Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-17 Thread Florian Weimer
* Steven M. Bellovin:

> I'd have phrased it differently than Perry did.  I'd say that the 
> attackers are often cleverer *about security* than protocol designers, 
> because insecurity is their specialty.

I think this misses the point.  Hardly anybody attacks protocols.  In
fact, I think that those who design protocols easily outnumber those
who attack them.

What is being attacked aren't protocols, but implementations.  More
precisely, deployed implementations.  (I'm not talking about PR
attacks here, which can be powerful and costly as well; these are
completely different matters.)  I will receive a lot of flak for this
from the "faith is a verb", sorry, "security is a process" crowd, but
I'm convinced that at the moment, with the technology we have,
security is primarily a deployment issue.  This becomes even
more clear when you give up the misguided and completely unrealistic
focus on prevention, which still plagues large parts of the industry,
despite continuous failure of this approach.

That's why I was shocked when one vocal critic of electronic voting
disclosed that he'd never observed an actual electronic procedure.
When he did, he suddenly realized that some of the attacks he'd been
speculating about couldn't actually work in the field.  (Other attacks
still seemed realistic, though.)

Or another example: Can you criticize the designers of the cookie
protocol that the cookies are not sufficient for secure session
management in web applications?  Or that IPsec XAUTH doesn't prevent
gateway impersonation attacks from insiders?  There are limits to what
protocol designers can do, especially if the protocol is a universal
building block.  Security doesn't compose well, so getting individual
protocols right simply isn't the whole story.  Usually, it's even
possible to deploy insecure protocols and implementations in a
reasonably secure manner, and often, this isn't as costly as it
sounds.

> \item   Your enemy is just as smart as you are.  If we haven't seen
> a given class of attack yet, it's because it hasn't been necessary;
> simpler attacks have worked well enough.  (Besides, how do you know
> if you'll actually notice it?)

I think it's also important to realize that new protocols or
countermeasures which protect valuable assets (at least in the
attackers' eyes) can result in a considerable shift in attack
technology, especially on underlying protocols.

In the DoS context, this effect is quite well-known.  Once the end
system's application and TCP/IP stack can withstand the attack, your
network components or link bandwidth is attacked.  Of course, this
increases collateral damage, so it's common practice in a certain
class of DoS targets not to protect your hosts as well as you could.

I fear that a similar shift could occur at a protocol level.  Take
mail authentication, for example.  We have various proposals to use
DNS as a trusted data source.  If attackers think that subverting mail
authentication is a reasonable goal (which I doubt, but let's assume
it for the sake of argument), then it might be feasible to begin
large-scale attacks on DNS.  Of course, these attacks would have
enormous side effects, not just for mail delivery.  You make one thing
more secure, attacks shift to the underlying protocols which are
historically weak, and everybody loses because an old, widely used
protocol is suddenly put under significant stress.

Maybe this fear is a bit far-fetched, especially in the
SPF/DKIM/Sender-ID context, but I think the effect might indeed exist.
In general, attackers don't follow an economic model.  They don't
necessarily attack the weakest link where their attacks might be the
most effective, they just use what works for them.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-06 Thread John Kelsey
>From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
>Sent: Aug 5, 2005 12:04 PM
>To: Steve Furlong <[EMAIL PROTECTED]>
>Cc: cryptography@metzdowd.com
>Subject: Re: draft paper: "Deploying a New Hash Algorithm" 

...
>I'd have phrased it differently than Perry did.  I'd say
>that the attackers are often cleverer *about security* than
>protocol designers, because insecurity is their specialty.
>Ordinary protocol designers are good at designing those
>protocols, but they haven't been trained to think about
>security.  

Yes!  I've noticed that it's really common for me to work on
a project for a very short time (like an hour or two), and
start noticing all kinds of security holes, including a lot
of stuff with nothing to do with cryptography.  I'll still
be asking very basic questions of the other people on the
project about how things are *supposed* to work, but be
pointing out attacks they never thought of at the same time.
I think this is just a different way of thinking.  Attackers
and security people do this all the time.  Most normal
people never do--it's like once they've got the rules in
their heads, that's what's possible, and they don't even
think about it.  

How many times, working on security for some system, have
you pointed out an attack, only to hear some variation on
"but who would think of that?"  And you can see the same
thing happening in discussions of homeland security and
counterterrorism stuff.  It's like most people look at the
national guardsmen in the airport, and say "whew, I feel
safer," rather than "what the heck are those guys supposed
to do to stop hijacked planes crashing into buildings?" 

I like your starting points, but I think the real approach
to thinking about this is a bit broader.  It has to do with
understanding the rules, and trying to ask, for each one,
"and what makes me obey that rule?" or "what would happen if
I didn't do such and so?"  

>   --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

--John Kelsey



Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-05 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Steve Furlong writes:
>> [Moderator's note: ... attackers are often cleverer than protocol
>> designers. ...
>
>Is that true? Or is it a combination of
>
>(a) a hundred attackers for every designer, and
>(b) vastly disparate rewards: continued employment and maybe some
>kudos for a designer or implementer, access to $1,000,000,000 of bank
>accounts for an attacker
>

I'd have phrased it differently than Perry did.  I'd say that the 
attackers are often cleverer *about security* than protocol designers, 
because insecurity is their specialty.  Ordinary protocol designers are 
good at designing those protocols, but they haven't been trained to 
think about security.  Here's how I put it in my talk at the IETF 
plenary last night:

\ns{Patterns of Thought}  
\item   Serial number 1 of any new device is delivered to your enemy.
\item   You hand your packets to your enemy for delivery.
\item   Your enemy is just as smart as you are.  If we haven't seen
a given class of attack yet, it's because it hasn't been necessary;
simpler attacks have worked well enough.  (Besides, how do you know
if you'll actually notice it?)
\endns


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-04 Thread Steve Furlong
> [Moderator's note: ... attackers are often cleverer than protocol
> designers. ...

Is that true? Or is it a combination of

(a) a hundred attackers for every designer, and
(b) vastly disparate rewards: continued employment and maybe some
kudos for a designer or implementer, access to $1,000,000,000 of bank
accounts for an attacker


SRF

-- 
There are no bad teachers, only defective children.



Re: draft paper: "Deploying a New Hash Algorithm"

2005-08-04 Thread Alex Alten

Steve,

At 05:34 PM 7/29/2005 -0400, Steven M. Bellovin wrote:
In message <[EMAIL PROTECTED]>, Alex Alten writes:
>At 08:12 AM 7/25/2005 -0400, Steven M. Bellovin wrote:
>>In message <[EMAIL PROTECTED]>, Alex Alten writes:
>> >Steve,
>> >
>> >This also seems to be in conjunction with the potential switch over from
>> >RSA et al. to
>> >ECC for PKI, etc.
>> >
>>
>>Yes, Eric and I have been talking about that, and we'll add some
>>discussion of that to the next version of the paper.
>
>Variable output is really needed too, say 16, 32, 64, 128, 256 and 512 bits.
>And on the wishful side, the ability to optimize compression across
>multiple CPUs.
>

That's completely orthogonal to what the paper is about.  We're talking
about how to convert to *any* new hash algorithm; we're not concerned
with which is chosen.  (I confess, though, that hash outputs of less
than 128 bits don't strike me as cryptographically useful except for
HMAC and the like.)


Sorry for going off on a tangent.

Actually 32 (or even 16) bits is really useful for retrofitting old
insecure protocols where you don't want to alter the header size, you
only need access control, and the packets only exist for less than
100 msecs.

- Alex

--

- Alex Alten


[Moderator's note: I have to strongly disagree. 16 bits is rarely, if
ever, of any use in authentication in a modern system. Even if you
think something can't live long enough to be spoofed, it usually can,
and as it turns out, attackers are often cleverer than protocol
designers. Crypto is too brittle to play such games with it. --Perry]
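The disagreement above over 16- or 32-bit tags can be put in numbers: the following is an added example, not code from anyone in the thread, that truncates an HMAC tag as a retrofitted protocol would and computes how likely a burst of blind guesses is to get one packet accepted within its lifetime. The packet rate and the 100 ms window are assumed sample values.

```python
import hashlib
import hmac
import math


def truncated_tag(key: bytes, message: bytes, tag_bits: int) -> bytes:
    """HMAC-SHA256 over the message, truncated to tag_bits (multiple of 8)."""
    full = hmac.new(key, message, hashlib.sha256).digest()
    return full[: tag_bits // 8]


def verify(key: bytes, message: bytes, tag: bytes, tag_bits: int) -> bool:
    """Constant-time check of a received tag against the expected one."""
    return hmac.compare_digest(truncated_tag(key, message, tag_bits), tag)


def forgery_probability(tag_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` random tags is accepted.

    Each blind guess succeeds with probability 2**-tag_bits, so the chance
    of at least one success is 1 - (1 - 2**-tag_bits)**attempts.  log1p and
    expm1 keep the result accurate when the per-guess probability is tiny.
    """
    per_guess = 2.0 ** -tag_bits
    return -math.expm1(attempts * math.log1p(-per_guess))


def attempts_in_window(packets_per_second: float, window_seconds: float) -> int:
    """How many guessed packets fit into the lifetime of one legitimate packet."""
    return int(packets_per_second * window_seconds)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    packet = b"hdr|payload"                # constructed sample packet
    tag16 = truncated_tag(key, packet, 16)
    print("16-bit tag accepted:", verify(key, packet, tag16, 16))

    # Assumed rate: one million guessed packets per second for the 100 ms
    # a packet is said to "exist" in the thread.
    n = attempts_in_window(1_000_000, 0.1)
    for bits in (16, 32, 64, 128):
        print(f"{bits:3d}-bit tag, {n} guesses: "
              f"P(forgery) = {forgery_probability(bits, n):.3g}")
```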


Re: draft paper: "Deploying a New Hash Algorithm"

2005-07-25 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Alex Alten writes:
>Steve,
>
>This also seems to be in conjunction with the potential switch over from 
>RSA et al. to
>ECC for PKI, etc.
>

Yes, Eric and I have been talking about that, and we'll add some 
discussion of that to the next version of the paper.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





draft paper: "Deploying a New Hash Algorithm"

2005-07-21 Thread Steven M. Bellovin
Eric Rescorla and I have written a paper "Deploying a New Hash Algorithm".
A draft is available at http://www.cs.columbia.edu/~smb/papers/new-hash.ps
and http://www.cs.columbia.edu/~smb/papers/new-hash.pdf .

Here's the abstract:

As a result of recent discoveries, the strength of hash
functions such as MD5 and SHA-1 has been called into
question.  Regardless of whether or not it is necessary to
move away from those now, it is clear that it will be
necessary to do so in the not-too-distant future.  This
poses a number of challenges, especially for certificate-based
protocols.  We analyze S/MIME, TLS, and IPsec.  All three
require protocol or implementation changes.  We explain
the necessary changes, show how the conversion can be done,
and list what measures should be taken immediately.

