Re: Possibly questionable security decisions in DNS root management
On Oct 14, 2009, at 7:54 PM, Perry E. Metzger wrote:

> ...We should also recognize that in cryptography, a small integer safety margin isn't good enough. If one estimates that a powerful opponent could attack a 1024 bit RSA key in, say, two years, that's not even a factor of 10 over 90 days, and people spending lots of money have a good record of squeezing out factors of 10 here and there. Finding an exponential speedup in an algorithm is not something one can do, but figuring out a process trick to remove a small constant is entirely possible.
>
> Meanwhile, of course, the 1024 bit "short term" keying system may end up staying in place far longer than we imagine -- things like this often roll out and stay in place for a decade or two even when we imagine we can get rid of them quickly.

As I read it, "short term" refers to the lifetime of the *key*, not the lifetime of the *system*.

> Do we really believe we won't be able to attack a 1024 bit key with a sufficiently large budget even in 10 years? ...

Currently, the cryptographic cost of an attack is ... 0. How many attacks have there been? Perhaps the perceived value of owning part of DNS isn't as great as you think.

If the constraints elsewhere in the system limit the number of bits of signature you can transfer, you're stuck. Presumably over time you'd want to go to a more bit-efficient signature scheme, perhaps using ECC.

But as it is, the choice appears to be between (a) continuing the current completely unprotected system and (b) *finally* rolling out protection sufficient to block all but very well funded attacks for a number of years. Should we let the best be the enemy of the good here?

-- Jerry

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: Possibly questionable security decisions in DNS root management
At 7:54 PM -0400 10/14/09, Perry E. Metzger wrote:
>There are enough people here with the right expertise. I'd be interested
>in hearing what people think could be done with a fully custom hardware
>design and a budget in the hundreds of millions of dollars or more.

What part of owning a temporary private key for the root zone would be worth even 10% of that much?

There are attacks, and there are motivations. Until we know the latter, we cannot put a price on the former.

Related question: if all the root keys were 2048 bits, who do you think would change the way they rely on DNSSEC?

--Paul Hoffman, Director
--VPN Consortium
Re: Possibly questionable security decisions in DNS root management
bmann...@vacation.karoshi.com writes:
> er... there is the root key and there is the ROOT KEY.
> the zsk only has a 90 day validity period. ... meets the
> "spec" and -ought- to be good enough. that said, it is
> currently a -proposal- and if credible arguments can be made
> to modify the proposal, I'm persuaded that VSGN will do so.

Well, you might look at Ekr's argument, which I largely agree with. I think the two key observations are that 1024 bit keys are already considered iffy, large sums (perhaps hundreds of millions of dollars or even more) may be thrown by opponents at this particular key, and that technology for factoring will only get better. Given the sums that could be spent, very specialized hardware could be built -- far more specialized than ordinary PCs on which the problem doesn't scale that well in its most expensive steps.

Security is usually not limited by cryptography in the modern world. Crypto systems are usually far stronger than opponents are willing to spend, and bugs are the more obvious way to attack things. However, if you're talking about a really high value target and "weak enough" crypto, the economics change, and with them so does everything else. Crypto being a potential weak spot is an exceptionally rare situation, but the DNS root key is insanely high value.

We should also recognize that in cryptography, a small integer safety margin isn't good enough. If one estimates that a powerful opponent could attack a 1024 bit RSA key in, say, two years, that's not even a factor of 10 over 90 days, and people spending lots of money have a good record of squeezing out factors of 10 here and there. Finding an exponential speedup in an algorithm is not something one can do, but figuring out a process trick to remove a small constant is entirely possible.

Meanwhile, of course, the 1024 bit "short term" keying system may end up staying in place far longer than we imagine -- things like this often roll out and stay in place for a decade or two even when we imagine we can get rid of them quickly. Do we really believe we won't be able to attack a 1024 bit key with a sufficiently large budget even in 10 years?

Again, normally, crypto isn't where you attack an opponent, but in this case, I'd suggest that key length might not be a silly thing to worry about.

There are enough people here with the right expertise. I'd be interested in hearing what people think could be done with a fully custom hardware design and a budget in the hundreds of millions of dollars or more.

Perry
--
Perry E. Metzger pe...@piermont.com
Re: Possibly questionable security decisions in DNS root management
On Wed, Oct 14, 2009 at 07:22:27PM -0400, Perry E. Metzger wrote:
>
> bmann...@vacation.karoshi.com writes:
> > On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
> >> Ekr has a very good blog posting on what seems like a bad security
> >> decision being made by Verisign on management of the DNS root key.
> >>
> >> http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
> >>
> >> In summary, a decision is being made to use a "short lived" 1024 bit key
> >> for the signature because longer keys would result in excessively large
> >> DNS packets. However, such short keys are very likely crackable in short
> >> periods of time if the stakes are high enough -- and few keys in
> >> existence are this valuable.
> >
> > however - the VSGN proposal meets current NIST guidelines.
>
> That doesn't say anything about how good an idea it is, any more than an
> architect can make a building remain standing in an earthquake by
> invoking the construction code.
>
> We are the sort of people who write these sorts of guidelines, and if
> they're flawed, we can't use them as a justification for designs.
>
> (Well, a bureaucrat certainly can use such documents as a form of CYA,
> but we're discussing technology here, not means of evading blame.)
>
> The fact is, the DNS root key is one of the few instances where it is
> actually worth someone's time to crack a key because it provides
> enormous opportunities for mischief, especially if people start trusting
> it more because it is authenticated. Unlike your https session to view
> your calendar or the password for your home router, the secrets involved
> here are worth an insane amount of money.

er... there is the root key and there is the ROOT KEY.
the zsk only has a 90 day validity period. ... meets the
"spec" and -ought- to be good enough. that said, it is
currently a -proposal- and if credible arguments can be made
to modify the proposal, I'm persuaded that VSGN will do so.

> Perry
Re: Possibly questionable security decisions in DNS root management
bmann...@vacation.karoshi.com writes:
> On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
>> Ekr has a very good blog posting on what seems like a bad security
>> decision being made by Verisign on management of the DNS root key.
>>
>> http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
>>
>> In summary, a decision is being made to use a "short lived" 1024 bit key
>> for the signature because longer keys would result in excessively large
>> DNS packets. However, such short keys are very likely crackable in short
>> periods of time if the stakes are high enough -- and few keys in
>> existence are this valuable.
>
> however - the VSGN proposal meets current NIST guidelines.

That doesn't say anything about how good an idea it is, any more than an architect can make a building remain standing in an earthquake by invoking the construction code.

We are the sort of people who write these sorts of guidelines, and if they're flawed, we can't use them as a justification for designs.

(Well, a bureaucrat certainly can use such documents as a form of CYA, but we're discussing technology here, not means of evading blame.)

The fact is, the DNS root key is one of the few instances where it is actually worth someone's time to crack a key because it provides enormous opportunities for mischief, especially if people start trusting it more because it is authenticated. Unlike your https session to view your calendar or the password for your home router, the secrets involved here are worth an insane amount of money.

Perry
Re: Possibly questionable security decisions in DNS root management
On Wed, Oct 14, 2009 at 06:24:06PM -0400, Perry E. Metzger wrote:
>
> Ekr has a very good blog posting on what seems like a bad security
> decision being made by Verisign on management of the DNS root key.
>
> http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html
>
> In summary, a decision is being made to use a "short lived" 1024 bit key
> for the signature because longer keys would result in excessively large
> DNS packets. However, such short keys are very likely crackable in short
> periods of time if the stakes are high enough -- and few keys in
> existence are this valuable.

however - the VSGN proposal meets current NIST guidelines.

--bill

> Perry
> --
> Perry E. Metzger pe...@piermont.com
Possibly questionable security decisions in DNS root management
Ekr has a very good blog posting on what seems like a bad security decision being made by Verisign on management of the DNS root key.

http://www.educatedguesswork.org/2009/10/on_the_security_of_zsk_rollove.html

In summary, a decision is being made to use a "short lived" 1024 bit key for the signature because longer keys would result in excessively large DNS packets. However, such short keys are very likely crackable in short periods of time if the stakes are high enough -- and few keys in existence are this valuable.

Perry
--
Perry E. Metzger pe...@piermont.com
EFF Warns Texas Instruments to Stop Harassing Calculator Hobbyists (for cracking public keys)
FYI. As I understand it, TI calculator boot ROMs use a 512 bit RSA public key to check the signature of the software they're loading. When hobbyists who wanted to run their own alternative OS software on their calculator calculated the corresponding private key and were thus able to sign their own software, TI sent them DMCA takedowns claiming they had cracked TI's DRM. As with the CSS keys, a publish/takedown chase ensued. Wikileaks has had the censored keys up since August. EFF is now representing the hobbyists, and may stand to collect legal fees from TI.

Here's Schneier's take: http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html

John

Electronic Frontier Foundation Media Release

For Immediate Release: Tuesday, October 13, 2009

Contact:
Jennifer Stisa Granick
Civil Liberties Director
Electronic Frontier Foundation
jenni...@eff.org
+1 415 436-9333 x134

EFF Warns Texas Instruments to Stop Harassing Calculator Hobbyists

Baseless Legal Threats Squash Free Speech, Innovation

San Francisco - The Electronic Frontier Foundation (EFF) warned Texas Instruments (TI) today not to pursue its baseless legal threats against calculator hobbyists who blogged about potential modifications to the company's programmable graphing calculators.

TI's calculators perform a "signature check" that allows only approved operating systems to be loaded onto the hardware. But researchers were able to reverse-engineer signing keys, allowing tinkers to install custom operating systems and unlock new functionality in the calculators' hardware. In response to this discovery, TI unleashed a torrent of demand letters claiming that the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) required the hobbyists to take down commentary about and links to the keys. EFF represents three men who received such letters.

"The DMCA should not be abused to censor online discussion by people who are behaving perfectly legally," said Tom Cross, who blogs at memestreams.net. "It's legal to engage in reverse engineering, and it's legal to talk about reverse engineering."

In fact, the DMCA explicitly allows reverse engineering to create interoperable custom software like the programs the hobbyists are using. Additionally, TI makes its software freely available on its website, so there is no connection between the use of the keys and unauthorized distribution of the code.

"This is not about copyright infringement. This is about running your own software on your own device -- a calculator you legally bought," said EFF Civil Liberties Director Jennifer Granick. "Yet TI still issued empty legal threats in an attempt to shut down discussion of this legitimate tinkering. Hobbyists are taking their own tools and making them better, in the best tradition of American innovation."

For the full letters sent to Texas Instruments by EFF on behalf of their clients: http://www.eff.org/files/filenode/coders/TI%20Claim%20Ltr%20101309.pdf

For this release: http://www.eff.org/press/archives/2009/10/13

About EFF

The Electronic Frontier Foundation is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression and privacy online. EFF is a member-supported organization and maintains one of the most linked-to websites in the world at http://www.eff.org/

-end-
Review of new book on the NSA
There's a new book on the NSA, based largely on documents received via Freedom of Information Act requests. Bamford's review is at http://www.nybooks.com/articles/23231 .

--Steve Bellovin, http://www.cs.columbia.edu/~smb