Re: [Cfrg] [TLS] 3DES diediedie
Derek Atkins <derek@ihtfp.com> Thu, 08 September 2016 15:18 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EEF812B014 for <cfrg@ietfa.amsl.com>; Thu, 8 Sep 2016 08:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeghDyH3uFYP for <cfrg@ietfa.amsl.com>; Thu, 8 Sep 2016 08:18:53 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 531A112B019 for <cfrg@irtf.org>; Thu, 8 Sep 2016 08:18:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id CABDDE2047; Thu, 8 Sep 2016 11:18:51 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 09760-07; Thu, 8 Sep 2016 11:18:49 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:2001:470:e448:2:ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 21F09E2046; Thu, 8 Sep 2016 11:18:49 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1473347929; bh=STdYDKIHrcvTt9UsSDFf69wFM9o1NCY1Cqn4aBPCLwQ=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=iYiS8PW4FeCe2V/nUUsYgaXuh5xKpmEKjRJRfeNPzP7NlrN6EMWAk+WLVlu6ZK3+7 4oMAm5vHfdnKqd50Mbz/qCkuy0c6e5vepirM03if4I+OpQcHwqc2Q5RRiMME8uPYDE DDVRdIcfH1bzYpWJBfAAhJ35gHEaSl9J4SPjOCN4=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id u88FIlsV009549; Thu, 8 Sep 2016 11:18:47 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <20160906114030.18292816.41703.89024@ll.mit.edu> <57CEAE6F.1040608@secworks.se> <sjmeg4wvjut.fsf@securerf.ihtfp.org> <d1b84ec2-5b02-b285-8304-e3b393d9ee4a@cs.tcd.ie> <sjm8tv3vkzs.fsf@securerf.ihtfp.org> <a69a0ee2-c101-54ac-ed72-a23b05925e3b@cs.tcd.ie>
Date: Thu, 08 Sep 2016 11:18:47 -0400
In-Reply-To: <a69a0ee2-c101-54ac-ed72-a23b05925e3b@cs.tcd.ie> (Stephen Farrell's message of "Thu, 8 Sep 2016 12:32:57 +0100")
Message-ID: <sjmvay6to6g.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/v-5HVaE_WBQAAWTU5bkwERz2ZcI>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Joachim Strömbergson <joachim@secworks.se>, Hilarie Orman <hilarie@purplestreak.com>
Subject: Re: [Cfrg] [TLS] 3DES diediedie
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2016 15:18:57 -0000
Hi, Stephen Farrell <stephen.farrell@cs.tcd.ie> writes: > Hiya, > [snip] >> I agree completely, which is why I believe that "AES is the one true >> cipher that everything must use" is, IMHO, a Bad Idea (TM). As Peter >> said in another email (thank you, Peter, for the GREAT writeup!!!), >> while we do want better crypto, what's more important is MORE crypto. >> We want more devices to use crypto, and if there are devices where even >> AES can't be used (for whatever reason) we should find reasonable, >> lower-"cost" alternatives. > > I don't agree that we want "more crypto" without qualification. > I'd put it like this: > > We want more good enough crypto and to not introduce crypto > that is not good enough. We also do want to deprecate use of > crypto no longer considered good enough, where possible. Sure, but your definition of "good enough" and my definition of "good enough" may not match. And honestly I'd rather someone use 3DES than nothing. (Sure, I'd rather them use AES than 3DES) [snip] >> What's your definition of "weaker" crypto? > > I don't have a good definition. Perhaps we could say that > anything that we'd not want to include in TLS at a given > point in time? > > That is not meant to imply there are no uses at all for > weaker crypto. But I do think the valid use-cases may be > much much rarer than many seem to think. See, I think there are different use-cases that can (and should) be qualified. Many of these constrained devices may use (D)TLS, but are still designed for a constrained environment. They aren't going to be connecting to my bank (although they may phone home to their manufacturers). My light bulb example that I keep returning to are really only designed to speak to the local controller(s). They don't phone home. Sure, they may have IPv6, and may be running (D)TLS, but their use case is rather limited. They probably don't have a full OS, just an embedded firmware. So why does this device need to same level of security protection that I need when I'm communicating with my bank? Wouldn't you rather it have a lower bar (e.g. 3DES) versus have zero security? Honestly, that's the fight I'm fighting here with manufacturers. They say encryption is too expensive, so they would rather do nothing. I'm trying to give them something, anything, to get the bar raised. Even single DES is better than nothing (although if they can do 1DES they can do 3DES). >> I'd argue that there are definitely cases where a shorter block size is >> just fine, even if it's easier to attack. For example, if I have a >> 64-bit block size and my messages are always only a single bit >> (e.g. "door open" or "door closed"), does it matter that it's easier to >> attack than a 128-bit block size? > > I don't think that's a good question tbh. The issue is that > the same algorithm will be used for other things too, e.g. > to protect new configs or s/w update or stored data. And if > we're dealing with a PSK situation, it's likely many devices > will be deployed with the same PSK. So, yes, it might matter > if there are thousands of doors and one PSK that basically > never changes. And once developers have an algorithm they > have used, they will re-use that for other things. And > attacks only ever get better. So we need to always consider > the worst case that we envisage can really happen, and not > what seems like the least sensitive interactions. Keep in mind that I'm advocating assymmetric crypto and not PSK.. And definitely not "same PSK". > One other aspect is that we're assuming here that devices > are highly constrained, so we can't assume that they'll > use some better algorithm for more sensitive things - if > they could do that, then almost all such devices could use > the better algorithm for everything. This is true. > So while I am a big fan of opportunistic security, I'm > not keen on encompassing the use of weaker algorithms as > a part of that. (Other than for cases where the alg and > keys are already deployed and we have to live with it.) So if they can't use the better algorithm (for whatever reason), what then would you advocate? >> Context is extremely important. Obviously 64-bit blocks would be bad >> for some things, but might be "just fine" for others. If we do say "no >> 64-bit blocks" then we get sensor manufacturers that will say "fine, >> security is too expensive so I just wont put it in". >> >> The Perfect is the enemy of the Good Enough. > > Yes, but once devices are connected to the Internet, then > the requirements for "good enough" change significantly, > and IMO that's not something that device makers have yet > properly taken on board. See above for my re-iterated light bulb example. I do agree that devices are put into situations beyond what manufacturers originally designed. But (and I feel like I'm sounding like a broken record here) I'd rather see devices use any crypto than no crypto. [snip] >> True, this will happen too. From where I sit I'd rather give people >> better tools that might not reach our "perfect" security guidelines, but >> are cheap enough that the manufacturers will implement it instead of XOR >> (against a static "key"). > > Figuring out sensible guidelines that are likely to be > followed is hard, yes. Isn't this why we're paid the big bucks? :) >>> So... it's tricky - I think we know what's right but we >>> also know that that's not what "the market" is going >>> to produce;-) >> >> I think this is the main issue -- different markets have different >> needs. And until you're living on an 8051 or MSP430 you really don't >> understand how constrained you can be. > > It's also clear that many device makers are not considering > the real threat model when their devices are exposed to the > Internet. I would argue that the choice of MCU needs to take > that much more into account than has been the case, and it's > no longer ok to only consider the functional requirements for > the application, once the device can be connected to the > Internet. That's a big change though. Yes, this is also true. Education is important. > Cheers, > S. -derek -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant
- Re: [Cfrg] [TLS] 3DES diediedie Viktor Dukhovni
- [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] 3DES diediedie Benjamin Kaduk
- Re: [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie John Mattsson
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] [TLS] 3DES diediedie david wong
- Re: [Cfrg] [TLS] 3DES diediedie Eric Rescorla
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie denis bider (Bitvise)
- Re: [Cfrg] 3DES diediedie Geoffrey Keating
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [SSH] [TLS] 3DES diediedie David Jacobson
- Re: [Cfrg] [TLS] 3DES diediedie Dmitry Belyavsky
- Re: [Cfrg] [TLS] 3DES diediedie Stanislav V. Smyshlyaev
- Re: [Cfrg] [TLS] 3DES diediedie Hanno Böck
- Re: [Cfrg] [TLS] 3DES diediedie Иван Лавриков
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Watson Ladd
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Karthikeyan Bhargavan
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Hubert Kario
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] 3DES diediedie John Mattsson
- [Cfrg] (confusing the issues) Re: [TLS] 3DES died… Rene Struik
- Re: [Cfrg] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] (confusing the issues) Re: 3DES … Dave Garrett
- Re: [Cfrg] 3DES diediedie Jon Callas
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Jon Callas
- Re: [Cfrg] 3DES diediedie Steven M. Bellovin
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Rene Struik
- Re: [Cfrg] (confusing the issues) Re: [TLS] 3DES … Greg Rose
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] 3DES diediedie David McGrew (mcgrew)
- Re: [Cfrg] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] 3DES diediedie Derek Atkins
- Re: [Cfrg] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Brian Sniffen
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] 3DES diediedie Steven M. Bellovin
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie Richard Hartmann
- Re: [Cfrg] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Hilarie Orman
- Re: [Cfrg] [TLS] 3DES diediedie Ben Laurie
- Re: [Cfrg] [TLS] 3DES diediedie Ben Laurie
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Salz, Rich
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Watson Ladd
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Dave Garrett
- Re: [Cfrg] [TLS] 3DES diediedie Ira McDonald
- Re: [Cfrg] [TLS] 3DES diediedie Philip Levis
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Joachim Strömbergson
- Re: [Cfrg] [TLS] 3DES diediedie Richard Hartmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Salz, Rich
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Peter Gutmann
- Re: [Cfrg] [TLS] 3DES diediedie Stephen Farrell
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Derek Atkins
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie Tony Arcieri
- Re: [Cfrg] [TLS] 3DES diediedie Ilari Liusvaara
- Re: [Cfrg] [TLS] 3DES diediedie Yoav Nir
- Re: [Cfrg] [TLS] 3DES diediedie Kyle Rose
- Re: [Cfrg] [TLS] 3DES diediedie denis bider (Bitvise)