[cryptography] the spell is broken

Kelly John Rose iam at kjro.se
Thu Oct 3 17:37:23 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree fully Jon,

I short, I feel that all trust for NIST has to be broken. It doesn't
matter if AES or SHA-2 is broken or not broken. You cannot go into a
security environment with a tool that is known to be compromised
(NIST) and just hope and pray that the pieces you are using aren't the
compromised pieces.

There are alternatives, it doesn't hurt to get them in place.

On 03/10/2013 3:31 PM, Jon Callas wrote:
> 
> On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg <jeffrey at goldmark.org>
> wrote:
> 
> Jeff,
> 
> You might call it "security theatre," but I call it (among other
> things) "protest." I have also called it "trust," "conscience," and
> other things including "emotional." I'm willing to call it
> "marketing" in the sense that marketing often means non-technical.
> I disagree with "security theatre" because in my opinion security
> theatre is *empty* or *mere* trust-building, but I don't fault you
> for being upset. I don't blame you for venting in my direction,
> either. I will, however, repeat that I believe this is something
> gentlepersons can disagree on. A decision that's right for me might
> not be right for you and vice-versa.
> 
> Since the AES competition, NIST has been taking a world-wide role
> in crypto standards leadership. Overall, it's been a good thing,
> but one could have one's disagreements with a number of things (and
> I do), but it's been a good *standards* process.
> 
> A good standard, however, is not necessarily the *best*, it's
> merely agreed upon. A standard that is everyone's second choice is
> better than a standard that is anyone's first choice. I don't think
> there are any problems with AES, but I think Twofish is a better
> choice. During the AES competition, the OpenPGP community as a
> whole, and I and my PGP colleagues put Twofish into OpenPGP
> *independently* of the then-unselected AES. It was thus our vote
> for it. When Phil, Alan, and I were putting ZRTP together, we put
> in Twofish as an option (RFC 6189, section 5.1.3). Thus in my
> opinion, if you know my long-standing opinions on ciphers, this
> shouldn't be a surprise. I think Twofish is a better algorithm than
> Rijndael.
> 
> ZRTP also has in it an option for using Skein's one-pass MAC
> instead of HMAC-SHA1. Why? Because we think it's more secure in
> addition to being a lot faster, which is important in an
> isochronous protocol.
> 
> Silent Phone already has Twofish in it, and is already using
> Skein-MAC.
> 
> In Silent Text, we went far more to the "one true ciphersuite"
> philosophy. I think that Iang's writings on that are brilliant.
> 
> As a cryptographer, I agree, but as an engineer, I want options. I
> view those options as a form of preparedness. One True Suite works
> until that suite is no longer true, and then you're left hanging.
> 
> To be fair, there are few options in ZRTP -- it's only AES or
> Twofish and SHA1-HMAC or Skein-MAC, so the selection matrix is
> small when compared to OpenPGP. We have One True Elliptic Curve --
> P-384, and options for AES-CCM in either 128 or 256 bits and paired
> with SHA-256 or SHA-512 as hash and HMAC as appropriate. There's a
> third option, AES-256 paired with Skein/Skein-MAC, which I don't
> think is in the code, merely defined as a cipher suite. I can't
> remember. So we have to add Twofish there, but it's in Silent Phone
> now.
> 
> Now let me go back to my comment about standards. Standards are not
> about what's *best*, they're about what's *agreed*, and part of
> what's agreed on is that they're good enough. When one is part of a
> standards regime, one sublimates one's personal opinions to the
> collective good of the standard. That collective good of the
> standard is also "security theatre" in the sense that one uses it
> because it's the thing uses to be part of the community.
> 
> I think Twofish is better than AES. I believe that Skein is better
> than SHA-2. I also believe in the value of standards.
> 
> The problem one faces with the BULLRUN documents gives a decision
> tree. The first question is whether you think they're credible. If
> you don't think BULLRUN is credible, then there's an easy
> conclusion -- stay the course. If you think it is credible, then
> the next decision is whether you think that the NIST standards are
> flawed, either intentionally or unintentionally; in short, was
> BULLRUN *successful*. If you think they're flawed, it's easy; you
> move away from them.
> 
> The hard decision is the one that comes next -- I can state it
> dramatically as "Do you stand with the NSA or not?" which is an
> obnoxious way to put it, as there are few of us who would say,
> "Yes, I stand with the NSA." You can phrase less dramatically it as
> standing with NIST, or even less dramatically as standing with "the
> standard." You can even state it as whether you believe BULLRUN was
> successful, or lots of other ways.
> 
> Moreover, it's not all-or-nothing. Bernstein and Lange have been
> arguing that the NIST curves are flawed since before Snowden. Lots
> of people have been advocating moving to curve 25519. I want a
> 384-or-better curve because my One True Curve has been P-384.
> 
> If I'm going to move away from the NIST/NSA curve (which seems
> wise), what about everything else? Conveniently, I happen to have
> alternates for AES and SHA-2 in my back pocket, where they've been
> *alternates* in my crypto going back years. They're even in part of
> the software, sublimated to the goodness of the standard. The work
> is merely pulling them to the forefront and tying a bow around it.
> 
> And absolutely, this is an emotional response. It's protest.
> Intellectually, I believe that AES and SHA2 are not compromised.
> Emotionally, I am angry and I want to distance myself from even the
> suggestion that I am standing with the NSA. As Coderman and Iang
> put it, I want to *signal* my fury. I am so pissed off about this
> stuff that I don't *care* about baby and bathwater, wheat and
> chaff, or whatever else. I also want to signal reassurance to the
> people who use my system that yes, I actually give a damn about
> this issue.
> 
> I am fortunate enough to have a completely good cipher and
> completely good hash function in my back pocket. So I'm going to
> use them. If it turns out that there's a good explanation, that
> BULLRUN is wrong, it's just software.
> 
> Your situation is different, as is everyone else's. I admire your
> cool head, but I have to stand over there. I apologize for angering
> you, but I'm not sorry.
> 
> If I'm wrong, I'll have to eat my words. I would rather eat my
> words in this direction -- moving away -- than the other direction
> -- standing pat.
> 
> Jon
> 
> 
> 
> _______________________________________________ cryptography
> mailing list cryptography at randombit.net 
> http://lists.randombit.net/mailman/listinfo/cryptography
> 

- -- 
Kelly John Rose
Mississauga, ON
Phone: +1 647 638-4104
Twitter: @kjrose

Document contents are confidential between original recipients and sender.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSTeOTAAoJEN5u/YAARo3h6JwIANi0U6LxejTV/RExRIBqgWFd
vBswz0EMLi5VH+yWbhMBxjclAdecc8qs3h++ZWMbKeRnz1aBDo51qz7NXecLwETX
4mbXD8Plb1kEPiEmBI3iW7ei/ZBZEVGsWmjwHbEfb+UePRA2GonT8/AhGJYi2ev1
qoTJrAJyHTEVoL1brbgUsp4ZBCJ6MvWJLKTSs5yH+h1jouXk3720r8Z86WvhpG3l
INZRPQUIC4Sz7J9IkieBBJcDfvHtVOVZ75k87ppNUT9MDqhnpZwa85qdTVdQIpH4
UsiltdkX8YV1PdYiSfC5z3U9QixakXIdrFjVDO1RXvSA3TA56X5LW64T2IdpTtg=
=wvl4
-----END PGP SIGNATURE-----


More information about the cryptography mailing list