Re: [Cfrg] NSA sabotaging crypto standards
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Fri, 07 February 2014 16:40 UTC
Return-Path: <prvs=7115ef9fce=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BA2B1A01B9 for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 08:40:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.237
X-Spam-Level:
X-Spam-Status: No, score=-4.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_MID=0.497, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dd2JGkSDn9w6 for <cfrg@ietfa.amsl.com>; Fri, 7 Feb 2014 08:40:12 -0800 (PST)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id DDF831A0177 for <cfrg@irtf.org>; Fri, 7 Feb 2014 08:40:11 -0800 (PST)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s17Gdque005780; Fri, 7 Feb 2014 11:39:52 -0500
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "'watsonbladd@gmail.com'" <watsonbladd@gmail.com>, "'nmav@gnutls.org'" <nmav@gnutls.org>
Date: Fri, 07 Feb 2014 11:39:51 -0500
Thread-Topic: [Cfrg] NSA sabotaging crypto standards
Thread-Index: Ac8kIa1hB41QAyuURjGFOwuxVmdO1QAAYmZA
In-Reply-To: <CACsn0ckOL8xdp5z7DdB9wyHhFpax0DhVXjsUMuGj39HgKk4YBA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-02-07_06:2014-02-07, 2014-02-07, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402070082
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] NSA sabotaging crypto standards
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Feb 2014 16:40:14 -0000
X-Message-ID:
Message-ID: <20140418010542.2560.6422.ARCHIVE@ietfa.amsl.com>
Don Johnson, for one. Carl Meyer. (Yes, those guys who invented Lucifer and DES ciphers.) You keep forgetting (or simply aren't old enough to be aware?) of how things were done back when the "Cryptography: The New Dimension" book was published. The standard was "MAC, then Encrypt", and it had reasons for doing things in that order. In fact, SNMP was the first IETF protocol (circa 1992-1994) to diverge from that approach, and it took some flak for not doing what was the conventional wisdom of that day. Since then the priorities and the attacks changed, and now "Encrypt-then-MAC" is the standard. Watson, I'd like to join other suggesting that you become less combative here. I'm not a "peacenik" myself, but any patience has a limit. -- Regards, Uri Blumenthal Voice: (781) 981-1638 Cyber Systems and Technology Fax: (781) 981-0186 MIT Lincoln Laboratory Cell: (339) 223-5363 244 Wood Street Email: <uri@ll.mit.edu> Lexington, MA 02420-9185 Web: http://www.ll.mit.edu/CST/ MIT LL Root CA: <https://www.ll.mit.edu/labcertificateauthority.html> DSN: 478-5980 ask Lincoln ext.1638 ----- Original Message ----- From: Watson Ladd [mailto:watsonbladd@gmail.com] Sent: Friday, February 07, 2014 11:28 AM To: Nikos Mavrogiannopoulos <nmav@gnutls.org> Cc: cfrg@irtf.org <cfrg@irtf.org> Subject: Re: [Cfrg] NSA sabotaging crypto standards On Fri, Feb 7, 2014 at 8:11 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote: > On 02/07/2014 04:59 PM, Watson Ladd wrote: > >> But let's go into detail about how well the cryptographers did in TLS. >> In 1995 Phil Rogaway tells everyone to use encrypt-then-MAC. > > I believe you are oversimplifying things. Indeed Rogaway suggested > encrypt-then-MAC, but other cryptographers were suggesting > MAC-then-Encrypt (authenticate what is meant not what is sent). There > was also no attack known for MAC-then-encrypt. Show me one cryptographer who recommended MAC-then-Encrypt. Also, absence of known attacks is not the same as absence of attacks. Encrypt-then-MAC was the conservative choice. > > In general it is very easy to see the obvious solution 20 years later, > but the challenge is to properly decide at the right time. It was obvious then: encrypt-then-MAC was known secure, while MAC-then-encrypt was not. Any excuse vanishes with Bellare-Nampare (2000). Of course, even if we take the best interpretation, the TLS WG frittered away 9 years after being informed of an attack. Sincerely, Watson Ladd > > regards, > Nikos > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin _______________________________________________ Cfrg mailing list Cfrg@irtf.org http://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-03.t… internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… David McGrew
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Paul Lambert
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Yoav Nir
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Mike Hamburg
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Dan Harkins
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Robert Ransom
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-dragonfly-… Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Paul Lambert
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Michael Hamburg
- Re: [Cfrg] 2^40. I can't exhibit it, but it exist… Watson Ladd
- [Cfrg] publishing dragonfly (was: Re: 2^40. I can… David McGrew
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Manger, James
- Re: [Cfrg] publishing dragonfly (was: Re: 2^40. I… Eggert, Lars
- [Cfrg] NSA sabotaging crypto standards Manger, James
- Re: [Cfrg] NSA sabotaging crypto standards Alexandre Anzala-Yamajako
- Re: [Cfrg] how can CFRG improve cryptography in t… Rob Stradling
- Re: [Cfrg] NSA sabotaging crypto standards Eggert, Lars
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Paul Hoffman
- Re: [Cfrg] NSA sabotaging crypto standards David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Dan Harkins
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] NSA sabotaging crypto standards Nikos Mavrogiannopoulos
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] NSA sabotaging crypto standards Watson Ladd
- [Cfrg] how can CFRG improve cryptography in the I… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] NSA sabotaging crypto standards Blumenthal, Uri - 0558 - MITLL
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… dan
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Daniel Kahn Gillmor
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Stephen Farrell
- Re: [Cfrg] how can CFRG improve cryptography in t… Tom Ritter
- Re: [Cfrg] how can CFRG improve cryptography in t… Igoe, Kevin M.
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… Hannes Tschofenig
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew
- Re: [Cfrg] how can CFRG improve cryptography in t… Paul Lambert
- Re: [Cfrg] how can CFRG improve cryptography in t… Watson Ladd
- Re: [Cfrg] how can CFRG improve cryptography in t… Rene Struik
- Re: [Cfrg] how can CFRG improve cryptography in t… Geoffrey Waters
- Re: [Cfrg] how can CFRG improve cryptography in t… S Moonesamy
- Re: [Cfrg] how can CFRG improve cryptography in t… David McGrew