Re: [DNSOP] [Ext] Post quantum DNSSEC ?

william manning <chinese.apricot@gmail.com> Tue, 15 October 2019 21:44 UTC

Return-Path: <chinese.apricot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70505120137 for <dnsop@ietfa.amsl.com>; Tue, 15 Oct 2019 14:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hd-CFVzP9Bys for <dnsop@ietfa.amsl.com>; Tue, 15 Oct 2019 14:44:41 -0700 (PDT)
Received: from mail-yw1-xc34.google.com (mail-yw1-xc34.google.com [IPv6:2607:f8b0:4864:20::c34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 435E512004A for <dnsop@ietf.org>; Tue, 15 Oct 2019 14:44:41 -0700 (PDT)
Received: by mail-yw1-xc34.google.com with SMTP id l64so7784668ywe.13 for <dnsop@ietf.org>; Tue, 15 Oct 2019 14:44:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vPqbZn0Rot88kHLx3aZnDKcu0LJxFGQIbxDFSxY6bk8=; b=qI4RrTKt3sEFw4IY0lBCv3B4bnfZ7uSxVcExJJHAoRUQT9CmhQERsE0wnCDJvh5dEN UlUI9ud8ZAsQMHYS+mn0KvJWJPaPr3Sd/HYpQzt/1I+XWJd9+4GeFBGB7nXSLIxYKRkX DjdkW5PUzkTfkMZAz4MgrBuXwUzV5c/KGRHGF6EGfac//p8LUKdIuzfP8ayv/NdF4yRB T1L7FZCxvxvgqfDcDexyL98iD+XGmKg7ppwBUVEZtOKUowcK44mdPfxbnE/CUD2FqFGj J3wCY1lMduOwI//69aDCnp67Lh3KzRzI0QJgvcIQHiM3B+rDKBjoZAiAFQMXN6Ghf8Vw rCLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vPqbZn0Rot88kHLx3aZnDKcu0LJxFGQIbxDFSxY6bk8=; b=ppux3ta5+m/+tgORXSqLvxmvmsSIIyydtqLm/0JksL0e20/Gg9nUCqjadFuDnXDEFq 8HH4HXamb1TYqL7EDSvyoE8m4kP2eTAluiNhD0BCAmL/rpYPgaRU0Kh4dn1IXUlY9JJC F5BPM76EJ8tRrfx6RZMUwhhL2gcMoZ5SA8FYc5UrG4wN1wjV33sGDArkAeGhIyPAsyoV Bj/hzplBxWA7oGaI6pi0dlODsqMe28e+eR0NXtpxZYHWRv54OtCRNO2pJDjDQe4UNTRD uo3zMJdwU0Pu7il9u6o2mR5HXC4VNhFgRz4m1tPmY0aDagxERT9N7a1y1kjrq0gk1W0g 424w==
X-Gm-Message-State: APjAAAW1fmICJcK5wSVJOTSXy3N3Nm9d/1xXYT9BGjj6CrQFlHfal4yv fb1VfaGKzELaoMMgFpfhxLVmHR+cjBDRr/KAGV0=
X-Google-Smtp-Source: APXvYqy3jqWKi8l+Li9dhu9q8PjfnvVkeMrwOLiakXDZJ5eWYDoOhVsp4JXLEyxRaBXxNt3b/jLhsjubgSNVrroUkt4=
X-Received: by 2002:a81:4783:: with SMTP id u125mr19410237ywa.440.1571175880144; Tue, 15 Oct 2019 14:44:40 -0700 (PDT)
MIME-Version: 1.0
References: <2bcc20b2-9de0-a808-4e2c-054ff48f35fb@icann.org> <20191015212600.58352CBB977@ary.local>
In-Reply-To: <20191015212600.58352CBB977@ary.local>
From: william manning <chinese.apricot@gmail.com>
Date: Tue, 15 Oct 2019 14:44:28 -0700
Message-ID: <CACfw2hi+jHzKb-ttnKHNduB4F2BPx0Bh9M8kaOdr=S9Au+4Usg@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop <dnsop@ietf.org>, paul.hoffman@icann.org
Content-Type: multipart/alternative; boundary="000000000000373db80594f9e444"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pSzMn6XwUgyUMHRnNddzOVMFFI0>
Subject: Re: [DNSOP] [Ext] Post quantum DNSSEC ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2019 21:44:45 -0000

this crossed my radar in 2016 during a quantum networking retreat at Torry
Pines.  Talking with some crypto people in 2017, these notes kicked off
adding a new algorithm for my test universe.
---

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3040224
https://arxiv.org/pdf/1509.02533
ieeexplore.ieee.org/iel7/6475439/6483185/06483432.pdf
https://www.semanticscholar.org/paper/Media-Landscape-in-Twitter-A-World-of-New-Conventi-An-Cha/12dec1541d7e1528d5cc5ca5216c7c2f787387db
https://www.cl.cam.ac.uk/~jgd1000/metaphors.pdf
courses.csail.mit.edu/18.337/2015/docs/50YearsDataScience.pdf
https://www.gov.uk/government/publications/the-exchange-and-protection-of-personal-data-a-future-partnership-paper

https://royalsociety.org/~/media/policy/projects/data-governance/data-management-governance.pdf

https://royalsociety.org/~/media/policy/projects/machine-learning/publications/machine-learning-report.pdf
.


The security arms race continues….
Aging Crypto is begining to show Kracks

Many years back, the observation was made that we (the industry) could
monetize security by sprinkling “security pixie dust” on everything which
would put security everywhere.  Shortly after that observation was made,
sane people admonished against the practice of putting security
everywhere.  But the money won and today there is a security option at
every point in a communications path.  A recent, high profile event was the
introduction of KRACK (1), which shows the vulnerabilities in WPA2, a
wireless link-level protocol that is used in all modern “protected” WiFi
networks & systems.  The ostensible problem is not the vulnerability
itself, but that the protocol is widely deployed and embedded in nearly all
WiFi gear made in the last 15 years.  To fix the problem, one has to
upgrade BOTH ends to a system that has not been hacked.  Or decide that
link-level encryption is not a generic panacea for security.

This is but one recent example of a history of successful attacks on
cryptography that has found its way into the systems we use and depend on
daily.  And here in lays a serious problem.  Our lives are infused with
pervasive cryptography that is broken outright or has serious, known
wealness. Not only us, but those that govern us are affected in the same
ways.

This week in Washington DC, at the Cyberweek conference, one of the items
being discussed was when does all our crypto break in a trivial fashion.
It seems that most folks had thought that changing the key size will give
us some breathing room but after this past weeks discussions, it is not so
clear that we have time. (2)  A takeaway was; “When quantum computing comes
of age, even the most secure encryption on the planet likely will be
shattered.”  By some estimates, we have already past that threshold, others
give us 60 months or so.  Still, a very short time indeed.

Why are we not better prepared?  Well NIST has been thinking about the
problem. They even held a workshop on the topic in 2015 and a request for
proposals due next month. (3)  There are plans to start a standardization
process next year.  But if all our existing systems are vulnerable, what
options are there?   I’ve asked a few security aware friends and other than
submissions to NIST (or similar work), it seems we are going to be stuck
with some varient of  the McEliece Cryptosystem  (4) (1978).  And for the
protocol folks out there, this is going to be HUGE. :)  Heads up folks.


1) https://www.krackattacks.com/
2) https://www.fedscoop.com/quantum-computing-coming-encryption-matter/
3) https://csrc.nist.gov/projects/post-quantum-cryptography
4) www.math.unl.edu/~s-jeverso2/McElieceProject.pdf
-----------------------------------------------------------------------------------------------------

On Tue, Oct 15, 2019 at 2:26 PM John Levine <johnl@taugh.com>; wrote:

> In article <2bcc20b2-9de0-a808-4e2c-054ff48f35fb@icann.org>; you write:
> >On 10/15/19 12:11 PM, John R Levine wrote:
> >> I just heard a most interesting talk at M3AAWG about postquantum crypto
> and particularly about the NIST candidate
> >algorithms.  Many of them have much larger key or signature sizes than
> any current algorithm, like 10,000 bits or
> >more.  Some are a lot slower than others.  Has anyone been looking at how
> these algorithms would or would not work
> >with DNSSEC?
> >
> >Yes. (More specifically:
> https://datatracker.ietf.org/doc/draft-hoffman-c2pq/, which is very
> casually being worked
> >on in the CFRG.)
> >
> >Or, define "work with". Falling back to TCP for getting DNSKEY records
> might not be a big deal.
>
> Depends.  A 1K key is one thing, a 50K key is another.  If you are
> rotating keys so you have multiple key records, and the keys are large
> enough, what happens when the result packet is bigger than 64K?
>
> >Or, maybe wait until NIST has gotten more through the process, given that
> key size and signature size are among the
> >many factors they are considering.
> >
> >> NIST is accepting comments and the talk said they particularly want
> comments from industry on how this would
> >affect existing applications.
>
> The talk was by Brian LaMacchia, who opined it would e useful to send
> in some comments about how various increases in key size, signature
> size, and signing or verification speed would be likely to work with
> DNSSEC.  It sounds like they're paying a lot of attention to TLS in
> their algo evaluations, a lot less to DNSSEC or DKIM or other
> protocols.
>
> I'll see if I can get his slide on the key and signature sizes for the
> candidate algorithms to be roughly as strong as a 3K RSA key.  One of
> them would need a 500,000 bit key which makes me wonder what they were
> thinking.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>