Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On Tue, Sep 17, 2013 at 8:54 AM, Perry E. Metzger wrote:

> I'd like to note quite strongly that (with certain exceptions like
> RC4) the odds of wholesale failures in ciphers seem rather small
> compared to the odds of systems problems like bad random number
> generators, sabotaged accelerator hardware, stolen keys, etc., and a
> smart attacker goes for the points of weakness.

As a counterpoint to what I was saying earlier, here's a tool that's likely focusing on the wrong problems:

https://keybase.io/triplesec/

--
Tony Arcieri

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On Tue, 17 Sep 2013 10:07:38 -0700 Tony Arcieri wrote:

> The NSA of course participated in active attacks too, but it seems
> their main MO was passive traffic collection.

That's not what I've gotten out of the most recent revelations. It would seem that they've been evading rather than breaking the crypto: putting back doors in protocols, stealing keys, encouraging weak RNGs, adding flaws to hardware, etc. -- as well as doing active attacks using stolen or broken CA keys.

I don't doubt that they archive everything they can forever, of course.

Perry

--
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On Tue, Sep 17, 2013 at 9:28 AM, Perry E. Metzger wrote:

> In any case, I would continue to suggest that the weakest point
> (except for RC4) is (probably) not going to be your symmetric cipher.
> It will be protocol flaws and implementation flaws. No point in
> making the barn out of titanium if you're not going to put a door on
> it.

If your threat is a patient eavesdropper (particularly one that obsessively archives traffic like the NSA) then combining ciphers can give you long term confidentiality even in the event one of your encryption primitives is compromised.

The NSA of course participated in active attacks too, but it seems their main MO was passive traffic collection.

But yes, endpoint security is weak, and an active attacker would probably choose that approach over trying to break particular algorithms.

--
Tony Arcieri
[Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On the "Paranoid Cryptoplumbing" discussion:

I'd like to note quite strongly that (with certain exceptions like RC4) the odds of wholesale failures in ciphers seem rather small compared to the odds of systems problems like bad random number generators, sabotaged accelerator hardware, stolen keys, etc., and a smart attacker goes for the points of weakness.

I'm not going to put my admin hat on and stop the discussion so long as it remains relatively sane and technical, but for most purposes it is probably just reinforcing a steel door in a paper wall.

(Of course, if the endpoints are trusted hardware running a formally verified capability operating system and you still have time on your hands, hey, why not? Of course, when I posted a long message about modern formal verification techniques and how they're now practical, no one bit on the hook.)

All that said, even I feel the temptation for low performance applications to do something like Bill Frantz suggests. It is in the nature of people in our community to like playing with such things. Just don't take them *too* seriously please.

Perry

--
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On Tue, 17 Sep 2013 12:15:48 -0400 Jerry Leichter wrote:

> Actually, I think there is a potentially interesting issue here:
> RC4 is faster and requires significantly fewer resources than
> modern block ciphers. As a result, people would really like to use
> it - and actually they *will* continue to use it even in the face
> of the known attacks (which, *so far*, are hardly fatal except in
> specialized settings).

If you are dealing with huge numbers of connections, you probably have hardware and AES is plenty fast -- modern Intel hardware accelerates it, too. (If you really want a fast stream cipher, why not use ChaCha20 or something else that is probably much better than RC4? I mean, if you're going to propose changing it, as you do, it won't interoperate anyway, so you can substitute something better.)

In any case, I would continue to suggest that the weakest point (except for RC4) is (probably) not going to be your symmetric cipher. It will be protocol flaws and implementation flaws. No point in making the barn out of titanium if you're not going to put a door on it.

Perry

--
Perry E. Metzger pe...@piermont.com
Re: [Cryptography] paranoid cryptoplumbing is a probably not defending the weakest point
On Sep 17, 2013, at 11:54 AM, "Perry E. Metzger" wrote:

> I'd like to note quite strongly that (with certain exceptions like
> RC4) the odds of wholesale failures in ciphers seem rather small
> compared to the odds of systems problems like bad random number
> generators, sabotaged accelerator hardware, stolen keys, etc., and a
> smart attacker goes for the points of weakness.

Actually, I think there is a potentially interesting issue here: RC4 is faster and requires significantly fewer resources than modern block ciphers. As a result, people would really like to use it - and actually they *will* continue to use it even in the face of the known attacks (which, *so far*, are hardly fatal except in specialized settings).

So ... is there some simple way of combining RC4 with *something* that maintains the performance while retaining the speed? How about two separate RC4's (with independent keys) XOR'ed together? That would still be considerably faster than AES.

There appear to be two general classes of known attacks:

1. The initial key setup doesn't produce enough randomness;
2. There are long-term biases in the output bytes.

The first of these can be eliminated by using AES to generate values to scramble the internal state. The second can be hidden by doing post-whitening, XOR'ing in a byte from AES in (say) counter mode. If you use a given byte 64 times, then use the next byte of the output, you pay 1/64 the cost of actually using AES in counter mode, but any bias in the output would have to play out over a 64-byte segment. (Actually, if you use ideas from other stream ciphers, changing the whitening every 64 bytes probably isn't right - you want the attacker to have to guess where the changeovers take place. There are many ways to do that.)

Of course, don't take any of the above and go build code. It's just speculation and likely has serious problems. I toss it out to illustrate the idea. Whether it's actually worthwhile ... I doubt it, but it's worth thinking about.

--
Jerry
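The "long-term biases in the output bytes" that Jerry's second class of attacks refers to can be measured directly. The following is an added example, not code from Jerry's post or from any project mentioned in the thread: a plain RC4 implementation, a measurement of the well-known Mantin-Shamir bias (over random keys the second keystream byte is zero with probability close to 1/128 instead of 1/256), and a stand-in for the post-whitening sketch in which one byte is XORed into every byte of a 64-byte segment. The sample keys are constructed from a seeded PRNG, and the whitening byte is drawn from that same PRNG as a stand-in for the AES-CTR output byte (an assumption made so the experiment runs offline; it is not AES). It shows that the whitening flattens each byte's marginal distribution, but, because the same byte is applied to every position in the segment, the XOR of any two bytes inside one segment is left exactly as RC4 produced it, which is the property behind the post's own caveat about fixed changeover points.

```python
import random

SEGMENT = 64  # post-whitening segment length proposed in the thread


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA), then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def whiten(segment: bytes, r: int) -> bytes:
    """Post-whitening as sketched in the thread: the same byte r is XORed into
    every byte of one segment (the sketch reuses r 64 times before moving on)."""
    assert len(segment) <= SEGMENT
    return bytes(b ^ r for b in segment)


def bias_experiment(num_keys: int = 10000, seed: int = 1) -> dict:
    """Over num_keys constructed random 128-bit keys, measure how often the second
    keystream byte is 0, with and without whitening, and check whether whitening
    changes the XOR of the first two bytes of a segment."""
    rng = random.Random(seed)                  # deterministic: constructed sample keys
    z2_zero = w2_zero = 0
    pair_xor_unchanged = True
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        z = rc4_keystream(key, 2)
        r = rng.getrandbits(8)                 # stand-in for the AES-CTR whitening byte (assumption)
        w = whiten(z, r)
        z2_zero += z[1] == 0
        w2_zero += w[1] == 0
        if (z[0] ^ z[1]) != (w[0] ^ w[1]):     # r cancels: (z0^r)^(z1^r) == z0^z1
            pair_xor_unchanged = False
    return {
        "rc4_z2_zero_rate": z2_zero / num_keys,        # expect about 1/128 = 0.0078
        "whitened_z2_zero_rate": w2_zero / num_keys,   # expect about 1/256 = 0.0039
        "pair_xor_unchanged": pair_xor_unchanged,      # always True by construction
    }


if __name__ == "__main__":
    for name, value in bias_experiment().items():
        print(f"{name}: {value}")
```

Running it prints a second-byte-zero rate near 0.0078 for raw RC4 and near 0.0039 after whitening, with `pair_xor_unchanged` True. The experiment only uses two keystream bytes per key because that is where this particular bias lives; the same loop extended to a full segment would show the marginal flattening at every position and the same cancellation for every pair within the segment.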