Re: [Cfrg] New guidance from NSA on cryptographic algorithms

Mike Hamburg <mike@shiftleft.org> Thu, 28 January 2016 17:54 UTC

From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <56AA4616.5020108@huelsing.net>
Date: Thu, 28 Jan 2016 09:54:45 -0800
Message-Id: <1BB06C1A-C48F-41DE-86A7-9EF636AF559A@shiftleft.org>
References: <7C5502DA-0F6C-49CC-8D8A-5ED563109662@vigilsec.com> <7FEEF4D2-DCEB-47E4-9159-034BB5209844@vigilsec.com> <CAMm+LwhXHsnTitXAUZjBQ4BEtoWFk9DJ6gMEnTf-JQXya0s1Nw@mail.gmail.com> <20160127173529.GA8791@LK-Perkele-V2.elisa-laajakaista.fi> <D2CE6F5E.26147%uri@ll.mit.edu> <CAMm+LwiJ89gGSt7bntAOHNY9ef1kQMfgsDf6fvhruKqXwLipCQ@mail.gmail.com> <alpine.GSO.1.10.1601272219010.26829@multics.mit.edu> <56A9EA71.7070208@cs.tcd.ie> <CAMm+LwjFLQtePKKdLKWo6YqhDCCWDQcZfcFRGwTXWgk7mj6JyQ@mail.gmail.com> <56AA4616.5020108@huelsing.net>
To: "A. Huelsing" <ietf@huelsing.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/o9YdAyeAfK85-hSds2kkfP17HPg>
Cc: cfrg@irtf.org


Sent from my phone.  Please excuse brevity and typos.

> On Jan 28, 2016, at 08:47, A. Huelsing <ietf@huelsing.net> wrote:
> 
> 
> 
>> On 01/28/16 16:04, Phillip Hallam-Baker wrote:
>> On Thu, Jan 28, 2016 at 5:16 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>>> 
>>>> On 28/01/16 03:25, Benjamin Kaduk wrote:
>>>> There is also the question of what the realm topology would look like --
>>>> in other contexts there was talk of a central "clearinghouse" realm that
>>>> would share keys with anyone that asked, leaving trust decisions to the
>>>> end parties.  But that is not the only possible model...
>>> That topic ("realm topology"), including who trusts whom for what,
>>> might be a fine thing for a small group of folks to try sketch out in
>>> case we needed such. The content might be initial attempts to answer
>>> the question "what if we had to use Kerberos everywhere we now use
>>> (EC)DH or RSA key transport, what'd that look like at Internet scale?"
>>> That work might identify bits of work that could be taken up by the
>>> IETF kitten WG later on.
>>> Let us imagine that Alice has a shared secret with three distribution
>>> centers run by the likes of Comodo, Symantec, etc. that have been
>>> established in case of future need. There are 5 billion Internet users
>>> and approx 50% have that type of backup plan but no applications are
>>> going to use it at all until the need is proven.
> 
> I am honestly slightly confused that this is truly considered a possible
> solution that needs analysis. A Kerberos-based web-security model would
> mean that the trusted third parties can listen to any "secured"
> communication between a user and a service. While this would already be
> possible in today's Web-PKI setting (which is horrible enough), the new
> issue is that no one could ever detect this attack in the new setting.
> This would be the de-facto abolishment of Internet privacy.
> 
> So you would honestly want to sell privacy just because signatures and
> ciphertexts (for public key encryption) would slightly grow when using
> post-quantum crypto? (Compared to the increase in size of user data like
> an average Webpage over the last years the increase in size for
> pq-crypto is really small.)
> 
> -- Andreas

This seems like it would only be useful in the event that PQ public key encryption turns out to be infeasible, or if we can't find a scheme we trust. Remember, we're very confident that hash-based signatures are PQ-secure, but not quite as much about the encryption or key exchange options.

-- Mike
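
The difference Andreas and Mike are arguing over, as an added example that is not code from the thread or from any of its participants: a Kerberos-style KDC generates every session key itself, so whoever holds the KDC's state reads traffic passively and the endpoints see nothing unusual, whereas a CA that certifies (EC)DH public values only sees those values and must actively substitute its own to read anything, which changes what each endpoint sees on the wire and so is detectable by pinning or out-of-band key comparison. Everything here is constructed for illustration: the "principals", the 127-bit Mersenne-prime DH group, and the SHA-256/HMAC toy cipher are not secure parameters or primitives, they only make the key flows observable.

```python
"""
Toy model of the two trust topologies debated in the thread: a Kerberos-style
KDC that hands out session keys versus a CA-certified Diffie-Hellman exchange.
Constructed example; the cipher and DH group are toys chosen so the code runs
on the standard library alone. Do not reuse any of it for real traffic.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# ---- toy authenticated encryption (illustration only) -------------------
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# ---- model 1: Kerberos-style KDC -----------------------------------------
class KDC:
    """Shares a long-term key with every principal and mints every session key."""
    def __init__(self) -> None:
        self.db: Dict[str, bytes] = {}   # principal -> long-term key
        self.issued = []                 # every session key the KDC ever produced

    def register(self, name: str) -> bytes:
        self.db[name] = secrets.token_bytes(32)
        return self.db[name]

    def ticket(self, client: str, service: str) -> Tuple[bytes, bytes]:
        session = secrets.token_bytes(32)
        self.issued.append(session)      # the KDC necessarily knows the key
        return seal(self.db[client], session), seal(self.db[service], session)

def kdc_scenario() -> dict:
    kdc = KDC()
    k_alice, k_svc = kdc.register("alice"), kdc.register("svc")
    for_alice, for_svc = kdc.ticket("alice", "svc")
    sk_alice, sk_svc = open_(k_alice, for_alice), open_(k_svc, for_svc)
    wire = seal(sk_alice, b"GET /secret")
    return {
        "keys_match": sk_alice == sk_svc,
        "service_reads": open_(sk_svc, wire),
        # Whoever holds the KDC's state (its operator, or a compromise of it)
        # decrypts the same bytes passively; nothing on the wire changes.
        "kdc_reads": open_(kdc.issued[-1], wire),
        "outsider_reads": open_(secrets.token_bytes(32), wire),   # None
    }

# ---- model 2: CA-certified Diffie-Hellman --------------------------------
P = (1 << 127) - 1     # Mersenne prime; a toy group, not a real DH parameter
G = 3

def _kdf(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def dh_scenario(ca_goes_active: bool = False) -> dict:
    """The CA certifies A and B but never holds a private exponent. To read
    traffic it must replace each side's value with its own (active MITM)."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    if ca_goes_active:
        m = secrets.randbelow(P - 2) + 1
        M = pow(G, m, P)
        alice_peer, bob_peer = M, M                           # substituted values
        ca_keys = (_kdf(pow(A, m, P)), _kdf(pow(B, m, P)))   # one key per leg
    else:
        alice_peer, bob_peer = B, A
        ca_keys = None
    k_alice, k_bob = _kdf(pow(alice_peer, a, P)), _kdf(pow(bob_peer, b, P))
    wire = seal(k_alice, b"GET /secret")
    if ca_keys:
        ca_plain = open_(ca_keys[0], wire)
        wire = seal(ca_keys[1], ca_plain)    # re-encrypt toward Bob to stay unnoticed
    else:
        ca_plain = None                      # passive CA has only A and B: no key
    return {
        "peer_reads": open_(k_bob, wire),
        "ca_reads": ca_plain,
        # Pinning or comparing keys out of band exposes the substitution.
        "detectable": (alice_peer, bob_peer) != (B, A),
    }

if __name__ == "__main__":
    print("KDC:", kdc_scenario())
    print("DH, passive CA:", dh_scenario())
    print("DH, active CA:", dh_scenario(ca_goes_active=True))
```

In the KDC run the service and the KDC both recover the request; in the DH runs the CA recovers it only in the active case, and exactly that case is the one where the public values the endpoints see no longer match what was sent, which is the detectability gap the message above is pointing at.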
