Re: [cryptography] [Ach] Better Crypto
On 7/01/14 04:34 AM, Peter Gutmann wrote: give users a choice: a generic safe config (disable null, export ciphers, short keys, known-weak, etc), a maximum-interoperability config (3DES and others), and a super- paranoid config (AES-GCM-256, Curve25519, etc), with warnings that that's going to break lots of things. That's a good idea. I wonder if it could be done efficiently? Hmmm... iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] NSA co-chair claimed sabotage on CFRG list/group (was Re: ECC patent FUD revisited
I think, like James, I see the sacrificial lamb approach. There is benefit in watching what they are up to. If a measurable push comes out of the IAB's CFRG, then this is a clear signal to avoid that like the plague. Pushing ECC patents. Pushing NIST curves. Clear signals! Without those signals, where would we get our information? I've always thought that IPSec, DNSSec, and similar were highly suspect because the IETF was there at the start, precisely. Unlike say SSH which was cut from whole cloth, in original form, or Skype which had to be sold to the borg, before it could be assimilated. In the wartime OSS Simple Field Sabotage Manual, it suggests things like: (4) Bring up irrelevant issues as frequently as possible. (6) Refer back to matters decided upon at the last meeting and attempt to reopen the question of the advisability of that decision. ... (2) Misunderstand orders. Ask endless questions or engage in long correspondence about such orders. Quibble over them when you can. (7) Insist on perfect work in relatively unimportant products; send back for refinishing those which have the least flaw. Approve other defective parts whose flaws are not visible to the naked eye. (10) To lower morale and with it, production, be pleasant to inefficient workers; give them undeserved promotions. Discriminate against efficient workers; complain unjustly about their work. Written from those times. It would be fascinating to read a current version, one that had been written with the IETF and national standards orgs in mind. Maybe someone could reverse-engineer these emails to figure it out? iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Ach] Better Crypto
On Jan 7, 2014, at 2:34 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: L. Aaron Kaplan kap...@cert.at writes: As a general observation, it also promotes the thinking that all we need to do is choose magic algorithm A instead of magic algorithm B and everything is fixed. No, if we created that impression then we failed. The problem is that as you read through the text you see, again and again, a large amount of material telling you how to configure algorithms for OpenSSL (and then to a lesser extent OpenSSH and others). It seems to be the overriding theme throughout the document. A better option would be to refer to a single location for this (in an appendix) and then give users a choice: a generic safe config (disable null, export ciphers, short keys, known-weak, etc), a maximum-interoperability config (3DES and others), and a super- paranoid config (AES-GCM-256, Curve25519, etc), with warnings that that's going to break lots of things. I like that idea That's what we state in the abstract as well as in the disclaimer. That assumes that people will read all of that, as well as the theory chapter that follows. Since the document is laid out as a cookbook, I have the feeling that most people who just want to get a server up and running will flip through until they find the bit corresponding to the software they'll be running and then cutpaste the config lines they find there. Or at least that's been my experience in maintaining an open-source crypto library for nearly two decades, the documentation isn't an instruction manual in the usual sense but a set of code templates ready to cutpaste into a finished app. Look at the popularity of HOWTOs for any number of how-to-set-up-XYZ issues, most people just want a cookbook and won't read long, detailed discussions. Or for that matter any discussion that goes beyond do this to get it running. I agree... that's how most people will read it probably. Unfortunately. As Aaron Zauner already mentioned, we thought about this a lot and ended up with 1. writing a How to read this guide section in the beginning including a flowchart 2. moving the theory section to the end (so that people can quickly find the copy paste section) and 3. always try to pull in the readers interest to follow up in the theory section. None if this is perfect yet of course. One of the very productive feedback results was that we should make a HTML version. So, Peter, how about this approach? 1. We will have three config options: cipher String A,B,C ( generic safe config, maximum interoperability (== this also makes the mozilla people happy then) and finally a super-hardened setting (with reduced compatibility)). Admins will get a choice and explanations on when to use which option. 2. (time-wise) first we focus on some of the weak spots in the guide like the ssh config (client config is missing...), the theory section etc. 3. we give people a config generator tool on the webpage which gives them snippets which they can include into their webservers, mailservers etc. The tool also shows admins (color codes?) which settings are compatible, unsafe etc. 4. In addition to having the config generator on the web page, the config snippets are moved to the appendix (as you suggested). The theory section moves up. Would that be more in your line of thinking? Anyway, we will have a authors' meeting today at ~ 19:00 CET and can discuss this. Anyone who wants to join via teleconference: please get in contact with me. We will arrange for remote participation. Aaron. Peter. --- // L. Aaron Kaplan kap...@cert.at - T: +43 1 5056416 78 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg signature.asc Description: Message signed with OpenPGP using GPGMail ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Ach] Better Crypto
On Jan 7, 2014, at 11:24 AM, stef s...@ctrlc.hu wrote: On Tue, Jan 07, 2014 at 11:18:45AM +0100, L. Aaron Kaplan wrote: 1. We will have three config options: cipher String A,B,C ( generic safe config, maximum interoperability (== this also makes the mozilla people happy then) and finally a super-hardened setting (with reduced compatibility)). lacking the context on this also makes the mozilla people happy then There were some discussions on the bettercrypto list regarding also supporting Windows XP (which means RC4 or 3DES). And there was a very good argument that a *lot* of people still use XP and for many sites it is not an option to exclude them. On the other hand, WinXP is end of life. It's a hard choice So, I guess that was a really good reason and personally I don't see any reason so far to assume: if that refers to firefox lack of tlsv1.2 support, it's in there starting from +24, but the mozilla people are still doing everything to maintain my suspicion of being complicit with the nsa, so it's not advertised and disabled by default. you can enable this in about:config where you set security.tls.version.max to 3 --- // L. Aaron Kaplan kap...@cert.at - T: +43 1 5056416 78 // CERT Austria - http://www.cert.at/ // Eine Initiative der nic.at GmbH - http://www.nic.at/ // Firmenbuchnummer 172568b, LG Salzburg signature.asc Description: Message signed with OpenPGP using GPGMail ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] another Certicom patent
Dan Brown writes, on the semi-moderated c...@irtf.org list: I agree with your multiple PK algs suggestion, for parties who can afford it. What about sym key algs? Maybe too costly for now? By the way, this kind of idea goes back at least as far as 1999 from Johnson and Vanstone under the name of resilient cryptographic schemes. What Dan Brown carefully avoids mentioning here is that his employer holds patents US7797539, US8233617, USRE44670 (issued just last month), and CA2259738 on Resilient cryptographic schemes. Presumably this is also why he's so enthusiastic about the idea. Of course, the idea of using multiple cryptographic algorithms together has a long history before the 1999.01.20 priority date of the patent (see, e.g., http://link.springer.com/article/10.1007%2FBF02620231). The idea also has very little use, for several obvious reasons: * We have enough problems even getting _one_ algorithm deployed. * For applications with larger cost limits, we obtain much more security by pumping up the key size, rounds, etc. of a single algorithm rather than by combining algorithms. However, no matter how minor the idea is, it's interesting to see how Dan Brown pushes the idea on a standardization-related mailing list without mentioning his employer's related patents. There's a common myth that security is the primary design goal for cryptographic standards. In reality, security might be somewhere on the list of goals, but it certainly isn't at the top---it's constantly being compromised for the sake of other goals that have more obvious value for the participants in the standardization process. ---Dan ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Ach] Better Crypto
On 7/01/14 13:18 PM, L. Aaron Kaplan wrote: None if this is perfect yet of course. One of the very productive feedback results was that we should make a HTML version. A wiki... I would say. 1. We will have three config options: cipher String A,B,C ( generic safe config, maximum interoperability (== this also makes the mozilla people happy then) and finally a super-hardened setting (with reduced compatibility)). Admins will get a choice and explanations on when to use which option. You could call them: Suite A: maximum security, super hard Suite B: general safe Suite C: maximum compatibility ;) or if you're worried about being sued for trademark violation, how abouts: Sweet A, Bravo B, Crazy C! It would be nice if, typographically, we could see them on the page in some easy fashion. Like, A at left, B in middle, C at right, in consistent columns. Or in colours. That way, a sysadm could implement things in C easily, then move from right to left and try things out. Of course, this is only icing on the cake. If it can do B above, general safe, then that is really a step forward for the world. 2. (time-wise) first we focus on some of the weak spots in the guide like the ssh config (client config is missing...), the theory section etc. 3. we give people a config generator tool on the webpage which gives them snippets which they can include into their webservers, mailservers etc. The tool also shows admins (color codes?) which settings are compatible, unsafe etc. 4. In addition to having the config generator on the web page, the config snippets are moved to the appendix (as you suggested). The theory section moves up. I think the config cutpaste sections are what is important. As Peter mentioned. I'd flip that around: Config sections are the bulk. References to theory found in the Appendix, frequent tips that you'll enjoy some theory too. It's an advice guide, not a schoolbook. Would that be more in your line of thinking? Anyway, we will have a authors' meeting today at ~ 19:00 CET and can discuss this. Anyone who wants to join via teleconference: please get in contact with me. We will arrange for remote participation. good luck. I'm missing out on all the fun. Again! iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Ach] Better Crypto
On Tue, Jan 07, 2014 at 11:39:42AM +0100, L. Aaron Kaplan wrote: On Jan 7, 2014, at 11:24 AM, stef s...@ctrlc.hu wrote: On Tue, Jan 07, 2014 at 11:18:45AM +0100, L. Aaron Kaplan wrote: 1. We will have three config options: cipher String A,B,C ( generic safe config, maximum interoperability (== this also makes the mozilla people happy then) and finally a super-hardened setting (with reduced compatibility)). lacking the context on this also makes the mozilla people happy then There were some discussions on the bettercrypto list regarding also supporting Windows XP (which means RC4 or 3DES). interesting sudden context switch from mozillans to microsoft-victims. a distraction? And there was a very good argument that a *lot* of people still use XP and for many sites it is not an option to exclude them. On the other hand, WinXP is end of life. It's a hard choice for you it's an easy choice. your products only feature is to provide security, if you forfeit that feature for interoperability, then you have not achieved anything. i'd start looking into who actually proposed that, and what are his intelligence agency or corporate ties. this all sounds to me like the banking crisis, too-big-to-fail, so let's do some security theater, but otherwise leave all the downgrade attack paths open. So, I guess that was a really good reason and personally I don't see any reason so far to assume: you have not produced any argument - only a distraction - against that assumption. -- pgp: https://www.ctrlc.hu/~stef/stef.gpg pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF otr fp: https://www.ctrlc.hu/~stef/otr.txt ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Ach] Better Crypto
Hi, * Axel Hübl wrote: I could not agree more. Crazy C get's totally against the scope of this document: providing _relyable_ crypto. If someone reads that document and goes for see, they still list it as compatible, provide it! the document lost it's main point. I agree too. Sorry. But that's really not our issue to tackle. If we want to provide a guide for _better_crypto_ we'll need to drop some stuff that eventually breaks compatibility. I'm totally for discussing ECDHE on top of DHE (although curve options as currently implemented in libraries just suck) and SRP (which is a very good scheme in my opinion) - but discussing EOL ciphers like 3DES is somewhat out of scope. After all we want to prompt change in peoples mindset about legacy installations, their security and what should be regarded as safe for customers and users. Nobody has to follow this guide to the letter. Aaron On Tue, Jan 7, 2014 at 1:38 PM, Axel Hübl axel.hu...@web.de wrote: I could not agree more. Crazy C get's totally against the scope of this document: providing _relyable_ crypto. If someone reads that document and goes for see, they still list it as compatible, provide it! the document lost it's main point. Cheers, Axel On 07.01.2014 13:08, Pepi Zawodsky wrote: On 07.01.2014, at 11:55, ianG i...@iang.org wrote: Suite C: maximum compatibility This is what every other guide on the internet already does. We'll _never_ get to improve the current state if we keep supporting fubared stuff. If we want the broadest compatibility let's switch back to plaintext. Works fine with my NCSA Mosaic. :-) In my opinion Sweet A is where we should be. Yes, this is a forward-looking setting. It sill shall point the direction everyone should be headed for. Bravo B is still considered secure as to our best of knowledge today™ which still supports a wide array of deployed software without unsafe compromises on the security aspect. I oppose the introduction of a Crazy C cipher that supports every client as this scenario would contradict the goal of the project as I see it. bettercompatibility.org is still available. :-) Best regards Pepi ___ Ach mailing list a...@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/ach ___ Ach mailing list a...@lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/ach ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] NSA, FBI creep rule of law, democracy itself (Re: To Protect and Infect Slides)
This is indeed an interesting and scary question: On Sun, Jan 05, 2014 at 08:31:42PM +0300, ianG wrote: What is a game changer is the relationship between the NSA and the other USA civilian agencies. The breach of the civil/military line is the one thing that has sent the fear level rocketing sky high, as there is a widespread suspicion that the civil agencies cannot be trusted to keep their fingers out of the pie. AKA systemic corruption. If allied to national sigint capabilities, we're in a world of pain. Question: Is there anything that can put some meatmetrics on how developed and advanced this relationship is, how far the poison has spread? How afraid should people in America be? maybe the most interesting and portenteous shift in power towards Orwellianism and totalitarianism in a century, as it affects the effectiveness of rule of law, and already weak separation of politics from law enforcement and justice system in the (current though slipping) super-power with unfortunate aspirations of extra-territorialism and international bullying. We're still a few decades from the cross over of financial dominance to Asia and BRICs, and most of those places are probably worse than the US by aspiration if thats possible, though less internet spying budget and capability. Unless something shapes up towards democracy in the super-power competitors we're in for a dismal century seemingly. That the NSA, and now seemingly FBI, see this I think maybe this FBI mission creep suggests the national security / law enforcement separation is slipping badly: http://news.slashdot.org/story/14/01/07/0015255/fbi-edits-mission-statement-removes-law-enforcement-as-primary-purpose | Following the 9/11 attacks, the FBI picked up scores of new | responsibilities related to terrorism and counterintelligence while | maintaining a finite amount of resources. What's not in question is that | government agencies tend to benefit in numerous ways when considered | critical to national security as opposed to law enforcement. 'If you tie | yourself to national security, you get funding and you get exemptions on | disclosure cases,' said McClanahan. 'You get all the wonderful arguments | about how if you don't get your way, buildings will blow up and the | country will be less safe.' so if even the FBI are getting their nose into the tent of unfetter access to historical data on everyone, plus informal channels and tip-offs on dirt on politically unpopular pepople - eg say effective security researchers like Applebaum, or effective journalists like Greenwald. (No foreigners dont feel very comforted, and the explict acknowledgment of tip-offs, and inforation channels to US domestic and international law enforcement, basically puts the entire planet at risk of politicaly motivated interference.) With retroactive search of your entire lifes electronic foot print including every encrypted IM, skype voip channel, contacts, emails, attorney client privileged and not, with no warrant or evidence presented to a judge for subpoena, the Orwell 2.0 system can probably fabricate or concoct trouble for 99% of the adult population of the planet. George Orwell 30 years late. We're pretty close to fucked as a civilization unless something pretty radical shifts in the political thinking and authorizations. And realistically it not even clear the NSA can politically be controlled anymore by the political system. Its very hard to influence something with that much skull-duggery built into its DNA, that many 10s of billions in outsourced defense contractor lobbying power, that much inertia and will to survive as an org, with military PSYOPs to turn on its own populace and political system, and black bag covert ops ties to dirty tricks in CIA, and judicial and law virtual immunity. They probably realistically went full speed ahead since the 11 Sep 2001, if not earlier on such things, and the scrapping. TIA wiki http://en.wikipedia.org/wiki/Total_Information_Awareness | Although the program was formally suspended [as of late 2003], its data | mining software was later adopted by other government agencies, with only | superficial changes being made. Probably even before since we nominally won the export regulation debacle and democractic countries were forced to admit it was inconsistent with their self-perception as open democratic countries, to be controlling and banning encryption software. The 21st century equivalent of book burning. Can we rectify this with the cypherpunks write code? Maybe as Schneier said in a discussion on this topic with Eben Moglen (at Moglen's respective university) maybe we can make it more expensive by deploying more crypto that is end to end secure, secure by default. ie more TOFU, more cert pinning, more certificate transparency distributed cert validation. Even the cert valiation maybe behind the game, perhaps NSA really do already have a lot of actual SSL private keys via hardware,
Re: [cryptography] NSA, FBI creep rule of law, democracy itself (Re: To Protect and Infect Slides)
(Sorry to top post - I want to cherry pick one point). What is a game changer is the relationship between the NSA and the other USA civilian agencies. The breach of the civil/military line is the one thing that has sent the fear level rocketing sky high, Information sharing among agencies such as the FBI and CIA was written into the original NSA charter back in the 1950s. In fact, some would argue the failure to abide by the charter with respect to information sharing contributed to 9/11. From the charter (http://w2.eff.org/Privacy/Key_escrow/Clipper/nsa.charter): b. The Board shall be composed of the following members: (1) The Director of Central Intelligence, who shall be the Chairman of the Board. (2) A representative of the Secretary of State. (3) A representative of the Secretary of Defense (4) A representative of the Director of the Federal Bureau of Investigation. (5) The Director of the National Security Agency. (6) A representative of the Department of the Army. (7) A representative of the Department of the Navy. (8) A representative of the Department of the Air Force. (9) A representative of the Central Intelligence Agency. Jeff On Tue, Jan 7, 2014 at 10:24 AM, Adam Back a...@cypherspace.org wrote: This is indeed an interesting and scary question: On Sun, Jan 05, 2014 at 08:31:42PM +0300, ianG wrote: What is a game changer is the relationship between the NSA and the other USA civilian agencies. The breach of the civil/military line is the one thing that has sent the fear level rocketing sky high, as there is a widespread suspicion that the civil agencies cannot be trusted to keep their fingers out of the pie. AKA systemic corruption. If allied to national sigint capabilities, we're in a world of pain. Question: Is there anything that can put some meatmetrics on how developed and advanced this relationship is, how far the poison has spread? How afraid should people in America be? maybe the most interesting and portenteous shift in power towards Orwellianism and totalitarianism in a century, as it affects the effectiveness of rule of law, and already weak separation of politics from law enforcement and justice system in the (current though slipping) super-power with unfortunate aspirations of extra-territorialism and international bullying. We're still a few decades from the cross over of financial dominance to Asia and BRICs, and most of those places are probably worse than the US by aspiration if thats possible, though less internet spying budget and capability. Unless something shapes up towards democracy in the super-power competitors we're in for a dismal century seemingly. That the NSA, and now seemingly FBI, see this I think maybe this FBI mission creep suggests the national security / law enforcement separation is slipping badly: http://news.slashdot.org/story/14/01/07/0015255/fbi-edits-mission-statement-removes-law-enforcement-as-primary-purpose | Following the 9/11 attacks, the FBI picked up scores of new | responsibilities related to terrorism and counterintelligence while | maintaining a finite amount of resources. What's not in question is that | government agencies tend to benefit in numerous ways when considered | critical to national security as opposed to law enforcement. 'If you tie | yourself to national security, you get funding and you get exemptions on | disclosure cases,' said McClanahan. 'You get all the wonderful arguments | about how if you don't get your way, buildings will blow up and the | country will be less safe.' so if even the FBI are getting their nose into the tent of unfetter access to historical data on everyone, plus informal channels and tip-offs on dirt on politically unpopular pepople - eg say effective security researchers like Applebaum, or effective journalists like Greenwald. (No foreigners dont feel very comforted, and the explict acknowledgment of tip-offs, and inforation channels to US domestic and international law enforcement, basically puts the entire planet at risk of politicaly motivated interference.) With retroactive search of your entire lifes electronic foot print including every encrypted IM, skype voip channel, contacts, emails, attorney client privileged and not, with no warrant or evidence presented to a judge for subpoena, the Orwell 2.0 system can probably fabricate or concoct trouble for 99% of the adult population of the planet. George Orwell 30 years late. We're pretty close to fucked as a civilization unless something pretty radical shifts in the political thinking and authorizations. And realistically it not even clear the NSA can politically be controlled anymore by the political system. Its very hard to influence something with that much skull-duggery built into its DNA, that many 10s of billions in outsourced defense contractor lobbying power, that much inertia and