[Cryptography] asymmetric attacks on crypto-protocols - the rough consensus attack
ianG
iang at iang.org
Sun Aug 2 00:27:12 EDT 2015
There's a group working on a new crypto protocol. I don't need to name
them because it's a general issue, but we're talking about one of those
"rough consensus and working code" rooms where dedicated engineers do
what they most want to do - create new Internet systems.
This new crypto protocol will take a hitherto totally open treasure
trove of data and hide it. Not particularly well but well enough to
make the attacker work at it. The attacker will have to actually do
something, instead of just hoovering.
Doing something will be dangerous - because those packets could be
spotted - so it will be reserved for those moments and targets where
it's worthwhile. It's not as if the attacker cares that much about
being spotted, but embarrassment is best avoided.
So this could be kind of a big deal - we go from 100% open on this huge
data set, down to 99% closed, over some time and some deployment curve.
Now, let's assume the attacker is pissed at this. And takes it's
attitudinal inspiration from Hollywood, or other enlightened sources
like NYT on how to retaliate in cyberwar (OPM, anyone?) [0]. Which is
to say, it decides to fight back. Game on.
How to fight back seems easy to say: Stop the group from launching its
protocol. How?
It turns out that there is a really nice attack. If the group has a
protocol in mind, then all the attacker has to do is:
a) suggest a new alternate protocol.
b) balance the group so that there is disagreement, roughly evenly
balanced between the original and the challenger.
Suggesting an alternate is really easy - as we know there are dozens of
prototypes out there, just gotta pick one that's sufficiently different.
In this case I can think of 3 others without trying, and 6 people on
this group could design 1 in a month.
Balancing the group is just a matter of phone calls and resources. Call
in favours. So many people out there who would love to pop in and utter
an opinion. So many friends of friends, willing to strut their stuff.
Because of the rules of rough consensus, if a rough balance is
preserved, then it stops all forward movement. This is a beautiful
attack. If the original side gets disgusted and walks, the attacker can
simply come up with a new challenger. If the original team quietens
down, the challenger can quieten down too - it doesn't want to win, it
wants to preserve the conflict.
The attack can't even be called, because all contributors are doing is
uttering an opinion as they would if asked. The attack simply uses the
time-tested rules which the project is convinced are the only way to do
these things.
The only defence I can see is to drop rough consensus. By offering
rough consensus, it's almost a gilt-edged invitation to the attacker.
The attacker isn't so stupid as to not use it.
Can anyone suggest a way to get around this? I think this really puts a
marker on the map - you simply can't do a security/crypto protocol under
rough consensus in open committee, when there is an attacker out there
willing to put in the resources to stop it.
Thoughts?
iang
[0] you just can't make this stuff up...
http://mobile.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html
More information about the cryptography
mailing list