IETF Logo Mail Archive

Re: [saag] PQC in ZRTP (RFC6189) and hybrid KEM

Jon Callas <joncallas@icloud.com> Tue, 23 November 2021 23:06 UTC

Return-Path: <joncallas@icloud.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD1753A08D9 for <saag@ietfa.amsl.com>; Tue, 23 Nov 2021 15:06:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PY5MU2DLpS79 for <saag@ietfa.amsl.com>; Tue, 23 Nov 2021 15:06:06 -0800 (PST)
Received: from mr85p00im-ztdg06021201.me.com (mr85p00im-ztdg06021201.me.com [17.58.23.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BF353A08D6 for <saag@ietf.org>; Tue, 23 Nov 2021 15:06:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1637708765; bh=vBKiMTlE5GgzxCpDcVyAib+yA30yp9lkR+TEt+eyCHg=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=mhOWUXmvJrVBrQnUzpCXtE7PIs4pzC2Zfo65Eu6sKTYinIkRnMdIVPIF6T4FJl/tP ZNJyniiZnZa/Nd6i2nLy5nWctYB+reEdb2/RGWT0yohvQx4bCDxZNOh5APQzMSGBcC ykxOf6HYu0aAlhgCCR+h0xNI2euxGMAT79Lt1SV553Z8hIAUGIjFWXVZm7KBGy6KBl W6L6vAgxAZlSUUcg3UT/h+N967LFwMKyHSK5GbSA/B84Bptu8vu8YkbUsjNi6AQr+A lFc93scz67ZUgiOiZKMxebv7Odx6FDq3MjVyRipQc1pz463WpY8Ywxs0lMFE5rY8BY wivWrlog7cmuw==
Received: from smtpclient.apple (70-228-76-163.lightspeed.sntcca.sbcglobal.net [70.228.76.163]) by mr85p00im-ztdg06021201.me.com (Postfix) with ESMTPSA id 596D51203F3; Tue, 23 Nov 2021 23:06:03 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.20.0.1.32\))
From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <CABcZeBPyNzj5NMZbSqEEJ2tdrRWvtOrtnuSvF8WdJvNoJuWYFA@mail.gmail.com>
Date: Tue, 23 Nov 2021 15:06:02 -0800
Cc: Jon Callas <joncallas@icloud.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, IETF SAAG <saag@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB80DFB7-90DE-4688-9F44-927C65FBA6F3@icloud.com>
References: <0c359a65-386e-8c09-4c8f-9cefb066cffc@linphone.org> <CABcZeBPME1Eos8SFQdmAGRP5smn=bfAdPVOTrxF10nU3wkEbeA@mail.gmail.com> <B8A00186-3F5E-4075-8244-B4B9F069BD5B@csperkins.org> <f0aaeb33-0bf7-c5e0-5df3-d251a4c24b9f@linphone.org> <CABcZeBNb4qEJscEHb44PjrHEQKs08R6vCZfFM0HWk67OLMZykA@mail.gmail.com> <20211123062712.GB93060@kduck.mit.edu> <CABcZeBNaiQuod2hsm0-Lm68zTiOvZnK+f8FygNuN9_KEPCZvhA@mail.gmail.com> <DBBPR08MB5915BA7BF9B7D3E115B974DBFA609@DBBPR08MB5915.eurprd08.prod.outlook.com> <CABcZeBPyNzj5NMZbSqEEJ2tdrRWvtOrtnuSvF8WdJvNoJuWYFA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3693.20.0.1.32)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.0.607.475.0000000 definitions=2021-11-23_08:2021-11-23_01,2021-11-23_08,2020-04-07_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 adultscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 clxscore=1011 phishscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2111230112
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/vlOb_fW1RUyISBR06X5Dv-mgG_4>
Subject: Re: [saag] PQC in ZRTP (RFC6189) and hybrid KEM
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Nov 2021 23:06:11 -0000


> On Nov 23, 2021, at 08:20, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I think at this point we have fairly strong evidence that of in-band confirmation of SAS codes is fairly subject to impersonation via modern voice synthesis techniques.
> 

I don't quite know how to respond because on the one hand, yeah, deep fakes are only going to get better but it's not like that's a problem unique to ZRTP.

This is a place where I've always diverged with my co-authors, and think that the SAS isn't really as cool as they think it is.

However, when one argues against the SAS, there are a number things to keep in mind, because their over-enthusiasm for it tends to distort how to think about it.

In my opinion, the best thing about ZRTP is not the SAS, but its key continuity aspects. Key continuity between calls lets you know a useful thing: that the end point you're talking to now is the same endpoint you were talking to before. Regardless of how you verify the authentication with SAS or whatever, we know this from the cryptography.

This is subtle, because you can verify a call at the beginning. Or you can talk with someone and then decide you want to verify. Or you can end the call, call them back, and then verify. This flexibility makes the attacker's job a lot harder. They can't just spoof the authentication and go away, the spying infrastructure they create has to be brought up and kept active throughout a *history* of calls. This means especially that a deep-faked attacker has a hard job ahead of them.

Another thing to remember is that the SAS doesn't *have* to go through the voice channel. My co-authors, in their enthusiasm, can distract someone from using another mechanism. Sure, if the only thing you have is a voice line and nothing else, it's fine. That's not a MUST, though, it's a MAY. You can use whatever texting system you have (even SMS) with a high degree of security because it's out-of-band from the voice. I know that last flourish I made about SMS is going to annoy some people, so yeah! Use your favorite MLS messenger to send the thing securely. That works too. However, unless you verified *that* transaction by reading off its fingerprint through an out-of-band channel, then it's just as insecure as the ZRTP connection or even the SMS.

And this brings me to the last bit. The reality is that people don't verify connections. Humans just plain suck at that. I can't remember the last time I verified a Signal safety number. Most people I now kinda joke about them, especially in long-standing group chats where someone seems to be getting a new phone all the time.

It's important that we not fall into the security nihilism of saying that verification is hard, therefore this thing is worthless. The verification problem exists throughout most of our systems, not just ZRTP. I probably use a dozen WebRTC sessions a week that never really verify themselves, and for all we know have some totally YOLOed self-signed cert underneath, if anything at all.

The SAS is nice. It's cute. It's got value to it, just not what its proponents are so enthusiastic about. Key continuity is much better because it places a burden on an attacker. And in the real world, we seem to do just fine with a gazillion protocols that don't verify their trust anchors, or create a turtle-tower that extends out of sight.

	Jon

v2.23.0 | Report a Bug | By Email