Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
As an opponent of DNSSEC opt-in back in the day, I think this is a
poor example of NSA influence in the standards process.

I do not challenge PHB's theory that the NSA has plants in the
IETF to discourage moves to strong crypto, particularly given John
Gilmore's recent message on IPSEC, but I doubt that the NSA had any
real influence on the DNSSEC opt-in debacle of 2003.

First, DNSSEC does not provide confidentiality.  Given that, it's not
clear to me why the NSA would try to stop or slow its deployment.

Insecure DNS deployments are probably in the top five attack vectors
for remotely compromising internal network topologies, even those
sporting split DNS configurations.  As you were ...deeply involved in the
IETF's DNSEXT working group then I presume you know this.

For example, DNS cache poisoning attacks, local ARP cache spoofing
attacks to redirect DNS queries and responses, redirection of operating
system update and patching services that map to fully qualified domain
names such as windowsupdate.microsoft.com, etc.

Correct me if I am wrong, but in my humble opinion the original intent
of the DNSSEC framework was to provide for cryptographic authenticity
of the Domain Name Service, not for confidentiality (although that
would have been a bonus).

Lastly, the US DoD was funding some amount of work on DNSSEC at
the time (i.e., my own participation).  During that timeframe,
significant progress was being made on the deployability of DNSSEC,
and I think the DoD funding helped.  Depending on your whims, you
could either credit DoD for helping or blame them for not providing
even more funding, which might have made for faster progress.

There are many different camps within the DoD.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
If so, then the domain owner can deliver a public key with authenticity
using the DNS.  This strikes a deathblow to the CA industry.  This
threat is enough for CAs to spend a significant amount of money slowing
down its development [0].

How much more obvious does it get [1] ?

The PKI industry has been a sham since day one, and several root certs
have been compromised by the proverbial bad guys over the years (for
example, the Flame malware incident used to sign emergency Windows
Update packages which mysteriously only affected users in Iran and the
Middle East, or the DigiNotar debacle, or the Tunisian Ammar MITM
attacks etc).  This of course is assuming that the FBI doesn't already
have access to all of the root CAs so that on domestic soil they can
sign updates and perform silent MITM interception of SSL and
IPSEC-encrypted traffic using transparent inline layer-2 bridging
devices that are at every major Internet peering point and interconnect,
because that would be crazy talk.

However, some form of authenticity and integrity is better than zero,
which is what the majority of the current DNS system offers, and it is
point and click trivial to perform MITM attacks with unauthenticated
DNS, especially on local area network segments which are rarely
protected with more than the Windows firewall.

Even without a centralized PKI, stateless port 53 UDP DNS could benefit
from some type of cryptographic security, but as with any standard
seemingly related to privacy or confidentiality we are left with this
DNSSEC quagmire of meetings and proposed meetings to talk about the next
meeting to discuss how the committee will propose the next request for
comment, ad nauseam.

Bitcoin for example doesn't need hundreds of private companies with
elaborate PKI documentation authentication services which are in reality
just mental placebos for Joe Consumer when he updates his monthly
Brazzers subscription, and it's doing just fine as the runner up for the
next global world monetary standard.

So with that said, I would still place my wager on the FBI being the
source of these various privacy enhancing service delays and not some
secret cabal of PKI execs that are engaging in standards committee
subterfuge.


Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 02:53 PM, Ray Dillinger wrote:

Is he referring to the standard set of ECC curves in use?  Is it possible
to select ECC curves specifically so that there's a backdoor in cryptography
based on those curves?

I know that hardly anybody using ECC bothers to find their own curve; they
tend to use the standard ones because finding their own involves counting all
the integral points and would be sort of compute expensive, in addition to
being involved and possibly error prone if there's a flaw in the 
implementation.

Take a trip down memory lane and research the historical roots of the Data 
Encryption Standard, especially the pre-DES Lucifer standard with IBM.  Some 
hints would be the last minute reduction to 56-bit, as well as the replacement 
S-Boxes that were mandated for use by IBM before Lucifer became the DES.

And then if you were in the Beltway region back in '98, you might also remember 
the entire federal government freaking out about EFF's Deep Crack, which almost 
overnight caused 56-bit DES to be deprecated in favor of 3DES.  But then there 
were the complaints about the computational expensiveness of 3DES, so our 
superheroes at NIST jumped in with the Advanced Encryption Standard contest and 
here we are again.

In the '90s there were a few papers written about optimal DES S-Box 
calculation; they disappeared from publication.  There was also a fellow who 
released a software application used for alternate DES S-Box generation, that 
got yanked as well.  I am not suggesting black helicopters or extrajudicial 
renditions, just that once they were on the Internet and then a few weeks later 
they were not online anymore, anywhere.

An oldie but goodie in this category of discussion is SANS' S-Box 
Modifications and Their Effect in DES-like Encryption Systems, Joe Gargiulo, 
July 25, 2002.




Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 04:20 PM, Phillip Hallam-Baker wrote:

Before you make silly accusations go read the VeriSign Certificate Practices 
Statement and then work out how many people it takes to gain access to one of 
the roots.

The Key Ceremonies are all videotaped from start to finish and the auditors 
have reviewed at least some of the ceremonies. So while it is not beyond the 
realms of possibility that such a large number of people were suborned, I think 
it drastically unlikely.

Add to which Jim Bidzos is not exactly known for being well disposed to the NSA 
or key escrow.


Hacking CAs is a poor approach because it is a very visible attack. Certificate 
Transparency is merely automating and generalizing controls that already exist.

But we can certainly add them to S/MIME, why not.

VeriSign is one single certificate authority.  There are many, many more 
certificate authorities spread across the world, and unless you can guarantee 
an air-gapped network with tightly constrained physical security controls and a 
secret videotaped bohemian ceremony such as the one you reference above at each 
and every one of those CAs, then maybe it's not such a silly accusation to 
think that root CAs are routinely distributed to multinational secret services 
to perform MITM session decryption on any form of communication that derives 
its security from the CA PKI.

To wit:  ...Mozilla maintains a list of at least 57 trusted root CAs, though 
multiple commercial CAs or their resellers may share the same trusted root). 
http://en.wikipedia.org/wiki/Certificate_authority

Another relevant read:  
http://www.quora.com/SSL-Certificates/How-many-intermediate-Certificate-Authorities-are-there#


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-07 Thread Gregory Perry
On 09/07/2013 05:03 PM, Phillip Hallam-Baker wrote:

Good theory only the CA industry tried very hard to deploy and was prevented 
from doing so because Randy Bush abused his position as DNSEXT chair to prevent 
modification of the spec to meet the deployment requirements in .com.

DNSSEC would have deployed in 2003 with the DNS ATLAS upgrade had the IETF 
followed the clear consensus of the DNSEXT working group and approved the 
OPT-IN proposal. The code was written and ready to deploy.

I told the IESG and the IAB that the VeriSign position was no bluff and that if 
OPT-IN did not get approved there would be no deployment in .com. A business is 
not going to spend $100million on deployment of a feature that has no proven 
market demand when the same job can be done for $5 million with only minor 
changes.

And this is exactly why there is no real security on the Internet.  Because the 
IETF and standards committees and working groups are all in reality political 
fiefdoms and technological monopolies aimed at lining the pockets of a select 
few companies deemed worthy of authenticating user documentation for purposes 
of establishing online credibility.

There is no reason for any of this, and I would once again cite to Bitcoin as 
an example of how an entire secure online currency standard can be created and 
maintained in a decentralized fashion without the need for complex hierarchies 
of quasi-political commercial interests.

Encrypting SMTP is trivial; it's all about the standard to make it happen.  
Encrypting IPv6 was initially a mandatory part of the spec, but then it somehow 
became discretionary.  The nuts and bolts of strong crypto have been around for 
decades, but the IETF and related standards powers that be are more interested 
in creating a global police state than guaranteeing some semblance of 
confidentiality and privacy for Internet users.

Re: [Cryptography] Bruce Schneier has gotten seriously spooked

2013-09-07 Thread Gregory Perry
On 09/07/2013 07:32 PM, Brian Gladman wrote:
 I don't have experience of how the FBI operates so my comments were
 directed specifically at NSA/GCHQ interests.  I am doubtful that very
 large organisations change their direction of travel very quickly so I
 see the huge investments being made in data centres, in the tapping of
 key communications cables and core network routers and 'above our
 heads', as evidence that this approach still works well for NSA and
 GCHQ.  And I certainly don't think that volume is a problem yet since
 they have been able to invest heavily to develop the techniques that
 they use to see through lightweight protection and to pull out 'needles
 from haystacks'.

 Of course, you might well be right about the future direction they will
 have to travel because increasing volume in combination with better end
 to end protection must be a nightmare scenario for them.  But I don't
 see this move happening all that soon because a surprisingly large
 amount of the data in which they have an interest crosses our networks
 with very little protection.  And it seems even that which is protected
 has been kept open to their eyes by one means or another.

   Brian

As a perennial optimist I would hope that global surveillance efforts
were focused solely on core communication peering and network access
points.  Unfortunately, the realist (and technologist) in me says otherwise.

It is not possible to view or intercept local area network
communications from a core network router.  For example, if I wanted to
catch some U.S. senator fornicating with his neighbor's wife for
purposes of blackmail fodder, then access to a core network router
wouldn't do me much good. 

However, if I had access to that senator's premises router by way of a
lawful intercept backdoor, then perhaps I could for example observe
that senator and his mistress' comings and goings by capturing a 720p
video feed from the Xbox camera in his living room.  Or by remotely
enabling the speaker phone microphone on a Cisco VoIP device.  Or maybe
I could enable the microphone and video camera on a LAN-connected laptop
to listen in on ambient conversations and to observe a live video feed
from the room where the laptop is sleeping.

Etc, etc.