Re: HTTP/2 and Pervasive Monitoring

"Poul-Henning Kamp" <phk@phk.freebsd.dk> Wed, 20 August 2014 18:40 UTC

To: Martin Thomson <martin.thomson@gmail.com>
cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

--------
In message <CABkgnnVvm6vz=Tcv2n9YtH13E9-AUgdyXVY5RxLvmKkCcNSpgg@mail.gmail.com>, Martin Thomson writes:
>On 20 August 2014 00:29, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

>> I don't think the algorithm matters, as long as it's not buggy, the
>> bruteforcing will be done against the keys used.
>
>Let's go with this and run with it a little.  Assume that you are
>using AES-GCM or something like it.  That's 2^64 decryptions to get a
>50/50 chance of success.

Last I looked AES had 128 bit and larger keys, so that would be 2^127 ?

If you are proposing running it with reduced key size of 64 bits,
I presume the number would be 2^63 ?

But let's take your $170K @ 65 bit key length estimate.

If I scale that down to 32bit key length, I get 2e-5 USD, which is
pretty close to my way of estimating it:

One processing unit at 4GHz can do two 32 bit keys a second and costs
$200 a year, everything included giving 3e-6 USD per key.

Your 1e-10 number I cannot find any basis for.

>USD170K might be OK, depending on what you concern yourself with.

And you seem to concern yourself with one particular user's privacy ?

That is not the topic: the topic is Pervasive Monitoring, ie: the
ability to look at (essentially) *all* traffic at little or no cost.

The Snowden leaks have the cost of the current collection at only
USD 20M.  (A number which many people don't believe is comprehensive.)

If you add 1 microdollar per HTTP connection to that, their cost
will at least double at a monitoring rate of just 650.000 connections
a second.

Is that enough ?  Maybe, maybe not.

The architecture we have been able to divine from the Snowden docs
tells us it would hit them at a very inconvenient point:  First
level triage sorting.

As I've said from the beginning:  We can argue about these numbers,
and other people than me will have better basis for deciding them.

But what is clear is that *long* before the cost of breaking the
encryption on a single HTTP connection increases to a full dollar,
Pervasive Monitoring will have ceased, and only a tiny targeted
fraction of all the traffic will be monitored.

Summary:

To stop PM, we don't need unbreakable crypto, we just need crypto
which is sufficiently expensive to break.

Too expensive to break for PM can be cheap enough to deploy for
emergency services, news and porn.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
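
The cost arithmetic in the message above, reproduced as an added example (not part of the original e-mail or written by its author). It assumes a 365-day year and that exhaustive key search cost doubles with each key bit; the function names are hypothetical. It also goes one step beyond the message by solving for the key length at which a given per-connection cost is reached.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def scale_cost(cost_usd, from_bits, to_bits):
    """Rescale a brute-force cost estimate to another key length.

    Model assumption: exhaustive search cost is proportional to 2**bits.
    """
    return cost_usd * 2.0 ** (to_bits - from_bits)


def cost_per_key(unit_cost_per_year, keys_per_second):
    """USD per broken key for one processing unit kept busy all year."""
    return unit_cost_per_year / (keys_per_second * SECONDS_PER_YEAR)


def annual_cost(cost_per_connection, connections_per_second):
    """Yearly cost of breaking every connection at a given monitoring rate."""
    return cost_per_connection * connections_per_second * SECONDS_PER_YEAR


def min_bits_for_cost(target_usd, ref_cost_usd, ref_bits):
    """Smallest key length whose per-key break cost reaches target_usd,
    given a reference cost at ref_bits and the 2**bits scaling above."""
    return ref_bits + math.ceil(math.log2(target_usd / ref_cost_usd))


if __name__ == "__main__":
    # Figures quoted in the message: $170K at 65 bits, a $200/year unit
    # doing two 32-bit keys per second, 1 microdollar per connection at
    # 650,000 connections per second, and a USD 20M collection budget.
    scaled = scale_cost(170_000, 65, 32)
    per_key = cost_per_key(200, 2)
    added = annual_cost(1e-6, 650_000)
    print(f"$170K @ 65 bits scaled to 32 bits: {scaled:.2e} USD")
    print(f"$200/year unit, 2 keys/s:          {per_key:.2e} USD per key")
    print(f"1 uUSD/conn at 650k conn/s:        {added / 1e6:.1f}M USD per year")

    # Generalisation: key lengths at which the per-connection cost matters.
    budget_per_conn = 20e6 / (650_000 * SECONDS_PER_YEAR)
    print("bits to double a 20M budget at 650k conn/s:",
          min_bits_for_cost(budget_per_conn, per_key, 32))
    print("bits for a full dollar per connection:",
          min_bits_for_cost(1.0, per_key, 32))
```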