Re: IESG meeting thoughts

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 20 May 2016 16:05 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49AD812DD92 for <ietf@ietfa.amsl.com>; Fri, 20 May 2016 09:05:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nbSbVy4lpg2h for <ietf@ietfa.amsl.com>; Fri, 20 May 2016 09:05:12 -0700 (PDT)
Received: from mail-qg0-x235.google.com (mail-qg0-x235.google.com [IPv6:2607:f8b0:400d:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8AA312DD38 for <ietf@ietf.org>; Fri, 20 May 2016 09:04:15 -0700 (PDT)
Received: by mail-qg0-x235.google.com with SMTP id w36so62699910qge.3 for <ietf@ietf.org>; Fri, 20 May 2016 09:04:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=hdE8gMqSVee7WN3cFns0JvNoTAl9RK5TFzPhuQvoRA4=; b=VdA0BZblwmCvQHzThr0/tmwiEmZk8Gq+5BuzIQa5xdj3pqKndyj9cqReiY5RkMXxN2 RUpPLVB7fqIoxfp8hA6IoW6+xkhLhZn5Bhwzzu6Thf+zepqmsdf+3LsKUkocarM9NfFc d6Rg0+5xQ0MMxYaXzAKjN6d6s7x6XmRSkRgk/U8hUn2/LcRsa7UEo1heF//U26wSRc6F Gx0i5POAvWIBD1eMWH2Z3lKcy2Zwu6VY+nfFdUzrYRAYwrV08C2zBeasvm31TXCqC8VX ME2y1KLdNRPgnm39ZYwTrUVs/QgCo4ljW0zXaptGw+AFU528znhkjzWB2CnEy7XQO41f 8FuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=hdE8gMqSVee7WN3cFns0JvNoTAl9RK5TFzPhuQvoRA4=; b=SwhlxzYqIxmAw+/z4IR5oO+OsHLCQajd7Yl3Q0vHiwxPIERhm/EA2+tyvHM4R66q+S EDfrbEJXYbZGQ98II99zGPWgwoHBw2QvBy3aHyKzmVh6mbMlEUoAh9/PH2butRN1eaPw eidJfxIDEkDBE8/A+OEeLe7M5VAfxQP1RgtthmefsXDjklf/rc7IQQ1nbLuza+huV1fP 5YylGkkOjFE/kALJrc6mB3sL25DO8t1LtPnWRHSNbAUxyhqb5q8WYyTE4laRIDrz3f0r +HTuA4EJOZbnAqnTYTyOqSZx6bULppw134wIyi8awGiX0waqD8vCdTu54rUPCaeaswnh RbYA==
X-Gm-Message-State: AOPr4FXofyhUF7xuOBCD7137N454Xsf0DR76GGQrr7SJ9oOnIo2pd0/oHTEjfdZnToFXw/NSCMFrjFnRP7plJg==
MIME-Version: 1.0
X-Received: by 10.140.41.200 with SMTP id z66mr4083343qgz.20.1463760254693; Fri, 20 May 2016 09:04:14 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.55.25.105 with HTTP; Fri, 20 May 2016 09:04:14 -0700 (PDT)
In-Reply-To: <20160520041400.GG19530@localhost>
References: <1F81DAB9-AEE8-4250-B10D-C50E2FA66C3E@ietf.org> <573AE765.4010807@bwijnen.net> <573AEAFA.3000905@cs.tcd.ie> <5625.1463497891@obiwan.sandelman.ca> <ccc46108-1bad-02bd-4c38-bc111bbc8445@gmail.com> <573BA1F0.7000408@cs.tcd.ie> <CAMm+Lwjmj6YVv=0xgtpQOcacpz78ou+=wOVYErt2R3k12p+DJg@mail.gmail.com> <20160520041400.GG19530@localhost>
Date: Fri, 20 May 2016 12:04:14 -0400
X-Google-Sender-Auth: ytt7KCLr-x1xMMEZCEV_cg2xX7g
Message-ID: <CAMm+LwhF2gbCZFTgpHub=pPArgwLx0DYczhEeOkO4Fp7F2bVSw@mail.gmail.com>
Subject: Re: IESG meeting thoughts
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary=001a11c13b840477890533483ead
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/2c4JNsEGmUWD3S9HybFqUnc-USA>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "ietf@ietf.org list" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 16:05:21 -0000

On Fri, May 20, 2016 at 12:14 AM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, May 17, 2016 at 08:04:17PM -0400, Phillip Hallam-Baker wrote:
> > Crypto doesn't actually solve any of your security problems. Not one,
> > zilch, zero.
> >
> > What cryptography does is to reduce the size of your information security
> > problem. It can reduce it in size from megabytes or even terrabytes to a
> > 128 bit key or deciding whether or not to trust one of millions of Web
> > sites to whether or not to trust the 50 WebPKI CAs (or ICANN if you are
> > feeling really brave). But that is all cryptography does for you. It
> > reduces the size of your security problem.
> >
> > You still have to work out how to keep that key secure or make sure you
> > have the right trust anchor. Reducing problems in size is good but you
> > still have to solve them.
>
> Yes, indeed.  However, you can make HW that protects a small secret like
> that really well, and that's what the dust up between the FBI and Apple
> was about.  It turns out that Apple can make that HW even better, and
> they even might.  The better that piece of hardware, the more expensive
> to defeat it, the less likely it is that it will be defeated by
> criminals -- and tyrants, but also legitimate state actors; HW and SW
> doesn't know the difference.
>

The point I am driving at is that security is a property of the system and
the role of cryptography is to reduce the system to manageable size so that
the problem becomes solvable.

I think that during the cryptowars a lot of us, myself included got way to
invested in crypto and failed to see the broader picture. We also got
rather too invested in public key over symmetric. Yes, public key is cool
but it doesn't reduce the role of symmetric to being a mere support
infrastructure like we suggested in the 90s.



> Now, of course *convenience* is the achilles heel of any plan to secure
> even a small secret.  Thus we see courts demanding that people unlock
> their mobile devices (and why should this surprise anyone?  there's
> nothing special about crypto in this regard).
>

And I think Apple's approach is broken because they failed to put the
device beyond their power in the first place.

I am not going to pledge to go to jail rather than release the keys that
unlock the Mathematical Mesh. Nor am I going to pledge not to release the
keys if someone puts a gun to my head or my children's head.

Therefore to make the Mesh secure, I have to put it beyond my capability to
compromise it. That is the approach Apple should have taken.


What that leaves of course is the possibility of a backdoor built into the
hardware or the algorithms. A choice of DH modulus that has been cracked,
an RNG that is broken. But those types of backdoor would greatly compromise
everyone's national security, including the US. 99% of the civil service
would end up using the compromised devices which are made in China anyhow,

That said, see the techniques I demonstrated for hardening key generation.



> But dead people don't care about convenience, which is how one murderous
> terrorist bastard managed to single-handedly greatly increase the tempo
> of the current crypto war.  One wonders whether that was their plan!
>

I doubt it. They physically destroyed all the phones that they might have
used in their attack.

The 1990s cryptowar was led by the NSA. I have recently spoken to people
who are in the very top ranks of that organization and I really do not
think they are leading the effort this time. What worries them today is
that they are losing the defensive side of cyber-engagement. Whatever
happens, US cyber command is never going to disable or destroy an ISIS
nuclear power plant because they haven't got any. We have hundreds and they
are all connected to the net in multiple ways in spite of all the airgap
requirements.



> The important thing is to provide a clear and correct understanding of
> the issues to the bureaucrats and politicians, and also of the
> trade-offs implied by any proposed policy.  And the public too (but
> that's much harder).
>

Well my contribution there is that I will shortly be giving a course
'Cryptography for Everyone'. It looks like the live course is
oversubscribed but the material will be on the Web as a series of free
podcasts.

First thing is to set the baseline for what cryptography is about. Yes we
all learn C.I.A. stands for Confidentiality, Integrity and something
starting with A.

But currently it takes us a decade of experience in the field to understand
that security is really all about integrity, not confidentiality and then
another decade to realize that it is availability.