
Re: [Cryptography] IPsec DH parameters, other flaws


On Sat, Nov 14, 2020 at 8:31 PM iang <iang AT iang.org> wrote:

coming late to this party... but I'll bet the permathread will be running for a decade.

On 20/07/2020 09:06, Alfie John wrote:
On 19 Jul 2020, at 14:55, Phillip Hallam-Baker <phill AT hallambaker.com> wrote:
There are a few individuals who seemed to be always there to pour poison in people's ears and to encourage them to 'stand their ground' when insisting on some asinine security requirement that makes the whole thing undeployable.
All these war stories are great to finally be open and to a larger audience. Thanks everyone for adding their nuggets!

So it's 2020 and we now know that there's a concerted effort to actively sabotage standards and implementations by many actors (including large budgets to sway people at all levels). Considering a clean slate for the whole stack - from TCP, IP, BGP, DNS, HTTP, etc., all the way to certificate infrastructure, application layer authentication, key management, etc.:

  - how would you design the state of the art with security as one of its primary goals (i.e. features and anti-features)

The key is to start asking who, not how. It's clear that the IETF/etc. was set up to allow vendors to duke it out. Which opened the way for NSA & friends to futz up the security groups with targeted interventions. In short, to bring the process to a standstill where their security was involved.

IETF was set up to allow the DARPA program managers to monitor all the grants they had awarded. That is where the IAB and IESG really come from. It is also where the 'consensus' thing, where the politburo get to decide everything, comes from.

Of course, DARPA/ARPA haven't been an issue in IETF for decades now. But the legacy remains. The people with the authority have no accountability. And that means they can't take important decisions.

So the answer is to not do that - not do committees, working groups, and not rely on the good faith of participants. When there is an attacker who is prepared to outspend you and out-faith you, you have to change the process. In this context, the who cannot be a committee.

The who has to be individuals / tight teams.

If you look at the successful security protocols in use today, only TLS was a group effort and that was largely because the principal architect wasn't legally allowed to work on it. PGP and SSH were both the work of one individual who got from the initial design to an advanced prototype alone.

The real inventor of TLS was Marc Andreessen. It is, ironically, the one bit of the Web he was the prime mover on and the one bit he has never received credit for. At the time the idea of a Transport layer solution, 'secure sockets', was really not the way to do things. Application layer was obviously more powerful. Only we didn't have the technology to do message layer at that time and the machines weren't up to it. Marca couldn't work on SSL directly though because he was under a non-compete to EIT. And while he had the top level architecture right, he didn't have the experience to get the lower levels right.

Problem with the individual inventor model is that there are maybe 1000 people in the world with the necessary skills. Of those, only a small number have the ego required to stand up and make a proposal. Being the target of other people's scorn is a lot harder than throwing rotten eggs at other people's stuff. And only a very small fraction of that number have the independent means to allow them to spend two to five years working without an immediate income.

Sure, I do have an end-to-end secure password vault and it is almost ready for release. How sure would you want to be that the code is correct before YOU release?

The problem here might be how to stop nefarious agencies (NSA) from spiking the project while in gestation. Here, strong requirements, transparent schedule and many well known observers can help.

Don't assume the NSA is still the enemy. The Snowden breach has really changed attitudes. So has the DNC hack and the proliferation of disinformation operations and intelligence gathering operations posing as 'transparency organizations'. They are suddenly aware that the US is a really big glass house and the opposition is throwing stuff a lot bigger than their stones. One of the reasons I changed the name of PRISMProof to the Mathematical Mesh was that it is the technology that the NSA needs more than anyone else.

There is a piece of information I was given that I was told is the key: NOBUS. Nobody but US. It is still NSA doctrine as far as I am aware. Basically, they are perfectly happy creating backdoors when they can. But they must satisfy NOBUS - only 'we' can exploit them. If you look at Dual_EC_DRBG, that satisfies NOBUS.

But it isn't just the US that is manipulating the standards processes these days. We have China and Russia pushing their own agendas as well. It is instructive for people to look at John Young's dump of the emails discussing the creation of Wikileaks. One minute there is an open, cooperative effort to build a transparency group, the next, there is one person in sole control and pretty much everyone who helped him set it up has been kicked to the curb.

Besides metrics for crypto, I think we need metrics for transparency organizations and investigative journalists. Was the outing of Manning and Reality Winner really an accident or does the FSB just find that having some martyrs helps their cause?

The cryptography mailing list
cryptography AT metzdowd.com