Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Nico Williams <nico@cryptonector.com> Mon, 27 July 2015 20:29 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF991B33A7 for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 13:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQcpL962bl5s for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 13:29:28 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 9C95A1B33A2 for <saag@ietf.org>; Mon, 27 Jul 2015 13:29:28 -0700 (PDT)
Received: from homiemail-a31.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTP id 4B95120204C; Mon, 27 Jul 2015 13:29:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=qOnTs69p+v4Dtg CAbiKGQs57aXQ=; b=t1e8Ua9dB88+v8f5GVMupFuLGy8iPZfEDar+dSXNSOTwYj R/nllNaRxmt2lsJ22U9BCR/ohnBMWQN6u/DsVrfRx0g8FNy0JrlzwfTYyCNn2k8X kdDpP3VbJgOpSeLdp5rfMP5wmtovDPv2emlThX/5Jg3PvEPbu8efgEqgG1YRM=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a31.g.dreamhost.com (Postfix) with ESMTPA id BD9D7202043; Mon, 27 Jul 2015 13:29:27 -0700 (PDT)
Date: Mon, 27 Jul 2015 15:29:27 -0500
From: Nico Williams <nico@cryptonector.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20150727202926.GA29423@localhost>
References: <55A938F1.9090404@cs.tcd.ie> <CD936D80-BEA2-4918-828C-E3A392761EC5@gmail.com> <20150727194020.GD15860@localhost> <55B68C8A.3080006@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <55B68C8A.3080006@cs.tcd.ie>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/e7pffXLRSC5NWlngmzY1PYmL994>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2015 20:29:29 -0000

On Mon, Jul 27, 2015 at 08:54:50PM +0100, Stephen Farrell wrote:
> 
> Hiya,
> 
> <hats-off>
> 
> On 27/07/15 20:40, Nico Williams wrote:
> > The key thing is that weak crypto must not lead to real-time exploitable
> > downgrade attacks.
> 
> I think this nicely captures a point where we can have a real
> disagreement about OS.
> 
> I would prefer if we could agree that:
> 
>    OS use of weaker crypto must not allow feasible off-line
>    deciphering of ciphertext, no matter the adversary within
>    the likely duration for which the average plaintext is
>    sensitive.

Not quite right.  How about:

   OS use of weaker crypto must not make downgrade attacks feasible on
   non-OS implementations.  In particular the Logjam attack (or variants
   of it) must be infeasible.

   [Insert suitable reference to / description of the Logjam attack.]

Because even for OS applications, really, really weak crypto is still
better than cleartext (the identity function being the weakest crypto).

The key is that offering really weak crypto at all must not compromise
non-OS users of the same protocol.

> According to the above, 1DES and export ciphers would be completely
> out of the question. And rc4 is getting really really close.

In my construction the only crypto that's off-limits is that which
permits the Logjam attack.

> <hat-back-on>
> 
> I'm not sure we'll reach rough consensus on either side of this
> argument though so we may be reduced to silence on the hard part of
> the question.

Well, look, I made a specific argument as to OS being a migration
attempt that will be harmed by spurious failures.  That needs to be
addressed.  With that addressed, if we end up on the rough side then so
be it, but that argument must be acknowledged and addressed -- it would
not be right to just ignore it.

I'd go further: even if we decide to reject this argument, it should be
acknowledged in the I-D and the rationale for rejecting it should be
included, because implementors and future researchers/engineers may
benefit from having that argument and counter-arguments easily
available.

Nico
--