Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 27 July 2015 20:48 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 293DC1B33C4 for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 13:48:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLGT-lxRMPUD for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 13:48:11 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFBFA1B33C0 for <saag@ietf.org>; Mon, 27 Jul 2015 13:48:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8F002BEA0 for <saag@ietf.org>; Mon, 27 Jul 2015 21:48:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQ-IlUAkWTuV for <saag@ietf.org>; Mon, 27 Jul 2015 21:48:08 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.19.103]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 63F21BE98 for <saag@ietf.org>; Mon, 27 Jul 2015 21:48:08 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1438030088; bh=CHymPyr2hpVuOdv3d9VXzBvV52l3lv4Cs22iPj2vr80=; h=Date:From:To:Subject:References:In-Reply-To:From; b=UV3UZbZSUNKU6Q/r3onM9k6UEPfISIwZQ4EEChb0CKCj9l691mAISR6UFk7ZwVRZj oBT55jXjNVRkj+ASJyRrpObzFjNF/bCsKDkHz3xpK+gkySqMy54Ft9Pi4jpiFO6yF8 fdWmYofXoM0umWVmovusRNFzY4gDrwYFSKFAu8Ag=
Message-ID: <55B69908.2030803@cs.tcd.ie>
Date: Mon, 27 Jul 2015 21:48:08 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: saag@ietf.org
References: <55A938F1.9090404@cs.tcd.ie> <CD936D80-BEA2-4918-828C-E3A392761EC5@gmail.com> <20150727194020.GD15860@localhost> <55B68C8A.3080006@cs.tcd.ie> <20150727203136.GL4347@mournblade.imrryr.org>
In-Reply-To: <20150727203136.GL4347@mournblade.imrryr.org>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/08oj69koQR9Uoo4JinpmNDUplUE>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2015 20:48:12 -0000

I'm not trying to argue against you or Nico but just to be
clear...

On 27/07/15 21:31, Viktor Dukhovni wrote:
> I expect that by the time an algorithm supports practical
> general-purpose offline plaintext recovery (which is a stronger
> attack than the RC4 recovery of fixed plaintexts at fixed message
> offsets sent millions of times) it will generally no longer be in
> wide use, or will be in the process of rapid retirement.

IMO, rc4 should already be consider unacceptable as I reckon
the probability of a full break whilst many ciphertexts are
still sensitive is too high. I still think that even given the
situation with email.

One difference between our positions is that I'm considering
the duration for which many plaintexts are likely still sensitive
and not only immediate decryption today (which is how I read you
and Nico's text).

Put another way, if we all agreed that rc4 can likely be routinely
deciphered in N years and if we further agreed that there are a lot
of plaintexts that will still be sensitive in N years, then there is
no great difference today between sending cleartext and rc4
ciphertext, when we consider highly capable adversaries who record
ciphertext, and we know those exist even if we do not know quite
how much ciphertext they record, for how long.

But I do recognise that there's enough scope in all of the above
for genuine differences of opinion and there is no certainty in
any of it, so we may have to live without consensus at that level
of detail.

S.