Re: [Cfrg] general guidance for web programmers?

"David McGrew (mcgrew)" <mcgrew@cisco.com> Mon, 08 October 2012 21:47 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Zooko Wilcox-O'Hearn <zooko@zooko.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] general guidance for web programmers?
Thread-Index: AQHNpZWJ0Fd1zjMn5EOOtQSd77Gl2JewAncA
Date: Mon, 08 Oct 2012 21:46:59 +0000
Message-ID: <747787E65E3FBD4E93F0EB2F14DB556B0F4FE82A@xmb-rcd-x04.cisco.com>
In-Reply-To: <CANdZDc6wTeJbXU7Z8RxPJNVefTiJ9PYsX7XW9RKiNkEtBmqhrQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/14.2.1.120420
Content-Type: text/plain; charset="euc-kr"
Content-ID: <C3C65F3CF56B6847957F5A03FC951875@cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [Cfrg] general guidance for web programmers?
Precedence: list

Hi Zooko,

On 10/8/12 4:43 PM, "Zooko Wilcox-O'Hearn" <zooko@zooko.com> wrote:

>Dear people of CFRG:
>
>I'm participating in the W3C working group on Web Crypto. (By the way,
>thank you very much to those who replied to my earlier request for
>feedback on the WebCrypto draft.)
>
>An issue facing the W3C working group is how and to what degree we
>include guidance about which algorithms are recommended or which are
>known to be flawed. The first issue that we face is what to say about
>ECB mode. I propose ¹ that the WebCrypto standard include some text
>warning that ECB mode is *not* an encryption mode, like CBC and CTR
>modes, which can be used to encrypt arbitrary sensitive plaintext.

I saw your proposal in the WC WG, and I think it is a good idea.

>
>Others on the WebCrypto Working Group are very reluctant to start
>writing down advice of this kind ² , because where will it end? It can
>get very complicated. Why should we be the ones who have to explain to
>programmers to use SHA-2-256 instead of SHA-1, and how to avoid
>length-extension attacks if they're going to use SHA-2-256, and how to
>safely use RSA PKCS#1 v1.5, and how to generate nonces, counters, and
>IVs correctly, and how strong integrity really is almost always
>necessary in addition to confidentiality, and so on.
>
>Anyway, we're not necessarily the experts on all those details, and
>new attacks are coming along all the time that we would have to
>scramble to integrate into our advice.
>
>So, we have conflicting desires here. On the one hand, we don't want
>to attempt to explain everything that needs explaining, but on the
>other hand experience shows that simply providing a bare API without
>documentation really does lead to the deployment of insecure systems
>that compromise people's safety. (See my post to the web-crypto
>mailing list ¹ for an interesting recent example in which the design
>of the crypto API made the difference between secure and insecure web
>sessions.)
>
>Okay, so here's a good solution: the WebCrypto spec can refer to
>documents published by some other experts, such as CFRG, which guides
>programmers on which algorithms are recommended, as well as what are
>the requirements for the use of a given algorithm to secure. I very
>much like section 3 of the cipher catalog ³, and I wonder if it would
>make sense for the WebCrypto standard to refer to that.
>
>The use of ECB mode itself isn't addressed in the cipher catalog. Are
>there other similar publications from CFRG that would address that
>issue?

I like the idea of publishing well-reviewed crypto advice in the form of
RFCs like the cipher catalog.

To my thinking, what is striking about cipher catalog is that it is fairly
limited in scope, yet at the same time it is fairly large.  That suggests
that we need to carefully scope this work and not bite off more than we
can chew.   A comparison of modes of operation seems like it could be its
own RFC.   I think it would be reasonable to include encryption,
authentication, and authenticated encryption modes for block ciphers, as
well has HMAC (which could be thought of as a mode of operation for a hash
function, and at any rate seems to belong in a comparison of
authentication modes).   I would even offer to review this document.

>
>(As an aside, I rather like the pithiness of OWASP's take on the
>subject ⁴: “This mode should not be used under any circumstances.”.)

:-)

>
>What about the dangers of RSA PKCS#1 v1.5? Or at least, a catalog of
>public key algorithms which advises one to use safer algorithms in
>place of that one?

Public key algorithms would be another great topic.

Speaking as CFRG co-chair, I would be in favor of these RFCs as long as
each one had a team of authors/contributors, and we can get some people
signed up as reviewers.

>
>Thanks very much for any help you can offer.

Thanks for the suggestion and the explanation of the WebCrypto WG issues.

David

>
>Regards,
>
>Zooko
>
>¹ http://lists.w3.org/Archives/Public/public-webcrypto/2012Oct/0018.html
>
>² http://lists.w3.org/Archives/Public/public-webcrypto/2012Sep/0188.html
>
>³ http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-00
>
>⁴ http://owasp.com/index.php/Glossary#Electronic_Code_Book_mode
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg

Re: [Cfrg] general guidance for web programmers? David McGrew (mcgrew)
[Cfrg] general guidance for web programmers? Zooko Wilcox-O'Hearn