Status of opportunistic encryption

Victor Duchovni Victor.Duchovni at MorganStanley.com
Tue May 30 21:45:19 EDT 2006


On Wed, May 31, 2006 at 08:56:53AM +1000, James A. Donald wrote:

> Active attacks are rare, possibly nonexistent except for
> Wifi.  If NSA and the other TLAs were doing active
> attacks, they would be detected some of the time.  They
> don't like being detected.

Active attacks at the network layer are relatively rare, but definitely
not non-existent. Spammers occasionally hijack BGP prefixes, send some
spam and move on. They can also hijack nameserver IPs and MX host IPs, but
for now they prefer sending over receiving. This will likely change; the
playbook of organized crime on the net has been expanding steadily since
money overtook teen-age derring-do as the most common motivation for
active attacks in ~2002.

> If anyone does an active attack, this is a one off
> event.  If someone routinely and regularly does active
> attacks, the attack will be detected, the point where
> they are modifying messages will be detected, and will
> be bypassed.

They keep moving around, some ISPs turn a blind eye in return
for the revenue stream.

> > Consequently, also SSH with GSS KEX, is not MITM
> > resistant when the attacker can tamper with DNS
> > responses.
> 
> My understanding is that SSH when using GSS KEX does not
> cache the keys, which strikes me as an amazingly
> idea,

No, that's the whole point. What works for the individual administering 10
machines does not scale to organizations with hundreds of administrators
managing tens of thousands of machines. With KEX you trust Kerberos,
not your key store. The problem is that one also ends up trusting DNS
or NIS or LDAP, ...

> particularly when SSH key caching has been so
> successful, and when the user thinks he knows his
> security comes from key caching.  The experience with
> PKI suggests that it is very difficult to have security
> without durable cached keys.

Quite the converse: the PKI keys are too durable. (Segue to Wheeler &
Wheeler.) The Kerberos online verification model is actually superior,
but in practice the implementation runs into issues with insecure
nameservices. We need a more secure stack.

> Attacks on DNS are common, though less common than other
> attacks, but they are by scammers, not TLA agencies,
> perhaps because they are so easily detected.

Yes, but the scammers are getting into more markets: first spam and
advance fee scams, then phishing, now pump and dump scams. They are
evolving fast. We are largely standing still.

> Encrypting DNS is unacceptable, because the very large
> number of very short messages make public key encryption
> an intolerable overhead.  A DNS message also has to fit
> in a single datagram.

Workable DNS-SEC exists; what lacks now is the will and political muscle
to make it happen. Signing is done on update, not on read.

> To accommodate these constraints, we need DNS
> certificates sent in the clear, and signed with elliptic
> curve public keys (which allow both signatures and
> certificates to be short enough to fit in a datagram).

The real question is not how to do DNS-SEC, but how soon, and then how to
leverage it in real protocols. Will there be a reasonably comprehensive
set of Internet-integrated services that work *together* "securely" in
a reasonable fashion, or are we still building the tower of Babel (now
in software)? A more trustworthy DNS would IMHO be a good foundation.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
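Editor's added example (not part of the thread, and not anything Duchovni or Donald posted) illustrating the two DNS-SEC points made above: the zone maintainer signs a record set once, at update time, and a resolver verifies each answer at read time with only the zone's public key, so an on-path attacker who rewrites an MX host's address (the spammer scenario in the message) cannot produce a valid answer. The record format, the canonicalisation, the `example.test` names and the expiry-in-the-signature scheme are simplifications assumed for the example, not the RFC 4034 wire format; Ed25519 is used because it is in the Go standard library and its 64-byte signatures and 32-byte keys make the "fits in a datagram" point concrete, whereas DNSSEC deployments of the period used RSA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRSet is a simplified record set (all records sharing one owner name and
// type), which is the unit DNSSEC signs. Hypothetical format for this example,
// not the RFC 4034 wire encoding.
type RRSet struct {
	Name string
	Type string
	Data []string
}

// SignedRRSet carries the RRset plus a signature produced at zone-update time,
// with an expiry bound into the signed data so a stale answer cannot be
// replayed indefinitely (real RRSIGs carry inception and expiration fields).
type SignedRRSet struct {
	RRSet
	Expires time.Time
	Sig     []byte
}

// canonical builds the bytes that are signed: lower-cased owner name and
// sorted rdata, so the signature does not depend on case or on wire order.
func canonical(rr RRSet, expires time.Time) []byte {
	d := append([]string(nil), rr.Data...)
	sort.Strings(d)
	return []byte(fmt.Sprintf("%s|%s|%s|%d",
		strings.ToLower(rr.Name), rr.Type, strings.Join(d, ","), expires.Unix()))
}

// SignRRSet is the update-time operation. The private key stays with the
// zone maintainer and is never needed by the resolvers that verify.
func SignRRSet(priv ed25519.PrivateKey, rr RRSet, ttl time.Duration) SignedRRSet {
	exp := time.Now().Add(ttl).Truncate(time.Second)
	return SignedRRSet{RRSet: rr, Expires: exp, Sig: ed25519.Sign(priv, canonical(rr, exp))}
}

// VerifyRRSet is the read-time operation: one public-key check per answer,
// with no online call back to the signer.
func VerifyRRSet(pub ed25519.PublicKey, s SignedRRSet, now time.Time) bool {
	if now.After(s.Expires) {
		return false
	}
	return ed25519.Verify(pub, canonical(s.RRSet, s.Expires), s.Sig)
}

// Demo plays out the scenario from the thread: an on-path attacker rewrites
// the MX host's address. It returns whether the genuine answer, the tampered
// answer and a replayed expired answer verify, plus the signature size.
func Demo() (genuineOK, tamperedOK, expiredOK bool, sigLen int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; 192.0.2.0/24 is documentation address space.
	mx := RRSet{Name: "mail.example.test.", Type: "A", Data: []string{"192.0.2.25"}}
	signed := SignRRSet(priv, mx, time.Hour)

	// Genuine answer delivered unmodified.
	genuineOK = VerifyRRSet(pub, signed, time.Now())

	// Attacker swaps the address but, lacking the private key, cannot re-sign.
	tampered := signed
	tampered.Data = []string{"198.51.100.66"}
	tamperedOK = VerifyRRSet(pub, tampered, time.Now())

	// Replaying a genuine signed answer after its expiry also fails.
	expiredOK = VerifyRRSet(pub, signed, time.Now().Add(2*time.Hour))

	return genuineOK, tamperedOK, expiredOK, len(signed.Sig)
}

func main() {
	g, t, e, n := Demo()
	fmt.Printf("genuine=%v tampered=%v expired-replay=%v sigbytes=%d\n", g, t, e, n)
}
```

The verifier only ever holds the public key, which is the property that lets signing happen on update rather than on read: the signing key never has to be online at query time, and a resolver cannot be tricked into accepting a modified record by anyone who merely controls the network path. What the example does not solve is how the resolver obtains the zone's public key trustworthily in the first place; in DNSSEC that is the chain of DS records up to the root trust anchor, which is exactly the "political muscle" part of the message.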