Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Just to throw in my two cents... In the early 1990’s I wanted to roll out an encrypted e-mail solution for the MIT Community (I was the Network Manager and responsible for the mail system). We already had our Kerberos Authentication system (of which I am one of the authors, so I have a special fondness for it). It would do a fine job of helping people exchange session keys for mail and everyone at MIT has a Kerberos ID (and therefore would permit communication between everyone in the community). However, as Network Manager, I was also the person who would see legal requests for access to email and other related data. Whomever ran the Kerberos KDC would be in a position to retrieve any necessary keys to decrypt any encrypted message. Which meant that whomever ran the KDC could be compelled to turn over the necessary keys. In fact my fear was that a clueless law enforcement organization would just take the whole KDC with a search warrant, thus compromising everyone’s security. Today they may well also use a search warrant to take the whole KDC, but not because they are clueless... The desire to offer privacy protection that I, as the administrator, could not defeat is what motivated me to look into public key systems and eventually participate in the Internet’s Privacy Enhanced Mail (PEM) efforts. By using public key algorithms, correspondents are protected from the prying eyes of even the folks who run the system. I don’t believe you can do this without using some form of public key system. -Jeff – ___ Jeffrey I. Schiller Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room E17-110A, 32-392 Cambridge, MA 02139-4307 617.910.0259 - Voice j...@mit.edu http://jis.qyv.name ___ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSLhgY8CBzV/QUlSsRAoQ8AKDBC/y/qph+HpE11a+5d7p6a6DqyQCgiN/f 3Dcsr8wLR1H+J9gzz31n4ys= =84A0 -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, Sep 06, 2013 at 05:22:26PM -0700, John Gilmore wrote: Speaking as someone who followed the IPSEC IETF standards committee pretty closely, while leading a group that tried to implement it and make so usable that it would be used by default throughout the Internet, I noticed some things: ... Speaking as one of the Security Area Directors at the time... I have to disagree with your implication that the NSA intentionally fouled the IPSEC working group. There were a lot of people working to foul it up! I also don’t believe that the folks who participated, including the folks from the NSA, were working to weaken the standard. I suspect that the effort to interfere in standards started later then the IPSEC work. If the NSA was attempting to thwart IETF security standards, I would have expected to also see bad things in the TLS working group and the PGP working group. There is no sign of their interference there. The real (or at least the first) problem with the IPSEC working group was that we had a good and simple solution, Photuris. However the document editor on the standard decided to claim it (Photuris) as his intellectual property and that others couldn’t recommend changes without his approval. This effectively made Photuris toxic in the working group and we had to move on to other solutions. This is one of the events that lead to the IETF’s “Note Well” document and clear policy on the IP associated with contributions. Then there was the ISAKMP (yes, an NSA proposal) vs. SKIP. As Security AD, I eventually had to choose between those two standards because the working group could not generate consensus. I believed strongly enough that we needed an IPSEC solution so I decided to choose (as I promised the working group I would do if they failed to!). I chose ISAKMP. I posted a message with my rationale to the IPSEC mailing list, I’m sure it is still in the archives. I believe that was in 1996 (I still have a copy somewhere in my personal archives). At no point was I contacted by the NSA or any agent of any government in an attempt to influence my decision. Folks can choose to believe this statement, or not. IPSEC in general did not have significant traction on the Internet in general. It eventually gained traction in an important niche, namely VPNs, but that evolved later. IPSEC isn’t useful unless all of the end-points that need to communicate implement it. Implementations need to be in the OS (for all practical purposes). OS vendors at the time were not particularly interested in encryption of network traffic. The folks who were interested were the browser folks. They were very interested in enabling e-commerce, and that required encryption. However they wanted the encryption layer someplace where they could be sure it existed. An encryption solution was not useful to them if it couldn’t be relied upon to be there. If the OS the user had didn’t have an IPSEC layer, they were sunk. So they needed their own layer. Thus the Netscape guys did SSL, and Microsoft did PCT and in the IETF we were able to get them to work together to create TLS. This was a *big deal*. We shortly had one deployed interoperable encryption standard usable on the web. If I was the NSA and I wanted to foul up encryption on the Internet, the TLS group is where the action was. Yet from where I sit, I didn’t see any such interference. If we believe the Edward Snowden documents, the NSA at some point started to interfere with international standards relating to encryption. But I don’t believe they were in this business in the 1990’s at the IETF. -Jeff -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSLSMV8CBzV/QUlSsRAigkAKCU6erw1U7FOt7A1QdItlGbFRfo+gCfeMg1 0Woyz0FyKqKYqS+gZFQWEf0= =yWOw -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Why prefer symmetric crypto over public key crypto?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Sep 07, 2013 at 10:57:07AM +0300, ianG wrote: It's a big picture thing. At the end of the day, symmetric crypto is something that good software engineers can master, and relatively well, in a black box sense. Public key crypto not so easily, that requires real learning. I for one am terrified of it. Don’t be. There is no magic there. From what I can tell, there are two different issues with public key. 1. Weaknesses in the math. 2. Fragility in use. The NSA (or other national actors) may well have found a mathematical weakness in any of the public key ciphers (frankly they may have found a weakness in symmetric ciphers as well). Frankly, we just don’t know here. Do we trust RSA more then Diffie-Hellman or any of the Elliptic Curve techniques? Who knows. We can make our keys bigger and hope for the best. As for fragility. Generating random numbers is *hard*, particularly on a day to day basis. When you generate a keypair with GPG/PGP it prompts you to type in random keystrokes and move the mouse etc., all in an attempt to gather as much entropy as possible. This is a pain, but it makes sense for one-lived keys. People would not put up with this if you had to do this for each session key. Fragile public key systems (such as Elgamal and all of the variants of DSA) require randomness at signature time. The consequence for failure is catastrophic. Most systems need session keys, but the consequence for failure in session key generation is the compromise of the message. The consequence for failure in signature generation in a fragile public key system is compromise of the long term key! I wrote about this in NDSS 1991 I cannot find an on-line reference to it though. Then if you are a software developer, you have the harder problem of not being able to control the environment your software will run on, particularly as it applies to the availability of entropy. So my advice. Use RSA, choose a key as long as your paranoia. Like all systems, you will need entropy to generate keys, but you won’t need entropy to use it for encryption or for signatures. - -Jeff ___ Jeffrey I. Schiller Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room E17-110A, 32-392 Cambridge, MA 02139-4307 617.910.0259 - Voice j...@mit.edu http://jis.qyv.name ___ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSKzKi8CBzV/QUlSsRAhoSAJ98g7NreJwIK+aYODM1zDsVsreMCQCcD2R9 vnvmNc4Uo45+ckUFQafuE4U= =x9bK -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Protecting Private Keys
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 While we worry about symmetric vs. public key ciphers, we should not forget the risk of compromise of our long-term keys. How are they protected? One of the most obvious ways to compromise a cryptographic system is to get the keys. This is a particular risk in TLS/SSL when PFS is not used. Consider a large scale site (read: Google, Facebook, etc.) that uses SSL. The private keys of the relevant certificates needs to be literally on hundreds if not thousands of systems. Chances are they are not encrypted on those systems so those systems can auto-restart without human intervention. Those systems also break periodically. What happens to the broken pieces, say a broken hard drive? If one of these private keys is compromised, all pre-recorded traffic can now be decrypted, as long as PFS was not used (and as we know, it is rarely used). Encrypted email is also at great risk because we have no PFS in any of these systems. Our private keys tend to last a long time (just look at the age of my private key!). If I was the NSA, I would be scavenging broken hardware from “interesting” venues and purchasing computers for sale in interesting locations. I would be particularly interested in stolen computers, as they have likely not been wiped. The bottom line here is that the NSA has upped the game (and probably did so quite a while ago, but we are just learning about it now). This means that commercial organizations that truly want to protect their customers from the NSA, and other national actors whom I am sure are just as skilled and probably more brazen, need to up their game, by a lot! - -Jeff P.S. I am very careful about which devices my private key touches and what happens to it when I am through with it. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSKzZE8CBzV/QUlSsRAqTsAJ4xJymTj04zCGF7v9OaZ4vJC3WoMgCfU1Qd 960tkxkWdrzz4ymCksyaKog= =0JHf -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Opening Discussion: Speculation on BULLRUN
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sat, Sep 07, 2013 at 09:14:47PM +, Gregory Perry wrote: And this is exactly why there is no real security on the Internet. Because the IETF and standards committees and working groups are all in reality political fiefdoms and technological monopolies aimed at lining the pockets of a select few companies deemed worthy of authenticating user documentation for purposes of establishing online credibility. ... Encrypting IPv6 was initially a mandatory part of the spec, but then it somehow became discretionary. The nuts and bolts of strong crypto have been around for decades, but the IETF and related standards powers to be are more interested in creating a global police state than guaranteeing some semblance of confidential and privacy for Internet users. I’m sorry, but I cannot let this go unchallenged. I was there, I saw it. For those who don’t know, I was the IESG Security Area Director from 1994 - 2003. (by myself until 1998 after which we had two co-AD’s in the Security Area). During this timeframe we formed the TLS working group, the PGP working group and IPv6 became a Draft Standard. Scott Bradner and I decided that security should be mandatory in IPv6, in the hope that we could drive more adoption. The IETF was (and probably still is) a bunch of hard working individuals who strive to create useful technology for the Internet. In particular IETF contributors are in theory individual contributors and not representatives of their employers. Of course this is the theory and practice is a bit “noisier” but the bulk of participant I worked with were honest hard working individuals. Security fails on the Internet for three important reasons, that have nothing to do with the IETF or the technology per-se (except for point 3). 1. There is little market for “the good stuff”. When people see that they have to provide a password to login, they figure they are safe... In general the consuming public cannot tell the difference between “good stuff” and snake oil. So when presented with a $100 “good” solution or a $10 bunch of snake oil, guess what gets bought. 2. Security is *hard*, it is a negative deliverable. You do not know when you have it, you only know when you have lost it (via compromise). It is therefore hard to show return on investment with security. It is hard to assign a value to something not happening. 2a. Most people don’t really care until they have been personally bitten. A lot of people only purchase a burglar alarm after they have been burglarized. Although people are more security aware today, that is a relatively recent development. 3. As engineers we have totally and completely failed to deliver products that people can use. I point out e-mail encryption as a key example. With today’s solutions you need to understand PK and PKI at some level in order to use it. That is likely requiring a driver to understand the internal combustion engine before they can drive their car. The real world doesn’t work that way. No government conspiracy required. We have seen the enemy and it is... -Jeff ___ Jeffrey I. Schiller Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room E17-110A, 32-392 Cambridge, MA 02139-4307 617.910.0259 - Voice j...@mit.edu http://jis.qyv.name ___ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSK7xM8CBzV/QUlSsRApyUAKCB6GpP/hUHxtOQNGjSB5FDZS8hFACfVec6 pPw4Xvukq3OqPEkmVZKl0c8= =9/UP -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Google's Public Key Size (was Re: NSA and cryptanalysis)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Mon, Sep 02, 2013 at 03:09:31PM -0400, Jerry Leichter wrote: Google recently switched to 2048 bit keys; hardly any other sites have done so, and some older software even has trouble talking to Google as a result. Btw. As a random side-note. Google switched to 2048 bit RSA keys on their search engine. However my connection to mail.google.com is using a NIST p256r1 ECC key in its certificate. - -Jeff -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFSJQt78CBzV/QUlSsRAtO0AKDkltH4HUVw5Pa2lwCLhHLAGrIJHACgxzZh 1EInnyyRoKX4xZ1rQ0M9c2g= =uOUn -END PGP SIGNATURE- ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: HSM outage causes root CA key loss
- Peter Gutmann pgut...@cs.auckland.ac.nz wrote: I haven't been able to find an English version of this, but the following news item from Germany: ... It is exactly for this reason that when we generated the root key for the U.S. Higher Education PKI we did it outside of an HSM and then loaded it into two HSMs. The raw key was then manually secret shared accross five CD's (three being the quorum) which were distributed to five individuals for safe keeping. Because CD's have 700 Mb of storage and the share secret is tiny, literally thousands of copies of it were written on each CD along with the source code of the secret sharing software (written in Python). In theory every few years we are supposed to take out the CD's and verify that they can be read. It's probably time to do that now :-) Because of prior experience with a SafeKeyper(tm) (a very large HSM), I learned that when the only copy of your key is in an HSM, the HSM vendor really owns you key, or at least they own you! -- Jeffrey I. Schiller MIT Network Manager Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice j...@mit.edu - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Disk Encryption (was: Re: PGP master keys)
I use the following approach to encrypting my disks. I use an encrypted loopback device. The version of losetup I use permits me to store the disk key in a PGP encrypted file and decrypt it (with gpg) when needed. I made many backups of the both my personal keyring and the file with the encrypted loop key. So the only secret I have to remember is the passphrase on my normal PGP key, which I am not liekly to forget. Of course there is a trade-off here. If my PGP key is compromised, my disk encryption is at risk (if the encrypted disk key file is compromised as well). -Jeff P.S. If you run a reasonably modern Linux system, and have more then one system, you can use drbd to implement software mirroring between the two systems. Clever use of openvpn and encrypted loopback devices can do this securely as well. -- = Jeffrey I. Schiller MIT Network Manager Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room W92-190 Cambridge, MA 02139-4307 617.253.0161 - Voice [EMAIL PROTECTED] smime.p7s Description: S/MIME cryptographic signature