[cryptography] the spell is broken

ianG iang at iang.org
Thu Oct 3 03:49:42 EDT 2013


On 3/10/13 01:23 AM, Jon Callas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Oct 2, 2013, at 12:26 PM, coderman <coderman at gmail.com> wrote:
>
>> On Wed, Oct 2, 2013 at 10:38 AM, Jared Hunter <feralchimp at gmail.com> wrote:
>>> Aside from the curve change (and even there), this strikes me as a marketing message rather than an important technical choice. The message is "we react to a deeper class of threat than our users understand."
>>
>>
>> it is simpler than that.  to signal integrity, and provide assurance,
>> it is common not just to avoid impropriety, but to avoid the
>> _appearance_ of impropriety.
>>
>> this change, while not materially affecting security (the weakest link
>> in SilentCircle was never the crypto) succeeds in conveying the
>> message of integrity as paramount.
>>
>> so yes, a marketing message, but a simple one. i have no problem with
>> this as long as they're not implying that AES or SHA-2 are broken in
>> some respect.
>
> Thank you very much for that assessment.
>
> I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I believe the root cause is more that it's old than it was backdoored.
>
> But it doesn't matter what I think. This is a trust issue.
>
> A friend of mine offered this analogy -- what if it was leaked that the government replaced all of a vaccine with salt water because some nasty jihadis get vaccinated. This is serious and pretty horrifying.
>
> If you're a responsible doctor, and source your vaccines from the same place, even if you test them yourself you're stuck proving a negative and in a place where stating the negative can look like you're part of the conspiracy.


Right, good analogy.  "Proving the negative" is the trap that google, 
Apple, Facebook, etc are in.


> I see this as a way out of the madness. Yes, it's "marketing" if by marketing you mean non-technical. By pushing this out, we're letting people who believe there's a problem have a reasonable alternative.


I would say it is risk management.  As you say, we no longer have 
confidence in "proving the negative" because we are faced with a 
confirmed positive.

Over on the other list, I thought about it more, and came to these 
conclusions:

    1. the interference happened.
    2. a key component was the perversion of a cryptography supplier.
    3. NSA can influence suppliers that export and those that are
       large government contractors.
    4. Therefore we can no longer have the confidence ("prove the
       negative") in US exporters of crypto.
    5. Avoid all USA crypto.

This is far worse than BSAFE or NIST -- failure of confidence impacts 
Java's JCA and Microsoft's CAPI.  Questions have even been raised about 
Linux's RNG.

Which means most everyone in the application world is in trouble deep.


> If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is just fine, we can walk the decision back. It's just a software change.


I have faith in AES.  I played a small part in the project, it went 
well.  We didn't need to change our Rijndael code at all, just rename it 
to AES.

I have faith in SHA1, SHA2, and SHA3.  They play relatively non-delicate 
parts in properly designed protocols, and their margin of safety is 
proven in the MD5/SHA1 history.

PK algorithms are a different story...  I certainly agree that choosing 
NIST EC curves raises questions about your entire process.  Not for the 
American market, but the world market.


> Let me also add that I wouldn't fault anyone for deciding differently. We, the crypto community, need to work together with security and respecting each other's decisions even if we make different decisions and do different things. I respect the alternate decision, to stay the course.


Dark clouds ahead.  It's back to 1990s.  I don't think they really had a 
grip on how much damage they could do.  I wonder if NIST has a grip on 
how to recover this situation?



iang


More information about the cryptography mailing list