[cryptography] the spell is broken

Jon Callas jon at callas.org
Thu Oct 3 17:31:12 EDT 2013

Hash: SHA1

On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:


You might call it "security theatre," but I call it (among other things) "protest." I have also called it "trust," "conscience," and other things including "emotional." I'm willing to call it "marketing" in the sense that marketing often means non-technical. I disagree with "security theatre" because in my opinion security theatre is *empty* or *mere* trust-building, but I don't fault you for being upset. I don't blame you for venting in my direction, either. I will, however, repeat that I believe this is something gentlepersons can disagree on. A decision that's right for me might not be right for you and vice-versa.

Since the AES competition, NIST has been taking a world-wide role in crypto standards leadership. Overall, it's been a good thing, but one could have one's disagreements with a number of things (and I do), but it's been a good *standards* process.

A good standard, however, is not necessarily the *best*, it's merely agreed upon. A standard that is everyone's second choice is better than a standard that is anyone's first choice. I don't think there are any problems with AES, but I think Twofish is a better choice. During the AES competition, the OpenPGP community as a whole, and I and my PGP colleagues put Twofish into OpenPGP *independently* of the then-unselected AES. It was thus our vote for it. When Phil, Alan, and I were putting ZRTP together, we put in Twofish as an option (RFC 6189, section 5.1.3). Thus in my opinion, if you know my long-standing opinions on ciphers, this shouldn't be a surprise. I think Twofish is a better algorithm than Rijndael.

ZRTP also has in it an option for using Skein's one-pass MAC instead of HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot faster, which is important in an isochronous protocol. 

Silent Phone already has Twofish in it, and is already using Skein-MAC.

In Silent Text, we went far more to the "one true ciphersuite" philosophy. I think that Iang's writings on that are brilliant. 

As a cryptographer, I agree, but as an engineer, I want options. I view those options as a form of preparedness. One True Suite works until that suite is no longer true, and then you're left hanging.

To be fair, there are few options in ZRTP -- it's only AES or Twofish and SHA1-HMAC or Skein-MAC, so the selection matrix is small when compared to OpenPGP. We have One True Elliptic Curve -- P-384, and options for AES-CCM in either 128 or 256 bits and paired with SHA-256 or SHA-512 as hash and HMAC as appropriate. There's a third option, AES-256 paired with Skein/Skein-MAC, which I don't think is in the code, merely defined as a cipher suite. I can't remember. So we have to add Twofish there, but it's in Silent Phone now.

Now let me go back to my comment about standards. Standards are not about what's *best*, they're about what's *agreed*, and part of what's agreed on is that they're good enough. When one is part of a standards regime, one sublimates one's personal opinions to the collective good of the standard. That collective good of the standard is also "security theatre" in the sense that one uses it because it's the thing uses to be part of the community.

I think Twofish is better than AES. I believe that Skein is better than SHA-2. I also believe in the value of standards.

The problem one faces with the BULLRUN documents gives a decision tree. The first question is whether you think they're credible. If you don't think BULLRUN is credible, then there's an easy conclusion -- stay the course. If you think it is credible, then the next decision is whether you think that the NIST standards are flawed, either intentionally or unintentionally; in short, was BULLRUN *successful*. If you think they're flawed, it's easy; you move away from them.

The hard decision is the one that comes next -- I can state it dramatically as "Do you stand with the NSA or not?" which is an obnoxious way to put it, as there are few of us who would say, "Yes, I stand with the NSA." You can phrase less dramatically it as standing with NIST, or even less dramatically as standing with "the standard." You can even state it as whether you believe BULLRUN was successful, or lots of other ways.

Moreover, it's not all-or-nothing. Bernstein and Lange have been arguing that the NIST curves are flawed since before Snowden. Lots of people have been advocating moving to curve 25519. I want a 384-or-better curve because my One True Curve has been P-384.

If I'm going to move away from the NIST/NSA curve (which seems wise), what about everything else? Conveniently, I happen to have alternates for AES and SHA-2 in my back pocket, where they've been *alternates* in my crypto going back years. They're even in part of the software, sublimated to the goodness of the standard. The work is merely pulling them to the forefront and tying a bow around it.

And absolutely, this is an emotional response. It's protest. Intellectually, I believe that AES and SHA2 are not compromised. Emotionally, I am angry and I want to distance myself from even the suggestion that I am standing with the NSA. As Coderman and Iang put it, I want to *signal* my fury. I am so pissed off about this stuff that I don't *care* about baby and bathwater, wheat and chaff, or whatever else. I also want to signal reassurance to the people who use my system that yes, I actually give a damn about this issue.

I am fortunate enough to have a completely good cipher and completely good hash function in my back pocket. So I'm going to use them. If it turns out that there's a good explanation, that BULLRUN is wrong, it's just software. 

Your situation is different, as is everyone else's. I admire your cool head, but I have to stand over there. I apologize for angering you, but I'm not sorry.

If I'm wrong, I'll have to eat my words. I would rather eat my words in this direction -- moving away -- than the other direction -- standing pat.


Version: PGP Universal 3.2.0 (Build 1672)
Charset: windows-1252


More information about the cryptography mailing list