[cryptography] the spell is broken

Jeffrey Goldberg jeffrey at goldmark.org
Thu Oct 3 21:26:00 EDT 2013

Jon, first of all thank you for your extremely thoughtful note.

I suspect that we will find that we don’t actually disagree about much, and also my previous rant was driven by the general anger and frustration that all of us are experiencing. That is, I may have been misdirecting my anger at the whole situation at you, a fellow victim.

On 2013-10-03, at 4:31 PM, Jon Callas <jon at callas.org> wrote:

> You might call it "security theatre," but I call it (among other things) "protest."

I would put it more strongly than that. I think that NIST needs to be punished. Even if Dual_EC_DRBG were their only lapse, any entity that has allowed themselves to be used that way should be forced to exit the business of being involved in making recommendations on cryptography. I don’t have to think that they are bad people or even that they could have prevented what happened. But I think there needs to be an unambiguous signal to every other (potential) standards body about what happens if you even think of allowing for the sabotage of crypto.

I imagine that everyone is looking at public protocols for picking curves now. Everyone is looking at how every step in the establishment of a recommendation can be made provably transparent. That is all a good thing, and it does require that NIST pay dearly. But it isn’t a trust issue. I don’t “trust” the NIST less than I trust any other standard’s body. The need to be put out of the crypto business as a signal and deterrent to others, but not because they are inherently less trustworthy.

But not using AES is a protest that hurts only ourselves. It doesn’t punish where punishment is needed.

> I have also called it "trust," "conscience," and other things including "emotional." I'm willing to call it "marketing" in the sense that marketing often means non-technical.

> I disagree with "security theatre" because in my opinion security theatre is *empty* or *mere* trust-building,

I still think the term is appropriate, and indeed I think that your sentence about conscience and emotions actually reinforces my claim that it is theater. But I think that it is largely a definitional question which isn’t worth pursuing. I’m using the term in a slightly different way than you are.

> but I don't fault you for being upset. I don't blame you for venting in my direction, either. I will, however, repeat that I believe this is something gentlepersons can disagree on. A decision that's right for me might not be right for you and vice-versa.

Absolutely! Although I still stand by my “security theater” statement, I think I also mean it less pejoratively than it came across. Anyone (including me and the company that I work for) who has moved to 256 bit symmetric keys is engaging in “security theater” in my sense of the word. It’s nothing to be particularly proud of, but it doesn’t make us the TSA either.

> Since the AES competition, NIST has been taking a world-wide role in crypto standards leadership.

Yep. And (sadly) that has to go. As I said, they need to pay a heavy price so that it is absolutely clear that some behaviors are beyond the pale.

> A good standard, however, is not necessarily the *best*, it's merely agreed upon.

That’s true.

>  I think Twofish is a better algorithm than Rijndael.

OK. I was flat out wrong. I was ignorant of your longstanding view of ciphers. I’m not competent to really have an opinion about whether your judgement is correct there, but that isn’t relevant. I thought Twofish was pulled out of a hat. I was wrong. And I also apologize for accusing you of pulling Twofish out of a hat.

> ZRTP also has in it an option for using Skein's one-pass MAC instead of HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot faster, which is important in an isochronous protocol.

I agree that if you are changing ciphersuites, it’s as good a time as any to move to a SHA-3 candidate. And as there are some questions that need to be answered about official SHA-3, I’m happy with Skein. Again, I’m not competent to judge the relative merits of SHA-3 candidates.

> Silent Phone already has Twofish in it, and is already using Skein-MAC.

Ah. So yes, we are in very different starting places. Your choice seems very reasonable.

> In Silent Text, we went far more to the "one true ciphersuite" philosophy. I think that Iang's writings on that are brilliant.
> As a cryptographer, I agree, but as an engineer, I want options.

I think I am in a different position. I’m neither an engineer nor a cryptographer. I’m the guy who can kinda sorta read bits of the cryptography literature and advise the engineers on what to do with respect to using these tools. And what we decide affects the security of a very large number of users. So for me, the “one true ciphersuite” notion was ideal. I could pay attention and follow the consensus advice. You may be competent to, say, pick Skein over Blake for some particular purpose, but I’m not. And I don’t want to have to make those choices.

Not only is it that I don’t want to make such choices, but you shouldn’t want me to either. You don’t want me and zillions of application developers to be making such choices. So the loss of “one true ciphersuite”. Think about it, it’s taken a decade to get typical application developers to understand that for many purposes you can’t just use SHA1, but you need to contain it in HMAC. Now they are going to have to unlearn that for the new class of hash algorithms. If we are forced from the Eden of one true ciphersuite, we may end up with people who really aren’t competent to judge picking algorithms out of a hat.

So, I guess that some of my frustration that I’m taking out in various directions is rooted in that. Expelled from the paradise of one true ciphersuite, I have the responsibility to choose between the good and the bad but didn’t get enough to eat from the tree of knowledge.

> One True Suite works until that suite is no longer true, and then you're left hanging.

Yep. I was certainly aware of the risks, but I guess I took a bit of a CYA approach. If people spent enormous amounts of money building certain things into chips, they surely would have investigated very carefully before making such a commitment. (I should say that it really isn't CYA; I want to make the best choices for our customers. I also am intensely curious about this stuff, even if I’m not a cryptographer by any means.)

> Now let me go back to my comment about standards. Standards are not about what's *best*, they're about what's *agreed*, and part of what's agreed on is that they're good enough. When one is part of a standards regime, one sublimates one's personal opinions to the collective good of the standard.

Yes. I fully agree. And I agree that there were things that went into the selection of Rijndael that may not be what I would choose. I fully get that. But having been selected more than a decade ago, AES has been subject to far, far more scrutiny than anything else. As a consequence, I think that the gap between our understanding of AES and the NSA’s is smaller than the gap for lesser studied ciphers. So I’m not talking about following the standard as soon as the winner is declared, but the benefits of it having been the standard for so long decrease my uncertainty about it.

> That collective good of the standard is also "security theatre" in the sense that one uses it because it's the thing one uses to be part of the community.

I can see how that might be the case under an even looser definition than I was using, but I’m not really buying it in this case.

> I think Twofish is better than AES. I believe that Skein is better than SHA-2. I also believe in the value of standards.

Acknowledged. I had misjudged your motivations, and in a fairly insulting way. I appreciate the grace in your response.

> The problem one faces with the BULLRUN documents gives a decision tree. The first question is whether you think they're credible. If you don't think BULLRUN is credible, then there's an easy conclusion -- stay the course. If you think it is credible, then the next decision is whether you think that the NIST standards are flawed, either intentionally or unintentionally; in short, was BULLRUN *successful*. If you think they're flawed, it's easy; you move away from them.

My take is that BULLRUN was successful in parts. I’m not sure whether to count Dual_EC_DRBG as a success or not, as problems with it were discovered early. It stank from the outset and BULLRUN just confirmed that the stink had a nasty source. Leaving RSA Inc aside, no one really needed to change ciphersuites. Yet it was that revelation that sent me reeling. So the question is which other standards *could* they have gotten away with subverting. Quite simply not everything has the kind of math that Dual_EC_DRBG has and not everything has the same “gaps” in the history of where certain things come from.

You seem to be suggesting that if BULLRUN was successful anywhere, then it was successful everywhere (and they tried it with everything). Furthermore, at least with AES, you seem to be assuming that if BULLRUN was successful in a case in 2006, then it was also done successfully before 2001.

And so when looking at which things I need to move away from, I have to judge the risks that they’ve been compromised in light of all of the information that we have. The new information was confirmation that at least after 2001, the NSA was willing and able to subvert at least one NIST cryptographic standard. I have to integrate that piece of exceedingly distressing news in light of everything else we know about the things I rely on.

And so this is what we rely on: AES, SHA-2, and the (alleged) CSPRNGs in commercial operating systems.

Looking at those realistically, my energies haven’t been focused on looking for replacements for AES and SHA2, but on how to deal with potentially malicious CSPRNGs from Apple and Microsoft. So my focus is on improving key generation against undetectably malicious CSPRNGs.

> The hard decision is the one that comes next -- I can state it dramatically as "Do you stand with the NSA or not?" which is an obnoxious way to put it, as there are few of us who would say, "Yes, I stand with the NSA." You can phrase it less dramatically as standing with NIST, or even less dramatically as standing with "the standard." You can even state it as whether you believe BULLRUN was successful, or lots of other ways.

I’m sorry, but that I have to reject. That is an all or nothing absolutism that I not only think is wrong, but is pernicious. “If you don’t take my position on all things that have come out of NIST you are a stooge for the NSA”. I really don’t think that is something you want to be saying.

> Moreover, it's not all-or-nothing. Bernstein and Lange have been arguing that the NIST curves are flawed since before Snowden. Lots of people have been advocating moving to curve 25519. I want a 384-or-better curve because my One True Curve has been P-384.

Ah. Good. You are not taking an all-or-nothing position. I seem to have misread something then. I concur about P-384. Were we using elliptic curves, I would be advocating the same move.

> If I'm going to move away from the NIST/NSA curve (which seems wise), what about everything else?

This isn’t a philosophical or judgement difference between us. It’s just a technical starting place, but

> Conveniently, I happen to have alternates for AES and SHA-2 in my back pocket, where they've been *alternates* in my crypto going back years. They're even in part of the software, sublimated to the goodness of the standard. The work is merely pulling them to the forefront and tying a bow around it.

OK. You have persuaded me that you are making the right choice for your situation.

> And absolutely, this is an emotional response. It's protest. Intellectually, I believe that AES and SHA2 are not compromised. Emotionally, I am angry and I want to distance myself from even the suggestion that I am standing with the NSA. As Coderman and Iang put it, I want to *signal* my fury. I am so pissed off about this stuff that I don't *care* about baby and bathwater, wheat and chaff, or whatever else. I also want to signal reassurance to the people who use my system that yes, I actually give a damn about this issue.

So do I. So do I. I am furious. And I want to let the world know. And most importantly, I want to do what I can to make sure that nothing like this happens again. I wrote at top what kind of signal I think is needed for that.

> I admire your cool head,

Don’t mistake it for lack of anger.

> but I have to stand over there. I apologize for angering you, but I'm not sorry.

No apology needed. And I once again apologize for thinking and saying that you made your ciphersuite choices naively. And again, thank you for this discussion.
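An added illustration, not from Jeffrey's message or his employer's code, of the key-generation hardening he mentions above (improving key generation against an undetectably malicious OS CSPRNG): the OS random bytes are mixed with an independent, application-gathered entropy source through an HKDF-style extract-and-expand step, so that a silently broken CSPRNG alone cannot determine the key. The length-prefixing of inputs, the zero salt and the purpose string are this example's own choices.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256  # PRF used for mixing; any strong hash works here


def mix_entropy(sources, key_len=32, info=b"constructed example: key generation"):
    """Combine independent random inputs into one key.

    Extract-then-expand in the style of HKDF (RFC 5869). The output is
    unpredictable as long as at least one source is unpredictable and the
    other sources cannot observe it; a malicious OS CSPRNG therefore still
    faces the secret contributed by the application-gathered source.
    """
    if not sources or any(len(s) == 0 for s in sources):
        raise ValueError("every entropy source must contribute data")
    # Extract: each input is length-prefixed so that (b"ab", b"c") and
    # (b"a", b"bc") cannot collapse into the same byte string.
    ikm = b"".join(len(s).to_bytes(4, "big") + s for s in sources)
    prk = hmac.new(b"\x00" * HASH().digest_size, ikm, HASH).digest()
    # Expand: T(i) = HMAC(prk, T(i-1) | info | i), concatenated to key_len.
    out, block, counter = b"", b"", 1
    while len(out) < key_len:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:key_len]


def generate_key(extra_entropy, os_random=os.urandom, key_len=32):
    """Derive a key from the OS CSPRNG *and* an independent source gathered by
    the application (e.g. timing jitter or a user-supplied seed), so that a
    broken os_random alone does not determine the key."""
    return mix_entropy([os_random(32), extra_entropy], key_len)


if __name__ == "__main__":
    # Constructed scenario: a CSPRNG that always returns zeros stands in for an
    # undetectably malicious one. The key still depends on the second source.
    def broken_urandom(n):
        return b"\x00" * n

    k1 = generate_key(b"app-gathered-entropy-1", os_random=broken_urandom)
    k2 = generate_key(b"app-gathered-entropy-2", os_random=broken_urandom)
    print(k1.hex(), k2.hex(), k1 != k2)
```

The mixing only helps if the sources are genuinely independent and the suspect CSPRNG cannot see the other input before producing its own output.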



More information about the cryptography mailing list