Re: [Cfrg] Security proofs v DH backdoors

Michael Scott <mike.scott@miracl.com> Fri, 28 October 2016 09:52 UTC

Return-Path: <mike.scott@miracl.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73DBA129A14 for <cfrg@ietfa.amsl.com>; Fri, 28 Oct 2016 02:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=miracl-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_QO76yY0rbh for <cfrg@ietfa.amsl.com>; Fri, 28 Oct 2016 02:52:01 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51B7E129A13 for <cfrg@irtf.org>; Fri, 28 Oct 2016 02:52:01 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id w3so75183353ywg.1 for <cfrg@irtf.org>; Fri, 28 Oct 2016 02:52:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=miracl-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=3YOjj36lDPahmGNUgTI17TbpEXB8LerkuEyNPqhX3OU=; b=R4oGintAUXQ+OcOZoxIn8PjRD0X5gZFOqfLB93x5gNssQ2ETmQyKA7Z3hKMEjpHw3y V/+Z19PcuiMwBl+Owlylsy6/SvZ4hhOuOk4dL5pHQLH+KME2WFZOGMvgbqZnhsBGHm1f Y9VJ2VGcmGb8hG+Edz81nr0z8aqovchrrB3Y6xl8hrmXcvZNldbVOID2IB9ijv/WncK7 CcQZvgx071uL65smUCJhR30xFy8SzPyRlbuTCJFpFvDTKOpcFQKHe4USE4ripR1dTuh1 gLoOHM4SHuoNyNtMCgcRxeTEeAfgRN5t4HxeX7AC4ol6aRj2TU3VgZfUifPU9rlFPPmx LKtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=3YOjj36lDPahmGNUgTI17TbpEXB8LerkuEyNPqhX3OU=; b=OYArxpMQduQiGOEd10geOCk6aHxUCYnvIs0yYb16GpzTQZunvvKWDP/NsE/yTTKqBD rGpkkdXw2ZTMzrA8s1UWunVJ/ChDLIyqjysB51V9AFrO+eOhonQKMVp/wTgiADATDZsu jYKhJRpzPxzFKnE2Fr+fP/T7ZyIRwfrjSpbc8ktNibzi2c41hK7swmy0PQsFAZc6ddYJ mcn3v+GiGLTK5GnasM0feo33VR5/hicsl9hwXb++0lJftiyMJPHs6C7UA1URvHQTnGVc Xl1OGurzfpTYebR7dB4ZGz4PdkYG+xERqnikfedD8+ur9WfK0+jcWwLgTo68xImKjWfv 4pug==
X-Gm-Message-State: ABUngvfD6Bl47wGky/AysXPDSGGBcUptju3HQvVd1Ue+xHfCRUPATupBE6aHYEnNCBIWoDoRCqq3tBLjwQlZj3YN
X-Received: by 10.36.30.74 with SMTP id 71mr1037861itt.81.1477648320149; Fri, 28 Oct 2016 02:52:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.153.83 with HTTP; Fri, 28 Oct 2016 02:51:59 -0700 (PDT)
In-Reply-To: <1477647359860.49982@cs.auckland.ac.nz>
References: <20161025131014.5709905.2866.6563@blackberry.com> <20161025133016.GA9081@LK-Perkele-V2.elisa-laajakaista.fi> <1477456366629.49872@cs.auckland.ac.nz> <44595.1477524032@eng-mail01.juniper.net> <20161027103214.5709905.11728.6650@blackberry.com> <20161027125120.4d260334@pc1> <1477647359860.49982@cs.auckland.ac.nz>
From: Michael Scott <mike.scott@miracl.com>
Date: Fri, 28 Oct 2016 10:51:59 +0100
Message-ID: <CAEseHRpN94UWT+rPUbyxsZp8ToKYQR=3=Qn0qt_Kdn27Y6iwxg@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary=001a11448b2839d112053fe9cfda
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nMJD7yRsvFB2W-E4_76ypbRZ9Oc>
Subject: Re: [Cfrg] Security proofs v DH backdoors
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 09:52:03 -0000

On Fri, Oct 28, 2016 at 10:36 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Hanno Böck <hanno@hboeck.de> writes:
>
> >This line of debate and all the recently released papers show one very
> >concerning thing: We haven't learned how to use Diffie Hellman properly
>
> Well, we have, what it really shows is that there are still implementations
> around that use it badly.  As there are for almost everything.
>
> >But why should we have this discussion when we already know DH is on its
> way
> >out?
>
> It's going to be around for a long, long time, if not forever, for three
> reasons.  Firstly, your assumption, which I've heard from others as well,
> seems to be based on the browser/web server worldview where you can roll
> out
> an update any time you like to make the server/client do whatever you want
> it
> to.  However, if you look at real-world surveys of TLS traffic, the most
> common TLS mode is still 1.0, dating from 1999.  This means that for
> general
> web traffic, not just what Chrome, Firefox, and Edge do, there's at least a
> 15-year latency for deployment.  In terms of industry bodies, groups like
> the
> PCI council are planning to move to TLS 1.1, from ten years ago, by 2018.
> There's no indication of when they'll start looking at TLS 1.2.  Other
> industry bodies in the SCADA/embedded space are roughly the same, there's a
> gradual move from TLS 1.0 to TLS 1.1 with some mutterings about 1.2 in some
> places.
>
> Secondly, DH's replacement, the ECC algorithms, are an absolute
> non-starter in
> any kind of harsh environment.  They're the most brittle crypto you can
> possibly deploy, any fault of any kind inevitably ends up leaking the
> private
> key.  I know several industries who, despite its great trendiness, won't
> touch
> the ECC stuff because it's just too brittle to safely use.
>


Wow. As an influential opinion leader I think you really need to expand on
that last paragraph. In the first sentence you need to define "harsh
environment". The second sentence ("any fault of any kind") is manifestly
untrue. And in the third sentence what industries exactly? Thanks

Mike


>
> Finally, specifically for the Bernstein protocol suite [0] if that's what
> you're thinking of for supplanting DH, it's easy enough for someone like
> Google to decree that from now on we all have to use X, but many industries
> are heavily constrained and regulated and can't just adopt whatever new
> algorithm comes along.  Also, hardware support for crypto is almost
> universally AES, SHA-1, SHA-2, and sometimes (rarely) some bignum stuff.
> You're not going to see any move to TLS 1.3/2.0/whatever-it'll-be-called
> outside the web server/client space any time soon there, if ever.
>
> >Chrome already decided to disable it, others will follow.
>
> That's because Google can decree that from now on we're all going do be
> doing
> what Google wants.  That doesn't work in other industries.
>
> Peter.
>
> [0] No disrespect to Dan et al intended, I'm just using it as a collective
>     noun for 25519, 448, ChaCha, Poly1305, etc because I don't know of any
>     other collective term for them.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>