Re: [cryptography] [tor-talk] NIST approved crypto in Tor?

2013-09-08 Thread Eugen Leitl 
- Forwarded message from Gregory Maxwell gmaxw...@gmail.com -

Date: Sun, 8 Sep 2013 06:44:57 -0700
From: Gregory Maxwell gmaxw...@gmail.com
To: This mailing list is for all discussion about theory, design, and 
development of Onion Routing.
tor-t...@lists.torproject.org
Subject: Re: [tor-talk] NIST approved crypto in Tor?
Reply-To: tor-t...@lists.torproject.org

On Sat, Sep 7, 2013 at 8:09 PM, Gregory Maxwell gmaxw...@gmail.com wrote:
 On Sat, Sep 7, 2013 at 4:08 PM, anonymous coward
 anonymous.cow...@posteo.de wrote:
 Bruce Schneier recommends *not* to use ECC. It is safe to assume he
 knows what he says.

 I believe Schneier was being careless there.  The ECC parameter sets
 commonly used on the internet (the NIST P-xxxr ones) were chosen using
 a published deterministically randomized procedure.  I think the
 notion that these parameters could have been maliciously selected is a
 remarkable claim which demands remarkable evidence.

Okay, I need to eat my words here.

I went to review the deterministic procedure because I wanted to see
if I could repoduce the SECP256k1 curve we use in Bitcoin. They don't
give a procedure for the Koblitz curves, but they have far less design
freedom than the non-koblitz so I thought perhaps I'd stumble into it
with the most obvious procedure.

The deterministic procedure basically computes SHA1 on some seed and
uses it to assign the parameters then checks the curve order, etc..
wash rinse repeat.

Then I looked at the random seed values for the P-xxxr curves. For
example, P-256r's seed is c49d360886e704936a6678e1139d26b7819f7e90.

_No_ justification is given for that value. The stated purpose of the
veritably random procedure ensures that the parameters cannot be
predetermined. The parameters are therefore extremely unlikely to be
susceptible to future special-purpose attacks, and no trapdoors can
have been placed in the parameters during their generation.

Considering the stated purpose I would have expected the seed to be
some small value like ... 6F and for all smaller values to fail the
test. Anything else would have suggested that they tested a large
number of values, and thus the parameters could embody any undisclosed
mathematical characteristic whos rareness is only bounded by how many
times they could run sha1 and test.

I now personally consider this to be smoking evidence that the
parameters are cooked. Maybe they were only cooked in ways that make
them stronger? Maybe

SECG also makes a somewhat curious remark:

The elliptic curve domain parameters over (primes) supplied at each
security level typically consist of examples of two different types of
parameters — one type being parameters associated with a Koblitz curve
and the other type being parameters chosen verifiably at random —
although only verifiably random parameters are supplied at export
strength and at extremely high strength.

The fact that only verifiably random are given for export strength
would seem to make more sense if you cynically read verifiably
random as backdoored to all heck. (though it could be more innocently
explained that the performance improvements of Koblitz wasn't so
important there, and/or they considered those curves weak enough to
not bother with the extra effort required to produce the Koblitz
curves).
-- 
tor-talk mailing list - tor-t...@lists.torproject.org
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

- End forwarded message -
-- 
Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org
__
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] [tor-talk] NIST approved crypto in Tor?

2013-09-07 Thread Eugen Leitl 
- Forwarded message from Nick Mathewson ni...@alum.mit.edu -

Date: Sat, 7 Sep 2013 13:02:04 -0400
From: Nick Mathewson ni...@alum.mit.edu
To: tor-t...@lists.torproject.org tor-t...@lists.torproject.org
Subject: Re: [tor-talk] NIST approved crypto in Tor?
Reply-To: tor-t...@lists.torproject.org

On Sat, Sep 7, 2013 at 5:25 AM, Sebastian G. bastik.tor
bastik@googlemail.com wrote:
 Hi,

 Tor switches over to ECC what's a reasonable step.

 I'm unable to find the blog post (or maybe it was an official comment on
 the blog) [With DDG and StartPage] where someone said that if the NIST
 (I guess) is not lying ECC is safe.

 Is the ECC used by Tor in some way certified by NIST?

The TLS ECDH groups P-256 and P-224 are NIST-certified.  For circuit
extension, we use Dan Bernstein's non-NIST-certified curve25519 group.

 Are other parts of Tor certified by NIST?

NIST has certified tons of stuff, including AES and SHA1 and SHA256
and SHA3.  If you're jumping ship from NIST, you need to jump ship
from those as well.


Of all the NIST stuff above, my suspicion is not that they are
cryptographically broken, but that they are deliberately hard to
implement correctly: see
  * http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
(on the P groups)
and
  * http://cr.yp.to/antiforgery/cachetiming-20050414.pdf (on AES)

Also, we're not using DSA, but DSA (as recommended by NIST) fits into
this pattern: DSA (as recommended by NIST) requires a strong random
number generator to be used when signing, and fails terribly in a way
that exposes the private key if the random number generator is the
least bit week or predictable. (see
https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity)

To me, this suggests a trend of certifying strong cryptographic
algorithms while at the same time ensuring that most implementations
will be of poor quality.  That's just speculation, though.

(And I'm probably falling to the fallacy where you assume that
whatever results somebody gets are the ones they wanted.)



Of course, the deliberately in deliberately hard to implement
correctly is almost impossible to prove.  Is it nearly impossible to
write a fast side-channel-free AES implemenation in C because because
of a nefarious conspiracy, or simply because cryptographers in 2000
didn't appreciate how multiplication in GF(2^8) wasn't as
software-friendly a primitive?  (Looking at the other AES finalists, I
see a bunch of other hard-to-do-right-in-fast-software stuff like
GF(2^8) multiplication and table-based s-boxes.)   Are the ECC P
groups shaped that way for nefarious reasons, or simply because the
standards committee didn't have an adequate appreciation of the
software issues?

And it's not like NIST standards are the only ones that have problems.
 TLS is an IETF standard, but TLS implementations today have three
basic kinds of ciphersuirte: a fraught-with-peril CBC-based
pad-MAC-then-encrypt kind where somebody finds a new active attack
every year or so; a stream-cipher-based kind where the only supported
stream cipher is the ridiculously bad RC4, and an authenticated
encryption kind where the the AEAD mode uses GCM, which is also hard
to do in a side-channel-free way in software.

Conspiracy, or saboteurs in the (international) TLS working group, or
international bureaucratic intertia? Who can say?

And let's not mention X.509.  Let's just not, okay?  X.509 is
byzantine in a way that would make any reasonable implementor's head
spin, *and* the X.509 CA infrastructure is without a doubt one of the
very worst things in web security today.  And it's an international
standard.


[...]
 I understand that ECC used for Tor is different from what the essay is
 about.

 However the NSA may found something it can exploit in ECC and made NIST
 (maybe unknowingly) standardize the curve (or whatever) that is most
 vulnerable or recommends for a weak one, or for too short keys.

 Does Tor use stuff certified or recommended by NIST?

Yes; see above.  Also, there were once NIST recommendations for using
TLS; I have no idea whether we're following them or not.  (There are
NIST recommendations for nearly )

 If so would it be reasonable to move to international standards
 (whatsoever) without the involvement of NIST and NSA 'consultation'?
 (Completely unrelated to what might be going on, just as defense-in-depth.)

I'm not sure that there *are* international-standards recommendations
for ECC groups or for ciphers that diverge from NIST's.  The IETF is
an international body, after all, and TLS standards have been happily
recommending SHA1, SHA256, AES, DSA, and the P groups for ages.  (See
also notes above about the not-much-betterness of international
stuff.)

With any luck, smart cryptographers will start to push non-NIST curves
and ciphers into prominence.  I've got some hopes for the EU here;
ECRYPT and ECRYPT II produced some exceptionally worthwhile results; I
hope that whoever makes funding decisions funds a nice