Re: [perpass] Howdy!
Jacob Appelbaum <jacob@appelbaum.net> Fri, 13 September 2013 10:27 UTC
Return-Path: <jacob@appelbaum.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1B221F9FB3 for <perpass@ietfa.amsl.com>; Fri, 13 Sep 2013 03:27:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4gJWicsCpO2 for <perpass@ietfa.amsl.com>; Fri, 13 Sep 2013 03:27:20 -0700 (PDT)
Received: from mail-ee0-f47.google.com (mail-ee0-f47.google.com [74.125.83.47]) by ietfa.amsl.com (Postfix) with ESMTP id B615621F9FAD for <perpass@ietf.org>; Fri, 13 Sep 2013 03:27:19 -0700 (PDT)
Received: by mail-ee0-f47.google.com with SMTP id d49so476591eek.34 for <perpass@ietf.org>; Fri, 13 Sep 2013 03:27:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:mime-version:to:cc:subject :references:in-reply-to:openpgp:content-type :content-transfer-encoding; bh=aEnLbF8JYFH5WnWcq732d0R/ayGtpENiUjPjGY28Etw=; b=dFekRSFG3b833aL7vPZPBHhp7yN9VeNP7ywiAGz+Rij316wu6GjFIrzHPJM+Ax2JRJ HxTAeksEsHIZrNgraU77YacT/UTBQcv00p7J3mJDzqGtbAwwcjfWE+/JTsPzYuXNZr4q q0yh++8RxPlC84bLylLmFzJMjbxa8VTaCO7Dk2eqkH17BpnE1Ma6MMnKe2L3LLeLWhOC n6XxM/Uqn+MHPzSyA1wXKKx+kMIYhmgE5yQmEultZyFnVN8HczQOb2FL/9DTS4koB9vm GethBbseA2Oj7zROvMzdd2WalGKwm6rr8vIJVYcEYNwSMyeVBAlu+tzN3bB/UjsYPhFh 6hhA==
X-Gm-Message-State: ALoCoQl8Wx+T2Ihc/1X7NE9j0Zmhu6nQu9UAsjHkxHaXX3RYwIJ/6CPkt7gad8CPuE5S/hTq0QLb
X-Received: by 10.15.99.72 with SMTP id bk48mr17435477eeb.22.1379068038736; Fri, 13 Sep 2013 03:27:18 -0700 (PDT)
Received: from 127.0.0.1 (tor21.anonymizer.ccc.de. [31.172.30.4]) by mx.google.com with ESMTPSA id b45sm13638811eef.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 13 Sep 2013 03:27:17 -0700 (PDT)
Message-ID: <5232D366.1000803@appelbaum.net>
Date: Fri, 13 Sep 2013 08:57:10 +0000
From: Jacob Appelbaum <jacob@appelbaum.net>
MIME-Version: 1.0
To: Theodore Ts'o <tytso@mit.edu>
References: <CAOHm=4ujOYTHO63EFWMYJBgxUWq00zezYKAJ8B4Vgf_C=xRRVg@mail.gmail.com> <5224DF25.60503@cs.tcd.ie> <7C92613E-33E8-48A6-A152-E9DBB29DEC04@softarmor.com> <522A328A.5060008@cs.tcd.ie> <522E17F9.4000206@bbn.com> <522F685B.8040106@gmx.net> <20130910185544.GF29237@thunk.org>
In-Reply-To: <20130910185544.GF29237@thunk.org>
OpenPGP: id=4193A197
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: perpass@ietf.org, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Dean Willis <dean.willis@softarmor.com>
Subject: Re: [perpass] Howdy!
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 10:27:25 -0000
Theodore Ts'o: > On Tue, Sep 10, 2013 at 09:43:39PM +0300, Hannes Tschofenig wrote: >> >>> 1) Everything SHOULD be encrypted, unless there is an absolute >> operational requirement not to. This means "encryption by default" >> in new protocols, and not even specifying unencrypted operations >> modes unless necessary.... >> >> I guess there are two issues here, namely: >> >> * End-to-end vs. Hop-by-hop (or stuff in between) >> >> * Encryption itself is often not the problem but rather the key management > > Also, perfect forward secrecy (PFS) versus non-PFS. If we are going > to make encryption a SHOULD or a MUST, so should be PFS. Even if the > key management is a problem, or worse, let's suppose the NSA has the > private keys for a number of the major CA's, if everything is using > PFS, then an attacker who is interested in doing bulk surveillance > will have to MITM all of the traffic. That will take a large amount > of power and cooling, so it becomes a lot more expensive to do bulk > surveillance, and it will also be much, MUCH harder to do it covertly > (you can't just hide a box in a telephone closet somewhere; but rather > racks and racks of servers at Tier 1 NAP's will be required). > I completely agree. I think that MUST is a reasonable requirement for core internet protocols. > OF course, there will be some things where encryption is simply not > needed, and but data integrity is is needed. Example: time (NTP) and > routing protocols. So we need to be careful how we specify MUST. :-) > I think this is a reasonable read but I'd like to encourage dissent here. Time is a very important part of almost all cryptographic protocols - if an attacker is able to distinguish queries about time from other queries, it allows the attacker to discriminate and thus to tamper with time related protocols. This is especially true when the system in question may not have a properly sync'ed clock. I hacked together a solution for network time that gives most of these properties - tlsdate ( https://github.com/ioerror/tlsdate/ ) - and it is used by ChromeOS rather than using the traditional NTP protocol. It has some downsides (32bit time rather than 64bit time resolution) but overall, it allows for all of the properties of TLS without any of the weird downsides of the ancient NTP protocol, of which there are many... As an example - DNSSEC requires a sync'ed clock and in theory, one argument goes: no one needs query privacy in DNSSEC, after all, one just connects directly so an attacker will learn what you learned anyway, right? However, one needs query privacy to ensure that an attacker cannot tell that your DNSSEC client is currently trying to learn the time, thus all other queries are vulnerable to a replay attack or worse. So really, query privacy, even for data that appears to only need integrity is really essential. Give the attackers nothing for free - make them tamper to get even a single bit of information more. This gives us agency to detect and to take counter actions. All the best, Jacob
- [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Stephen Farrell
- Re: [perpass] Howdy! Yoav Nir
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Stephen Farrell
- Re: [perpass] Howdy! Moriarty, Kathleen
- Re: [perpass] Howdy! Rene Struik
- Re: [perpass] Howdy! Stephen Kent
- Re: [perpass] Howdy! Hannes Tschofenig
- Re: [perpass] Howdy! Theodore Ts'o
- Re: [perpass] Howdy! Jacob Appelbaum
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Randy Bush
- Re: [perpass] Howdy! Phillip Hallam-Baker
- Re: [perpass] Howdy! Stephen Farrell
- Re: [perpass] Howdy! SM
- Re: [perpass] Howdy! Jacob Appelbaum
- Re: [perpass] Howdy! Norbert Bollow
- Re: [perpass] Howdy! SM
- Re: [perpass] Howdy! Phil Karn
- Re: [perpass] Howdy! Stephen Kent
- Re: [perpass] Howdy! Stephen Farrell
- Re: [perpass] Howdy! Dean Willis
- Re: [perpass] Howdy! Dean Willis