that, if 
we can offer IETF good information about the security of current 
standards, they will find a way to propagate and use that information.

An aside: a history of crypto protocols at IETF might provide some 
useful perspective; maybe a couple of people who were involved would be 
willing to write up something?    It might be useful to focus on one 
case study where things were done wrong, and one where things were done 
right.

David

On 02/07/2014 12:10 PM, Watson Ladd wrote:
> On Fri, Feb 7, 2014 at 8:39 AM, Blumenthal, Uri - 0558 - MITLL
> <uri@ll.mit.edu> wrote:
>> Don Johnson, for one. Carl Meyer. (Yes, those guys who invented Lucifer and DES ciphers.)
>>
>> You keep forgetting (or simply aren't old enough to be aware?) of how things were done back when the "Cryptography: The New Dimension" book was published.
>>
>> The standard was "MAC, then Encrypt", and it had reasons for doing things in that order. In fact, SNMP was the first IETF protocol (circa 1992-1994) to diverge from that approach, and it took some flak for not doing what was the conventional wisdom of that day.
> Was that flack informed? Or was it coming from people who didn't
> really understand the mathematics behind crypto? Were those reasons
> informed? Just because everyone was making the same mistakes doesn't
> make those mistakes less serious. Even if we make Bellare-Nampare the
> point at which no one should have done MAC then Encrypt, that was 13
> years ago. Bard explained BEAST 9 years before the demonstration.
>
> The best you can say is that the TLS WG was woefully slow in
> responding to the changing situation.
>
>> Since then the priorities and the attacks changed, and now "Encrypt-then-MAC" is the standard.
>>
>> Watson, I'd like to join other suggesting that you become less combative here. I'm not a "peacenik" myself, but any patience has a limit.
> What should the CFRG and the IETF do more broadly to ensure that
> blunders as serious as the ones above don't happen again? What has the
> CFRG done to ensure that other 90's era protocols have these problems
> addressed, particularly when the WGs responsible have disbanded?
> Should we simply let sleeping dogs lie, and work on ensuring that new
> protocols don't make similar mistakes?
> I'm here to fix the problems: explain what I need to do to fix them,
> and I'll do it.
>
> Sincerely,
> Watson
>> --
>> Regards,
>> Uri Blumenthal                            Voice: (781) 981-1638
>> Cyber Systems and Technology   Fax:   (781) 981-0186
>> MIT Lincoln Laboratory                Cell:  (339) 223-5363
>> 244 Wood Street                        Email: <uri@ll.mit.edu>
>> Lexington, MA  02420-9185
>>
>> Web:  http://www.ll.mit.edu/CST/
>>
>>
>>
>> MIT LL Root CA:
>>
>>   <https://www.ll.mit.edu/labcertificateauthority.html>
>>
>>
>> DSN:   478-5980 ask Lincoln ext.1638
>>
>> ----- Original Message -----
>> From: Watson Ladd [mailto:watsonbladd@gmail.com]
>> Sent: Friday, February 07, 2014 11:28 AM
>> To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
>> Cc: cfrg@irtf.org <cfrg@irtf.org>
>> Subject: Re: [Cfrg] NSA sabotaging crypto standards
>>
>> On Fri, Feb 7, 2014 at 8:11 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
>>> On 02/07/2014 04:59 PM, Watson Ladd wrote:
>>>
>>>> But let's go into detail about how well the cryptographers did in TLS.
>>>> In 1995 Phil Rogaway tells everyone to use encrypt-then-MAC.
>>> I believe you are oversimplifying things. Indeed Rogaway suggested
>>> encrypt-then-MAC, but other cryptographers were suggesting
>>> MAC-then-Encrypt (authenticate what is meant not what is sent). There
>>> was also no attack known for MAC-then-encrypt.
>> Show me one cryptographer who recommended MAC-then-Encrypt.
>> Also, absence of known attacks is not the same as absence of attacks.
>> Encrypt-then-MAC was the conservative choice.
>>
>>> In general it is very easy to see the obvious solution 20 years later,
>>> but the challenge is to properly decide at the right time.
>> It was obvious then: encrypt-then-MAC was known secure, while
>> MAC-then-encrypt was not.
>> Any excuse vanishes with Bellare-Nampare (2000). Of course, even if we
>> take the best interpretation, the TLS WG frittered away 9 years after
>> being informed of an attack.
>>
>> Sincerely,
>> Watson Ladd
>>> regards,
>>> Nikos
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>> --
>> "Those who would give up Essential Liberty to purchase a little
>> Temporary Safety deserve neither  Liberty nor Safety."
>> -- Benjamin Franklin
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email