Re: Gutmann Soundwave Therapy

2008-02-13 Thread Peter Gutmann
Daniel Carosone [EMAIL PROTECTED] writes: On Mon, Feb 04, 2008 at 02:48:08PM -0700, Martin James Cochran wrote: Additionally, in order to conserve bandwidth you might want to make a trade-off where some packets may be forged with small probability (in the VOIP case, that means an attacker gets

Re: Gutmann Soundwave Therapy

2008-02-13 Thread Daniel Carosone
On Mon, Feb 11, 2008 at 07:01:07PM +1300, Peter Gutmann wrote: Daniel Carosone [EMAIL PROTECTED] writes: [...] Particularly for the first point, early validation for packet integrity in general can be a useful defensive tool against unknown potential implementation vulnerabilities. This is

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Daniel Carosone
Others have made similar points and suggestions, not picking on this instance in particular: On Mon, Feb 04, 2008 at 02:48:08PM -0700, Martin James Cochran wrote: Additionally, in order to conserve bandwidth you might want to make a trade-off where some packets may be forged with small

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| - Truncate the MAC to, say, 4 bytes. Yes, a simple brute | force attack lets one forge so short a MAC - but | is such an attack practically mountable in real | time by attackers who concern you? | | In fact, 32-bit authentication tags are a feature

Re: Gutmann Soundwave Therapy

2008-02-09 Thread dan
Amateurs talk about algorithms. Professionals talk about economics. That would be Amateurs study cryptography; professionals study economics. -- Allan Schiffman, 2 July 04 Quotationally yours, --dan - The

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Richard Salz
Thus unlike with bridges, you fundamentally can't evaluate the quality of a security system you built if you're unfamiliar with the state of the art of _attacks_ against security systems, and you can't become familiar with those unless you realize that these attacks have each brought

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 10:34:42 -0500 (EST), Leichter, Jerry wrote: | Since (by definition) you don't have a copy of the packet you've lost, | you need a MAC that survives that--and is still compact. This makes | life rather more complicated. I'm not up on the most recent lossy | MACing

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| So, this issue has been addressed in the broadcast signature context | where you do a two-stage hash-and-sign reduction (cf. [PG01]), but | when this only really works because hashes are a lot more efficient | than signatures. I don't see why it helps with MACs. Thanks for the reference. |

RE: Gutmann Soundwave Therapy

2008-02-09 Thread Crawford Nathan-HMGT87
humans are not going to carry around large strong secrets every time either end of the connection restarts Which is what makes good crypto challenging. I think, though, that because people can understand the concept of physical locks and keys, that this should be carried forward... Good

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Eric Rescorla
At Thu, 7 Feb 2008 14:42:36 -0500 (EST), Leichter, Jerry wrote: | Obviously, if you *really* use every k'th packet to define what is in | fact a substream, an attacker can arrange to knock out the substream he | has chosen to attack. So you use your encryptor to permute the | substreams,

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Peter Gutmann
Leichter, Jerry [EMAIL PROTECTED] writes: All of this ignores a significant issue: Are keying and encryption (and authentication) mechanisms really independent of each other? I'm not aware of much work in this direction. Is there much work to be done here? If you view the keyex mechanism as a

Re: Gutmann Soundwave Therapy

2008-02-09 Thread Leichter, Jerry
| All of this ignores a significant issue: Are keying and encryption | (and authentication) mechanisms really independent of each other? I'm | not aware of much work in this direction. | | Is there much work to be done here? If you view the keyex mechanism | as a producer of an authenticated

Re: Gutmann Soundwave Therapy

2008-02-06 Thread James A. Donald
James A. Donald wrote: I have figured out a solution, which I may post here if you are interested. Ian G wrote: I'm interested. FTR, zooko and I worked on part of the problem, documented briefly here: http://www.webfunds.org/guide/sdp/index.html I have posted How to do VPNs right at

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Peter Gutmann
Guus Sliepen [EMAIL PROTECTED] writes: Peter sent us his write-up up via private email a few days before he posted it to this list (which got it on Slashdot). I had little time to think about the issues he mentioned before his write-up became public. I should provide some background for the

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Peter Gutmann
Ian G [EMAIL PROTECTED] writes: James A. Donald wrote: I have been considering the problem of encrypted channels over UDP or IP. TLS will not work for this, since it assumes and provides a reliable, and therefore non timely channel, whereas what one wishes to provide is a channel where

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Peter Gutmann
Eric Rescorla [EMAIL PROTECTED] writes: I don't propose to get into an extended debate about whether it is better to use SRTP or to use generic DTLS. That debate has already happened in IETF and SRTP is what the VoIP vendors are doing. However, the good news here is that you can use DTLS to key

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Ivan Krstić
On Jan 31, 2008, at 10:32 PM, Richard Salz wrote: Developers working in almost any field should know the history and best practices -- is PGP's original bass o matic any more important than the code in a defibrillator? -- but this is not the way our field works right now. Compare it to

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Leichter, Jerry
Commenting on just one portion: | 2. VoIP over DTLS | As Perry indicated in another message, you can certainly run VoIP | over DTLS, which removes the buffering and retransmit issues | James is alluding to. Similarly, you could run VoIP over IPsec | (AH/ESP). However, for performance reasons,

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Eric Rescorla
At Mon, 4 Feb 2008 09:33:37 -0500 (EST), Leichter, Jerry wrote: Commenting on just one portion: | 2. VoIP over DTLS | As Perry indicated in another message, you can certainly run VoIP | over DTLS, which removes the buffering and retransmit issues | James is alluding to. Similarly, you

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Martin James Cochran
Comments inline. On Feb 3, 2008, at 5:56 PM, Eric Rescorla wrote: - If you use DTLS with AES in CBC mode, you have the 4 byte DTLS header, plus a 16 byte IV, plus 10 bytes of MAC (in truncated MAC mode), plus 2 bytes of padding to bring you up to the AES block boundary: DTLS adds 32 bytes of

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Steven M. Bellovin
On Mon, 4 Feb 2008 09:33:37 -0500 (EST) Leichter, Jerry [EMAIL PROTECTED] wrote: The NSA quote someone - Steve Bellovin? - has repeated comes to mind: Amateurs talk about algorithms. Professionals talk about economics. Using DTLS for VOIP provides you with an extremely high level of

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Eric Rescorla
At Mon, 04 Feb 2008 14:29:50 +1000, James A. Donald wrote: James A. Donald wrote: I have figured out a solution, which I may post here if you are interested. Ian G wrote: I'm interested. FTR, zooko and I worked on part of the problem, documented briefly here:

Re: Gutmann Soundwave Therapy

2008-02-06 Thread Bill Frantz
[EMAIL PROTECTED] (Peter Gutmann) on Monday, February 4, 2008 wrote: Eric Rescorla [EMAIL PROTECTED] writes: I don't propose to get into an extended debate about whether it is better to use SRTP or to use generic DTLS. That debate has already happened in IETF and SRTP is what the VoIP vendors

Re: Gutmann Soundwave Therapy

2008-02-03 Thread James A. Donald
-- Ivan Krstic' wrote: The wider point of Peter's writeup -- and of the therapy -- is that developers working on security tools should _know_ they're working in a notoriously, infamously hard field where the odds are _overwhelmingly_ against them if they choose to engineer new

Re: Gutmann Soundwave Therapy

2008-02-03 Thread Eric Rescorla
At Sun, 03 Feb 2008 12:51:25 +1000, James A. Donald wrote: -- Ivan Krstic' wrote: The wider point of Peter's writeup -- and of the therapy -- is that developers working on security tools should _know_ they're working in a notoriously, infamously hard field where the odds are

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Perry E. Metzger
Sandy Harris [EMAIL PROTECTED] writes: What I don't understand is why you think tinc is necessary, or even worth the trouble. IPsec is readily available -- built into Windows, Mac OS and various routers, and with implementations for Linux and all the *BSDs -- has had quite a bit of expert

Re: Gutmann Soundwave Therapy

2008-02-01 Thread James A. Donald
Guus Sliepen wrote: Peter's write-up was the reason I subscribed to this cryptography mailing list. After a while the anger/hurt feelings I had disappeared. I knew then that Peter was right in his arguments. Nowadays I can look at Peter's write-up more objectively and I can see that it is not as

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Richard Salz
The wider point of Peter's writeup -- and of the therapy -- is that developers working on security tools should _know_ they're working in a notoriously, infamously hard field where the odds are _overwhelmingly_ against them if they choose to engineer new solutions. Developers working in

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Sandy Harris
What I don't understand is why you think tinc is necessary, or even worth the trouble. IPsec is readily available -- built into Windows, Mac OS and various routers, and with implementations for Linux and all the *BSDs -- has had quite a bit of expert security analysis, and handles VPNs just fine.

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Eric Rescorla
At Fri, 01 Feb 2008 18:42:03 +1000, James A. Donald wrote: Guus Sliepen wrote: Peter's write-up was the reason I subscribed to this cryptography mailing list. After a while the anger/hurt feelings I had disappeared. I knew then that Peter was right in his arguments. Nowadays I can look

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Perry E. Metzger
James A. Donald [EMAIL PROTECTED] writes: When tinc 2.0 will ever come out (unfortunately I don't have a lot of time to work on it these days), it will probably use the GnuTLS library and authenticate and connect daemons with TLS. For performance reasons, you want to tunnel network packets

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Thor Lancelot Simon
On Thu, Jan 31, 2008 at 04:07:03PM +0100, Guus Sliepen wrote: Peter sent us his write-up up via private email a few days before he posted it to this list (which got it on Slashdot). I had little time to think about the issues he mentioned before his write-up became public. When it did, I

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Guus Sliepen
On Thu, Jan 31, 2008 at 03:46:47PM -0500, Thor Lancelot Simon wrote: On Thu, Jan 31, 2008 at 04:07:03PM +0100, Guus Sliepen wrote: Peter sent us his write-up up via private email a few days before he posted it to this list (which got it on Slashdot). I had little time to think about the

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Ian G
James A. Donald wrote: I have been considering the problem of encrypted channels over UDP or IP. TLS will not work for this, since it assumes and provides a reliable, and therefore non timely channel, whereas what one wishes to provide is a channel where timeliness may be required at the

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Nicolas Williams
On Fri, Feb 01, 2008 at 09:24:10AM -0500, Perry E. Metzger wrote: Does tinc do something that IPsec cannot? I use a VPN system other than IPSec on a regular basis. The reason is simple: it is easy to configure for my application and my OS native IPsec tools are very difficult to configure.

Re: Gutmann Soundwave Therapy

2008-02-01 Thread Perry E. Metzger
Ian G [EMAIL PROTECTED] writes: This is what Guus was getting at: - We needed to tunnel data over UDP, with UDP semantics. SSL requires a reliable stream. Therefore, we had to use something other that SSL to tunnel data. The version of SSL (which is officially called TLS) that does

Re: Gutmann Soundwave Therapy

2008-01-31 Thread Hayden Stainsby
On 30 Jan 2008, at 04:26, Perry E. Metzger wrote: Clearly, more people need to know about Gutmann Soundwave Therapy. To this end, I would like to introduce the Gutmann Sound Wave Therapy Mobile Enlightenment Unit. http://occasionallyhuman.net/gutmann/ (NSFW if depictions of phallic

Re: Gutmann Soundwave Therapy

2008-01-31 Thread Guus Sliepen
On Tue, Jan 29, 2008 at 12:26:21PM -0500, Perry E. Metzger wrote: Clearly, more people need to know about Gutmann Soundwave Therapy. Ivan Krstić [EMAIL PROTECTED] writes: [...] [0] Last paragraph, http://diswww.mit.edu/bloom-picayune/crypto/14238 As it turns out, the central image of

Re: Gutmann Soundwave Therapy

2008-01-31 Thread Ivan Krstić
On Jan 31, 2008, at 4:07 PM, Guus Sliepen wrote: I hope that in the future, if you see an application doing something wrong, you don't immediately give the developers the soundwave therapy. The wider point of Peter's writeup -- and of the therapy -- is that developers working on security