Re: [Trans] Call for adoption, draft-linus-trans-gossip-ct
Ben Laurie <benl@google.com> Thu, 22 October 2015 14:46 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04C631B3895 for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 07:46:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_pdNKpInX-m for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 07:46:50 -0700 (PDT)
Received: from mail-yk0-x231.google.com (mail-yk0-x231.google.com [IPv6:2607:f8b0:4002:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FD371AD04E for <trans@ietf.org>; Thu, 22 Oct 2015 07:46:50 -0700 (PDT)
Received: by ykaz22 with SMTP id z22so85024281yka.2 for <trans@ietf.org>; Thu, 22 Oct 2015 07:46:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=oXD+AXTn+xyZ9jrXGYZBVxsJYYs76R/iBv0W9iPFBI0=; b=Rd6vhqgzo4JsWG7kDCvFn13HJUXZC4anSsv5wBSN8yyR5mSGzzO99DRZxHXjOFjZcr U6qIsH8tKdHEWfI1wZxIHcGOWvGaaNf8w7F0YC0SBfnRJ0jLCpz02XsF2n906+7TRDT3 jMsXszyhVMPghEha2NbqoVdLsGN/eOsEUzSaMWu0aWyE9m5jo7SvV6c1EZ2whwUTT1Ew Pc7hXGqDsZCTs3y4HF7sx1tftJ5MeFtqhT7ut2eb/nsgpOwq4NuE9iymAfITVjWE2AR/ WiQm3oxEi1pHlCC4Ao4mSfHxAh+JNJF7KaiWtM+EwyH7Xe7ZCzKuVPOXnNCogE/BNv6G L2EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=oXD+AXTn+xyZ9jrXGYZBVxsJYYs76R/iBv0W9iPFBI0=; b=C7bU0IM1PK58kWQst5hmPv+O724YInStcYKsD18mv7sGQyx97mUU/VakTbtlWhAMs/ 5Bvn5smL9Oqa0P3a/pl8sUgbUeivJtxHY7/E3qfcV0pYeQHN1OQuyGgnxHFHm8ihymKq wG1WUlQynLONNXov62X3cfiZf2v3tR/rGs+iabeBin4dLqgwSbIUt6WU6+MzHm78rBrt dH6qDQjLuUJUtILzHAToJC5bEzW6aN0PkUT5sUT4wjChC2itF/Z2E9QzEZ4NkBf+5B1r dOS2rFBe97h2bn5UKzzxMlKGQ1y7v1t26QLuysicyhon7sgA4BN0Kzbqzkt+G6Nn3nWX 5AfQ==
X-Gm-Message-State: ALoCoQmrVaUuiv7ydi9TviHO/rB32V6vxFkRkpDTITWe5KseSdWB/R33EndaQ3TW0upz7U6fo3Vf
X-Received: by 10.13.204.73 with SMTP id o70mr12235021ywd.337.1445525209710; Thu, 22 Oct 2015 07:46:49 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.1690.1439201229.3844.trans@ietf.org> <ED9E26F0-C141-4E92-AE5F-AEBDADB737ED@gmail.com> <CABrd9SQ30+P1WggtGWs5OE0xdpTgh1Pncm0zzgnfq7ePrjWN7Q@mail.gmail.com> <F14789ED-CE96-4CEF-BE55-849D1A308A63@gmail.com>
In-Reply-To: <F14789ED-CE96-4CEF-BE55-849D1A308A63@gmail.com>
From: Ben Laurie <benl@google.com>
Date: Thu, 22 Oct 2015 14:46:40 +0000
Message-ID: <CABrd9SSjQQXbPiep4K--sraSmhRT_r2iNkSdb1-NChm9XPZENA@mail.gmail.com>
To: Bryan Ford <brynosaurus@gmail.com>
Content-Type: multipart/alternative; boundary="001a11481d4aa3d4680522b2905e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/wgEzcgj_oa6aAtDtMDQLKBot-Mw>
Cc: trans@ietf.org
Subject: Re: [Trans] Call for adoption, draft-linus-trans-gossip-ct
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 14:46:54 -0000
On Thu, 22 Oct 2015 at 14:45 Bryan Ford <brynosaurus@gmail.com> wrote: > On 22 Oct 2015, at 12:16, Ben Laurie <benl@google.com> wrote: > > On Thu, 22 Oct 2015 at 10:18 Bryan Ford <brynosaurus@gmail.com> wrote: > > Yes, it’s a numbers game: the number of co-signers (e.g., SCTs in this >> case) is effectively a type of security parameter, and the numeric value of >> such a security parameter is important. The security difference between >> 56-bit DES encryption and 128-bit AES encryption has just as much to do >> with the increased key length as with the algorithmic changes (though of >> course key size is a very different kind of security parameter; I wouldn’t >> want to push that analogy far). >> >> For the most security-critical parts of Internet infrastructure I >> personally, at least, would be much more comfortable with a “certificate >> co-signing security parameter” in a ballpark of 51 than a security >> parameter value of 1 or 3. ;) >> > > You are not comparing apples with apples - we choose a small number of > logs that cannot lie without risking detection. You choose a large number > and hope the majority are honest. If they choose to collude, they can get > away with it. > > > With gossip, a colluding group can just as easily collude to lie without > risking detection, for example by refusing to gossip with honest nodes, > If the victim is also colluding, then they're not really a victim... > or by presenting one consistent view of reality to the well-connected set > of honest nodes (honest monitors, auditors, etc.) and another consistent > but different view of reality to any less well-connected participants that > the colluding group can keep separated from the well-connected participants. > I agree that partitioning is a problem for gossip - however, I also think that in the long run it is very hard to keep your victims partitioned. > > On the other hand, the attacks that gossip *can* detect are just as > readily detected in the collective signing approach, because the > communication process required to produce the collective signature provides > as a side effect the same information-distribution properties that gossip > does, just in a more structured fashion. In order to collect and aggregate > the parts of the collective signature the leader must communicate the > message to be signed to all the participants, and those signature > components it collects cannot be used to create a valid collective > signature if any pair of honest nodes involved in the signing process > disagree on what message is being signed. > I don't agree - gossip is something anyone can participate in - I don't think that's true for co-signing. With co-signing, you have an elite who can elect to deceive the masses. There is no elite in gossip. > > In a gossip setting, the colluding group can refuse to talk with honest > participants, but those participants will be able to notice and complain. > In a collective signing setting, the colluding group can selectively leave > all or a selected subset of honest participants out of signatures, but > those honest participants will be able to notice this and complain, in > exactly the same way as for gossip. > > Moreover, the collective signature (at least the way we do it) leaves a > precise and unforgeable public record of exactly which participants were > and were not present and contributing to the signature in each signing > round. If the leader has committed to using a particular group of > co-signers but regularly omits a bunch of them from its collective > signatures - even though those co-signers seem to be getting along fine > with other authorities (e.g., other log servers) also using them for > collective signing - then both those co-signers and all clients who see the > resulting collective signatures have every opportunity to notice and ask > questions. In contrast, gossip does not inherently produce any > third-party-verifiable record of which nodes were present or absent, or > able or unable to connect and gossip, at any given time. So in this > respect, collective signing seems to provide the same (strong though > imperfect) detection capabilities, together with significantly greater > transparency in terms of the public record it leaves behind. > > Chrome's current policy is here: >> http://www.chromium.org/Home/chromium-security/root-ca-policy/EVCTPlanMay2015edition.pdf >> . >> >> We don't have any plans to change those numbers at present. >> >> >> Thanks, I hadn’t seen that document before. So it looks like the >> “absolute minimum” number of SCTs required is 2, which is certainly better >> than 1 but still (to me anyway) a worryingly small number. Compounding >> this, I notice that the first three log servers on the current list are run >> by Google (and in particular by one particular team at Google :) ), >> effectively presenting a “one-stop shop” for any adversary who might for >> whatever reason want to acquire the private keys of two CT log servers so >> as to be able to (for example) silently MITM-attack CT-enabled Chrome >> clients. >> > > This is why you need gossip, of course - to make this kind of attack > non-silent. BTW, you also need a CA as well as two logs. And once you get > caught, they become valueless. Oh, and, Google is not a one-stop shop, even > for logs, because the policy requires at least one SCT to not come from > Google. > > > Missed that proviso on first read, thanks. > > That aside, I do not disagree with the core idea. I wonder about its >> practicality. For example, currently we require STHs to be produced on a >> regular basis, which is necessary to ensure good behaviour. If we went to a >> multi-signing approach, and an STH was not produced on time, who would we >> blame? What would we do about that, in practice? Seems to me everyone >> involved could point fingers at everyone else. How would you address that? >> >> >> Agreed that this is an important question, hopefully addressed above: the >> log server need not necessarily allow its availability to be “held hostage” >> at all, and instead client policy could (independently) determine how many >> missing co-signers the client is willing to tolerate. >> > > Which allows the log server to misbehave and claim its co-signers were > unavailable. > > > Which would be just as immediately noticeable as if a colluding group of > log servers were to stop gossiping with non-colluding nodes and claim all > of them are unavailable. > > Whereas increasing m, the number of signers per log server, can only >>> increase security, assuming the multi-signing protocol/crypto itself isn’t >>> broken. >>> >> >> Aside from my problem above, at least one other obvious issue with >> increasing the number of signers, is you also increase latency (I suspect) >> and decrease reliability. >> >> >> Yes, you increase latency, but in our experiments we get under 5 secs of >> latency for 8,000 signers; it seems hard to imagine that being a difficulty >> for a latency-tolerant activity like signing STHs that happens at periods >> counted in minutes. >> > > Is that 8,000 geographically distributed signers? > > > Since unlike some companies ( ;) ) we don’t have 8,000 physically > geographically distributed machines we can allocate on demand to > experiments, we used 8,000 processes distributed over a DeterLab virtual > network topology that imposes 100ms RTT delays on network communication, in > order to simulate a geographically distributed network. Perhaps we should > be using 200ms or 300ms rather than 100ms RTTs to simulate a “truly global” > network (mental note to self for future experiments), but the current > 2-second signing latencies we’re getting now aren’t going to become 10 > minutes even if the underlying latencies are doubled are tripled. > > Also, our experiments are pessimistic in the sense that because we don’t > have 8,000 separate physical machines, each physical machine is running > many virtual participants, so the signing latencies we’re seeing are > despite all the participants being artificially overloaded. I conjecture > that the plot on page 35 of the slides below might stay a lot flatter > toward its right end (e.g., after 1024 participants or so where you can see > it curve upward) if those were real machines not overloaded by experimental > artifacts. But I don’t at the moment have the testbed I would need to > confirm that conjecture. ;) > > http://dedis.cs.yale.edu/dissent/pres/151009-stanford-cothorities.pdf > > Cheers > Bryan > > >
- [Trans] Call for adoption, draft-linus-trans-goss… Melinda Shore
- Re: [Trans] Call for adoption, draft-linus-trans-… Salz, Rich
- Re: [Trans] Call for adoption, draft-linus-trans-… Eran Messeri
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Dmitry Belyavsky
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- [Trans] Fwd: Call for adoption, draft-linus-trans… Melinda Shore
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Salz, Rich
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Tim Wicinski
- Re: [Trans] Fwd: Call for adoption, draft-linus-t… Leif Johansson
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- Re: [Trans] Call for adoption, draft-linus-trans-… Karen Seo
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Tom Ritter
- [Trans] CT "Lite" idea (was Re: Call for adoption… Rob Stradling
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie
- Re: [Trans] Call for adoption, draft-linus-trans-… Bryan Ford
- Re: [Trans] Call for adoption, draft-linus-trans-… Ben Laurie