On 10/03/2011 01:37 PM, Jon Callas wrote:
At the risk of feeding the conspiracy angle, I note that there is
only one stream cipher for SSL/TLS (RC4). All the others in common
use are CBC modes, with that same predictable IV weakness as IPsec
(i.e. BEAST). There are no DHE cipher suites defined for RC4. So
if you want PFS, you have to accept predictable IVs. If you want
resistance to BEAST, you have to give up PFS.
Personally, I don't interpret this as anything more than the IETF
process and some vendor biases back in the 90s. But it shows that
designing for this concept of 'agility' is important, in
particular for reasons you don't know at the time.
Oh, please.
I'm sorry, Marsh, but this is just silly, suggesting that there are
vendor biases against stream ciphers and agility.
Hmmm, I wasn't trying to say that exactly. Mainly I thought it was a
little ironic. Let me try to clarify.
I think there were, and still are, "biases" among vendors like everyone
else. This is Situation Normal, to suggest otherwise is to say that
every party acts perfectly rational and with complete information.
Understanding how we make decisions when faced with imperfect logic or
information is critical to making our own best decisions and
interpreting those of others. The technique of "putting one's self in
another's shoes" is particularly helpful.
After all, if we look through the library of publicly-available,
well-trusted stream ciphers there is, ummmm, well, there's always,
urrrrr, well.
Right.
The document best describing SSLv3 is:
http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt
It has a date of November 18, 1996 on it, this was probably the date on
which the draft was uploaded to the IETF. This draft was allowed to expire.
RC4 http://en.wikipedia.org/wiki/RC4 is the only stream cipher defined.
As you point out, there weren't exactly a lot to choose from. RC4 had
been a poorly kept trade secret of RSA until September 1994 when someone
posted some source code for an equivalent implementation on the net. For
some reason, RSA seems to have refused to acknowledge its child in the
algorithm itself, yet they claim ownership of the name RC4.
The authors of the draft302 document undoubtedly found the situation
difficult. Evidence of their struggle surfaces in the body, where
citations are made "DES[DES], RC4[RC4], etc.", yet there is no actual
entry for [RC4] in the References section. The Glossary puts it thusly:
RC2, RC4 Proprietary bulk ciphers from RSA Data Security, Inc. (There
is no good reference to these as they are unpublished works; however,
see [RSADSI]). RC2 is block cipher and RC4 is a stream cipher.
Later specs would not fare much better.
http://tools.ietf.org/html/rfc2246 TLS 1.0 January 1999
RC4
A stream cipher licensed by RSA Data Security [RSADSI]. A
compatible cipher is described in [RC4].
...
[RC4] Thayer, R. and K. Kaukonen, A Stream Cipher Encryption
Algorithm, Work in Progress.
http://tools.ietf.org/html/rfc4346 TLS 1.1 April 2006 and
http://tools.ietf.org/html/rfc5246 TLS 1.2 August 2008:
RC4
A stream cipher invented by Ron Rivest. A compatible cipher is
described in [SCH].
...
[SCH] B. Schneier. "Applied Cryptography: Protocols, Algorithms,
and Source Code in C, 2nd ed.", Published by John Wiley &
Sons, Inc. 1996.
The IETF really likes to have the RFCs describe things well enough that
they can actually be implemented and interoperable. They also really
like to have intellectual property disclosures along with the things
they standardize too.
Putting myself in those spec authors' shoes, I think they were probably
wishing the RC4 problem would just go away somehow. But it couldn't for
two good reasons:
* RC4 was (and still is) preferred by many sites for performance
reasons. DES was specifically designed for a hardware implementation.
* RC4 was the only defined stream cipher. In fact, the RC4-based cipher
suites were the only non 64 bit block size CBC cipher modes at all!
Dropping RC4 would effectively amount to dropping a significant bit of
the standard's functionality.
From 1999 onward, defining a new cipher suite for using Diffie-Hellman
key exchange would have been straightforward matter of writing it up and
allocating the code point. But it would have been a largely pointless
exercise unless Microsoft or Mozilla implemented it. Or worse, possibly
the author would have been accused of contributing to the "unnecessary
proliferation of ciphersuites" [RFC 3268]
What would have been the demand for it? Security-minded endpoints
wanting PFS would prefer triple-DES or, later, AES. Performance-minded
sites wouldn't have touched EDH with a ten foot pole. Or so the thinking
probably went.
Take a look at the RFC 3268, the one which allocates the code points for
AES based ciphersites.
http://tools.ietf.org/html/rfc3268 June 2002
Overview
At present, the symmetric ciphers supported by TLS are RC2, RC4,
IDEA, DES, and triple DES. The protocol would be enhanced by the
addition of AES [AES] ciphersuites, for the following reasons:
1. RC2, RC4, and IDEA are all subject to intellectual property
claims. RSA Security Inc. has trademark rights in the names RC2
and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd. owns a patent on the IDEA algorithm.
Reason numero uno. The other reasons given are interesting too. None of
them really seem too concerned with the prospect of RC4 being less
secure than AES.
So yeah, in summary, I'd say there was some "vendor bias" in the process
going on. Not against stream ciphers in general, but against RC4 and its
uncooperative vendor in particular.
On 10/03/2011 01:37 PM, Jon Callas wrote:
Oh, I know! Counter mode! Yeah, that's it.
Yeah that would have come in handy about now.
http://www.dial911anddie.com/dtls/tlsctr.html
As I understand it, people weren't comfortable with using DES or 3DES in
a way that looked so much like a related-plaintext attack. Or maybe they
simply didn't see much of a need to improve upon CBC:
http://www.ietf.org/mail-archive/web/tls/current/msg00337.html
On the agility front, most people seem to be against it. Weren't we
in a huge no-choices-are-the-only-security mood a few weeks ago?
In SSL/TLS the thing you really can't have agility on is the HMAC that
authenticates the handshake messages negotiating all the other
specifics. If there's a choice of algorithm there, the attacker gets to
choose the weakest one to attack. In TLS 1.2 this was changed from a
combination of MD5 and SHA-1 to SHA-256.
But there have been multiple generations of ciphers to have come in and
fallen out of favor over the lifespan of SSL/TLS. Cipher suite agility
is one reason the protocol survives today.
Stream ciphers are hard. They're hard to build correctly, hard to
use correctly, and have been the red-headed-stepchild of cipher
design for really good reasons.
They're not as amenable to cryptanalysis with the standard
linear/differential framework developed for DES.
Time and power are objectively measurable (in $) whereas security beyond
the minimum needed to resist standard attacks is largely subjective. So
in practice the designer is going to have a harder time arguing for any
additional computational expense made for the sake of security.
Remember WEP? The most damning
problem in it to my mind was the order-2^24 attack caused by using a
stream cipher (and a 24-bit pseudo-IV).
Well the problem was the specific stream cipher RC4 and the way it was
used, not stream ciphers in general. The problem with WEP was so bad it
allowed for key recovery, not just a many-megabyte distinguisher.
Unlike, say, the way that block ciphers in general require additional
complexity (and things to go wrong) in the form of CBC mode :-)
TLS does a really good job of deriving pseudorandom keys for every new
connection. Even resumed sessions get new cipher and MAC keys in each
direction. My understanding is that this makes it not vulnerable to the
same issues as WEP, even though it does use the initial bytes out of RC4
instead of discarding them per modern recommendations.
Any stream cipher that gets created has to answer this really good
question: Why are you better than AES-CTR?
I know some secure websites that would love to be able to choose AES-CTR
right now. Why can't they?
Probably some of the same reasons there's only one stream cipher to
choose from.
The next question would
be why it's better than Serpent-CTR, or Twofish-CTR, or heck why not
use Threefish-CTR?
Just some example answers for RC4, I'm not sure how well they generalize
to stream ciphers:
RC4 may be faster for you.
RC4 maintains an internal state size of around 1600 bits using 272 bytes
of storage. That's a lot for a symmetric cipher! Those who are concerned
with the collision properties of small block ciphers may consider that
an advantage.
The general algorithm is even well-defined as large as you'd like to
make it. If you were to make it larger than a memory chip, you could
define a work factor in terms of external memory transactions like
scrypt. RC4 probably comes closest to a maximizing this (random memory
lookup cost)/(other stuff that can be accelerated by ASIC) ratio.
Of course right now, the best thing to do stream-cipher-wise is to
use GCM mode, with is in TLS 1.2, but hardly deployed at all, no
doubt because of bias against wanting to use something that's
authenticated, right?
I've never heard of such a bias. Maybe it exists and I've never heard of
it, or maybe you're just pulling my leg.
After all, wouldn't the surveillance state
want us all to be vulnerable to CBC attacks like BEAST, and people
who are preventing that must be in cahoots with the NSA, right?
But of course, GCM mode is part of Suite B, and that's the NSA's
push for using an authenticated data stream. So that means that the
people who are pushing for stream ciphers are also in cahoots with
the surveillance state by pushing for authenticated modes, too!
In case anyone missed it, the sarcasm bits should have been showing
up in the UTF-8 over the last couple of paragraphs at some point or
other.
Come on. This discussion has descended past whacko, which is where
it went once the "broken by design" discussion started. Yeah,
security is hard, but it's software. We know how to do that, once we
understand the problems.
No, SSL/TLS is a protocol and implementations. Sometimes the important
parts are actually in hardware and sometimes they're in software in so
many machines nobody can break interoperability with 0.01% of them.
I don't believe we understand the problems. If we did, we wouldn't have
guys in Argentina decrypting PayPal cookies transmitted over
properly-encrypted TLS as a stage trick.
It's hard for me to imagine a first-rate engineer with an unbiased mind
knowing all the issues today sitting down with a clean sheet of paper
and coming up with CBC as a new design. Yet it continues to be regarded
as some kind of gold standard. Why? Because we love Mother AES and
Grandmother DES so much and CBC is such an improvement over ECB that
surely it's "good enough"? Because people who propose alternatives are
alternately ignored or accused of "inventing their own crypto", "vanity
crypto", or "wasting our precious cipher suite code points"?
The wrong questions have been asked for so
long in this long discussion that I think the only reasonable people
are the ones ignoring the whole thing.
Yeah. I wish those reasonable people would participate more. :-)
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography