Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
OK how about this:

If a person at Snowden's level in the NSA had any access to information
that indicated the existence of any program which involved the successful
cryptanalysis of any cipher regarded as 'strong' by this community then the
Director of National Intelligence, the Director of the NSA and everyone
involved in those decisions should be fired immediately and lose their
pensions.

What was important in Ultra was the fact that the Germans never discovered
they were being intercepted and decrypted. They would have strengthened
their cipher immediately if they had known it was broken.


So either the NSA has committed an unpardonable act of carelessness (beyond
the stupidity of giving 50,000 people like Snowden access to information
that should not have been shared beyond 500) or the program involves lower
strength ciphers that we would not recommend the use of but are still there
in the cipher suites.

I keep telling people that you do not make a system more secure by adding
the choice of a stronger cipher into the application. You make the system
more secure by REMOVING the choice of the weak ciphers.

I would bet that there is more than enough DES traffic to be worth attack
and probably quite a bit on IDEA as well. There is probably even some 40
and 64 bit crypto in use.


Before we assume that the NSA is robbing banks by using an invisibility
cloak let's consider the likelihood that they are beating up old ladies and
taking their handbags.


On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:

 I would like to open the floor to *informed speculation* about
 BULLRUN.

 Informed speculation means intelligent, technical ideas about what
 has been done. It does not mean wild conspiracy theories and the
 like. I will be instructing the moderators (yes, I have help these
 days) to ruthlessly prune inappropriate material.

 At the same time, I will repeat that reasonably informed
 technical speculation is appropriate, as is any solid information
 available.


 Perry
 --
 Perry E. Metzger  pe...@piermont.com
 ___
 The cryptography mailing list
 cryptography@metzdowd.com
 http://www.metzdowd.com/mailman/listinfo/cryptography




-- 
Website: http://hallambaker.com/
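The point about removing weak suites rather than adding strong ones can be made concrete with a small model of TLS cipher-suite negotiation. This is an added example, not code from the thread or from any TLS library; the suite labels, the key-strength table and the "weak" threshold are constructed for the illustration and are not IANA registry names.

```python
"""Added example (not from the thread): model of server-preference cipher-suite
negotiation showing that a server's security floor is set by the weakest suite
it still accepts, not by the strongest one it also offers.

Suite labels and the KEY_BITS table are constructed for this illustration.
"""
from typing import List, Optional

# Constructed table: nominal key strength in bits per suite label. The 40- and
# 56-bit entries stand in for the export and DES suites mentioned in the post.
KEY_BITS = {
    "EXPORT_RC4_40": 40,
    "DES_CBC": 56,
    "AES_128_CBC": 128,
    "AES_256_GCM": 256,
}

WEAK_FLOOR_BITS = 112  # suites below this are treated as weak here (assumption)


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference negotiation: the first suite in the server's list that
    the client also offered, or None when there is no common suite (the
    handshake fails, which is the correct outcome against a weak-only peer)."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def security_floor(server_prefs: List[str]) -> int:
    """Weakest protection any peer can obtain from this server: a client that
    offers only the weakest accepted suite forces the server to pick it."""
    return min(KEY_BITS[s] for s in server_prefs)


def weak_suites(server_prefs: List[str]) -> List[str]:
    """Audit helper: the suites a reviewer should insist on removing."""
    return [s for s in server_prefs if KEY_BITS[s] < WEAK_FLOOR_BITS]


def remove_weak(server_prefs: List[str]) -> List[str]:
    """The hardening step the post argues for: drop weak suites instead of
    prepending strong ones."""
    return [s for s in server_prefs if KEY_BITS[s] >= WEAK_FLOOR_BITS]


# Constructed scenario: a legacy server list, the "just add a stronger cipher"
# change, and the hardened list.
LEGACY_SERVER = ["AES_128_CBC", "DES_CBC", "EXPORT_RC4_40"]
ADDED_STRONG = ["AES_256_GCM"] + LEGACY_SERVER
HARDENED = remove_weak(ADDED_STRONG)

# A client that only speaks (or has been talked down to) the export suite.
WEAK_ONLY_CLIENT = ["EXPORT_RC4_40"]

if __name__ == "__main__":
    for name, prefs in [("legacy", LEGACY_SERVER),
                        ("added strong", ADDED_STRONG),
                        ("hardened", HARDENED)]:
        print(f"{name:13s} floor={security_floor(prefs):3d} bits, "
              f"weak-only client gets: {negotiate(prefs, WEAK_ONLY_CLIENT)}")
```

Adding AES-256 to the front of the list changes nothing for the weak-only client: it still gets the 40-bit suite, and the floor stays at 40 bits. Removing the weak suites makes that client's handshake fail outright and raises the floor to 128 bits.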

[Cryptography] ADMIN: Please, please, please don't top post.

2013-09-05 Thread Perry E. Metzger
I hate to ask this yet again, but:

Please, please, please don't top post.

Please, please, please edit down your replies.

If your mobile device, say, doesn't let you do otherwise, it can
probably wait half an hour until you get to a machine with a keyboard.

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Tim Dierks
On Thu, Sep 5, 2013 at 4:57 PM, Perry E. Metzger pe...@piermont.com wrote:

 On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
 pe...@piermont.com wrote:
   Anyone recognize the standard?
 
  Please say it aloud. (I personally don't recognize the standard
  offhand, but my memory is poor that way.)

 There is now some speculation in places like twitter that this refers
 to Dual_EC_DRBG though I was not aware that was widely enough deployed
 to make a huge difference here, and am not sure which international
 group is being mentioned. I would be interested in confirmation.


I believe it is Dual_EC_DRBG. The ProPublica story
(http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption) says:

Classified N.S.A. memos appear to confirm that the fatal weakness,
discovered by two Microsoft cryptographers in 2007, was engineered by the
agency. The N.S.A. wrote the standard and aggressively pushed it on the
international group, privately calling the effort “a challenge in finesse.”

This appears to describe the NIST SP 800-90 situation pretty precisely. I
found Schneier's contemporaneous article to be good at refreshing my
memory:
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

 - Tim

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray

On 09/05/2013 01:57 PM, Perry E. Metzger wrote:

and am not sure which international group is being mentioned.


ISO.   Not that that narrows it down much.

Eric


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Bernie Cosell
On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:

 I would bet that there is more than enough DES traffic to be worth
 attack 
 and probably quite a bit on IDEA as well. There is probably even some 40
 and 64 bit crypto in use.

Indeed -- would you (or any of us) guess that NSA could break TDES these 
days?

/Bernie\

-- 
Bernie Cosell Fantasy Farm Fibers
mailto:ber...@fantasyfarm.com Pearisburg, VA
--  Too many people, too few sheep  --   





Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray

The NYT article is pretty informative:
(http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)

Because strong encryption can be so effective, classified N.S.A. 
documents make clear, the agency’s success depends on working with 
Internet companies — by getting their voluntary collaboration, forcing 
their cooperation with court orders or surreptitiously stealing their 
encryption keys or altering their software or hardware.


N.S.A. documents show that the agency maintains an internal database of 
encryption keys for specific commercial products, called a Key 
Provisioning Service, which can automatically decode many messages. If 
the necessary key is not in the collection, a request goes to the 
separate Key Recovery Service, which tries to obtain it.


How keys are acquired is shrouded in secrecy, but independent 
cryptographers say many are probably collected by hacking into 
companies’ computer servers, where they are stored


Also interesting:

Cryptographers have long suspected that the agency planted 
vulnerabilities in a standard adopted in 2006 by the National Institute 
of Standards and Technology, the United States’ encryption standards 
body, and later by the International Organization for Standardization, 
which has 163 countries as members.


Classified N.S.A. memos appear to confirm that the fatal weakness, 
discovered by two Microsoft cryptographers in 2007, was engineered by 
the agency. The N.S.A. wrote the standard and aggressively pushed it on 
the international group, privately calling the effort “a challenge in 
finesse.”


“Eventually, N.S.A. became the sole editor,” the memo says.

Anyone recognize the standard?

Eric



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread John Kelsey
First, I don't think it has anything to do with Dual EC DRBG.  Who uses it?  

My impression is that most of the encryption that fits what's in the article is 
TLS/SSL.  That is what secures most encrypted content going online.  The easy 
way to compromise that in a passive attack is to compromise servers' private 
keys, via cryptanalysis or compromise or bad key generation.  For server side 
TLS using RSA, guessing just the client's random values ought to be enough to 
read the traffic.  

For active attacks, getting alternative certs issued for a given host and 
playing man in the middle would work.  

Where do the world's crypto random numbers come from?  My guess is some version 
of the 
Windows crypto api and /dev/random or /dev/urandom account for most of them.  
What does most of the world's TLS?  OpenSSL and a few other libraries, is my 
guess.  But someone must have good data about this.  

My broader question is, how the hell did a sysadmin in Hawaii get hold of 
something that had to be super secret?  He must have been stealing files from 
some very high ranking people.  

--John



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread arxlight
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

What surprises me is that anyone is surprised.  If you believed
OpenBSD's Theo de Raadt and Gregory Perry back in late 2010, various
government agencies (in this specific case the FBI- though one wonders
if they were the originating agency) have been looking to introduce
weaknesses wholesale into closed AND open source software and OS
infrastructures for some time.  Over a decade in his example.

(See: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2)

Those of us old enough might marvel at the fact that going back to the
late 1980s a huge dust up was caused by the allegations that Swiss
firm Crypto AG introduced backdoors into their products at the
behest of Western (read: United States and the BND) intelligence
agencies, products that, at the time, were in widespread use by
foreign governments who, one presumes, could not afford to field their
own national cryptology centers to protect their own infrastructure
(or were just lazy and seduced by a Swiss flag on the corporate
domicile of Crypto AG).

For the unwashed on the list, Wikipedia (and Der Spiegel) relate the
story of (probably) hapless Crypto AG salesman Hans Buehler's 1992
arrest by the Iranian authorities after those allegations came to
light, and the fact that Crypto AG paid a $1m ransom for him (but then
later billed him for the $1m--you stay classy, Crypto AG).

(See: http://en.wikipedia.org/wiki/Crypto_AG)

But fear not.  Governments and NGOs around the world will be pleased
to know that Crypto AG lives on and continues to provide superior
crypto and security solutions to foreign institutions of all kinds,
including:

National security councils, national competence centres, e-government
authorities, encryption authorities, national banks, ministries of
defence, combined/joint commands, cyber commands, air forces, land
forces, naval forces, special forces, military intelligence services,
defence encryption authorities, ministries of foreign affairs and
numerous international organisations, ministries of the interior,
presidential guards, critical infrastructure authorities, homeland
security authorities, intelligence services, police forces, and cyber
forces.

(See: http://www.crypto.ch/ - The inclusion of a shot of the
Patrouille Suisse is an especially nice touch.  I often drive by their
offices in Steinhausen and was stunned to realize a few years ago that
they are thriving- I can only imagine what the mortgage on that place
costs).

I expect that today many of us feel quite naive at being shocked by
those penetration revelations (sorry, allegations) given that it seems
highly probable now that anyone using any sort of Microsoft, Cisco,
Google, Facebook, Yahoo, YouTube, Skype, AOL or Apple product has now
been elevated to a collection priority that seemed confined to the
Irans of the world in the 1990s and early 2000s.

Perry wondered after the unpardonable carelessness of the NSA in
giving 50,000 Snowdens access to a Powerpoint with all the Prism
partners. I would argue that the NSA had good cause to think no one
would notice or care given how many people who should know MUCH MUCH
better still send Crypto AG scads of money. And going back to the days
of toad.com hasn't this always been the story?

Security is expensive. Most people (and some governments) are cheap.

There's something about the present political climate in the United
States that really interests me. Mere mention of the word fascism in
any context other than sarcasm seems to brand one quite instantly as a
tin-foil nutjob. Granted, I think the word fascism is as overused
as the word communism, but it bears mentioning that the usurpation
of corporate entities and industry by the state to its own purposes is
one of the classic tenets of fascism.  I'm sure the list's readers
sense where I'm going with this by now.

It is hard to escape noticing that the NSA and its sister and orbital
agencies have long since broken the traditional firewall and morphed
themselves into domestic surveillance agencies.  But the United States
is late to the party here.

In the world of finance it was long understood that certain
state-dominated Russian firms were front-running a number of U.S.
economic indicators prior to release.  The rumor at the time was that
this activity stopped cold after a security audit at the offending
U.S. agencies.  It's possible that the story was apocryphal, but I
sort of doubt it.  The economic intelligence apparatus of foreign
intelligence services was the place to be if you wanted to find
yourself in the good graces of your nation-state.  (It's not an
accident that Nikolay Patolichev, once the Soviet Union's Foreign
Trade Minister, led the pack having been awarded the Order of Lenin
twelve times).

Of course, drafting otherwise independent-appearing private
enterprises to the purposes of the state was popular then (the CIA
would routinely interview U.S. businessmen and businesswomen after
trips to jurisdictions 

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey crypto@gmail.com
wrote:
 First, I don't think it has anything to do with Dual EC DRBG.  Who
 uses it?

It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would not claim that it is the most important part of
the story.

 My impression is that most of the encryption that fits what's in
 the article is TLS/SSL.

Yes, and if they have a real hole there they're exploiting, that is
quite disturbing. If they're merely using a hodge-podge of techniques
to get keys, it is less worrying.

 Where do the world's crypto random numbers come from?  My guess is
 some version of the Windows crypto api and /dev/random
 or /dev/urandom account for most of them.

I'm starting to think that I'd probably rather type in the results of
a few dozen die rolls every month into my critical servers and let
AES or something similar in counter mode do the rest.

A d20 has a bit more than 4 bits of entropy. I can get 256 bits with
64 die rolls, or, if I have eight dice, 16 rolls of the group. If I
mistype when entering the info, no harm is caused. The generator can
be easily tested for correct behavior if it is simply a block cipher.

 What does most of the  world's TLS?  OpenSSL and a few other
 libraries, is my guess.  But someone must have good data about this.
 
 My broader question is, how the hell did a sysadmin in Hawaii get
 hold of something that had to be super secret?  He must have been
 stealing files from some very high ranking people.  

I believe there was already discussion in the press on that latter
point, but I think it is less germane to our discussion here and
would prefer that we avoid speculating on things that are only of
human/gossip interest.

Perry
-- 
Perry E. Metzger  pe...@piermont.com
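Perry's dice-seeded generator, worked through as an added example that is not part of his post. The entropy arithmetic follows his numbers (a d20 gives log2(20), about 4.32 bits per roll). The standard library has no AES, so HMAC-SHA256 over a counter stands in for AES in counter mode; that substitution, the domain-separation prefix, the reseed rule and the self-test are my choices, and the roll values are constructed sample input, not real entropy.

```python
"""Added example (not from the thread): a deterministic generator seeded from
d20 rolls. HMAC-SHA256(key, counter) stands in for AES-CTR (assumption: the
standard library has no AES). Sample rolls below are constructed, not entropy.
"""
import hashlib
import hmac
import math
from typing import Iterable, List


def entropy_bits(n_rolls: int, sides: int = 20) -> float:
    """Entropy of n fair rolls of an s-sided die: n * log2(s)."""
    return n_rolls * math.log2(sides)


def rolls_needed(target_bits: int, sides: int = 20) -> int:
    """Smallest roll count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(sides))


def seed_from_rolls(rolls: Iterable[int], sides: int = 20, min_bits: int = 256) -> bytes:
    """Hash validated rolls into a 32-byte key. An out-of-range value (a typo
    such as 0 or 21) is rejected instead of silently accepted, and too few
    rolls are rejected because hashing cannot manufacture entropy."""
    rolls = list(rolls)
    if sides > 255:
        raise ValueError("one-byte encoding assumes at most 255 sides")
    for r in rolls:
        if not 1 <= r <= sides:
            raise ValueError(f"roll {r} out of range 1..{sides}")
    if entropy_bits(len(rolls), sides) < min_bits:
        raise ValueError(f"need at least {rolls_needed(min_bits, sides)} rolls")
    encoded = bytes(rolls)  # fixed one byte per roll, so the encoding is unambiguous
    return hashlib.sha256(f"d{sides}-seed-v1:".encode() + encoded).digest()


class CounterGenerator:
    """Deterministic keystream: block_i = PRF(key, i). With a real block cipher
    this is AES-CTR; here the PRF is HMAC-SHA256 (stand-in, see above)."""

    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("key must be 32 bytes")
        self._key = key
        self._counter = 0

    def next_block(self) -> bytes:
        block = hmac.new(self._key, self._counter.to_bytes(16, "big"), hashlib.sha256).digest()
        self._counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self.next_block()
        return out[:n]

    def reseed(self, rolls: Iterable[int], sides: int = 20) -> None:
        """Monthly top-up: fold fresh rolls into the existing key and restart
        the counter under the new key."""
        self._key = hashlib.sha256(self._key + seed_from_rolls(rolls, sides)).digest()
        self._counter = 0


def self_test() -> bool:
    """The 'easily tested' property: same seed gives the same stream, blocks
    differ as the counter advances, and a different seed gives a different stream."""
    a, b = CounterGenerator(b"\x01" * 32), CounterGenerator(b"\x01" * 32)
    c = CounterGenerator(b"\x02" * 32)
    a1, a2 = a.next_block(), a.next_block()
    return a1 == b.next_block() and a2 == b.next_block() and a1 != a2 and a1 != c.next_block()


# Constructed sample rolls (64 values in 1..20), standing in for real dice.
SAMPLE_ROLLS: List[int] = [(i * 7) % 20 + 1 for i in range(64)]

if __name__ == "__main__":
    print(f"64 d20 rolls carry {entropy_bits(64):.1f} bits; need {rolls_needed(256)} for 256")
    gen = CounterGenerator(seed_from_rolls(SAMPLE_ROLLS))
    print("self-test:", self_test(), "first bytes:", gen.random_bytes(8).hex())
```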


[Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
I would like to open the floor to *informed speculation* about
BULLRUN.

Informed speculation means intelligent, technical ideas about what
has been done. It does not mean wild conspiracy theories and the
like. I will be instructing the moderators (yes, I have help these
days) to ruthlessly prune inappropriate material.

At the same time, I will repeat that reasonably informed
technical speculation is appropriate, as is any solid information
available.


Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 16:53:15 -0400 Perry E. Metzger
pe...@piermont.com wrote:
  Classified N.S.A. memos appear to confirm that the fatal
  weakness, discovered by two Microsoft cryptographers in 2007, was
  engineered by the agency. The N.S.A. wrote the standard and
  aggressively pushed it on the international group, privately
  calling the effort “a challenge in finesse.”
  
  “Eventually, N.S.A. became the sole editor,” the memo says.
  
  Anyone recognize the standard?
 
 Please say it aloud. (I personally don't recognize the standard
 offhand, but my memory is poor that way.)

There is now some speculation in places like twitter that this refers
to Dual_EC_DRBG though I was not aware that was widely enough deployed
to make a huge difference here, and am not sure which international
group is being mentioned. I would be interested in confirmation.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


[Cryptography] The Guardian: US and UK spy agencies defeat privacy and security on the internet

2013-09-05 Thread Perry E. Metzger
Quoting:

US and British intelligence agencies have successfully cracked
much of the online encryption relied upon by hundreds of millions
of people to protect the privacy of their personal data, online
transactions and emails, according to top-secret documents
revealed by former contractor Edward Snowden.

The files show that the National Security Agency and its UK
counterpart GCHQ have broadly compromised the guarantees that
internet companies have given consumers to reassure them that
their communications, online banking and medical records would be
indecipherable to criminals or governments

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 05 Sep 2013 13:33:48 -0700 Eric Murray er...@lne.com wrote:
 The NYT article is pretty informative:
 (http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html)
[...]
 Also interesting:
 
 Cryptographers have long suspected that the agency planted 
 vulnerabilities in a standard adopted in 2006 by the National
 Institute of Standards and Technology, the United States’
 encryption standards body, and later by the International
 Organization for Standardization, which has 163 countries as
 members.
 
 Classified N.S.A. memos appear to confirm that the fatal weakness, 
 discovered by two Microsoft cryptographers in 2007, was engineered
 by the agency. The N.S.A. wrote the standard and aggressively
 pushed it on the international group, privately calling the effort
 “a challenge in finesse.”
 
 “Eventually, N.S.A. became the sole editor,” the memo says.
 
 Anyone recognize the standard?

Please say it aloud. (I personally don't recognize the standard
offhand, but my memory is poor that way.)

BTW, I will now openly speculate if the deeply undeployable key
management protocols for IPSec that originated at the NSA were an
accident. I had enough involvement not to feel overly strongly that
this is what happened, but it does lead one to wonder strongly.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
pe...@piermont.com wrote:
 I would like to open the floor to *informed speculation* about
 BULLRUN.

Here are a few guesses from me:

1) I would not be surprised if it turned out that some people working
for some vendors have made code and hardware changes at the NSA's
behest without the knowledge of their managers or their firm. If I
were running such a program, paying off a couple of key people here
and there would seem only rational, doubly so if the disclosure of
their involvement could be made into a crime by giving them a
clearance or some such.

2) I would not be surprised if some of the slow speed at which
improved/fixed hashes, algorithms, protocols, etc. have been adopted
might be because of pressure or people who had been paid off.

At the very least, anyone whining at a standards meeting from now on
that they don't want to implement a security fix because it isn't
important to the user experience or adds minuscule delays to an
initial connection or whatever should be viewed with enormous
suspicion. Whether I am correct or not, such behavior clearly serves
the interest of those who would do bad things.

3) I would not be surprised if random number generator problems in a
variety of equipment and software were not a very obvious target,
whether those problems were intentionally added or not.

4) Choices not to use things like Diffie-Hellman in TLS connections
on the basis that it damages user experience and the like should be
viewed with enormous suspicion.

5) Choices not to make add-ons available in things like chat clients
or mail programs that could be used for cryptography should be viewed
with suspicion.

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:

 I would like to open the floor to *informed speculation* about
 BULLRUN.

 Informed speculation means intelligent, technical ideas about what
 has been done. It does not mean wild conspiracy theories and the
 like. I will be instructing the moderators (yes, I have help these
 days) to ruthlessly prune inappropriate material.

 At the same time, I will repeat that reasonably informed
 technical speculation is appropriate, as is any solid information
 available.


http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
• The NSA spends $250m a year on a program which, among other goals, works
with technology companies to covertly influence their product designs.

I believe this confirms my theory that the NSA has plants in the IETF to
discourage moves to strong crypto.

-- 
Website: http://hallambaker.com/

[Cryptography] Bruce Schneier in The Guardian on BULLRUN etc.

2013-09-05 Thread Perry E. Metzger
Quite worth reading. There is some speculation in there about various
weaknesses that may have been added as well.

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Thoughts about keys

2013-09-05 Thread Jeremy Stanley
On 2013-09-04 13:12:21 +0200 (+0200), Ilja Schmelzer wrote:
 There is already a large community of quite average users which use
 Torchat, which uses onion addresses as IDs, which are 512-bit hashes if
 I remember correctly.
 
 Typical ways of communication in this community are look for my
 torchat-id at forum example.net, I'm examplenick there.
[...]

You could do the same with OpenPGP keys too (look for my key at any
modern keyserver, I'm fu...@yuggoth.org there) but that misses the
possibility that in the future someone might upload a trojan key
claiming to be me and use it to sign and send them a spoofed
nefarious message, source code release tarball, git tag, whatever.
Handing them a copy of the key fingerprint gives them a means to
confirm the key they just pulled from the server is really the same
person who showed them a passport at the conference the month
before.

If there's no way for anyone to impersonate examplenick at forum
example.net then, sure, maybe simpler... but that forum is probably
not a distributed, highly available, cryptographically-verifiable
pool of key distribution API servers either. 
-- 
{ PGP( 48F9961143495829 ); FINGER( fu...@cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fu...@irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kin...@katarsis.mudpy.org:6669 ); }
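The check Jeremy describes, comparing a key pulled from a keyserver against a fingerprint handed over in person, worked as an added example that is not part of his post. It computes the OpenPGP v4 fingerprint (SHA-1 over 0x99, the two-byte packet length and the public-key packet body, per RFC 4880) from the standard library only; the RSA modulus, exponent and creation time are constructed toy values, far too small to be a real key, and the "trojan" key is the same packet with a different modulus.

```python
"""Added example (not from the thread): OpenPGP v4 fingerprint computation and
the fetched-key-versus-trusted-fingerprint check. Key material is a constructed
toy RSA key, not a real one.
"""
import hashlib
import hmac


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    length = value.bit_length()
    return length.to_bytes(2, "big") + value.to_bytes((length + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body.
    Returned as 40 upper-case hex digits, the form people print and compare."""
    header = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(header + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 16 hex digits of the fingerprint (the
    signature block's 48F9961143495829 has that shape). It is a locator for
    keyserver lookups, not a substitute for comparing the full fingerprint."""
    return fingerprint[-16:]


def normalize(fingerprint: str) -> str:
    """Accept the spaced, mixed-case form a fingerprint is usually printed in."""
    return "".join(fingerprint.split()).upper()


def key_matches_fingerprint(fetched_body: bytes, trusted_fingerprint: str) -> bool:
    """The check from the post: the fingerprint obtained out of band must equal
    the fingerprint of the key just pulled from the server. Constant-time
    comparison is habit here; the values are public either way."""
    return hmac.compare_digest(v4_fingerprint(fetched_body), normalize(trusted_fingerprint))


# Constructed toy key material (assumption: illustrative values only).
TOY_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCD
TOY_E = 65537
TOY_CREATED = 1378339200  # constructed creation timestamp

GENUINE_KEY = rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED)
# Same creation time and exponent, different modulus: what an uploaded
# look-alike key would have to look like. Its fingerprint cannot match.
TROJAN_KEY = rsa_public_key_packet_body(TOY_N + 2, TOY_E, TOY_CREATED)


def spaced(fingerprint: str) -> str:
    """Print form: groups of four, as on a business card or conference slip."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


if __name__ == "__main__":
    fp = v4_fingerprint(GENUINE_KEY)
    print("trusted fingerprint:", spaced(fp), "key id:", long_key_id(fp))
    print("genuine key matches:", key_matches_fingerprint(GENUINE_KEY, spaced(fp)))
    print("trojan key matches: ", key_matches_fingerprint(TROJAN_KEY, spaced(fp)))
```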


Re: [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)

2013-09-05 Thread Joachim Strömbergson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Aloha!

Stephan Neuhaus wrote:
 On 2013-09-04 16:37, Perry E. Metzger wrote:
 Phil Karn described a construction for turning any hash function
 into the core of a Feistel cipher in 1991. So far as I can tell,
 such ciphers are actually quite secure, though impractically slow.
 
 Pointers to his original sci.crypt posting would be appreciated, I 
 wasn't able to find it with a quick search.
 
 I remember having reviewed a construction by Peter Gutmann, called a 
 Message Digest Cipher, at around that time, which also turned a hash 
 function into a cipher.  I do remember that at that time I thought
 it was quite secure, but I was just a little puppy then.  Schneier
 reviews this construction in Applied Cryptography and can't find
 fault with it, but doesn't like it on principle (using the hash
 function for something for which it is not intended).

Isn't this whole discussion basically the gist of DJB vs USA?

https://en.wikipedia.org/wiki/Snuffle

And today we have Salsa20 as a PRNG/stream cipher in eSTREAM.

The Salsa family of functions including ChaCha are compression functions
in counter mode to generate a keystream.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.

-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlIoUmoACgkQZoPr8HT30QF6BwCgrbIFVv/ETFWjGGUxi27h6bWb
7usAoKNYs9PO1ENGD8jeSje3i6Hm+xml
=8rT0
-END PGP SIGNATURE-
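The two constructions this sub-thread touches, a hash function used as the round function of a Feistel cipher and a function run in counter mode to produce a keystream, as one added example that is not from the thread. This is a generic textbook Feistel network with HMAC-SHA256 as the round function, not Karn's or Gutmann's exact design, and the counter-mode part shows only the shape Joachim attributes to Salsa20/ChaCha, not their actual core. Block size and round count are my choices; it is an illustration of why the construction decrypts, not a vetted cipher.

```python
"""Added example (not from the thread): a Feistel block cipher whose round
function is a keyed hash, plus the block function run in counter mode as a
keystream generator. Parameters (32-byte block, 16 rounds) are assumptions.
"""
import hashlib
import hmac

HALF = 16      # bytes per half-block, so blocks are 32 bytes
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, round_no: int, half: bytes) -> bytes:
    """F(K, i, R): keyed hash of the round index and the right half, truncated
    to a half-block. F need not be invertible: the Feistel structure undoes
    each round by recomputing F on the half that was passed through unchanged."""
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:HALF]


def _check_block(block: bytes) -> None:
    if len(block) != 2 * HALF:
        raise ValueError(f"block must be {2 * HALF} bytes, got {len(block)}")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Round i: (L, R) -> (R, L xor F(i, R))."""
    _check_block(block)
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, round_function(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of one round, applied in reverse order: (L', R') -> (R' xor F(i, L'), L')."""
    _check_block(block)
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, round_function(key, i, left)), left
    return left + right


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Block function over nonce || counter: the 'function in counter mode'
    shape. A (key, nonce) pair must never be reused, or keystreams repeat."""
    if len(nonce) != HALF:
        raise ValueError(f"nonce must be {HALF} bytes")
    return b"".join(encrypt_block(key, nonce + ctr.to_bytes(HALF, "big"))
                    for ctr in range(nblocks))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream encryption/decryption: XOR with the keystream (same op both ways)."""
    nblocks = (len(data) + 2 * HALF - 1) // (2 * HALF)
    return _xor(data, ctr_keystream(key, nonce, nblocks)[:len(data)])


# Constructed sample inputs.
SAMPLE_KEY = hashlib.sha256(b"constructed example key").digest()
SAMPLE_BLOCK = bytes(range(32))
SAMPLE_NONCE = b"\x00" * 15 + b"\x01"
SAMPLE_MESSAGE = b"Feistel from a hash, counter mode from a block function."

if __name__ == "__main__":
    ct = encrypt_block(SAMPLE_KEY, SAMPLE_BLOCK)
    print("block roundtrip ok:", decrypt_block(SAMPLE_KEY, ct) == SAMPLE_BLOCK)
    stream_ct = ctr_crypt(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_MESSAGE)
    print("stream roundtrip ok:", ctr_crypt(SAMPLE_KEY, SAMPLE_NONCE, stream_ct) == SAMPLE_MESSAGE)
```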


Re: [Cryptography] Google's Public Key Size (was Re: NSA and cryptanalysis)

2013-09-05 Thread Andy Steingruebl
On Wed, Sep 4, 2013 at 3:54 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:

 On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:

  As of Jan-2014 CAs are forbidden from issuing/signing anything less than
 2048 certs.

 For some value of forbidden. :-)


This is why you're seeing Mozilla and Google implementing these checks for
compliance with the CABF Basic Requirements in code.

- Andy

Re: [Cryptography] Google's Public Key Size (was Re: NSA and cryptanalysis)

2013-09-05 Thread Paul Hoffman
On Sep 4, 2013, at 2:15 PM, Andy Steingruebl stein...@gmail.com wrote:

 As of Jan-2014 CAs are forbidden from issuing/signing anything less than 2048 
 certs.  

For some value of forbidden. :-)

--Paul Hoffman


[Cryptography] NY Times: NSA Foils Much Internet Encryption

2013-09-05 Thread Perry E. Metzger
Quoting:

   The National Security Agency is winning its long-running secret
   war on encryption, using supercomputers, technical trickery,
   court orders and behind-the-scenes persuasion to undermine the
   major tools protecting the privacy of everyday communications in
   the Internet age, according to newly disclosed documents.

   The agency has circumvented or cracked much of the encryption, or
   digital scrambling, that guards global commerce and banking
   systems, protects sensitive data like trade secrets and medical
   records, and automatically secures the e-mails, Web searches,
   Internet chats and phone calls of Americans and others around the
   world, the documents show.

http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all

-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Phillip Hallam-Baker
On Thu, Sep 5, 2013 at 4:41 PM, Perry E. Metzger pe...@piermont.com wrote:

 On Thu, 5 Sep 2013 15:58:04 -0400 Perry E. Metzger
 pe...@piermont.com wrote:
  I would like to open the floor to *informed speculation* about
  BULLRUN.

 Here are a few guesses from me:

 1) I would not be surprised if it turned out that some people working
 for some vendors have made code and hardware changes at the NSA's
 behest without the knowledge of their managers or their firm. If I
 were running such a program, paying off a couple of key people here
 and there would seem only rational, doubly so if the disclosure of
 their involvement could be made into a crime by giving them a
 clearance or some such.


Or they contacted the NSA alumni working in the industry.



 2) I would not be surprised if some of the slow speed at which
 improved/fixed hashes, algorithms, protocols, etc. have been adopted
 might be because of pressure or people who had been paid off.



 At the very least, anyone whining at a standards meeting from now on
 that they don't want to implement a security fix because it isn't
 important to the user experience or adds minuscule delays to an
 initial connection or whatever should be viewed with enormous
 suspicion. Whether I am correct or not, such behavior clearly serves
 the interest of those who would do bad things.


I think it is subtler than that. Trying to block a strong cipher is too
obvious. Much better to push for something that is overly complicated or
too difficult for end users to make use of.

* The bizarre complexity of IPSEC.

* Allowing deployment of DNSSEC to be blocked in 2002 by blocking a
technical change that made it possible to deploy in .com.

* Proposals to deploy security policy information (always send me data
encrypted) have been consistently filibustered by people making nonsensical
objections.

3) I would not be surprised if random number generator problems in a
 variety of equipment and software were not a very obvious target,
 whether those problems were intentionally added or not.


Agreed, the PRNG is the easiest thing to futz with.

It would not surprise me if we discovered kleptography at work as well.


 4) Choices not to use things like Diffie-Hellman in TLS connections
 on the basis that it damages user experience and the like should be
 viewed with enormous suspicion.

 5) Choices not to make add-ons available in things like chat clients
 or mail programs that could be used for cryptography should be viewed
 with suspicion.


I think the thing that discouraged all that was the decision to make end
user certificates hard to obtain (still no automatic spec) and expire after
a year.

-- 
Website: http://hallambaker.com/

Re: [Cryptography] NSA and cryptanalysis

2013-09-05 Thread Joachim Strömbergson

Aloha!

Jerry Leichter wrote:
 On Sep 1, 2013, at 2:11 PM, Perry E. Metzger wrote:
 
 On Sun, 1 Sep 2013 07:11:06 -0400 Jerry Leichter
 leich...@lrw.com wrote:
 Meanwhile, just what evidence do we really have that AES is 
 secure?
 The fact that the USG likes using it, too.
 We know they *say in public* that it's acceptable.  But do we know
 what they *actually use*?
 
 That's also evidence for elliptic curve techniques btw.
 Same problem.

(Slightly tangential but on topic I hope)

Am I the only one surprised that the NSA-designed block ciphers SIMON and
SPECK are vulnerable to differential attacks?

http://eprint.iacr.org/2013/543

If I understand the history correctly, NSA supported the development of
DES as well as SHA-0/SHA-1, and their contributions show knowledge about
differential attacks at least as far back as 1977.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Thu, 05 Sep 2013 16:43:59 -0400 Bernie Cosell
ber...@fantasyfarm.com wrote:
 On 5 Sep 2013 at 16:11, Phillip Hallam-Baker wrote:
 
  I would bet that there is more than enough DES traffic to be worth
  attack 
  and probably quite a bit on IDEA as well. There is probably even
  some 40 and 64 bit crypto in use.
 
 Indeed -- would you (or any of us) guess that NSA could break TDES
 these days?

The articles make it sound much more like implementation flaws that
have been intentionally placed in software and hardware, and a
select few bad protocols and standards. I'm not going to say that it
is impossible that they can break 3DES at this point, but it doesn't
sound like that's what is being discussed here.

-- 
Perry E. Metzger pe...@piermont.com


[Cryptography] Is ECC suspicious?

2013-09-05 Thread Perry E. Metzger
In this posting:

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

Bruce Schneier casts some doubt on the use of ECC

   5) Try to use public-domain encryption that has to be compatible
   with other implementations. For example, it's harder for the NSA to
   backdoor TLS than BitLocker, because any vendor's TLS has to be
   compatible with every other vendor's TLS, while BitLocker only has
   to be compatible with itself, giving the NSA a lot more freedom to
   make changes. And because BitLocker is proprietary, it's far less
   likely those changes will be discovered. Prefer symmetric
   cryptography over public-key cryptography. Prefer conventional
   discrete-log-based systems over elliptic-curve systems; the latter
   have constants that the NSA influences when they can.

Now, this certainly was a problem for the random number generator
standard, but is it an actual worry in other contexts? I tend not to
believe that but I'm curious about opinions.

Perry
-- 
Perry E. Metzger pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Eric Murray

Bruce Schneier explains the Dual_EC_DRBG attack:

http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Lance James
Hi all,


If you read the articles carefully, you'll note that at no point does the
NSA appear to have actually broken the *cryptography* in use.  It's hard to
get concrete details from such vague writing and no access to the
original documents, but it sounds like they've mostly gotten a lot of
backdoors in *systems* (not algorithms, though they may have tried that
with Dual_EC_DRBG in NIST SP 800-90 in 2006 ... which lasted barely a year
before public cryptographers flagged it).


Basically, the summary of this new information appears to be best given by
Paul Kocher, who noted that the NSA had pushed for a backdoor key escrow
system with the Clipper Chip, was denied, ... and they went and did it
anyway, without telling anyone.  In this case, it wasn't a mandated key
escrow backdoor, but through a combination of targeted interception and
strong-arming companies like Google and Microsoft, they got enough.


It's the same old story of crypto in the real world: Don't attack the
algorithm; Attack the system.


Better story here:
http://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html


On Thu, Sep 5, 2013 at 3:58 PM, Perry E. Metzger pe...@piermont.com wrote:

 I would like to open the floor to *informed speculation* about
 BULLRUN.

 Informed speculation means intelligent, technical ideas about what
 has been done. It does not mean wild conspiracy theories and the
 like. I will be instructing the moderators (yes, I have help these
 days) to ruthlessly prune inappropriate material.

 At the same time, I will repeat that reasonably informed
 technical speculation is appropriate, as is any solid information
 available.


 Perry
 --
 Perry E. Metzger pe...@piermont.com




-- 
Lance James
http://soundcloud.com/lancejames
Office: 760-262-4141
l lan...@securescience.netan...@gmail.com

Re: [Cryptography] Is ECC suspicious?

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 4:09 PM, Perry E. Metzger pe...@piermont.com wrote:

 Now, this certainly was a problem for the random number generator
 standard, but is it an actual worry in other contexts? I tend not to
 believe that but I'm curious about opinions.

If there is a place to worry, it would be about the specific curves.

I had a lively dinner-table conversation with Dan Bernstein and Tanja Lange at 
CRYPTO this year, and Dan pointed out that there's been a lot of work on 
cryptanalysis of specific curves and curve families. We know, for example that 
anything over GF(p^n) is seeming dodgy, but GF(p) seems okay. There are recent 
Eurocrypt papers on said.

The Suite B curves were picked some time ago. Maybe they have problems.

I have a small amount of raised eyebrow because the greatest bulwark we have 
against the SIGINT capabilities of any intelligence agency are that agency's IA 
cousins. I don't think that the Suite B curves would have been intentionally 
weak. That would be a shock.

However, if the SIGINT guys (e.g.) discovered a weakness that gave P-256 
something less than 128 bits of security, they might just sit on it. Certainly, 
even if they wanted to release that, there would be politics compounded by 
security compartments. Learning that they sat on a weakness might be a 
shock, but it wouldn't be a surprise.

If there is an issue, that's the place it would be. Not ECC as a technology, 
but specific curves.

Jon






Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread John Denker
I don't have any hard information or even any speculation about
BULLRUN, but I have an observation and a question:

Traditionally it has been very hard to exploit a break without 
giving away the fact that you've broken in.  So there are two 
fairly impressive parts to the recent reports:  (a) Breaking 
some modern, widely-used crypto, and (b) not getting caught 
for a rather long time.

To say the same thing the other way, I was always amazed that the
Nazis were unable to figure out that their crypto was broken during 
WWII.  There were experiments they could have done, such as sending
out a few U-boats under strict radio silence and comparing their 
longevity to others.

So my question is:  What would we have to do to produce /tamper-evident/
data security?

As a preliminary outline of the sort of thing I'm talking about, you
could send an encrypted message that says 
  The people at 1313 Mockingbird Lane have an 
   enormous kiddie porn studio in their basement.
and then watch closely.  See how long it takes until they get raided.

Obviously I'm leaving out a lot of details here, but I hope the idea
is clear:  It's a type of honeypot, adapted to detecting whether the
crypto is broken.

Shouldn't something like this be part of the ongoing validation of 
any data security system?





Also, on 09/05/2013 04:35 PM, Perry E. Metzger wrote:

 A d20 has a bit more than 4 bits of entropy. I can get 256 bits with
 64 die rolls, or, if I have eight dice, 16 rolls of the group.

You can get a lot more entropy than that from your sound card, a
lot more conveniently.

  http://www.av8n.com/turbid/

  If I mistype when entering the info, no harm is caused. 

I'm not so sure about that.  Typos are not random, and history proves 
that seemingly minor mistakes can be exploited.

 The generator can
 be easily tested for correct behavior if it is simply a block cipher.

I wouldn't have said that.

As Dijkstra was fond of saying:
   Testing can show the presence of bugs;
   testing can never show the absence of bugs.



Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Perry E. Metzger
On Thu, 05 Sep 2013 16:56:38 -0700 John Denker j...@av8n.com wrote:
  The generator can
  be easily tested for correct behavior if it is simply a block
  cipher.
 
 I wouldn't have said that.
 
 As Dijkstra was fond of saying:
    Testing can show the presence of bugs;
    testing can never show the absence of bugs.

The point is that a deterministic generator operating off of a seed
can be validated -- you can assure yourself reasonably easily that
the thing is indeed AES in counter mode. A hardware generator can have
horrible flaws that are hard to detect without a lot of data from many
devices. (The recent break of the Taiwanese national ID card system
should be a lesson on that too.)

I will remind everyone that the key generation ceremony for the
Clipper devices used a deterministic generator for precisely this
reason even given that the keys were being escrowed. See Dorothy
Denning's old report on that for a reminder.

Perry
-- 
Perry E. Metzger pe...@piermont.com
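The validation Perry is pointing at, as an added example (not code from the list or from any poster): a seed-driven AES-128 counter-mode generator in Go, checked first against the published AES-128 known-answer vector from FIPS-197 Appendix C.1 and then against the Go standard library's own CTR mode as an independent implementation. The type and function names and the seed/counter values are this example's assumptions, not anything from the thread.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// CTRGenerator is the kind of deterministic generator discussed above:
// AES-128 in counter mode, driven entirely by a seed (used as the key)
// and a 128-bit counter. Same seed and counter always give the same bytes,
// which is exactly what makes its behaviour checkable.
type CTRGenerator struct {
	block   cipher.Block
	counter [aes.BlockSize]byte
}

// NewCTRGenerator builds a generator from a seed (16, 24 or 32 bytes, as
// AES requires) and a 16-byte starting counter. Both are supplied by the
// caller; the values used below are constructed for this example.
func NewCTRGenerator(seed, counter []byte) (*CTRGenerator, error) {
	if len(counter) != aes.BlockSize {
		return nil, fmt.Errorf("counter must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(seed) // rejects seeds of the wrong length
	if err != nil {
		return nil, err
	}
	g := &CTRGenerator{block: block}
	copy(g.counter[:], counter)
	return g, nil
}

// Read fills out with generator output: each block is AES_seed(counter),
// after which the counter is incremented as a big-endian integer.
func (g *CTRGenerator) Read(out []byte) {
	var ks [aes.BlockSize]byte
	for off := 0; off < len(out); off += aes.BlockSize {
		g.block.Encrypt(ks[:], g.counter[:])
		copy(out[off:], ks[:]) // copy handles a short final block
		for i := aes.BlockSize - 1; i >= 0; i-- { // big-endian increment
			g.counter[i]++
			if g.counter[i] != 0 {
				break
			}
		}
	}
}

// Validate runs the two checks a reviewer can actually perform on a
// deterministic generator (and cannot perform on a hardware source):
//  1. a known-answer test: with the FIPS-197 Appendix C.1 key and that
//     plaintext block as the counter, the first 16 output bytes must be
//     the published ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a;
//  2. agreement with an independent implementation (cipher.NewCTR from the
//     standard library) over 1 KiB, which also exercises the counter carry.
func Validate() error {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	ctr, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	want, _ := hex.DecodeString("69c4e0d86a7b0430d8cdb78070b4c55a")

	g, err := NewCTRGenerator(key, ctr)
	if err != nil {
		return err
	}
	first := make([]byte, aes.BlockSize)
	g.Read(first)
	if !bytes.Equal(first, want) {
		return fmt.Errorf("known-answer test failed: got %x", first)
	}

	// Independent cross-check: XORing the reference CTR keystream into an
	// all-zero buffer yields the raw keystream, which must match ours.
	const n = 1024
	ours := make([]byte, n)
	g2, _ := NewCTRGenerator(key, ctr)
	g2.Read(ours)
	ref := make([]byte, n)
	block, _ := aes.NewCipher(key)
	cipher.NewCTR(block, ctr).XORKeyStream(ref, ref)
	if !bytes.Equal(ours, ref) {
		return fmt.Errorf("output diverges from reference AES-CTR")
	}
	return nil
}

func main() {
	if err := Validate(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("generator validated: output is AES-128-CTR of the seed")
}
```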


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
[This drifts from the thread topic; feel free to attach a different subject 
line to it]

On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
 3) I would not be surprised if random number generator problems in a
 variety of equipment and software were not a very obvious target,
 whether those problems were intentionally added or not.
Random number generators make for a very interesting target.  Getting decent 
amounts of entropy on conventional machines is very difficult.  Servers have 
almost no random variation in their environments; desktops somewhat more; 
modern laptops, yet more.  Virtualization - now extremely common on the server 
side - makes things even harder.  But even laptops don't have much.  So we're 
left trying to distill enough randomness for security - a process that's 
error-prone and difficult to check.

So ... along comes Intel with a nice offer:  Built-in randomness on their 
latest chips.  Directly accessible to virtual machines, solving the very 
difficult problems they pose.  The techniques used to generate that randomness 
are published.  But ... how could anyone outside a few chip designers at Intel 
possibly check that the algorithm wasn't, in some way, spiked?  For that 
matter, how could anyone really even check that the outputs of the hardware Get 
Random Value instruction were really generated by the published algorithm?

Randomness is particularly tricky because there's really no way to test for a 
spiked random number generator (unless it's badly spiked, of course).  Hell, 
every encryption algorithm is judged by its ability to generate streams of bits 
that are indistinguishable from random bits (unless you know the key).

Now, absolutely, this is speculation.  I know of no reason to believe that the 
NSA, or anyone else, has influenced the way Intel generates randomness; or that 
there is anything at all wrong with Intel's implementation.  But if you're 
looking for places an organization like the NSA would really love to insert 
itself - well, it's hard to pick a better one.

Interestingly, though, there's good news here as well.  While it's hard to get 
at sources of entropy in things like servers, we're all carrying computers with 
excellent sources of entropy in our pockets.  Smartphones have access to a 
great deal of environmental data - accelerometers, one or two cameras, one or 
two microphones, GPS, WiFi, and cell signal information (metadata, data, signal 
strength) - more every day.  This provides a wealth of entropy, and it's hard 
to see how anyone could successfully bias more than a small fraction of it.  
Mix these together properly and you should be able to get extremely high 
quality random numbers.  Normally, we assume code on the server side is 
better and should take the major role in such tasks as providing randomness.  
Given what we know now about the ability of certain agencies to influence what 
runs on servers, *in general*, we need to move trust away from them.  The case 
is particularly strong in the case of randomness.

Of course, there's a whole other layer of issue introduced by the heavily 
managed nature of phone software.
-- Jerry




Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
 My broader question is, how the hell did a sysadmin in Hawaii get hold of 
 something that had to be super secret?  He must have been stealing files from 
 some very high ranking people.  
This has bothered me from the beginning.  Even the first leaks involved 
material that you would expect to only be available to highly trusted people 
*well up in the organization* - they were slides selling capabilities to 
managers and unlikely to be shown to typical employees, cleared or not.  My 
immediate impression was that we were looking at some disgruntled higher-up.

The fact that these are coming from a sysadmin - who would never have reason to 
get legitimate access to pretty much *any* of the material leaked so far - is a 
confirmation of a complete breakdown of NSA's internal controls.  They seem to 
know how to do cryptography and cryptanalysis and all that stuff - but basic 
security and separation of privileges and internal monitoring ... that seems to 
be something they are just missing.

Manning got to see all kinds of material that wasn't directly related to his 
job because the operational stuff was *deliberately* opened up in an attempt to 
get better analysis.  While he obviously wasn't supposed to leak the stuff, he 
was authorized to look at it.  I doubt the same could be said of Snowden.  
Hell, when I had a data center manager working for me, we all understood that 
just because root access *let* you look at everyone's files, you were not 
*authorized* to do so without permission.

One of the things that must be keeping the NSA guys up night after night is:  
If Snowden could get away with this much without detection, who's to say what 
the Chinese or the Russians or who knows who else have managed to get?  Have 
they spiked the spikers, grabbing the best stuff the NSA manages to find?

-- Jerry



[Cryptography] ADMIN: less Snowden, more Crypto

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 20:30:40 -0400 Jerry Leichter leich...@lrw.com
wrote:
 On Sep 5, 2013, at 7:14 PM, John Kelsey wrote:
  My broader question is, how the hell did a sysadmin in Hawaii get
  hold of something that had to be super secret?  He must have been
  stealing files from some very high ranking people.  
 This has bothered me from the beginning.  Even the first leaks

Admin hat on:

As interesting as the overall speculation might be in a human
interest sort of way, I'd prefer if we avoided it, unless it points
to interesting lessons for making the world more secure going
forward or to something similarly worthwhile.

Yes, this is irresistible gossip for many of us, but I don't know that
it is interesting beyond that, and our traffic levels are quite high
right now already.


Perry
-- 
Perry E. Metzger pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 12:13:48 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
 Perry E. Metzger pe...@piermont.com writes:
 
 I would like to open the floor to *informed speculation* about
 BULLRUN.
 
 Not informed since I don't work for them, but a connect-the-dots:
 
 1. ECDSA/ECDH (and DLP algorithms in general) are incredibly
 brittle unless you get everything absolutely perfectly right.

I'm aware of the randomness issues for ECDSA, but what's the issue
with ECDH that you're thinking of?

 2. The NSA has been pushing awfully hard to get everyone to switch
 to ECDSA/ECDH.

Yes, and 24 hours ago I would have said that was because they
themselves depended on the use of commercial products with such
algorithms available (as in Suite B.) Now I'm less sure.

 Wasn't Suite B promulgated in the 2005-2006 period?

Yes, though it doesn't sound like Suite B is what the article
meant when discussing standards.

 Peter (who chooses RSA over ECC any time, follow a few basic rules
 and you're safe with RSA while ECC is vulnerable to all manner of
 attacks, including many yet to be discovered).

Many people out there seem to claim the opposite of course. The
current situation doesn't give us a definitive way to resolve such an
argument.

RSA certainly appears to require vastly longer keys for the same
level of assurance as ECC.

-- 
Perry E. Metzger pe...@piermont.com


Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Peter Gutmann
John Denker j...@av8n.com writes:

To say the same thing the other way, I was always amazed that the Nazis were
unable to figure out that their crypto was broken during WWII.  There were
experiments they could have done, such as sending out a few U-boats under
strict radio silence and comparing their longevity to others.

Cognitive dissonance.  We have been..., sorry Ve haff been reassured zat
our cipher is unbreakable, so it must be traitors, bad luck, technical issues,


Peter.


[Cryptography] Suite B after today's news

2013-09-05 Thread Dan McDonald
Consider the Suite B set of algorithms:

AES-GCM
AES-GMAC
IEEE Elliptic Curves (256, 384, and 521-bit)

Traditionally, people were pretty confident in these.  How are people's 
confidence in them now?

Curious,
(first-time caller) Dan McD.



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Fairbrother
BULLRUN seems to be just an overarching name for several wide programs 
to obtain plaintext of passively encrypted internet communications by 
many different methods.


While there seem to be many non-cryptographic attacks included in the 
BULLRUN program, of particular interest is the cryptographic attack 
mentioned in the Snowden papers and also hinted at in earlier US 
congressional manoeuvrings for NSA funding.


The most obvious target of attack is some widespread implementation of 
SSL/TLS, and while it might just be an attack against a reduced 
keyspace, eg password-guessing or RNG compromise, I wonder whether NSA 
have actually made a big cryptographic break against some cipher, and if 
so, against what?


Candidate ciphers are:

3DES
RC4
AES

and key establishment mechanisms:

RSA
DH
ECDH


I don't think a break in another cipher or KEM would be widespread 
enough to matter much. Assuming NSA (or possibly GCHQ) have made a big 
break:


I don't think it's against 3DES or RC4, though the latter is used a lot 
more than people imagine.


AES? Maybe, but a break in AES would be a very big deal. I don't know 
whether hiding that would be politically acceptable.


RSA? Well, maybe indeed. Break even a few dozen RSA keys per month, and 
you get a goodly proportion of all internet encrypted traffic. It's just 
another advance on factorisation.


If you can break RSA you can probably break DH as well.

ECDH? Again quite possible, especially against the curves in use - but 
perhaps a more widespread break against ECDH is possible as well. The 
math says that it can be done starting with a given curve (though we 
don't know how to do it), and you only need to do the hard part once per 
curve.





My money? RSA.


But even so, double encrypting with two different ciphers (and using two 
different KEMs) seems a lot more respectable now.


-- Peter Fairbrother


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes:

I would like to open the floor to *informed speculation* about BULLRUN.

Not informed since I don't work for them, but a connect-the-dots:

1. ECDSA/ECDH (and DLP algorithms in general) are incredibly brittle unless
   you get everything absolutely perfectly right.

2. The NSA has been pushing awfully hard to get everyone to switch to
   ECDSA/ECDH.

Wasn't Suite B promulgated in the 2005-2006 period?

Peter (who chooses RSA over ECC any time, follow a few basic rules and you're
   safe with RSA while ECC is vulnerable to all manner of attacks,
   including many yet to be discovered).



Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Phillip Hallam-Baker
Sent from my difference engine


On Sep 5, 2013, at 9:22 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

 John Denker j...@av8n.com writes:

 To say the same thing the other way, I was always amazed that the Nazis were
 unable to figure out that their crypto was broken during WWII.  There were
 experiments they could have done, such as sending out a few U-boats under
 strict radio silence and comparing their longevity to others.

 Cognitive dissonance.  We have been..., sorry Ve haff been reassured zat
 our cipher is unbreakable, so it must be traitors, bad luck, technical issues,
 

Not necessarily

Anyone who raised a suspicion was risking their life.



 Peter.


Re: [Cryptography] Why human-readable IDs (was Re: Email and IM are ideal candidates for mix networks)

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes:

I can think of no circumstances where I would voluntarily use LDAP as the
solution to any problem of any sort.

Our direct competitor has asked us to recommend a technology for whatever it 
is that LDAP is meant to be the solution for.  What should we recommend to 
them?.

(Bit of an artificial example, but between that and Corba you can really mess
up someone's business).

Peter.


Re: [Cryptography] Implementations, attacks on DHTs, Mix Nets?

2013-09-05 Thread Peter Gutmann
[Apparently a pile of my mail got dropped, the following few messages are 
re-sends]

The Doctor dr...@virtadpt.net writes:

It might be a reasonable way of protecting PGP key information in DNS records
so that someone doesn't try inserting their own when it's looked up.

And that's the problem with DNS, it's the only global distributed database
that we've got, so everyone wants to use it as the universal substrate for,
well, anything.  We'd just need to get draft-ietf-dnsind-kitchen-sink-02.txt
adopted and people could cram anything they liked into the DNS.

Peter.


Re: [Cryptography] NSA and cryptanalysis

2013-09-05 Thread Peter Gutmann
John Kelsey crypto@gmail.com writes:

If I had to bet, I'd bet on bad rngs as the most likely source of a
breakthrough in decrypting lots of encrypted traffic from different sources.

If I had to bet, I'd bet on anything but the crypto.  Why attack when you can
bypass [1].

Peter.

[1] From Shamir's Law [2], crypto is bypassed, not penetrated.
[2] Well I'm going to call it a law, because it deserves to be.
[3] This is a recursive footnote [3].


Re: [Cryptography] Keeping backups (was Re: Separating concerns

2013-09-05 Thread Peter Gutmann
Phillip Hallam-Baker hal...@gmail.com writes:

To backup the key we tell the device to print out the escrow data on paper.
Let us imagine that there there is a single sheet of paper which is cut into
six parts as follows:

You read my mind :-).  I suggested more or less this to a commercial provider
a month or so back when they were trying to solve the same problem.
Specifically it was if you lose your key/password/whatever, you can't call
the helpdesk to get your data back, it's really gone, which was causing them
significant headaches because users just weren't expecting this sort of thing.
My suggestion was to generate a web page in printable format with the key
shares in standard software-serial-number form (X-X-X etc) and
tell people to keep one part at home and one at work, or something similar,
and to treat it like they'd treat their passport or insurance documentation.

Peter.


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread David Mercer
On Thursday, September 5, 2013, Jerry Leichter wrote:

 [This drifts from the thread topic; feel free to attach a different
 subject line to it]

 On Sep 5, 2013, at 4:41 PM, Perry E. Metzger wrote:
  3) I would not be surprised if random number generator problems in a
  variety of equipment and software were not a very obvious target,
  whether those problems were intentionally added or not.
 Random number generators make for a very interesting target.  Getting
 decent amounts of entropy on conventional machines is very difficult.
  Servers have almost no random variation in their environments; desktops
 somewhat more; modern laptops, yet more.  Virtualization - now extremely
 common on the server side - makes things even harder.  But even laptops
 don't have much.  So we're left trying to distill enough randomness for
 security - a process that's error-prone and difficult to check.


Virtual private servers are a very big problem. Virtual machine deployment
systems at very large hosting providers have been found to use the same
/dev/urandom initialization for many thousands of machines. It comes from
not re-seeding from /dev/random on provisioning, and running with the same
seed as was in the VM template when it was 'cut'.

I know because I fixed it at places I worked as a contractor. I know at
least one competitor had the issue. No knowledge if it was ever fixed
there. Don't trust seeds you didn't generate. Think about Amazon AWS
instances all spinning up on demand with the exact same init code and prng
seed (this example is not the ones I dealt with, but is perhaps a larger
problem). You always have a window after startup where you can predict the
state of the kernel level prng. Not a big one, but it is real and in the
wild.

-David Mercer



-- 
David Mercer - http://dmercer.tumblr.com
IM:  AIM: MathHippy Yahoo/MSN: n0tmusic
Facebook/Twitter/Google+/Linkedin: radix42
FAX: +1-801-877-4351 - BlackBerry PIN: 332004F7

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Peter Gutmann
Perry E. Metzger pe...@piermont.com writes:

At the very least, anyone whining at a standards meeting from now on that
they don't want to implement a security fix because it isn't important to
the user experience or adds minuscule delays to an initial connection or
whatever should be viewed with enormous suspicion.

I think you're ascribing way too much of the usual standards committee
crapification effect to enemy action.  For example I've had an RFC draft for a
trivial (half a dozen lines of code) fix for a decade of oracle attacks and
whatnot on TLS sitting there for ages now and can't get the TLS WG chairs to
move on it (it's already present in several implementations because it's so
simple, but without a published RFC no-one wants to come out and commit to
it).  Does that make them NSA plants?  There's drafts for one or two more
fairly basic fixes to significant problems from other people that get stalled
forever, while the draft for adding sound effects to the TLS key exchange gets
fast-tracked.  It's just what standards committees do.

(If anyone knows of a way of breaking the logjam with TLS, let me know).

Peter.


Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Richard Clayton

In message 52291a36.9070...@av8n.com, John Denker j...@av8n.com
writes

To say the same thing the other way, I was always amazed that the
Nazis were unable to figure out that their crypto was broken during 
WWII.  There were experiments they could have done, such as sending
out a few U-boats under strict radio silence and comparing their 
longevity to others.

In fact the Nazis did have many suspicions that Enigma was compromised,
no more so (this from memory, the books with the fuller account are on a
shelf several thousand miles away from my current desk) than in the
Python incident where the Devonshire was sent to sink a German U-boat
refuelling boat ... and the Dorsetshire turned up at the same place by
chance and chipped in.

The subsequent German inquiry (two enemy ships appearing over the
horizon heading straight for your refuelling point in the middle of the
empty South Atlantic is deeply worrying) relied upon them reading our
North Atlantic convoy traffic (they were breaking Allied codes at that
point in the war) where they found no evidence of Enigma acquired
information being used to avoid U-boat movements. This was because their
inquiry happened to coincide with a short period during which we were
not reading their traffic!  The inquiry concluded that Enigma was not
broken (which was strictly correct at that moment) and it carried on
being used. Such are the random chances, good and bad, which occur in
the real world.

Of course there were improvements made to Enigma throughout the war both
to the hardware and also to operating procedures... it was harder to
break in 1945 than 1939.

So my question is:  What would we have to do to produce /tamper-evident/
data security?

As a preliminary outline of the sort of thing I'm talking about, you
could send an encrypted message that says 
  The people at 1313 Mockingbird Lane have an 
   enormous kiddie porn studio in their basement.
and then watch closely.  See how long it takes until they get raided.

you will have noted the requirement for some of the agencies who have
been given NSA material (such as telco metadata) to recreate it for the
benefit of their court cases ...

so you'd probably fail to observe any background activity that tested
whether this information was plausible or not (assuming that the NSA
considered this issue important enough to pursue); and then some chance
event would occur that caused someone from Law Enforcement (or even a
furnace maintenance technician) to have to look in the basement.

You'd be left saying this proves it and everyone else will be spending
their time commenting on whether your particular style of tinfoil hat
appeared sartorially suitable

-- 
richard  Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Perry E. Metzger
On Fri, 06 Sep 2013 13:50:54 +1200 Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
 Perry E. Metzger pe...@piermont.com writes:
 Does that make them NSA plants?  There's drafts for one or
 two more fairly basic fixes to significant problems from other
 people that get stalled forever, while the draft for adding sound
 effects to the TLS key exchange gets fast-tracked.  It's just what
 standards committees do.

Maybe. Yesterday I would have consistently ascribed things to
bureaucracy instead of malice. Today, I'm less sure. At the very
least, the current revelations make such things less benevolent --
whether from malice or stupidity, we can no longer sit on security
fixes on the basis that no one will exploit them and they're not
important to the user.

Perry
-- 
Perry E. Metzger    pe...@piermont.com


Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 6:16 PM, Dan McDonald dan...@kebe.com wrote:

 Consider the Suite B set of algorithms:
 
   AES-GCM
   AES-GMAC
   IEEE Elliptic Curves (256, 384, and 521-bit)
 
 Traditionally, people were pretty confident in these.  How are people's 
 confidence in them now?

My opinion about GCM and GMAC has not changed. I've never been a fan.

My objection to them is that they are tetchy to use -- hard to get right, easy 
to get wrong. It's pretty much what is in Niels's paper:

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf

I don't think they're actively bad, though. For the purpose they were created 
for -- parallelizable authenticated encryption -- it serves its purpose. You 
can have a decent implementor implement them right in hardware and walk away.

I think that any of OCB, CCM, or EAX are preferable from a security standpoint, 
but none of them parallelize as well. If you want to do a lot of encrypted and 
authenticated high-speed link encryption, well, there is likely no other 
answer. It's GCM or nothing.

Remember that every intelligence agency has a SIGINT branch and an IA 
(Information Assurance) branch. Sometimes they are different agencies (at least 
titularly) like GCHQ/CESG, BND/BSI, etc. The NSA does not separate its SIGINT 
directorate and the IA directorate into different agencies.

I think the IA people have shown they do a good job, but they are humans too 
and make mistakes. Heck, there are things that various IA people do and 
recommend that I disagree with from weakly to strongly. I weakly disagree with 
GCM -- I think it's spinach and I say to hell with it, as opposed to thinking 
it's crap.

Would a signals intelligence organization that finds a flaw in what the IA 
people did tell the IA branch so people can fix it? That's the *real* question.

Jon




Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

2013-09-05 Thread Charles Jackson
On Thu, Sep 5, 2013 at 9:18 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

 To say the same thing the other way, I was always amazed that the Nazis
 were
 unable to figure out that their crypto was broken during WWII.  There were
 experiments they could have done, such as sending out a few U-boats under
 strict radio silence and comparing their longevity to others.

 Cognitive dissonance.  We have been..., sorry Ve haff been reassured zat
 our cipher is unbreakable, so it must be traitors, bad luck, technical
 issues,
 


As I recall the history it was direction finding (HF-DF) that was causing
specific U-boats to be lost.  Crypto was more global---resulting in
rerouting convoys, etc.  See
https://en.wikipedia.org/wiki/High-frequency_direction_finding.

After late '42 or so, U-boat radio silence would have indicated that using
the radios was a problem---even during the time that the Naval Enigma was
not being broken.


-- 

Chuck

==
Charles L. Jackson

301 656 8716   desk phone
888 469 0805   fax
301 775 1023   mobile

PO Box 221
Port Tobacco, MD 20677

Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 7:15 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

 Jon Callas j...@callas.org writes:
 
 My opinion about GCM and GMAC has not changed. I've never been a fan.
 
 Same here.  AES is, as far as we know, pretty secure, so any problems are
 going to arise in how AES is used.  AES-CBC wrapped in HMAC is about as solid
 as you can get.  AES-GCM is a design or coding accident waiting to happen.
 This isn't the 1990s, we don't need to worry about whether DES or FEAL or IDEA
 or Blowfish really are secure or not, we can just take a known-good system off
 the shelf and use it.  What we need to worry about now is deployability.  AES-
 CTR and AES-GCM are RC4 all over again, it's as if we've learned nothing from
 the last time round.

How do you feel (heh, I typoed that as feal) about the other AEAD modes?

Jon





Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 7:01 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

 Perry E. Metzger pe...@piermont.com writes:
 
 I'm aware of the randomness issues for ECDSA, but what's the issue with ECDH
 that you're thinking of?
 
 It's not just randomness, it's problems with DLP-based crypto in general.  For
 example there's the scary tendency of DLP-based ops to leak the private key
 (or at least key bits) if you get even the tiniest thing wrong.  For example
 if you follow DSA's:
 
  k = G(t,KKEY) mod q
 
 then you've leaked your x after a series of signatures, so you need to know 
 that you generate a large-than-required value before reducing mod q.  The 
 whole DLP family is just incredibly brittle.

I don't disagree by any means, but I've been through brittleness with both 
discrete log and RSA, and it seems like only a month ago that people were 
screeching to get off RSA over to ECC to avert the cryptocalypse. And that 
the ostensible reason was that there are new discrete log attacks -- which was 
just from Mars and I thought that that proved the people didn't know what they 
were talking about. Oh, wait, it *was* only a month ago! Silly me.

Crypto experts issue a call to arms to avert the cryptopocalypse

http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/

Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a 
finite field that's hard to understand. It all sucks.

 
 RSA certainly appears to require vastly longer keys for the same level of
 assurance as ECC.
 
 That's assuming that the threat is cryptanalysis rather than bypass.  Why
 bother breaking even 1024-bit RSA when you can bypass?

And now we're back to the hymnal you and I have been singing from. It ain't the 
crypto, it's the software.

Jon



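Peter Gutmann's point, quoted above, about reducing a fixed-width random value mod q, as an added example that is not code from the thread: it computes exactly how non-uniform a naive `G(t) mod q` nonce is for a constructed toy modulus, and contrasts it with the extra-random-bits method of FIPS 186-4 Appendix B.5.1, which is the "generate a larger-than-required value before reducing" fix he describes. The 16-bit toy modulus and the sampling sizes are assumptions chosen for illustration.

```python
import secrets
from fractions import Fraction

# Constructed toy parameters: a 16-bit modulus stands in for DSA's 160- or
# 256-bit subgroup order q so the exact probability masses are easy to inspect.
TOY_Q = 40009
TOY_N = 16  # bit length of TOY_Q, i.e. the width a naive G(t) output would have


def mod_reduction_ratio(nbits: int, q: int) -> Fraction:
    """Exact ratio between the most and least likely residues when a uniform
    nbits-wide value is reduced mod q.

    Each residue is hit either floor(2**nbits / q) or ceil(2**nbits / q)
    times, so the ratio is ceil/floor: 1 means exactly uniform, 2 means some
    residues are twice as likely as others.
    """
    space = 1 << nbits
    lo = space // q
    if lo == 0:
        raise ValueError("modulus is wider than the random input")
    hi = -(-space // q)  # ceiling division
    return Fraction(hi, lo)


def near_uniform(nbits: int, q: int, tolerance_bits: int = 60) -> bool:
    """True if the worst-case residue skew is below 2**-tolerance_bits."""
    return mod_reduction_ratio(nbits, q) - 1 < Fraction(1, 1 << tolerance_bits)


def naive_nonce(q: int, nbits: int) -> int:
    """The pattern warned against above: exactly nbits of randomness reduced
    mod q. Unless 2**nbits is a multiple of q the low residues are
    over-represented, and a run of (EC)DSA signatures made with such a biased
    k gradually gives away the private key x."""
    return secrets.randbits(nbits) % q


def extra_bits_nonce(q: int, nbits: int) -> int:
    """FIPS 186-4 Appendix B.5.1 style generation: draw nbits + 64 random
    bits, reduce mod (q - 1) and add 1. The 64 surplus bits push the residue
    skew below 2**-64, and the +1 keeps k inside [1, q - 1]."""
    c = secrets.randbits(nbits + 64)
    return (c % (q - 1)) + 1


def low_residue_fraction(sampler, q: int, nbits: int, trials: int) -> float:
    """Fraction of sampled nonces below 2**nbits - q, the region a naive
    reduction hits twice. A cheap statistical self-check for any k generator:
    uniform output lands near (2**nbits - q) / q, biased output well above it."""
    threshold = (1 << nbits) - q
    hits = sum(1 for _ in range(trials) if sampler(q, nbits) < threshold)
    return hits / trials


if __name__ == "__main__":
    print("naive ratio     :", mod_reduction_ratio(TOY_N, TOY_Q))  # 2
    print("extra-bits ratio:", float(mod_reduction_ratio(TOY_N + 64, TOY_Q - 1)))
    print("uniform expects :", round(((1 << TOY_N) - TOY_Q) / TOY_Q, 3))
    print("naive observed  :", low_residue_fraction(naive_nonce, TOY_Q, TOY_N, 20000))
    print("extra observed  :", low_residue_fraction(extra_bits_nonce, TOY_Q, TOY_N, 20000))
```

With real parameters (a 256-bit q) the naive skew is tiny per signature, but it is exactly the kind of bias that accumulates across many signatures, which is why the extra 64 bits are worth the negligible cost.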

Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes:

My opinion about GCM and GMAC has not changed. I've never been a fan.

Same here.  AES is, as far as we know, pretty secure, so any problems are
going to arise in how AES is used.  AES-CBC wrapped in HMAC is about as solid
as you can get.  AES-GCM is a design or coding accident waiting to happen.
This isn't the 1990s, we don't need to worry about whether DES or FEAL or IDEA
or Blowfish really are secure or not, we can just take a known-good system off
the shelf and use it.  What we need to worry about now is deployability.  AES-
CTR and AES-GCM are RC4 all over again, it's as if we've learned nothing from
the last time round.

Peter.


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
The actual documents - some of which the Times published with few redactions - 
are worthy of a close look, as they contain information beyond what the 
reporters decided to put into the main story.  For example, at 
http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?ref=uspagewanted=all,
 the following goal appears for FY 2013:  Complete enabling for 
[redacted] encryption chips used in Virtual Public Network and Web encryption 
devices.  The Times adds the following note:  Large Internet companies use 
dedicated hardware to scramble traffic before it is sent. In 2013, the agency 
planned to be able to decode traffic that was encoded by one of these two 
encryption chips, either by working with the manufacturers of the chips to 
insert back doors or by exploiting a security flaw in the chips' design.  It's 
never been clear whether these kinds of notes are just guesses by the 
reporters, come from their own sources, or come from Snowden himself.  The 
Washington Post got burned on one they wrote.  
But in this case, it's hard to come up with an alternative explanation.

Another interesting goal:  Shape worldwide commercial cryptography marketplace 
to make it more tractable to advanced cryptanalytic capabilities being 
developed by NSA/CSS.  Elsewhere, enabling access and exploiting systems of 
interest and inserting vulnerabilities.  These are all side-channel attacks. 
 I see no other reference to cryptanalysis, so I would take this statement at 
face value:  NSA has techniques for doing cryptanalysis on certain 
algorithms/protocols out there, but not all, and they would like to steer 
public cryptography into whatever areas they have attacks against.  This makes 
any NSA recommendation *extremely* suspect.  As far as I can see, the big push 
NSA is making these days is toward ECC with some particular curves.  Makes you 
wonder.  (I know for a fact that NSA has been interested in this area of 
mathematics for a *very* long time:  A mathematician I knew working in the area 
of algebraic curves (of which elliptic curves are an example) was recruited 
by - and went to - NSA in about 1975.  I heard indirectly from him 
after he was at NSA, where he apparently joined an active community of people 
with related interests.  This is a decade before the first public suggestion 
that elliptic curves might be useful in cryptography.  (But maybe NSA was just 
doing a public service, advancing the mathematics of algebraic curves.)

NSA has two separate roles:  Protect American communications, and break into 
the communications of adversaries.  Just this one example shows that either (a) 
the latter part of the mission has come to dominate the former; or (b) the 
current definition of an adversary has become so broad as to include pretty 
much everyone.

Now, the NSA will say:  Only *we* can make use of these back doors.  But given 
the ease with which Snowden got access to so much information ... why should we 
believe they can keep such secrets?
-- Jerry



Re: [Cryptography] Suite B after today's news

2013-09-05 Thread Peter Gutmann
Jon Callas j...@callas.org writes:

How do you feel (heh, I typoed that as feal) about the other AEAD modes?

If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode.  Problem is that at the moment
modes like AES-CTR are being promulgated as fashion statements without any
consideration about operational deployment, when what we should be promoting
is something that's safely and effectively deployable.  Someblockcipher-CBC +
HMAC is a nice safe bet, run your HMAC, do a constant-time compare of the
result, toss the encrypted data if you get a verify failure, otherwise
decrypt, it's pretty straightforward.

Peter.


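Peter's "run your HMAC, constant-time compare, toss the data on failure, otherwise decrypt" recipe, as an added example that is not code from the thread. Because the Python standard library has no AES, the block cipher is replaced here by an HMAC-SHA256 counter-mode keystream (a constructed stand-in, not a recommendation); the encrypt-then-MAC layout with independent keys, the constant-time compare, and the verify-before-decrypt order are what the example demonstrates.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


class VerifyFailure(Exception):
    """Raised when the tag does not verify; the ciphertext is then discarded unread."""


def _keystream(enc_key: bytes, iv: bytes, nbytes: int) -> bytes:
    # Constructed stand-in for AES-CBC so the example needs only the standard
    # library: HMAC-SHA256 run in counter mode as a PRF keystream.
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hmac.new(enc_key, iv + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:nbytes])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with independent keys. The tag covers the IV and the
    ciphertext, so the receiver can authenticate before it decrypts anything."""
    iv = os.urandom(IV_LEN)
    ks = _keystream(enc_key, iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify first, decrypt second, in the order described above."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise VerifyFailure("message too short to carry an IV and a tag")
    iv, ciphertext, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    # hmac.compare_digest takes time independent of where the first differing
    # byte sits; a plain `==` on bytes returns early and leaks that position.
    if not hmac.compare_digest(expected, tag):
        raise VerifyFailure("tag mismatch; ciphertext discarded without decryption")
    ks = _keystream(enc_key, iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def verifies(enc_key: bytes, mac_key: bytes, blob: bytes) -> bool:
    """True if the blob authenticates under mac_key and can be opened."""
    try:
        unseal(enc_key, mac_key, blob)
        return True
    except VerifyFailure:
        return False


def flip_bit(blob: bytes, index: int) -> bytes:
    """Copy of blob with the low bit of byte `index` flipped (tamper helper)."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    blob = seal(enc_key, mac_key, b"constructed sample message")
    print(unseal(enc_key, mac_key, blob))
    for where in (0, IV_LEN, len(blob) - 1):  # IV, first ciphertext byte, tag
        print("byte", where, "tampered, verifies:", verifies(enc_key, mac_key, flip_bit(blob, where)))
```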

Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
On Sep 5, 2013, at 7:31 PM, Jerry Leichter leich...@lrw.com wrote:

 Another interesting goal:  Shape worldwide commercial cryptography 
 marketplace to make it more tractable to advanced cryptanalytic capabilities 
 being developed by NSA/CSS.  Elsewhere, enabling access and exploiting 
 systems of interest and inserting vulnerabilities.  These are all 
 side-channel attacks.  I see no other reference to cryptanalysis, so I 
 would take this statement at face value:  NSA has techniques for doing 
 cryptanalysis on certain algorithms/protocols out there, but not all, and 
 they would like to steer public cryptography into whatever areas they have 
 attacks against.  This makes any NSA recommendation *extremely* suspect.  As 
 far as I can see, the big push NSA is making these days is toward ECC with 
 some particular curves.  Makes you wonder.

Yes, but. The reason we are using those curves is because they want them for 
products they buy. 

  (I know for a fact that NSA has been interested in this area of mathematics 
 for a *very* long time:  A mathematician I knew working in the area of 
 algebraic curves (of which elliptic curves are an example) was recruited 
 by - and went to - NSA in about 1975.  I heard indirectly from him 
 after he was at NSA, where he apparently joined an active community of people 
 with related interests.  This is a decade before the first public suggestion 
 that elliptic curves might be useful in cryptography.  (But maybe NSA was 
 just doing a public service, advancing the mathematics of algebraic curves.)

I think it might even go deeper than that. ECC was invented in the civilian 
world by Victor Miller and Neal Koblitz (independently) in 1985, so they've 
been planning for breaking it even a decade before its invention. 

 NSA has two separate roles:  Protect American communications, and break into 
 the communications of adversaries.  Just this one example shows that either 
 (a) the latter part of the mission has come to dominate the former; or (b) 
 the current definition of an adversary has become so broad as to include 
 pretty much everyone.

I definitely believe (b). However, I also think that they aren't a monolith, 
and we know that each part of the mission is the adversary of the other. I 
don't believe that the IA people would do a bad job to support SIGINT. Once you 
start down that path, it's easy to get to madness, or perhaps merely evidence 
that they have time travel.

I'll add that they have a third mission -- run the government's classified 
computer network, and that *that* mission is the one that Snowden worked for.

Jon




Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
On Sep 5, 2013, at 10:19 PM, Jon Callas wrote:
 I don't disagree by any means, but I've been through brittleness with both 
 discrete log and RSA, and it seems like only a month ago that people were 
 screeching to get off RSA over to ECC to avert the cryptocalypse. And that 
 the ostensible reason was that there are new discrete log attacks -- which 
 was just from Mars and I thought that that proved the people didn't know what 
 they were talking about. Oh, wait, it *was* only a month ago! Silly me.
 
 Crypto experts issue a call to arms to avert the cryptopocalypse
 
 http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/
 
 Discrete log has brittleness. RSA has brittleness. ECC is discrete log over a 
 finite field that's hard to understand. It all sucks.
Perhaps it's time to move away from public-key entirely!  We have a classic 
paper - Needham and Schroeder, maybe? - showing that private key can do 
anything public key can; it's just more complicated and less efficient.

Not only are the techniques brittle and increasingly under suspicion, but in
practice almost all of our public key crypto inherently relies on CA's - a 
structure that's just *full* of well-known problems and vulnerabilities.  
Public key *seems to* distribute the risk - you just get the other guy's 
public key and you can then communicate with him safely.  But in practice it 
*centralizes* risks:  In CA's, in single magic numbers that if revealed allow 
complete compromise for all connections to a host (and we now suspect they 
*are* being revealed.)

We need to re-think everything about how we do cryptography.  Many decisions 
were made based on hardware limitations of 20 and more years ago.  More 
efficient claims from the 1980's often mean nothing today.  Many decisions 
assumed trust models (like CA's) that we know are completely unrealistic.  
Mobile is very different from the server-to-server and dumb-client-to-server 
models that were all anyone thought about at the time.  (Just look at SSL:  It has 
the inherent assumption that the server *must* be authenticated, but the client 
... well, that's optional and rarely done.)  None of the work then anticipated 
the kinds of attacks that are practical today.

I pointed out in another message that today, mobile endpoints potentially have 
access to excellent sources of randomness, while servers have great difficulty 
getting good random numbers.  This is the kind of fundamental change that needs 
to inform new designs.
-- Jerry



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jerry Leichter
 Another interesting goal:  Shape worldwide commercial cryptography 
 marketplace to make it more tractable to advanced cryptanalytic capabilities 
 being developed by NSA/CSS. ... This makes any NSA recommendation 
 *extremely* suspect.  As far as I can see, the big push NSA is making these 
 days is toward ECC with some particular curves.  Makes you wonder.
 Yes, but. The reason we are using those curves is because they want them for 
 products they buy. 
They want to buy COTS because it's much cheaper, and COTS is based on standards.  
So they have two contradictory constraints:  They want the stuff they buy 
secure, but they want to be able to break in to exactly the same stuff when 
anyone else buys it.  The time-honored way to do that is to embed some secret 
in the design of the system.  NSA, knowing the secret, can break in; no one 
else can.  There have been claims in this direction since NSA changed the 
S-boxes in DES.  For DES, we now know that was to protect against differential 
cryptanalysis.  No one's ever shown a really convincing case of such an 
embedded secret hack being done ... but now if you claim it can't happen, you 
have to explain how the goal in NSA's budget could be carried out in a way 
consistent with the two constraints.  Damned if I know

 (I know for a fact that NSA has been interested in this area of mathematics 
 for a *very* long time:  A mathematician I knew working in the area of 
 algebraic curves (of which elliptic curves are an example) was recruited by 
 - and went to - NSA in about 1975
 I think it might even go deeper than that. ECC was invented in the civilian 
 world by Victor Miller and Neal Koblitz (independently) in 1985, so they've 
 been planning for breaking it even a decade before its invention. 
I'm not sure exactly what you're trying to say.  Yes, Miller and Koblitz are 
the inventors of publicly known ECC, and a number of people (Diffie, Hellman, 
Merkle, Rivest, Shamir, Adleman) are the inventors of publicly known public-key 
cryptography.  But in fact we now know that Ellis, Cocks, and Williamson at 
GCHQ anticipated their public key cryptography work by several years - but in 
secret.

I think the odds are extremely high that NSA was looking at cryptography based 
on algebraic curves well before Miller and Koblitz.  Exactly what they had 
developed, there's no way to know.  But of course if you want to do good 
cryptography, you also have to do cryptanalysis.  So, yes, it's quite possible 
that NSA was breaking ECC a decade before its (public) invention.  :-)

-- Jerry



Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas
On Sep 5, 2013, at 8:02 PM, Jerry Leichter leich...@lrw.com wrote:

 Perhaps it's time to move away from public-key entirely!  We have a classic 
 paper - Needham and Schroeder, maybe? - showing that private key can do 
 anything public key can; it's just more complicated and less efficient.

Not really. The Needham-Schroeder you're thinking of is the essence of 
Kerberos, and while Kerberos is a very nice thing, it's hardly a replacement 
for public key.

If you use a Needham-Schroeder/Kerberos style system with symmetric key 
systems, you end up with all of the trust problems, but on steroids.

(And by the way, please say symmetric key as opposed to public key -- if 
you say private key then someone will inevitably get confused and think you 
mean the private half of a public key pair and there will be tears.)

 
 Not only are the techniques brittle and increasingly under suspicion, but in
 practice almost all of our public key crypto inherently relies on CA's - a 
 structure that's just *full* of well-known problems and vulnerabilities.  
 Public key *seems to* distribute the risk - you just get the other guy's 
 public key and you can then communicate with him safely.  But in practice it 
 *centralizes* risks:  In CA's, in single magic numbers that if revealed allow 
 complete compromise for all connections to a host (and we now suspect they 
 *are* being revealed.)

I have to disagree. You don't need a CA. 

There's a very long rant I could make here, and I'll try to keep it a summary.

Much of the system we have is built needing CAs, but it was only built that 
way. A long time ago, the certificate structure we're still vestigially using 
had as one of its goals a way to keep the riff-raff from using crypto. I 
remember when I got my first PEM certificate, I had to send my blinking 
passport off to MITRE for two weeks so they could let me encrypt the crapola 
that was sitting on my disk unencrypted. It was harder to get a cert than it 
was to get a visa to Saudi Arabia! So much of what we would have encrypted we 
just printed on paper and put in a file cabinet. Excuse me, I'm starting on 
that rant I said I wouldn't do.

The major problem one has with public key is knowing that the public key of the 
endpoint you want to talk to is actually the right public key. Trusted 
Introducers of any sort are one way to solve the problem. CAs are merely an 
industrialized form of Trusted Introducer and not ipso facto bad. The way that 
Web PKI (as it's now being called) is using Trusted Introducers is 
suboptimal, but ironically, we are on the inflection point of a real 
honest-to-whomever fix to them in the form of Certificate Transparency. That 
suggests even another discussion, one that I promised Ben I'd get to eventually.

The major problem with the certificate system is actually the browsers, in my 
opinion, because they actively discourage using certificates in any other way. 
If browsers, for example, allowed you to use a private cert with a user 
experience that was ultimately SSH-like (also called TOFU for Trust On First 
Use) as opposed to putting big blood-red danger warnings up, it would work out 
better for everyone including the CAs.

But anyway, there are other solutions. They range from some variant of Direct 
Trust being TOFU or even using a Kerberos-like system to hand you a key, or 
what we do in ZRTP, or lots of other things. 

The bottom line is that if you want to send someone a message securely and you 
have never talked to them before, you have no other way to deal with it than 
public key systems. 

(Or you can re-define the problem. Suppose I want to send Glenn Greenwald a 
message and his Kerberos controller gives me an AES key, I merely have to trust 
the controller. If we say that trusting him is the same as trusting the 
controller, then yeah, sure, it works. That's a suitable redefinition in which 
the KDC is isomorphic to a CA. But if we allow public key, then I could get Mr. 
Greenwald's public key from an intermediary who is not necessarily an 
authority, or even self-publish keys. It's done with PGP all the time.)


 
 We need to re-think everything about how we do cryptography.  Many decisions 
 were made based on hardware limitations of 20 and more years ago.  More 
 efficient claims from the 1980's often mean nothing today.  Many decisions 
 assumed trust models (like CA's) that we know are completely unrealistic.  
 Mobile is very different from the server-to-server and dumb-client-to-server 
 models that were all anyone thought about at the time.  (Just look at SSL:  It 
 has the inherent assumption that the server *must* be authenticated, but the 
 client ... well, that's optional and rarely done.)  None of the work then 
 anticipated the kinds of attacks that are practical today.

I concur that the way that browsers and web servers use SSL is suboptimal. This 
doesn't mean that a solution is impossible, it only means we have 

Re: [Cryptography] Email and IM are ideal candidates for mix networks

2013-09-05 Thread Bill Frantz

On 8/25/13 at 8:32 PM, leich...@lrw.com (Jerry Leichter) wrote:

*The* biggest headache is HTTP support.  Even the simplest 
modern HTTP server is so complex you can never be reasonably 
sure it's secure (though, granted, it's simpler than a 
browser!)  You'd want to stay simple and primitive.


I'm currently over 250 messages behind, so please pardon me if 
this item has already been mentioned.


Back in 2009, Charlie Landau and I worked on a DARPA contract to 
demonstrate a secure web key server[1]. We used CAPROS[2] as the 
underlying operating system and build a HTTP interpreter to act 
as the server. The system is GPL and the source for the web key 
server is available on Sourceforge[3].


Charlie comments that the IDL files are quite useful, but there 
really isn't any documentation. Let me give a brief overview:


When a new TCP connection arrives, a new instance of the web key 
server is created. It can not communicate with any other 
instance of the web key server, and the only real authority it 
has, beyond sending and receiving on the TCP circuit, is to a 
name lookup system.


This name lookup system takes a string -- the secret part of the 
web key -- and returns a resource. The web key server then 
returns the contents of that resource to the requestor.


Since the name lookup system does not allow enumeration of its 
contents, even if an instance of the web key server is 
compromised, an attacker will still have to guess the secret 
part of the web key to retrieve authorities from the name lookup system.


Cheers - Bill

[1] Web key: http://waterken.sourceforge.net/web-key/

[2] http://www.capros.org/, http://capros.sourceforge.net/

[3] http://sourceforge.net/projects/capros/

---
Bill Frantz        | Truth and love must prevail  | Periwinkle
(408)356-8506      | over lies and hate.          | 16345 Englewood Ave
www.pwpconsult.com |   - Vaclav Havel             | Los Gatos, CA 95032




[Cryptography] Can you backdoor a symmetric cipher (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-05 Thread Perry E. Metzger
On Thu, 5 Sep 2013 23:24:54 -0400 Jerry Leichter leich...@lrw.com
wrote:
 They want to buy COTS because it's much cheaper, and COTS is based on
 standards.  So they have two contradictory constraints:  They want
 the stuff they buy secure, but they want to be able to break in to
 exactly the same stuff when anyone else buys it.  The time-honored
 way to do that is to embed some secret in the design of the
 system.  NSA, knowing the secret, can break in; no one else can.
 There have been claims in this direction since NSA changed the
 S-boxes in DES.  For DES, we now know that was to protect against
 differential cryptanalysis.  No one's ever shown a really
 convincing case of such an embedded secret hack being done ... but
 now if you claim it can't happen,

It is probably very difficult, possibly impossible in practice, to
backdoor a symmetric cipher. For evidence, I direct you to this old
paper by Blaze, Feigenbaum and Leighton:

http://www.crypto.com/papers/mkcs.pdf

Perry
-- 
Perry E. Metzger  pe...@piermont.com


Re: [Cryptography] Opening Discussion: Speculation on BULLRUN

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 8:24 PM, Jerry Leichter leich...@lrw.com wrote:

 Another interesting goal:  Shape worldwide commercial cryptography 
 marketplace to make it more tractable to advanced cryptanalytic 
 capabilities being developed by NSA/CSS. ... This makes any NSA 
 recommendation *extremely* suspect.  As far as I can see, the bit push NSA 
 is making these days is toward ECC with some particular curves.  Makes you 
 wonder.
 Yes, but. The reason we are using those curves is because they want them for 
 products they buy. 
 They want to buy COTS because it's much cheaper, and COTS is based on 
 standards.  So they have two contradictory constraints:  They want the stuff 
 they buy secure, but they want to be able to break into exactly the same 
 stuff when anyone else buys it.  The time-honored way to do that is to embed 
 some secret in the design of the system.  NSA, knowing the secret, can break 
 in; no one else can.  There have been claims in this direction since NSA 
 changed the S-boxes in DES.  For DES, we now know that was to protect against 
 differential cryptanalysis.  No one's ever shown a really convincing case of 
 such an embedded secret hack being done ... but now if you claim it can't 
 happen, you have to explain how the goal in NSA's budget could be carried out 
 in a way consistent with the two constraints.  Damned if I know
 
 (I know for a fact that NSA has been interested in this area of mathematics 
 for a *very* long time:  A mathematician I knew working in the area of 
 algebraic curves (of which elliptic curves are an example) was recruited by 
 - and went to - NSA in about 1975
 I think it might even go deeper than that. ECC was invented in the civilian 
 world by Victor Miller and Neal Koblitz (independently) in 1985, so they've 
 been planning for breaking it even a decade before its invention. 
 I'm not sure exactly what you're trying to say.  Yes, Miller and Koblitz are 
 the inventors of publicly known ECC, and a number of people (Diffie, Hellman, 
 Merkle, Rivest, Shamir, Adelman) are the inventors of publicly known 
 public-key cryptography.  But in fact we now know that Ellis, Cocks, and 
 Williamson at GCHQ anticipated their public key cryptography work by several 
 years - but in secret.
 
 I think the odds are extremely high that NSA was looking at cryptography 
 based on algebraic curves well before Miller and Koblitz.  Exactly what they 
 had developed, there's no way to know.  But of course if you want to do good 
 cryptography, you also have to do cryptanalysis.  So, yes, it's quite 
 possible that NSA was breaking ECC a decade before its (public) invention.  
 :-)

What am I trying to say?

I'm being a bit of a smartass. I'm sorry, it's a character flaw, but it's one 
that amuses me. I'll be blunt, instead.

There is a lot of discussion here -- not really so much from you but in general 
-- that in my opinion is fighting the last war. Sometimes that last war is the 
crypto wars of the 1990s, but sometimes it's WWII. Yeah, yeah, if you don't 
remember history you'll repeat it, but we need to look through the windshield, 
not the rear view mirror.

My smartassedness was saying that by looking at the past, gawrsh, maybe we're 
seeing a time machine!

The present war is not the previous one. This one is not about crypto. It 
involves crypto, but it's not *about* it. The bright young things of 1975 who 
went to work for the NSA wrote theorems and got lifetime employment. The bright 
young things of 2010 write shellcode and are BAH contractors.

There are two major trends that are happening. One is that they're hitting the 
network, not the crypto. Look at Dave Aitel's career, not your mathematician 
friend. Aitel is one of the ones that got away, and what he talks about is what 
we're seeing that they are doing. If you have to listen to one of the old 
school mathematicians, listen to Shamir -- they go around crypto. (And 
actually, we need to look not at Aitel as he left in 2002, but the bright young 
thing who left last year, but I think I'm making my point.)

The other major trend is that outsourcing, contracting and other things ruined 
the social contract between them and the people who work there. (This reflects 
the other other problem which is that the social contract between them and us 
seems to be void.) Nonetheless, Aitel and others left and are leaving because 
no longer do they tap you on the shoulder in college and then there's the 
mutual backscratching of a lifelong career. Now a contractor knows that when 
the contract is over, they're out of a job. And when the contractor sees 
malfeasance that goes all the way up to the Commander-in-Chief, they look at 
what their employment agreement said, as well as the laws that apply to them.

If you're in that environment and you see malfeasance, you go to your superior 
and it's a felony not to. If your superior is part of the malfeasance, you go 

Re: [Cryptography] Can you backdoor a symmetric cipher (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-05 Thread Jon Callas

On Sep 5, 2013, at 9:33 PM, Perry E. Metzger pe...@piermont.com wrote:

 
 It is probably very difficult, possibly impossible in practice, to
 backdoor a symmetric cipher. For evidence, I direct you to this old
 paper by Blaze, Feigenbaum and Leighton:
 
 http://www.crypto.com/papers/mkcs.pdf
 

There is also a theorem somewhere (I am forgetting where) that says that if you 
have a block cipher with a back door, then it is also a public key cipher. The 
proof is easy to imagine -- whatever trap door lets you unravel the cipher is 
the secret key, and the block cipher proper is a PRF that covers the secret 
key. I remember the light bulb going on over my head when I saw it presented.

So if you have a backdoored symmetric cipher, you also have a public key 
algorithm that runs five orders of magnitude faster than any existing public 
key algorithm.

This suggests that such a thing does not exist. We have a devil of a time 
making public key systems that actually work. Look at all we've talked about 
with brittleness of the existing ones, and how none of the alternatives 
(Lattice, McEliece, etc.) are really any better and most of those are really 
only useful in a post-quantum world. It doesn't prove it, but it suggests it.

The real question there is whether someone who had such a thing would want to 
be remembered by history as the inventor of the most significant PK system the 
world has ever seen, or a backdoored cipher.

Jon



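A sketch of the reduction Jon alludes to, added here as an illustration; it is not the theorem or paper he has in mind (the message does not identify it), and the notation is this editor's own:

$$
\begin{aligned}
&\text{Let } E:\{0,1\}^{\kappa}\times\{0,1\}^{n}\to\{0,1\}^{n} \text{ be a block cipher with a backdoor } \tau \\
&\text{such that } D_{\tau}(E_{k}(m)) = m \text{ for every key } k \text{ and block } m, \text{ where } \tau \text{ does not depend on } k. \\[4pt]
&\mathsf{KeyGen}: \quad pk = \text{the public description of } E, \qquad sk = \tau \\
&\mathsf{Enc}_{pk}(m): \quad k \xleftarrow{\$} \{0,1\}^{\kappa}, \quad c = E_{k}(m), \quad \text{then discard } k \\
&\mathsf{Dec}_{sk}(c): \quad m = D_{\tau}(c)
\end{aligned}
$$

Correctness follows from the definition of $\tau$. Anyone who recovers $m$ from $c$ without $\tau$ has mounted a ciphertext-only attack on a single block under a fresh, uniformly random key, so the public-key scheme is (heuristically, this is a sketch and not a proof) as hard to break as the cipher is in that setting, while $\mathsf{Enc}$ costs one block-cipher call, which is where the "five orders of magnitude faster" comes from.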


[Cryptography] Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption

2013-09-05 Thread james hughes
The following is from a similar list in Europe. Think this echoes much on this 
list but has an interesting twist about PFS cipher suites.

Begin forwarded message:
 
 From: Paterson, Kenny [kenny.pater...@rhul.ac.uk]
 Sent: Friday, September 06, 2013 12:03 AM
 To: Christof Paar; ecrypt2-...@esat.kuleuven.be
 Subject: Re: NYTimes.com: N.S.A. Foils Much Internet Encryption
 
 Christof,
 
 Thanks for sharing this link.
 
 What seems likely, reading between the lines of this article, is that
 NSA/GCHQ have access, by a variety of means, to RSA private keys for
 popular websites, enabling them to (at will) recover SSL/TLS session keys.
 This can be done offline for stored traffic or online as packets pass by
 on the network. I stress that the article does not say this directly.
 
 One solution, preventing passive attacks, is for major browsers and
 websites to switch to using PFS ciphersuites (i.e. those based on
 ephemeral Diffie-Hellmann key exchange). For statistics on current
 adoption of such ciphersuites, see:
 
 http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html
 
 
 Regards
 
 Kenny

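Kenny's point turns on which suites let a recovered RSA private key decrypt recorded traffic. The following is an added example, not part of the forwarded message or any project: it classifies cipher suite names (IANA and OpenSSL spelling) by key exchange and audits a constructed server preference list for suites that lack forward secrecy.

```python
"""Classify TLS cipher suites by whether their key exchange gives forward secrecy.
Added example, not from the forwarded message: a stolen RSA private key recovers
session keys from recorded traffic only for suites using static RSA (or static
(EC)DH) key exchange; ephemeral (EC)DHE suites do not have that property.
Suite names below are constructed sample input in IANA and OpenSSL spelling."""
import re

# IANA: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
_IANA = re.compile(r"^TLS_(?P<kx>[A-Z0-9]+?)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_")
# OpenSSL: [<kx>-][<auth>-]<cipher>-<mac>, e.g. ECDHE-RSA-AES128-GCM-SHA256 or AES128-SHA
_OPENSSL = re.compile(r"^(?:(?P<kx>ECDHE|DHE|EDH|ECDH|DH|AECDH|ADH)-)?(?:(?P<auth>RSA|ECDSA|DSS|PSK)-)?")
EPHEMERAL = {"DHE", "ECDHE", "EDH", "TLS13"}  # session keys not derivable from a long-term key

def key_exchange(suite: str) -> str:
    """Return the key-exchange mechanism named by an IANA or OpenSSL suite string."""
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:  # TLS 1.3 names carry no kx field; it is always (EC)DHE
            return "TLS13"
        m = _IANA.match(suite)
        if not m:
            raise ValueError(f"unrecognised IANA suite name: {suite}")
        return m.group("kx")
    m = _OPENSSL.match(suite)  # always matches: every group is optional
    if m.group("kx"):
        return m.group("kx")
    # OpenSSL omits the prefix for static RSA key transport and for plain PSK
    return "PSK" if m.group("auth") == "PSK" else "RSA"

def has_forward_secrecy(suite: str) -> bool:
    return key_exchange(suite) in EPHEMERAL

def audit(preference_list):
    """Return (suites lacking PFS, whether the most-preferred suite has PFS)."""
    weak = [s for s in preference_list if not has_forward_secrecy(s)]
    return weak, has_forward_secrecy(preference_list[0])

# Constructed sample: a server preference list mixing PFS and static-RSA suites.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA: key recovery decrypts recorded traffic
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ECDHE: the RSA key only signs; sessions stay secret
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",      # static ECDH: no PFS
    "AES256-SHA",                             # OpenSSL spelling of TLS_RSA_WITH_AES_256_CBC_SHA
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3
]

if __name__ == "__main__":
    weak, first_ok = audit(SAMPLE)
    print("no forward secrecy:", weak, "| most-preferred suite has PFS:", first_ok)
```

The audit flags a preference list whose first entry is a static-RSA suite even when PFS suites appear later, since a client that accepts the server's order will negotiate the weak one.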