RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 29 January 2016 06:57 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Mark D. Baushke" <mdb@juniper.net>, "ietf-ssh@NetBSD.org" <ietf-ssh@NetBSD.org>, Niels Möller <nisse@lysator.liu.se>, Damien Miller <djm@mindrot.org>, denis bider <ietf-ssh3@denisbider.com>, Jeffrey Hutzelman <jhutz@cmu.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Jon Bright <jon@siliconcircus.com>, Simon Tatham <anakin@pobox.com>
Subject: RE: draft-baushke-ssh-dh-group-sha2-01 (was Re: DH group exchange)
Date: Fri, 29 Jan 2016 04:27:43 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4BDB868@uxcn10-5.UoA.auckland.ac.nz>
References: <95389.1452676866@eng-mail01.juniper.net>, <96437.1453915164@eng-mail01.juniper.net>
In-Reply-To: <96437.1453915164@eng-mail01.juniper.net>

mdb@juniper.net <mdb@juniper.net> writes:

>I just noticed that the Information Assurance Directorate at the NSA has a
>new article on 'CNSA Suite and Quantum Computing FAQ' ... their URL is
>
>https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm

My response to this, on the CFRG list, was:

>On the QC stuff. Of course we have to start looking at that now. But I think
>we need to look at the problem on two separate tracks:
>
>1) Find a public key algorithm that resists QC using Shor's algorithm.
>2) Find a mechanism that makes symmetric key feasible in place of public.

You forgot step 0:

0) Figure out whether any of this stuff is actually necessary

This is just a bunch of random numbers pulled out of thin air, just as Suite B
was in its day, and CCEP was before that.  There's no empirical argument
supporting any of this, just a huge what-if.  For all we know the entire
document could have come about from a barroom bet, "Well Bill, you had them
chasing the Suite B white elephant, Dave got them really good with Dual-EC,
now it's my turn to see how high I can make them jump.  And best of all, TAO
will love me for it because they'll have to throw out most of their already-
deployed, partially-patched-up infrastructure and start again, leading to lots
of new exploitable mistakes and errors".

If you're worried about QC, why aren't you worried about TWINKLE/TWIRL, which
is at least as feasible, if not more so, than QC, and has been around much
longer?

If the NSA wants to put forward a new white elephant to supplant Suite B and
the rest, hand them a can of paint and point them at the nearest zoo.  In the
meantime I'll stick with addressing problems that are actual problems, there's
more than enough of those to go round.

Peter.