[Cryptography] hard to trust all those root CAs

John Denker jsd at av8n.com
Wed Jul 23 08:32:39 EDT 2014


On 07/22/2014 04:59 PM, Russ Nelson wrote:
> 
> Crypto without a threat model is like cookies without milk. Keep
> saying it until it becomes second nature to specify the threat model.

The moderators wisely insist on brevity.  However, we 
have to give up something in return.  You don't get to
snip out the threat model and then complain that no
threat model was specified.

I hate to belabor the obvious, but on 07/19/2014 02:03 
PM, the OP in this thread did mention MITM attacks and
did cite data on forged certificates in the wild.

If you want the next level of detail, it is known that
the NSA acts as a MITM at the /hardware/ layer:  they
intercept and tamper with shipments after they leave
the manufacturer and before they reach the end-user.
They can insert back doors in everything from consumer-
grade stuff like cable modems, to corporate firewalls,
to carrier-grade backbone routers.  This meddle-in-the-
middle approach saves them the trouble of suborning a
whole bunch of manufacturers directly;  all they need 
to do is suborn a handful of shipping companies.  This 
is documented in the Snowden files; no tin-foil hat is
required.

If the Chinese PLA Third Department is not installing
their own back doors, I'd be shocked.  If they weren't
doing it a year ago, they must have read the Snowden
files as a how-to manual.  For equipment made in China, 
they can demand direct cooperation from the manufacturers.

Couple that with a rogue CA.  Now you're drowning in 
milk.

Note that back doors are notoriously hard to secure.
A third party gets to choose the NSA back door, or 
the Third Department back door, or some generic stack-
overflow bug, or whatever.

A question for each person on this list:  Are you sure
that all of your communications with your banker, doctor, 
lawyer, mistresses, etc. move over networks that are 
immune to MITM attacks?  If so, please raise your hand.

On 07/22/2014 03:07 PM, Jerry Leichter wrote:
> I forget the name, but there was a plugin that would warn you of
> unexpected changes in location of the CA.

It can't be a very successful solution, if people refer
to it in the past tense, and can't remember the name.

Note the contrast:  As currently deployed:
  SSL relies on authority, with no pinning or notary.
  SSH relies on pinning, with no authority or notary.
  PGP relies on web-of-trust, which usually boils down
   to little more than a labor-intensive form of pinning.

As discussed on 09/27/2013 09:43 AM, I reckon a heterotic 
approach would greatly increase security in all three cases.
I use the term "pinning" to refer to local approaches, 
and "notary" to refer to network-based online approaches.

AFAICT no "perfect" solution is possible.  If somebody 
wants to make a Truman Show / Matrix fake universe for 
you to live in, they can do so -- in principle.  However,
I reckon that good crypto engineering can make this much 
more expensive to do, and much easier to detect.

Evidently there are no widely-deployed solutions;  
otherwise we wouldn't be seeing forged certificates 
in the wild.  Is there anything on the horizon?
If not, why not?

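Editor's added example (not part of Denker's message, and not code from any project mentioned in the thread): the "heterotic" local-pinning-plus-network-notary check sketched above, written in Go against the standard library's crypto/x509, with the certificates minted in memory as constructed test data. The host name bank.example, the two root CA names, the three in-memory notaries and the accept/reject policy (match the stored pin, or get a notary majority for the new key) are all this example's assumptions; the message itself specifies no policy beyond "pinning" and "notary".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Verdicts of the combined pin + notary check (assumed policy, see below).
const FirstUse, Match, Rotated, Reject = "first-use", "match", "rotated", "reject"

// spkiPin hashes the SubjectPublicKeyInfo, not the whole certificate, so a
// certificate re-issued over the same key still matches the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// notaryMajority: more than half of the notaries holding an observation for
// host saw exactly this pin. A notary is one vantage point (host -> SPKI pin);
// real ones would be queried over the network, these are built in memory.
func notaryMajority(notaries []map[string]string, host, pin string) bool {
	agree, total := 0, 0
	for _, n := range notaries {
		if seen, ok := n[host]; ok {
			total++
			if seen == pin {
				agree++
			}
		}
	}
	return total > 0 && 2*agree > total
}

// PinStore is the local half: host -> pinned SPKI hash. A matching pin is
// accepted outright; a first contact or a changed key is accepted (and pinned)
// only when a majority of notaries report the same key.
type PinStore map[string]string
func (s PinStore) Check(host string, cert *x509.Certificate, notaries []map[string]string) string {
	pin, stored := spkiPin(cert), s[host]
	if stored == pin {
		return Match
	}
	if !notaryMajority(notaries, host, pin) {
		return Reject
	}
	s[host] = pin
	if stored != "" {
		return Rotated
	}
	return FirstUse
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue mints a certificate for name: a self-signed root when parent is nil,
// otherwise a server leaf signed by parentKey. Constructed test data only.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario returns the verdicts, in order, for: first contact, reconnect, the
// site rotating its key (seen by all notaries), and a MITM presenting a
// certificate for the same host from a different root CA that only we see.
func Scenario() []string {
	const host = "bank.example" // hypothetical host name
	ca, caKey := issue("Honest Root CA", nil, nil)
	rogue, rogueKey := issue("Rogue Root CA", nil, nil)
	legit, _ := issue(host, ca, caKey)
	rotated, _ := issue(host, ca, caKey)      // same site, new key
	forged, _ := issue(host, rogue, rogueKey) // MITM's certificate, shown only to us
	notaries := []map[string]string{{host: spkiPin(legit)}, {host: spkiPin(legit)}, {host: spkiPin(legit)}}
	store := PinStore{}
	v := []string{store.Check(host, legit, notaries), store.Check(host, legit, notaries)}
	for _, n := range notaries {
		n[host] = spkiPin(rotated)
	}
	return append(v, store.Check(host, rotated, notaries), store.Check(host, forged, notaries))
}

func main() { fmt.Println(Scenario()) }
```

Running it prints [first-use match rotated reject]. The forged certificate chains cleanly to a root; an authority-only check that happened to trust "Rogue Root CA" would accept it, which is the rogue-CA case in the subject line. The pin store rejects it because the key changed and no notary sees the new key, while a genuine key rotation passes because every vantage point sees it. Two practitioner caveats: pin the SPKI hash rather than the whole certificate, or routine renewals over the same key will trip the pin; and a notary quorum is only as independent as its network paths, so a MITM sitting on the backbone (the router case raised above) may also sit between you and the notaries, which means the notaries' own keys need to be pinned and reached over a different route where possible.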