Re: [cryptography] the spell is broken

2013-10-05 Thread Alan Braggins

On 04/10/13 22:58, Jeffrey Goldberg wrote:
> On 2013-10-04, at 4:24 AM, Alan Braggins alan.bragg...@gmail.com wrote:
>
>> Surely that's precisely because they (and SSL/TLS generally) _don't_
>> have a One True Suite, they have a "pick a suite, any suite" approach?
>
> And for those of us having to choose between preferring BEAST and RC4
> for our webservers, it doesn’t look like we are really seeing the expected
> benefits of “negotiate a suite”.  I’m not trying to use this to condemn the
> approach; it’s a single example. But it’s a BIG single example.

Well yes, for most browsers and servers it's "pick a suite - sorry, we
haven't added AES-GCM yet, you have a choice of one flawed stream cipher
or a load of block ciphers all in flawed MAC-then-Encrypt mode".

I wasn't suggesting that this choice is a huge benefit over picking One
True Suite, just commenting on how Firefox comes to pick Camellia.

(The supposed agility does mean that when people get round to
implementing TLS 1.2 and AES-GCM, or if Salsa20 gets added, it can be
used without having to define a new One True Suite. But that only helps
if new suites actually get adopted before attacks are found on all the
old ones. And if an attacker can't easily force a downgrade to SSL3.0
without the user being warned.)


___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] the spell is broken

2013-10-05 Thread ianG

On 4/10/13 10:52 AM, Peter Gutmann wrote:
> Jon Callas j...@callas.org writes:
>
>> In Silent Text, we went far more to the one true ciphersuite philosophy. I
>> think that Iang's writings on that are brilliant.
>
> Absolutely.  The one downside is that you then need to decide what the OTS is
> going to be.  For example Mozilla (at least via Firefox) seems to think it
> involves Camellia (!!!?!!?).


Thanks for those kind words, all.  Perhaps some deeper background.

When I was writing those hypotheses, I was very conscious that there was
*no silver bullet*.  I was trying to extrapolate what we should do in a
messy world.

We all know that too many ciphersuites is a mess.  We also know that
only one suite is vulnerable to catastrophic failure, and two or three
suites is vulnerable to downgrade attacks, bugs in the switching, and
expansion attacks in committee.

A conundrum!

Perhaps worse, we know that /our work is probably good/ but we are too
few!  We need ways to make cryptoplumbing safe for general software
engineers, not just us.  Not just hand out received wisdom like "use
TLS" or "follow NIST".  If we've learnt anything recently, it is that
standards and NISTs and similar are not always or necessarily the answer.

There are many bad paths.  I was trying to figure out what the best path
among those bad paths was.  From theory, I heard no clarity, I saw noise.

But in history I found clues, and that is what informs those hypotheses.


If one looks at the lifecycle of suites (or algorithms, or protocols, or
products) then one sees that typically, stuff sticks around much longer
than we want.  Suites live way past their sell-by date.  Once a
cryptosystem is in there, it is there to stay until way past
embarrassing.  Old algorithms, old suites are like senile great-aunts,
they hang around, part of the family, we can't quite see how to push
them off, and we justify keeping her for all sorts of inane reasons.

Alternatively, if one looks at the history of failures, as John Kelsey
pointed to a few days ago, one sees something surprising:  rarely is a
well-designed, state of the art cryptosuite broken.  E.g., AES/CBC/HMAC
as a suite is now a decade old, and still strong.

Where things go wrong is typically outside the closely designed
envelope.  More, the failures are like an onion:  the outside skin is
the UI, it's tatty before it hits the store.  Take the outer layer off,
and the inner is quite good, but occasionally broken too.  If we keep
peeling off the layers, our design looks better and better.

Those blemished outer onion layers, those breaks, wherever they are,
provide the next clue in the puzzle.  Not only security issues, but we
also have many business issues, features, compliance ... all sorts of
stuff we'd rather ignore.

E.g., I'm now adding photos to a secure datagram protocol -- oops!  SSL
took over a decade for SNI, coz it was a feature-not-bug.  Examples
abound where we've ignored wider issues because it's SOPs,
Someone-Else's-Problem.

Regardless of what we think or want, if we are really being responsible
for the end-user result, we would be faced with pressures to do
wholesale fixes.  And these fixes will come more from the outside of the
onion than from inside.  Therefore, I claim:

   The cryptoplumber will be pressured to replace the system
   well before needing to replace any particular crypto component.

Add in more issues:  Resources -- I haven't got a team to spend on
tweaking.  Better knowledge over time -- we know so much more now.
Incompatibility nightmares.  Then, it becomes clearer that the big
picture is rarely about a cryptosuite, it's about the whole darn system.


Hence, I say:

   Plan on replacing the whole lot, when it is needed.

Which leads to the corollary:

   Do a good job:  make it Good as well as True!

And you likely won't need a second.  And another corollary:

   Prepare the next generation in background time.
   In your sleep, on the train, on honeymoon...
   Be advanced, be ready!

In the rarest of circumstances that you do need to replace a
cryptosuite, just replace the whole darn lot.  It'll be about time, anyway.


> One True Suite works until that suite is no longer true, and then you're left
> hanging.
>
> One way to deal with this that got discussed some time ago over dinner (dining
> geeks, not cryptographers) is to swap at random among a small number of
> probably-OK suites and/or algorithms, a sort of probabilistic-security defence
> against the OTS having a problem.  It's not like there's a shortage of them
> in... well, SSH, SSL/TLS, PGP, S/MIME, etc, anything really.


For some reason, I'm wondering what the optimal method for a random
shuffle of dinner choices/plates is, and how the vegetarians are going
to respond...




iang


Re: [cryptography] the spell is broken

2013-10-05 Thread Jeffrey Walton
On Sat, Oct 5, 2013 at 3:13 PM, Erwann Abalea eaba...@gmail.com wrote:

 2013/10/4 Paul Wouters p...@cypherpunks.ca

 [...]
 People forget the NSA has two faces. One side is good.  NIST and FIPS
 and NSA are all related. One lesson here might be, only use FIPS when
 the USG requires it. That said, a lot of FIPS still makes sense. I'm
 surely not going to stick with md5 or sha1.


 We're still using HMAC-SHA1 for most TLS ciphersuites, RSA(MD5||SHA1) for
 TLS signatures (until TLS1.2), and RSA(SHA1) to sign (EC)DHE parameters.
 SHA1 is still there.

 There are alternatives, it doesn't hurt to get them in place.

 Yes, like the IETF brainpool drafts.

 RFC5639 standardized the curves, RFC7027 allows them to be used for TLS.
 They're no more drafts.

Do you know if there's a standard name and OID assigned to Dr.
Bernstein's gear? IETF only makes one mention of 25519 in the RFC
search, and it's related to TLS and marked TBD.

Lack of a mailing list for NaCl is crippling.

(Sorry to wander a bit).

Jeff


Re: [cryptography] the spell is broken

2013-10-04 Thread Peter Gutmann
Jon Callas j...@callas.org writes:

> In Silent Text, we went far more to the one true ciphersuite philosophy. I
> think that Iang's writings on that are brilliant.

Absolutely.  The one downside is that you then need to decide what the OTS is
going to be.  For example Mozilla (at least via Firefox) seems to think it
involves Camellia (!!!?!!?).

One True Suite works until that suite is no longer true, and then you're left
hanging.

One way to deal with this that got discussed some time ago over dinner (dining 
geeks, not cryptographers) is to swap at random among a small number of 
probably-OK suites and/or algorithms, a sort of probabilistic-security defence 
against the OTS having a problem.  It's not like there's a shortage of them 
in... well, SSH, SSL/TLS, PGP, S/MIME, etc, anything really.

Peter.


Re: [cryptography] the spell is broken

2013-10-04 Thread Alan Braggins

On 04/10/13 08:52, Peter Gutmann wrote:
> Jon Callas j...@callas.org writes:
>
>> In Silent Text, we went far more to the one true ciphersuite philosophy. I
>> think that Iang's writings on that are brilliant.
>
> Absolutely.  The one downside is that you then need to decide what the OTS is
> going to be.  For example Mozilla (at least via Firefox) seems to think it
> involves Camellia (!!!?!!?).


Surely that's precisely because they (and SSL/TLS generally) _don't_
have a One True Suite, they have a "pick a suite, any suite" approach?

Weird/vanity/local ciphers are preferred in the sense that NSS
assumes that if you put a cipher that no-one normal uses in your
list of acceptable ciphers, you probably really wanted to use it.
http://crypto.stackexchange.com/a/6548/5249
https://bug430875.bugzilla.mozilla.org/attachment.cgi?id=319703

So when servers and browsers that aren't required to use it by the
Japanese government include it just because it's lying around
and why not, it gets chosen over AES for no particular reason.
But that's not the same as making it part of the One True Suite.



Re: [cryptography] the spell is broken

2013-10-04 Thread Jeffrey Goldberg
On 2013-10-04, at 4:24 AM, Alan Braggins alan.bragg...@gmail.com wrote:

> Surely that's precisely because they (and SSL/TLS generally) _don't_
> have a One True Suite, they have a "pick a suite, any suite" approach?

And for those of us having to choose between preferring BEAST and RC4
for our webservers, it doesn’t look like we are really seeing the expected
benefits of “negotiate a suite”.  I’m not trying to use this to condemn the
approach; it’s a single example. But it’s a BIG single example.




Re: [cryptography] the spell is broken

2013-10-04 Thread Nico Williams
On Fri, Oct 4, 2013 at 4:58 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
> On 2013-10-04, at 4:24 AM, Alan Braggins alan.bragg...@gmail.com wrote:
>
>> Surely that's precisely because they (and SSL/TLS generally) _don't_
>> have a One True Suite, they have a "pick a suite, any suite" approach?
>
> And for those of us having to choose between preferring BEAST and RC4
> for our webservers, it doesn’t look like we are really seeing the expected
> benefits of “negotiate a suite”.  I’m not trying to use this to condemn the
> approach; it’s a single example. But it’s a BIG single example.

That's because so many ciphersuites shared the same damned problems.

When we went through the chained CBC problems in SSHv2 at least we had
CTR modes to fallback on.

There's a lesson here.  I'll make it two for now:

a) algorithm agility *does* matter; those who say it's ETOOHARD should
do some penitence;

b) algorithm agility is useless if you don't have algorithms to choose
from, or if the ones you have are all in the same family.

Nico
--
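A toy negotiation model, added here to illustrate the two lessons above together with ianG's downgrade concern earlier in the thread; it is not code from the thread, from TLS, NSS or any implementation named here, and its suite catalogue, family labels, shared key and transcript check are all constructed for the example.

```python
"""Toy model of cipher-suite negotiation (added illustration, not code from any
project named in this thread). Suite names, family labels, the shared key and the
transcript check are constructed for the example."""
import hashlib
import hmac

# Constructed catalogue: each suite is tagged with the construction "family" it
# belongs to, so that a break in one family (e.g. CBC with MAC-then-encrypt, the
# BEAST-era problem) can be modelled as removing every member of that family at once.
SUITES = {
    "AES128-GCM": "aead",
    "AES256-GCM": "aead",
    "AES128-CBC-HMAC-SHA1": "cbc-mac-then-encrypt",
    "CAMELLIA128-CBC-HMAC-SHA1": "cbc-mac-then-encrypt",
    "3DES-CBC-HMAC-SHA1": "cbc-mac-then-encrypt",
    "RC4-HMAC-MD5": "rc4-stream",
}


def negotiate(client_offer, server_prefs):
    """Server-preference negotiation: the first suite in the server's order that the
    client also offered wins. Returns None when the two sides share nothing."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def families(suites):
    """The distinct construction families a list of suites draws on."""
    return {SUITES[s] for s in suites}


def survivors(suites, broken_families):
    """What remains usable once whole families are declared broken. Agility only
    helps if this list is non-empty and not itself a single family."""
    return [s for s in suites if SUITES[s] not in broken_families]


def transcript_mac(key, client_offer, chosen):
    """Each side MACs the negotiation as it saw it (a stand-in for the TLS Finished
    check). `key` is assumed to have been agreed by the key exchange."""
    transcript = hashlib.sha256(("|".join(client_offer) + "->" + chosen).encode()).digest()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def drop_family(family):
    """Models an on-path party that deletes one family from the client's offer."""
    return lambda offer: [s for s in offer if SUITES[s] != family]


def handshake(client_offer, server_prefs, key, on_path=None):
    """Run one negotiation; `on_path`, if given, rewrites the offer in transit.
    Returns (chosen_suite, transcripts_match)."""
    seen_by_server = on_path(client_offer) if on_path else list(client_offer)
    chosen = negotiate(seen_by_server, server_prefs)
    if chosen is None:
        return None, False
    client_tag = transcript_mac(key, client_offer, chosen)
    server_tag = transcript_mac(key, seen_by_server, chosen)
    return chosen, hmac.compare_digest(client_tag, server_tag)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed shared key, for the demonstration only
    client = ["AES128-GCM", "AES128-CBC-HMAC-SHA1", "RC4-HMAC-MD5"]
    old_server = ["CAMELLIA128-CBC-HMAC-SHA1", "AES128-CBC-HMAC-SHA1", "RC4-HMAC-MD5"]
    new_server = ["AES128-GCM", "AES128-CBC-HMAC-SHA1", "RC4-HMAC-MD5"]

    # Lesson (b): the old server's suites span only two families, and once the
    # CBC family is written off the "choice" collapses to RC4.
    print("old server families:", families(old_server))
    print("left after CBC break:", survivors(old_server, {"cbc-mac-then-encrypt"}))

    # Downgrade concern: stripping the AEAD suites from the offer changes the
    # outcome, but the transcript check exposes the tampering.
    print("honest:", handshake(client, new_server, key))
    print("tampered:", handshake(client, new_server, key, on_path=drop_family("aead")))
```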


Re: [cryptography] the spell is broken

2013-10-04 Thread Jeffrey Goldberg
On 2013-10-04, at 5:19 PM, Nico Williams n...@cryptonector.com wrote:

> There's a lesson here.  I'll make it two for now:
>
> a) algorithm agility *does* matter; those who say it's ETOOHARD should
> do some penitence;

Mea culpa! (Actually I never spoke up on this before)

But I do think that difficulty of implementation matters enormously
in what gets adopted. There are plenty of application developers who
will respond to too high demands with, “ah, I don’t need all of that
stuff; I’ll write my own based on Enigma.”

ETOOHARD is an errno that has a lot of impact on a lot of software
that people use, and so should be given some respect.

> b) algorithm agility is useless if you don't have algorithms to choose
> from, or if the ones you have are all in the same family.

Yep.

And even though that was the excuse for including Dual_EC_DRBG among the
other DRBGs, it doesn’t take away from what you say.

I would add a third.

c) The set of suites needs to be maintained over time, with a clear way to
signal deprecation and to bring new things in. If we are stuck with the
same set of suites that we had 15 years ago, everything in there may age
badly.

Cheers,

-j



Re: [cryptography] the spell is broken

2013-10-04 Thread Nico Williams
On Fri, Oct 4, 2013 at 6:55 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
>> b) algorithm agility is useless if you don't have algorithms to choose
>> from, or if the ones you have are all in the same family.
>
> Yep.
>
> And even though that was the excuse for including Dual_EC_DRBG among the
> other DRBGs, it doesn’t take away from what you say.

I've never seen this reason given as an excuse for having Dual_EC
(though I can believe it).  I was referring to ciphersuites anyways;
one does not negotiate RNGs, after all!  (But, yes, RNG frameworks
should be pluggable.)

> I would add a third.
>
> c) The set of suites needs to be maintained over time, with a clear way to
> signal deprecation and to bring new things in. If we are stuck with the
> same set of suites that we had 15 years ago, everything in there may age
> badly.

Legacy is a difficult problem.  We should be less afraid to cut old
things off, but... it always proves too risky, so instead we hobble
along until the risk of continuing to allow very old legacy code to
interop overwhelms the risk of disabling interop with said old code.

Nico
--


Re: [cryptography] the spell is broken

2013-10-04 Thread Jeffrey Walton
On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald jam...@echeque.com wrote:
> On 2013-10-04 11:41, Jeffrey Walton wrote:
>
>> We could not get rid of Trustwave in the public sector (so much for
>> economics).
>
> What is wrong with trustwave?

The company operates in an industry where trust is a commodity. The
company violated the trust, which essentially means they have no
product. Rewarding bad behavior was the last thing that should have
happened.

>> There's no way we can get rid of the US agency responsible
>> for crypto standards
>
> If no one pays attention to their standards, we have gotten rid of them.

Well, that's going to be a tough sell for US Federal, US DoD, and a
number of private sector organizations, such as some in US Financial.

Jeff


Re: [cryptography] the spell is broken

2013-10-04 Thread James A. Donald

On 2013-10-05 10:44, Jeffrey Walton wrote:
> On Thu, Oct 3, 2013 at 10:32 PM, James A. Donald jam...@echeque.com wrote:
>> On 2013-10-04 11:41, Jeffrey Walton wrote:
>>
>>> We could not get rid of Trustwave in the public sector (so much for
>>> economics).
>>
>> What is wrong with trustwave?
>
> The company operates in an industry where trust is a commodity. The
> company violated the trust, which essentially means they have no
> product. Rewarding bad behavior was the last thing that should have
> happened.


Trustwave should have had its certificate authority revoked from 
browsers, but it is not in the CA business.  It is in the spying 
business, not in the trust business, but in the distrust business. The 
scandal is not that it abused its CA authority, but that it was given CA 
authority.  Trustwave spies.  That is its job.  Soldiers kill people and 
break things.  That is their job.


Trustwave's behavior is not scandalous.  Mozilla playing footsie with 
trustwave is scandalous.





Re: [cryptography] the spell is broken

2013-10-03 Thread ianG

On 3/10/13 01:23 AM, Jon Callas wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Oct 2, 2013, at 12:26 PM, coderman coder...@gmail.com wrote:
>
>> On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter feralch...@gmail.com wrote:
>>
>>> Aside from the curve change (and even there), this strikes me as a marketing message
>>> rather than an important technical choice. The message is "we react to a deeper
>>> class of threat than our users understand."
>>
>> it is simpler than that.  to signal integrity, and provide assurance,
>> it is common not just to avoid impropriety, but to avoid the
>> _appearance_ of impropriety.
>>
>> this change, while not materially affecting security (the weakest link
>> in SilentCircle was never the crypto) succeeds in conveying the
>> message of integrity as paramount.
>>
>> so yes, a marketing message, but a simple one. i have no problem with
>> this as long as they're not implying that AES or SHA-2 are broken in
>> some respect.
>
> Thank you very much for that assessment.
>
> I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I
> believe the root cause is more that it's old than it was backdoored.
>
> But it doesn't matter what I think. This is a trust issue.
>
> A friend of mine offered this analogy -- what if it was leaked that the
> government replaced all of a vaccine with salt water because some nasty jihadis
> get vaccinated. This is serious and pretty horrifying.
>
> If you're a responsible doctor, and source your vaccines from the same place,
> even if you test them yourself you're stuck proving a negative and in a place
> where stating the negative can look like you're part of the conspiracy.


Right, good analogy.  Proving the negative is the trap that Google,
Apple, Facebook, etc are in.


> I see this as a way out of the madness. Yes, it's marketing if by marketing
> you mean non-technical. By pushing this out, we're letting people who believe there's a
> problem have a reasonable alternative.


I would say it is risk management.  As you say, we no longer have
confidence in proving the negative because we are faced with a
confirmed positive.

Over on the other list, I thought about it more, and came to these
conclusions:

   1. the interference happened.
   2. a key component was the perversion of a cryptography supplier.
   3. NSA can influence suppliers that export and those that are
      large government contractors.
   4. Therefore we can no longer have the confidence (prove the
      negative) in US exporters of crypto.
   5. Avoid all USA crypto.

This is far worse than BSAFE or NIST -- failure of confidence impacts
Java's JCA and Microsoft's CAPI.  Questions have even been raised about
Linux's RNG.

Which means most everyone in the application world is in trouble deep.


> If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is
> just fine, we can walk the decision back. It's just a software change.


I have faith in AES.  I played a small part in the project, it went
well.  We didn't need to change our Rijndael code at all, just rename it
to AES.

I have faith in SHA1, SHA2, and SHA3.  They play relatively non-delicate
parts in properly designed protocols, and their margin of safety is
proven in the MD5/SHA1 history.

PK algorithms are a different story...  I certainly agree that choosing
NIST EC curves raises questions about your entire process.  Not for the
American market, but the world market.


> Let me also add that I wouldn't fault anyone for deciding differently. We, the
> crypto community, need to work together with security and respecting each
> other's decisions even if we make different decisions and do different things.
> I respect the alternate decision, to stay the course.


Dark clouds ahead.  It's back to 1990s.  I don't think they really had a
grip on how much damage they could do.  I wonder if NIST has a grip on
how to recover this situation?




iang


Re: [cryptography] the spell is broken

2013-10-03 Thread coderman
On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald jam...@echeque.com wrote:
> ...
> So, people who actually know what they are doing are acting as if they know,
> or have good reason to suspect, that AES and SHA-2 are broken.


James this is not true.

i challenge you to find reputable positions backing this assertion.
where "know what they are doing" and "reputable" mean cryptographers
who design and implement block ciphers and secure digests.


Re: [cryptography] the spell is broken

2013-10-03 Thread ianG

On 2/10/13 20:38 PM, Jared Hunter wrote:
> Aside from the curve change (and even there), this strikes me as a marketing message
> rather than an important technical choice. The message is "we react to a deeper
> class of threat than our users understand."


There is a wider concept here.  The NSA has done stuff.  Are we going to
sit around and accept it?

RSA did.  They accepted what they were told by NIST and by their
government purchasing contacts, without challenge.  They ignored the
warnings from the cryptographers.

Now look where that got them.  Remember Arthur Andersen?  The
signal of the conviction in court collapsed the oldest most respected
audit firm within weeks.  That's what RSA is facing...


> Fair enough, but I'd hardly stop using AES or the larger SHA-2 variants on the
> back of recent news.


So a supplier of integrity is also faced with a much wider question.  It
isn't just whether AES is scrunched or SHA-2 is fleeced.  It's about who
the supplier trusts and who the supplier is perceived to trust.

In distancing itself from NIST in as many ways as it can think of,
Silent Circle is saying "we call the shots in our products".


The upshot here is that some companies of good product are going to
respond, and they are going to punish NIST and RSA and other suppliers
by various and many means.

Or, they are not.  Which says what?

Signals matter in security, we've got precious little else we can do
with the security business than send out the right signals, because for
the most part, our product can't be audited, can't be verified, and must
be relied upon, without any foundation of trust except "these are the
good guys".

Where do you stand?  What signal do you send?



iang


Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-03 19:16, coderman wrote:
> On Wed, Oct 2, 2013 at 5:49 PM, James A. Donald jam...@echeque.com wrote:
>> ...
>> So, people who actually know what they are doing are acting as if they know,
>> or have good reason to suspect, that AES and SHA-2 are broken.
>
> James this is not true.
>
> i challenge you to find reputable positions backing this assertion.
> where "know what they are doing" and "reputable" mean cryptographers
> who design and implement block ciphers and secure digests.


http://silentcircle.wordpress.com/2013/09/30/nncs/

Jon Callas is a cryptographer who designs and implements block ciphers
and secure digests - the Skein hash and Threefish.

He does not believe that AES and SHA-2 rest are necessarily broken - but
neither does he believe that they are not broken.



Re: [cryptography] the spell is broken

2013-10-03 Thread coderman
On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald jam...@echeque.com wrote:
> ...
> He does not believe that AES and SHA-2 rest are necessarily broken - but
> neither does he believe that they are not broken.


there is a significant difference between avoiding a cipher on principle,
or association, or abundance of caution, or to avoid proving a negative,

and avoiding a cipher because it is broken.


perhaps i am being pedantic, but the details matter!

the subterfuge and fail associated with Dual_EC_DRBG is a league apart
from the lack of transparency around P-192 to P-521 curves/constants
which in turn is entirely different from the meddling in cryptographic
protocols like IPsec and SSL/TLS which is in turn very different from
secret back|bugdoors in specific vendor cryptographic products and
implementations, and so forth.

this is complex; too often simplified to ingenuous "elliptic curves
are broken" or "NIST approved systems are backdoor'ed" or "AES and
SHA-2 are broken".


please don't propagate mis-information and mis-understanding via
careless terms and qualifiers; we have paid professionals in the
intelligence community for that!
 ;)


Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-03 21:56, coderman wrote:
> On Thu, Oct 3, 2013 at 4:28 AM, James A. Donald jam...@echeque.com wrote:
>> ...
>> He does not believe that AES and SHA-2 rest are necessarily broken - but
>> neither does he believe that they are not broken.
>
> there is a significant difference between avoiding a cipher on principle,
> or association, or abundance of caution, or to avoid proving a negative,
>
> and avoiding a cipher because it is broken.


To avoid proving a negative

Means to avoid the need to prove it is not broken

And why do we need to prove it is not broken?  Because we do not trust 
the people who issued it.





Re: [cryptography] the spell is broken

2013-10-03 Thread Jared Hunter
On Oct 2, 2013, at 6:23 PM, Jon Callas j...@callas.org wrote:

[snipped quoted text]

> I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I
> believe the root cause is more that it's old than it was backdoored.
>
> But it doesn't matter what I think. This is a trust issue.

First, thanks for providing more insight into the decision here.

I guess my point was that it's a confluence of trust issues: user trust, 
business stakeholder trust, and technical/cryptographic trust.  And in part 
because it does matter what you think, relatively informed people have drawn 
strong and variable conclusions from the news that Silent Circle ditched AES 
and SHA-2 in favor of Twofish and Skein.

[snipped interesting doctor analogy; Jeffrey's response to it was solid.]


> I see this as a way out of the madness. Yes, it's marketing if by marketing
> you mean non-technical. By pushing this out, we're letting people who believe
> there's a problem have a reasonable alternative.
>
> If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is
> just fine, we can walk the decision back. It's just a software change.

I didn't mean marketing as a pejorative or as 'non-technical', but as a blend 
of brand signaling and (highly technical, in this case) product management in 
response to user demand.

To that, and on positioning Twofish/Skein as an alternative:
- Did users of Silent Circle threaten to leave if you stuck with AES and SHA-2?
- Can users of Silent Circle choose to continue using AES and SHA-2?

While it may be easy to roll back this software change in the future, wouldn't 
switching back be even more problematic (signaling-wise) than switching away?

One of the biggest issues we're wrestling with, I think, is that the crypto 
community already decided that AES and SHA-2 are just fine.  From where 
implementors are sitting, it decided good and hard.  So what now?

a) Maybe some new process will re-validate AES and SHA-2.  The peer review will
somehow get peer-ier or review-ier, and the "NSA has magic math" meme will
suffer.

- AND/OR -

b) Celebrity cryptographers will make pronouncements that will enjoy uptake 
among implementors and their trusted advisors.


The Silent Circle decision encourages "NSA has magic" thinking, and
unintentionally promotes [b].

And maybe NSA does have anti-AES magic.  But if they do, we've seen zero 
evidence that they're using it.  Are they just rooting boxes, forcing people to 
give up private keys, and sabotaging RNGs as a smoke screen or performance 
optimization?  


> Let me also add that I wouldn't fault anyone for deciding differently. We,
> the crypto community, need to work together with security and respecting each
> other's decisions even if we make different decisions and do different
> things. I respect the alternate decision, to stay the course.
>   Jon

Interesting times.  Thanks again-

-Jared



Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 02:03, Jared Hunter wrote:
> One of the biggest issues we're wrestling with, I think, is that the crypto
> community already decided that AES and SHA-2 are just fine.


In large part because we trusted NIST.  If we do not trust NIST ...




Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 00:13, Jeffrey Goldberg wrote:
> So unless you and Silent Circle have information that the rest of us don’t
> about AES and SHA-2, I’m actually pissed off at this action. It puts more
> pressure on us to follow suit, even though such a move would be pure security
> theater.


You have to get off the NIST curves.  If getting off the NIST curves,
might as well get off AES and SHA-2 as well.


If you are not using the NIST curves, the need to change is less urgent.




Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Goldberg
On 2013-10-03, at 1:28 PM, James A. Donald jam...@echeque.com wrote:

> On 2013-10-04 00:13, Jeffrey Goldberg wrote:
>> So unless you and Silent Circle have information that the rest of us don’t
>> about AES and SHA-2, I’m actually pissed off at this action. It puts more
>> pressure on us to follow suit, even though such a move would be pure
>> security theater.
>
> You have to get off the NIST curves.  If getting off the NIST curves, might as
> well get off AES and SHA-2 as well.

Fair point. As we aren’t doing any public key stuff, we don’t need to hunt down
new curves or go back to DH or anything like that. And as you say, if you are
changing something, it isn’t too hard to change other things at the same time.

But (and given that my previous message got MIME-mangled, I’ll repeat some 
points) the thought that Jon and Silent Circle are putting into curve 
replacement looks much more serious than the thought going into AES and SHA-2 
replacement, which reek of security theater.

I’ll grant that a priori any SHA-3 finalist will be an improvement on SHA-2, so
really it’s just the AES move that reeks of security theater. If you are going
to drop in a replacement for AES (same blocksize, same key sizes) then you 
should look at this as an opportunity to find the best replacement possible. 
Maybe AES with increased rounds and improved key schedule. That would have the 
advantage of taking advantage of a lot of existing hardware. Or maybe there are 
better alternatives. But picking Twofish out of a hat just seems like security 
isn’t the issue, but perception.


> If you are not using the NIST curves, the need to change is less urgent.

Agreed, but for me the “less urgent” is “next to nil”. (Beyond the existing 
reasons for moving away from SHA-2.) But fine, I acknowledge your point, and 
perhaps I’m just whining because I’m lazy and this would be a difficult change 
to implement.

Cheers,

-j




Re: [cryptography] the spell is broken

2013-10-03 Thread Jon Callas


On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg jeff...@goldmark.org wrote:

Jeff,

You might call it "security theatre", but I call it (among other things) 
"protest". I have also called it "trust", "conscience", and other things 
including "emotional". I'm willing to call it "marketing" in the sense that 
marketing often means "non-technical". I disagree with "security theatre" because 
in my opinion security theatre is *empty* or *mere* trust-building, but I don't 
fault you for being upset. I don't blame you for venting in my direction, 
either. I will, however, repeat that I believe this is something gentlepersons 
can disagree on. A decision that's right for me might not be right for you and 
vice-versa.

Since the AES competition, NIST has been taking a world-wide role in crypto 
standards leadership. Overall, it's been a good thing, but one could have one's 
disagreements with a number of things (and I do), but it's been a good 
*standards* process.

A good standard, however, is not necessarily the *best*, it's merely agreed 
upon. A standard that is everyone's second choice is better than a standard 
that is anyone's first choice. I don't think there are any problems with AES, 
but I think Twofish is a better choice. During the AES competition, the OpenPGP 
community as a whole, and I and my PGP colleagues put Twofish into OpenPGP 
*independently* of the then-unselected AES. It was thus our vote for it. When 
Phil, Alan, and I were putting ZRTP together, we put in Twofish as an option 
(RFC 6189, section 5.1.3). Thus in my opinion, if you know my long-standing 
opinions on ciphers, this shouldn't be a surprise. I think Twofish is a better 
algorithm than Rijndael.

ZRTP also has in it an option for using Skein's one-pass MAC instead of 
HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot 
faster, which is important in an isochronous protocol. 

Silent Phone already has Twofish in it, and is already using Skein-MAC.

In Silent Text, we went far more to the one true ciphersuite philosophy. I 
think that Iang's writings on that are brilliant. 

As a cryptographer, I agree, but as an engineer, I want options. I view those 
options as a form of preparedness. One True Suite works until that suite is no 
longer true, and then you're left hanging.

To be fair, there are few options in ZRTP -- it's only AES or Twofish and 
SHA1-HMAC or Skein-MAC, so the selection matrix is small when compared to 
OpenPGP. We have One True Elliptic Curve -- P-384, and options for AES-CCM in 
either 128 or 256 bits and paired with SHA-256 or SHA-512 as hash and HMAC as 
appropriate. There's a third option, AES-256 paired with Skein/Skein-MAC, which 
I don't think is in the code, merely defined as a cipher suite. I can't 
remember. So we have to add Twofish there, but it's in Silent Phone now.

Now let me go back to my comment about standards. Standards are not about 
what's *best*, they're about what's *agreed*, and part of what's agreed on is 
that they're good enough. When one is part of a standards regime, one 
sublimates one's personal opinions to the collective good of the standard. That 
collective good of the standard is also "security theatre" in the sense that 
one uses it because it's the thing one uses to be part of the community.

I think Twofish is better than AES. I believe that Skein is better than SHA-2. 
I also believe in the value of standards.

The problem one faces with the BULLRUN documents gives a decision tree. The 
first question is whether you think they're credible. If you don't think 
BULLRUN is credible, then there's an easy conclusion -- stay the course. If you 
think it is credible, then the next decision is whether you think that the NIST 
standards are flawed, either intentionally or unintentionally; in short, was 
BULLRUN *successful*. If you think they're flawed, it's easy; you move away 
from them.

The hard decision is the one that comes next -- I can state it dramatically as 
"Do you stand with the NSA or not?" which is an obnoxious way to put it, as 
there are few of us who would say, "Yes, I stand with the NSA." You can phrase 
it less dramatically as standing with NIST, or even less dramatically as 
standing with the standard. You can even state it as whether you believe 
BULLRUN was successful, or lots of other ways.

Moreover, it's not all-or-nothing. Bernstein and Lange have been arguing that 
the NIST curves are flawed since before Snowden. Lots of people have been 
advocating moving to curve 25519. I want a 384-or-better curve because my One 
True Curve has been P-384.

If I'm going to move away from the NIST/NSA curve (which seems wise), what 
about everything else? Conveniently, I happen to have alternates for AES and 
SHA-2 in my back pocket, where they've been *alternates* in my crypto going 
back years. They're even in part of the software, sublimated to the goodness of 
the standard. The work is merely pulling them to the 

Re: [cryptography] the spell is broken

2013-10-03 Thread Kelly John Rose
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I agree fully Jon,

In short, I feel that all trust for NIST has to be broken. It doesn't
matter if AES or SHA-2 is broken or not broken. You cannot go into a
security environment with a tool that is known to be compromised
(NIST) and just hope and pray that the pieces you are using aren't the
compromised pieces.

There are alternatives, it doesn't hurt to get them in place.

On 03/10/2013 3:31 PM, Jon Callas wrote:

Re: [cryptography] the spell is broken

2013-10-03 Thread Paul Wouters

On Thu, 3 Oct 2013, Kelly John Rose wrote:


> In short, I feel that all trust for NIST has to be broken. It doesn't
> matter if AES or SHA-2 is broken or not broken. You cannot go into a
> security environment with a tool that is known to be compromised
> (NIST) and just hope and pray that the pieces you are using aren't the
> compromised pieces.


Reasoning that way, you're very quickly left with nothing but a tin foil
hat. Let's say we agree on twofish. Then NIST/NSA certifies it for FIPS.
Are we then taking that as proof it is compromised and figure out
something else?

People forget the NSA has two faces. One side is good.  NIST and FIPS
and NSA are all related. One lesson here might be, only use FIPS when
the USG requires it. That said, a lot of FIPS still makes sense. I'm
surely not going to stick with md5 or sha1.


> There are alternatives, it doesn't hurt to get them in place.


Yes, like the IETF brainpool drafts.

The IETF is an independent body but only as good as the academic and
open cryptography community. And for those crypto people complaining
on the lack of crypto knowledge within the IETF, you have no excuse
not to participate. IETF carefully tries to not invent crypto.

Paul


Re: [cryptography] the spell is broken

2013-10-03 Thread Kelly John Rose
Not quite.

If people agree on Twofish and a generalized standard outside of NIST,
then if NIST picks it up and agrees as well there isn't much concern.
The problem is with older existing standards or if NIST provides
unexplained changes or magic values to the standard.

On 03/10/2013 4:04 PM, Paul Wouters wrote:
> Reasoning that way, you're very quickly left with nothing but a tin foil
> hat. Let's say we agree on twofish. Then NIST/NSA certifies it for FIPS.
> Are we then taking that as proof it is compromised and figure out
> something else?

-- 
Kelly John Rose
Mississauga, ON
Phone: +1 647 638-4104
Twitter: @kjrose

Document contents are confidential between original recipients and sender.


Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 07:31, Jon Callas wrote:

> absolutely, this is an emotional response. It's protest. Intellectually, I 
> believe that AES and SHA2 are not compromised. Emotionally, I am angry and I 
> want to distance myself from even the suggestion that I am standing with the 
> NSA. As Coderman and Iang put it, I want to *signal* my fury. I am so pissed 
> off about this stuff that I don't *care* about baby and bathwater, wheat and 
> chaff, or whatever else. I also want to signal reassurance to the people who 
> use my system that yes, I actually give a damn about this issue.
By moving away from anything NIST has touched he deprives the NSA of 
leverage to insert backdoors, contributing to the general good, from 
which his company, and thus himself, also benefits. By opposing the NSA, 
he gives his company credibility that they will not secretly play footsie 
with the NSA behind closed doors, reassuring his customers and 
contributing to the particular good of his company and himself.


Re: [cryptography] the spell is broken

2013-10-03 Thread Eric Murray
On 10/03/2013 03:22 PM, James A. Donald wrote:
> By moving away from anything NIST has touched he deprives the NSA of
> leverage to insert backdoors,

NSA can act through people outside NIST too.

By focusing on NIST we miss the larger problem.  Any cryptographer or
security engineer can be compromised (or more likely, make a mistake).
A good standard uses a public process, is well understood, has been
examined by outside experts, and has no magic values.   Following good
standards hygiene will reduce the instances of flawed standards, both
the accidental and the on purpose kind.

We will end up less secure if the current fear of NIST has people throw
out good standards and replace them with less studied ones or worse,
home grown stuff.

Eric


Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 08:04, Paul Wouters wrote:


> Reasoning that way, you're very quickly left with nothing but a tin foil
> hat. Let's say we agree on twofish. Then NIST/NSA certifies it for FIPS.
> Are we then taking that as proof it is compromised and figure out
> something else?


If people were adopting twofish because Jon Callas did so, that would be 
reason to believe in twofish.  If people were adopting twofish because NIST 
was doing it, that would be reason to doubt twofish.


If all shall follow Jon Callas as unelected president for life of 
symmetric cryptography then NIST is powerless, therefore irrelevant.  If 
it does not set standards, it cannot corrupt them.




Re: [cryptography] the spell is broken

2013-10-03 Thread Peter Gutmann
James A. Donald jam...@echeque.com writes:

> By moving away from anything NIST has touched he deprives the NSA of leverage
> to insert backdoors,

Just as a bit of a counterpoint here, how far do you want to go down this
rathole?  Someone recently pointed me to the latest CERT vuln. summary
(because of a few interesting entries there):

https://www.us-cert.gov/ncas/bulletins/SB13-273

Now this is just a single week's worth, and yet look at all the remote-code-
execution and seize-control-of-device issues in just that seven-day stretch.
The NSA doesn't really need to backdoor crypto when the barn door isn't just
propped wide open, it's entirely missing in some cases.

(I completely support Jon's position in terms of being seen to do the right
thing, but there are more things to worry about than just backdoored crypto).

Peter.


Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Goldberg
Jon, first of all thank you for your extremely thoughtful note.

I suspect that we will find that we don’t actually disagree about much, and 
also my previous rant was driven by the general anger and frustration that all 
of us are experiencing. That is, I may have been misdirecting my anger at the 
whole situation at you, a fellow victim.

On 2013-10-03, at 4:31 PM, Jon Callas j...@callas.org wrote:

> You might call it security theatre, but I call it (among other things) 
> protest.

I would put it more strongly than that. I think that NIST needs to be punished. 
Even if Dual_EC_DRBG were their only lapse, any entity that has allowed 
themselves to be used that way should be forced to exit the business of being 
involved in making recommendations on cryptography. I don’t have to think that 
they are bad people or even that they could have prevented what happened. But I 
think there needs to be an unambiguous signal to every other (potential) 
standards body about what happens if you even think of allowing for the 
sabotage of crypto.

I imagine that everyone is looking at public protocols for picking curves now. 
Everyone is looking at how every step in the establishment of a recommendation 
can be made provably transparent. That is all a good thing, and it does require 
that NIST pay dearly. But it isn’t a trust issue. I don’t “trust” the NIST less 
than I trust any other standards body. They need to be put out of the crypto 
business as a signal and deterrent to others, but not because they are 
inherently less trustworthy.

But not using AES is a protest that hurts only ourselves. It doesn’t punish 
where punishment is needed.

> I have also called it trust, conscience, and other things including 
> emotional. I'm willing to call it marketing in the sense that marketing 
> often means non-technical.

Agreed.

> I disagree with security theatre because in my opinion security theatre is 
> *empty* or *mere* trust-building,

I still think the term is appropriate, and indeed I think that your sentence 
about conscience and emotions actually reinforces my claim that it is theater. 
But I think that it is largely a definitional question which isn’t worth 
pursuing. I’m using the term in a slightly different way than you are.

> but I don't fault you for being upset. I don't blame you for venting in my 
> direction, either. I will, however, repeat that I believe this is something 
> gentlepersons can disagree on. A decision that's right for me might not be 
> right for you and vice-versa.

Absolutely! Although I still stand by my “security theater” statement, I think 
I also mean it less pejoratively than it came across. Anyone (including me and 
the company that I work for) who has moved to 256 bit symmetric keys is 
engaging in “security theater” in my sense of the word. It’s nothing to be 
particularly proud of, but it doesn’t make us the TSA either.

 
> Since the AES competition, NIST has been taking a world-wide role in crypto 
> standards leadership.

Yep. And (sadly) that has to go. As I said, they need to pay a heavy price so that 
it is absolutely clear that some behaviors are beyond the pale.

> A good standard, however, is not necessarily the *best*, it's merely agreed 
> upon.

That’s true.


> I think Twofish is a better algorithm than Rijndael.

OK. I was flat out wrong. I was ignorant of your longstanding view of ciphers. 
I’m not competent to really have an opinion about whether your judgement is 
correct there, but that isn’t relevant. I thought Twofish was pulled out of a 
hat. I was wrong. And I also apologize for accusing you of pulling Twofish out 
of a hat.

> ZRTP also has in it an option for using Skein's one-pass MAC instead of 
> HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot 
> faster, which is important in an isochronous protocol. 

I agree that if you are changing ciphersuites, it’s as good a time as any to 
move to a SHA-3 candidate. And as there are some questions that need to be answered 
about official SHA-3, I’m happy with Skein. Again, I’m not competent to judge 
the relative merits of SHA-3 candidates.

> Silent Phone already has Twofish in it, and is already using Skein-MAC.

Ah. So yes, we are in very different starting places. Your choice seems very 
reasonable.

> In Silent Text, we went far more to the one true ciphersuite philosophy. I 
> think that Iang's writings on that are brilliant. 
> 
> As a cryptographer, I agree, but as an engineer, I want options.

I think I am in a different position. I’m neither an engineer nor a 
cryptographer. I’m the guy who can kinda sorta read bits of the cryptography 
literature and advise the engineers on what to do with respect to using these 
tools. And what we decide affects the security of a very large number of users. 
So for me, the “one true ciphersuite” notion was ideal. I could pay attention 
and follow the consensus advice.  You may be competent to, say, pick Skein over 
Blake for some particular purpose, but I’m not. 

Re: [cryptography] the spell is broken

2013-10-03 Thread Jeffrey Walton
On Thu, Oct 3, 2013 at 9:26 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
...

> I would put it more strongly than that. I think that NIST needs to be 
> punished. Even if Dual_EC_DRBG were their only lapse, any entity that has 
> allowed themselves to be used that way should be forced to exit the business 
> of being involved in making recommendations on cryptography. I don’t have to 
> think that they are bad people or even that they could have prevented what 
> happened. But I think there needs to be an unambiguous signal to every other 
> (potential) standards body about what happens if you even think of allowing 
> for the sabotage of crypto.

We could not get rid of Trustwave in the public sector (so much for
economics). There's no way we can get rid of the US agency responsible
for crypto standards (government is not held responsible for the act
or accountable after the act).

Jeff


Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 11:41, Jeffrey Walton wrote:

> We could not get rid of Trustwave in the public sector (so much for
> economics).


What is wrong with trustwave?  They are smart people, unlike the world 
bank economists who do not know the difference between negative feedback 
and positive feedback, or the IEEE 802.11



> There's no way we can get rid of the US agency responsible
> for crypto standards


If no one pays attention to their standards, we have gotten rid of them.




Re: [cryptography] the spell is broken

2013-10-03 Thread James A. Donald

On 2013-10-04 11:26, Jeffrey Goldberg wrote:

> But not using AES is a protest that hurts only ourselves.


I have always been inclined to believe that twofish is better than AES.

Refusing to use AES, or making it the non default choice, is rejecting 
NIST as a standards body.


We need to reject NIST as a standards body.




[cryptography] the spell is broken

2013-10-02 Thread ianG

http://www.infoworld.com/print/228000

October 02, 2013
Silent Circle moves away from NIST cryptographic standards, cites NSA 
concerns
The company plans to replace AES and SHA-2 with Twofish and Skein in its 
encrypted communication services

By Lucian Constantin | IDG News Service

Silent Circle, a provider of encrypted mobile Voice over Internet 
Protocol (VoIP) and text messaging apps and services, will stop using 
the Advanced Encryption Standard (AES) cipher and Secure Hash Algorithm 
2 (SHA-2) hash functions as default cryptographic algorithms in its 
products.




"We are going to replace our use of the AES cipher with the Twofish 
cipher, as it is a drop-in replacement," Silent Circle CTO Jon Callas 
said Monday in a blog post. "We are going to replace our use of the 
SHA-2 hash functions with the Skein hash function. We are also examining 
using the Threefish cipher where that makes sense."


The company also plans to stop using P-384, one of the elliptic curves 
recommended by the NIST for use in elliptic curve cryptography (ECC).

...
Silent Circle plans to replace the P-384 elliptic curve with one or more 
curves that are being designed by cryptographers Daniel Bernstein and 
Tanja Lange, who have argued in the past that Suite B elliptic curves 
are weak.


"If the Suite B curves are intentionally bad, this would be a major 
breach of trust and credibility," Callas said. "Even in a passive case 
-- where the curves were thought to be good, but NSA cryptanalysts found 
weaknesses they have since exploited -- it would create a credibility 
gap of the highest order, and would be the smoking gun that confirms the 
Guardian articles."

...
Silent Circle's new decision to move away from AES, SHA-2 and the P-384 
curve doesn't mean that these standards are insecure, Callas said in the 
blog post. "It doesn't mean we think less of our friends at NIST, whom 
we have the utmost respect for; they are victims of the NSA's perfidy, 
along with the rest of the free world. For us, the spell is broken. 
We're just moving on."

...
Asked why Twofish and Skein in particular were chosen to be the new 
default choices for Silent Circle's products, Callas said via email that 
both algorithms come from trusted sources, including himself in the case 
of Skein.


"Twofish was a finalist in the NIST's selection of the AES cipher, and 
the team that developed it included people that Silent Circle's 
co-founders personally know and trust," he said. "A number of the same 
people produced Skein -- which was a SHA-3 finalist -- and I am a member 
of the Skein team."


"For Silent Circle this was a decision of conscience," Callas said. "Our 
primary responsibility is to protect our customers, especially in the 
face of uncertainty."



Re: [cryptography] the spell is broken

2013-10-02 Thread d.nix


Callas' blog post:

http://silentcircle.wordpress.com/2013/09/30/nncs/

On 10/2/2013 8:41 AM, ianG wrote:
> http://www.infoworld.com/print/228000
> 
> October 02, 2013 Silent Circle moves away from NIST cryptographic
> standards, cites NSA concerns The company plans to replace AES and
> SHA-2 with Twofish and Skein in its encrypted communication
> services By Lucian Constantin | IDG News Service


Re: [cryptography] the spell is broken

2013-10-02 Thread Jared Hunter
Aside from the curve change (and even there), this strikes me as a marketing 
message rather than an important technical choice. The message is we react to 
a deeper class of threat than our users understand.

Fair enough, but I'd hardly stop using AES or the larger SHA-2 variants on the 
back of recent news. 

-Jared

On Oct 2, 2013, at 12:29 PM, d.nix d@comcast.net wrote:


Re: [cryptography] the spell is broken

2013-10-02 Thread d.nix



Yeah, it may well be just marketing. The one thing that gives me pause
is that Callas and Schneier are both part of the team that worked on
the systems they have chosen to migrate to (Twofish, Skein), and
Schneier is one of the very few people to see the Snowden docs (or
some subset thereof).

Might be reading too much into things but...

Jon may be on this list; I know he's on one or more of the others I
follow.

On 10/2/2013 10:38 AM, Jared Hunter wrote:


Re: [cryptography] the spell is broken

2013-10-02 Thread d.nix


Correction: Callas worked on Threefish, not Twofish; however, the
Schneier connection still holds given their past and present
associations...

On 10/2/2013 11:50 AM, d.nix wrote:
 
 
 Yeah, it may well be just marketing. The one thing that gives me
 pause is that Callas and Schneier are both part of the team that
 worked on the systems they have chosen to migrate to (Twofish,
 Skein), and Schneier is one of the very few people to see the
 Snowden docs (or some subset thereof).
 
 Might be reading too much into things but...
 
 Jon may be on this list; I know he's on one or more of the others
 I follow.
 


Re: [cryptography] the spell is broken

2013-10-02 Thread coderman
On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter feralch...@gmail.com wrote:
 Aside from the curve change (and even there), this strikes me as a marketing
 message rather than an important technical choice. The message is "we react
 to a deeper class of threat than our users understand."


it is simpler than that.  to signal integrity, and provide assurance,
it is common not just to avoid impropriety, but to avoid the
_appearance_ of impropriety.

this change, while not materially affecting security (the weakest link
in SilentCircle was never the crypto) succeeds in conveying the
message of integrity as paramount.

so yes, a marketing message, but a simple one. i have no problem with
this as long as they're not implying that AES or SHA-2 are broken in
some respect.


Re: [cryptography] the spell is broken

2013-10-02 Thread Jon Callas


On Oct 2, 2013, at 12:26 PM, coderman coder...@gmail.com wrote:

 On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter feralch...@gmail.com wrote:
 Aside from the curve change (and even there), this strikes me as a marketing
 message rather than an important technical choice. The message is "we react
 to a deeper class of threat than our users understand."
 
 
 it is simpler than that.  to signal integrity, and provide assurance,
 it is common not just to avoid impropriety, but to avoid the
 _appearance_ of impropriety.
 
 this change, while not materially affecting security (the weakest link
 in SilentCircle was never the crypto) succeeds in conveying the
 message of integrity as paramount.
 
 so yes, a marketing message, but a simple one. i have no problem with
 this as long as they're not implying that AES or SHA-2 are broken in
 some respect.

Thank you very much for that assessment.

I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I 
believe the root cause is more that it's old than it was backdoored. 

But it doesn't matter what I think. This is a trust issue.

A friend of mine offered this analogy -- what if it was leaked that the 
government replaced all of a vaccine with salt water because some nasty jihadis 
get vaccinated. This is serious and pretty horrifying.

If you're a responsible doctor, and source your vaccines from the same place, 
even if you test them yourself you're stuck proving a negative and in a place 
where stating the negative can look like you're part of the conspiracy.

I see this as a way out of the madness. Yes, it's marketing if by marketing 
you mean non-technical. By pushing this out, we're letting people who believe 
there's a problem have a reasonable alternative. 

If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is 
just fine, we can walk the decision back. It's just a software change.

Let me also add that I wouldn't fault anyone for deciding differently. We, the 
crypto community, need to work together with security and respecting each 
other's decisions even if we make different decisions and do different things. 
I respect the alternate decision, to stay the course.

Jon




Re: [cryptography] the spell is broken

2013-10-02 Thread James A. Donald

On 2013-10-03 04:50, d.nix wrote:

 Yeah, it may well be just marketing. The one thing that gives me pause
 is that Callas and Schneier are both part of the team that worked on
 the systems they have chosen to migrate to (Twofish, Skein), and
 Schneier is one of the very few people to see the Snowden docs (or
 some subset thereof).

So, people who actually know what they are doing are acting as if they 
know, or have good reason to suspect, that AES and SHA-2 are broken.





Re: [cryptography] the spell is broken

2013-10-02 Thread Ed Stone
For reflection: What percent of domestic and global communications are 
protected from the collection of plaintext or session information by AES?

Who has the capability and the desire to avoid going dark on that portion of 
data flows? Is this an example of a high-value target for corruption? If the 
promulgation of a flawed Dual_EC_DRBG was influenced, tolerated or supported by 
NIST and/or NSA in 2006, can we be sure that AES (FIPS PUB 197, 2001) was 
immune to those behaviors?

If it was immune, was that due to a lack of funding, a lack of will, or a lack 
of technical acumen?
