Re: [Cfrg] [TLS] 3DES diediedie

Derek Atkins <derek@ihtfp.com> Thu, 08 September 2016 15:18 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EEF812B014 for <cfrg@ietfa.amsl.com>; Thu, 8 Sep 2016 08:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeghDyH3uFYP for <cfrg@ietfa.amsl.com>; Thu, 8 Sep 2016 08:18:53 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 531A112B019 for <cfrg@irtf.org>; Thu, 8 Sep 2016 08:18:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id CABDDE2047; Thu, 8 Sep 2016 11:18:51 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 09760-07; Thu, 8 Sep 2016 11:18:49 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:2001:470:e448:2:ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 21F09E2046; Thu, 8 Sep 2016 11:18:49 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1473347929; bh=STdYDKIHrcvTt9UsSDFf69wFM9o1NCY1Cqn4aBPCLwQ=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=iYiS8PW4FeCe2V/nUUsYgaXuh5xKpmEKjRJRfeNPzP7NlrN6EMWAk+WLVlu6ZK3+7 4oMAm5vHfdnKqd50Mbz/qCkuy0c6e5vepirM03if4I+OpQcHwqc2Q5RRiMME8uPYDE DDVRdIcfH1bzYpWJBfAAhJ35gHEaSl9J4SPjOCN4=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id u88FIlsV009549; Thu, 8 Sep 2016 11:18:47 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20160906114030.18292816.41703.89024@ll.mit.edu> <57CEAE6F.1040608@secworks.se> <sjmeg4wvjut.fsf@securerf.ihtfp.org> <d1b84ec2-5b02-b285-8304-e3b393d9ee4a@cs.tcd.ie> <sjm8tv3vkzs.fsf@securerf.ihtfp.org> <a69a0ee2-c101-54ac-ed72-a23b05925e3b@cs.tcd.ie>
Date: Thu, 08 Sep 2016 11:18:47 -0400
In-Reply-To: <a69a0ee2-c101-54ac-ed72-a23b05925e3b@cs.tcd.ie> (Stephen Farrell's message of "Thu, 8 Sep 2016 12:32:57 +0100")
Message-ID: <sjmvay6to6g.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/v-5HVaE_WBQAAWTU5bkwERz2ZcI>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Joachim =?utf-8?Q?Str=C3=B6mbergson?= <joachim@secworks.se>, Hilarie Orman <hilarie@purplestreak.com>
Subject: Re: [Cfrg] [TLS] 3DES diediedie
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 15:18:57 -0000

Hi,

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

> Hiya,
>
[snip]
>> I agree completely, which is why I believe that "AES is the one true
>> cipher that everything must use" is, IMHO, a Bad Idea (TM).  As Peter
>> said in another email (thank you, Peter, for the GREAT writeup!!!),
>> while we do want better crypto, what's more important is MORE crypto.
>> We want more devices to use crypto, and if there are devices where even
>> AES can't be used (for whatever reason) we should find reasonable,
>> lower-"cost" alternatives.
>
> I don't agree that we want "more crypto" without qualification.
> I'd put it like this:
>
> We want more good enough crypto and to not introduce crypto
> that is not good enough. We also do want to deprecate use of
> crypto no longer considered good enough, where possible.

Sure, but your definition of "good enough" and my definition of "good
enough" may not match.  And honestly I'd rather someone use 3DES than
nothing.  (Sure, I'd rather them use AES than 3DES)

[snip]
>> What's your definition of "weaker" crypto?
>
> I don't have a good definition. Perhaps we could say that
> anything that we'd not want to include in TLS at a given
> point in time?
>
> That is not meant to imply there are no uses at all for
> weaker crypto. But I do think the valid use-cases may be
> much much rarer than many seem to think.

See, I think there are different use-cases that can (and should) be
qualified.  Many of these constrained devices may use (D)TLS, but are
still designed for a constrained environment.  They aren't going to be
connecting to my bank (although they may phone home to their
manufacturers).

My light bulb example that I keep returning to are really only designed
to speak to the local controller(s).  They don't phone home.  Sure, they
may have IPv6, and may be running (D)TLS, but their use case is rather
limited.  They probably don't have a full OS, just an embedded
firmware.

So why does this device need to same level of security protection that I
need when I'm communicating with my bank?  Wouldn't you rather it have a
lower bar (e.g. 3DES) versus have zero security?  Honestly, that's the
fight I'm fighting here with manufacturers.  They say encryption is too
expensive, so they would rather do nothing.  I'm trying to give them
something, anything, to get the bar raised.  Even single DES is better
than nothing (although if they can do 1DES they can do 3DES).

>> I'd argue that there are definitely cases where a shorter block size is
>> just fine, even if it's easier to attack.  For example, if I have a
>> 64-bit block size and my messages are always only a single bit
>> (e.g. "door open" or "door closed"), does it matter that it's easier to
>> attack than a 128-bit block size?
>
> I don't think that's a good question tbh. The issue is that
> the same algorithm will be used for other things too, e.g.
> to protect new configs or s/w update or stored data. And if
> we're dealing with a PSK situation, it's likely many devices
> will be deployed with the same PSK.  So, yes, it might matter
> if there are thousands of doors and one PSK that basically
> never changes. And once developers have an algorithm they
> have used, they will re-use that for other things. And
> attacks only ever get better. So we need to always consider
> the worst case that we envisage can really happen, and not
> what seems like the least sensitive interactions.

Keep in mind that I'm advocating assymmetric crypto and not PSK..  And
definitely not "same PSK".

> One other aspect is that we're assuming here that devices
> are highly constrained, so we can't assume that they'll
> use some better algorithm for more sensitive things - if
> they could do that, then almost all such devices could use
> the better algorithm for everything.

This is true.

> So while I am a big fan of opportunistic security, I'm
> not keen on encompassing the use of weaker algorithms as
> a part of that. (Other than for cases where the alg and
> keys are already deployed and we have to live with it.)

So if they can't use the better algorithm (for whatever reason), what
then would you advocate?

>> Context is extremely important.  Obviously 64-bit blocks would be bad
>> for some things, but might be "just fine" for others.  If we do say "no
>> 64-bit blocks" then we get sensor manufacturers that will say "fine,
>> security is too expensive so I just wont put it in".
>> 
>> The Perfect is the enemy of the Good Enough.
>
> Yes, but once devices are connected to the Internet, then
> the requirements for "good enough" change significantly,
> and IMO that's not something that device makers have yet
> properly taken on board.

See above for my re-iterated light bulb example.  I do agree that
devices are put into situations beyond what manufacturers originally
designed.  But (and I feel like I'm sounding like a broken record here)
I'd rather see devices use any crypto than no crypto.

[snip]
>> True, this will happen too.  From where I sit I'd rather give people
>> better tools that might not reach our "perfect" security guidelines, but
>> are cheap enough that the manufacturers will implement it instead of XOR
>> (against a static "key").
>
> Figuring out sensible guidelines that are likely to be
> followed is hard, yes.

Isn't this why we're paid the big bucks?  :)

>>> So... it's tricky - I think we know what's right but we
>>> also know that that's not what "the market" is going
>>> to produce;-)
>> 
>> I think this is the main issue -- different markets have different
>> needs.  And until you're living on an 8051 or MSP430 you really don't
>> understand how constrained you can be.
>
> It's also clear that many device makers are not considering
> the real threat model when their devices are exposed to the
> Internet. I would argue that the choice of MCU needs to take
> that much more into account than has been the case, and it's
> no longer ok to only consider the functional requirements for
> the application, once the device can be connected to the
> Internet. That's a big change though.

Yes, this is also true. Education is important.

> Cheers,
> S.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant