[Cryptography] What is a secure conversation? (Was: online forums...)

ianG iang at iang.org
Tue Dec 31 04:37:00 EST 2013


On 30/12/13 19:06 PM, Theodore Ts'o wrote:
> On Mon, Dec 30, 2013 at 08:52:43AM +0300, ianG wrote:
>>
>> Threat modelling is separated because the threat is the domain of
>> the attacker, whereas the risk is the domain of the defender.
>
> Even in the domain of the attacker, the attacker is attacking a
> *specific* protocol, being used in a *specific user case*, and to
> achieve a *specific* goal.  If we are going to accurately model a
> threat, we need to understand these specifics.


NO, the point is, when in the domain of the attacker, we have to think 
like an attacker.  When in the defence domain, we think like a defender.

It is hard to think like both at the same time.  Hence, they are 
separated steps.  You can combine them if you can multithread, but 
that's your choice.

> Unfortunately, I don't
> see that happening in many of these discussions on the mailing list.


It's an open-to-join list.  It's like a committee :)  There are a range 
of capabilities and opinions...  an act of patience is required.


> For example, the people worrying about cache timing attacks for a KDF.


Right, I only skimmed that.  I couldn't see the threat.


>>> Personally, part of talking about listing the threat also includes
>>> doing the risk analysis, because otherwise the list can easily become
>>> unbounded, and because there are people who are overly inclined to
>>> paranoia will start pursuing solutions and demanding that we make
>>> changes to mailing lists, protocols, open source software, etc.,
>>> prematurely.
>>
>> Right, and that is why every listed threat has to be filtered.  In
>> risk analysis, they do teach you to do a preliminary pass and drop
>> stuff that is on the face of it unrealistic (at least in my class
>> they did).
>
> Great.  But that is not what is happening for most of the discussions
> on this mailing list.  There is no attempt to make sure that the list
> is complete, and there is no attempt to filter the threats for
> credibility.  Instead, people immediately start leaping to proposed
> solutions and wringing their hands that all of our crypto applications
> are broken....


It's a mailing list :)

How you do your modelling is up to you.  Which is why for example, PHB 
only occasionally posts questions on his exercise.  He isn't asking the 
list to do the exercise, he's just getting feedback on what he's done.


>> Another threat that we should consider in our list:  what happens if
>> there is an insider in *our process* that has interests that are
>> incompatible with ours, and pushes us to weaken our process (and
>> improve his)?
>
> I'm not sure that this is ever going to be productive.  Sure, it's
> possible, but the solution is open proposals, open source, and open
> peer review.


lol... if one thing has been cleared up in the Snowden revelations it is 
that no solution is a panacea.  DUAL_EC was an open proposal with open 
source and open peer review.  We could argue that other "open" things 
are also subject to influences, we just haven't seen the smoking gun yet.

If you're still not convinced, put yourself in the NSA's shoes.  The 
DD-ops says that the Linux stuff has to be stopped.  How are you going 
to do it?

If you haven't figured out half a dozen channels into that open project 
by the time you've finished the next cup of coffee, you're not thinking 
... *like an attacker*.

Remember.  They have the budget, the orders, the incentive, the 
capabilities and the complete lack of respect for you and your 
high-minded thoughts.


> Otherwise, I could start complaining that people who are
> ranting and raving about threats without doing any kind of filtering
> are NSA plants who are trying to waste/dissipate our energy, and you
> could claim that I'm a NSA shill for refusing to pay attention to your
> favorite pet threat.  And in the end, it doesn't further the
> discussion, but in fact, degrades it.


Indeed.  Read the OSS sabotage manual, circa 1940s.  That is a 
documented attack.


>> We know what doesn't work:  committees, broad-based low-level crypto
>> tool analyses, government standards, consultancies.
>>
>> What that leaves is, I think:  the business must appoint one person
>> to take responsibility.  That person must make the decision to drop
>> the unrealistic threats, once they've had their day in the sun.
>
> Who is "the business" and why do they get to decide who to appoint?


Business in the above is a metaphor for the overall economic purpose. 
The business might be your employer.  It might be the community of 
payment & speculative trading partners in the case of Bitcoin.  In the 
case of Linux, the business is that of users and corporates using a base 
OS to do software.


> How does this apply to all of our open source technologies, such as
> OpenSSH, OpenSSL, the Linux /dev/random driver, etc?


Exactly.  It only applies loosely.  The business of OpenSSL is ... what? 
Undefined?  Protecting credit cards?  Online banking?  Are the users 
phishing victims or shy bits & bytes or SSL experts haunting open source 
projects and committees and PCI audit rooms?

The point is, at some level, with some tools like OpenSSL and DES and 
/dev/random, it is impossible to define "the business" with any 
reliability.  These are security tools, not security projects in and of 
themselves.  Tools cannot deliver security, because security can only be 
defined from within the context of a business.

Therefore, security modelling is at a loss.  No business means no threats.

So the problem that these groups have is that they generally copy a 
threat model from somewhere, and assume it, without regard to its 
closeness to reality (infamously, SSL's obsession with MITM), or they 
come up with a 'perfect' security model that may or may not meet the 
needs of the next layer up.

E.g., the block cipher ... which does not meet the needs of the 
developers, because it is simply too hard to put into a protocol. 
Answer?  redefine the problem scope and develop a new API.  In 
particular AE modes and CAESAR.

E.g., the RNG, which we now have a model for (trident-like 
collectors->mixer->whitener/expander courtesy of John & Bruce & Neils, 
etc) but it's still a tool, with a model that strives to be 'perfect' .. 
that may or may not play a part in a security design to meet the needs 
of a business.


> In the case of
> the RSA business, they chose Bart Harman as their CTO, who is
> presumably "the decider".  Given his recent statements, does that make
> you feel any more comfortable?


That's the point.  They chose someone.  If he makes you feel 
uncomfortable, then move your business.


> Committees do have their downsides, but at least we're not depending
> on a single person.


Wait ... can you depend on anyone in a committee?  Is that zero or many 
you're assuming there?

> Anointing a single person means that there is a
> single point of failure where that person might be bribed or
> otherwise corrupted, or just make a single mistake.


Lol... Sure, maybe.  It is in some respects far easier to corrupt a 
committee than a single person, cf documented attack above.  Again, it's 
no panacea:  the business might live or die by those decisions.


> And that person may take on all of the successes and failures,
> but to the extent that we depend on that technology, and we don't have
> the time to audit all possible security technologies, or to write all
> of the security technologies (and all of their dependencies, including
> the Intel CPU for those people who believe that the NSA could subvert
> the instruction pipelining and execution engine), we don't have a
> choice but to delegate our security to some set of people, or a single
> person.  Personally, I'd much rather delegate my security to an open
> committee using an open process.


Sooo... we're ready to start an open committee to decide what happens to 
the /dev/random on Linux in an open process?

Where do we sign up :)

Jokes aside, you're it, right?  You're in the hot seat.  What happens 
carries forward with your name into the future.

Why do you think the Linux kernel has some respect?  Because one person 
decides what happens in the kernel.  In app land, it's the wild west :) 
Why do you think OpenBSD has a lot more respect in the security 
context?  One guy, and he's an obsessive fruitcake when it comes to 
security.  FreeBSD?  One guy, the security officer.

Microsoft?  No clue.  Apple?  They say nothing.  Google?  That many 
headed hydra has no single mind of its own, and wants to own your mind, 
so no joy there.  Mozilla? ...  These groups are so diverse they can't, 
don't and won't do it.



To paraphrase, there is only one CSO, and he's responsible.


iang
