[Cryptography] Paranoia for a Monday Morning

ianG iang at iang.org
Tue Oct 28 09:32:03 EDT 2014


On 27/10/2014 11:35 am, Jerry Leichter wrote:
> We've seen increasing evidence that the NSA influenced the choice of cryptographic standards towards designs that were extremely difficult to get right - e.g., Dan Bernstein's claims that the standard elliptic curves have arithmetic whose implementations need special-case paths that make side-channel attacks much easier than they need to be.
> 
> As I look at the world around me, however, I see few proven attacks against fielded cryptographic implementations - but an ever-flowing stream of attacks against another class of standardized software.

As some of us have been saying for many a year, the crypto is the least
of your problems.  Concentrate on the software engineering, and when
you've got that right, you may have cause to demand better crypto.  And
stop this sophistry with algorithm agility and other vanity concepts...


>  I'm talking, of course, about browsers.  The complexity of browser standards - and of ancillary software like Flash - has proved way beyond our capability to program without error.  It's easy to blame Adobe or the Microsoft of old for incompetent programming; but even the latest IE, produced under what may be the best "secure software development chain" in the world; and Chrome, a clean-sheet, open-source implementation by a team containing some of the best security guys out there; continue to be found to have gaping holes.  At some point, you have to step back and admit that the problem doesn't lie with the developers:  They are being set up to fail, handed a set of specifications that were simply too hard to get right.

Right.  The experience I had reduced to this, if I can compress it.

Following the Browser wars that destroyed Netscape, Mozilla swore to
implement standards, and clawed back the high ground.  Others sort of
followed suit.

But, standards don't change in ways that improve security for end users.
Standards have no feedback loop back to end users because they aren't
represented, and standards groups are stuck in 1990s security model
thinking (e.g., the ITM).

Hence, the secure browsing system might have started out with some
notion X of security back in 1994.  But absent a correcting feedback
loop back to users, it was set up to deviate from X in a negative
direction.  Spencian mechanics apply, market for silver bullets and all
that.


> And that, of course, raises the question:  Accident, or enemy action?


Enemy action is part of it, but what the enemy did was leverage our own
accident-proneness.  The notion of security from PKI was strongly pushed
by the NSA, through many channels, because they knew they could backdoor
the CAs.  This was a big thing at the time; it was written somewhere
that they 'bet the farm' on this strategy.

In contrast, it's not clear to me that they understood the MITM agenda
per se which undermined the entire Internet security.  But, once they
saw how it raised the complexity barrier, they would have been all for
it.  "You must defend against the MITM at all costs!"  Including
security for all, unfortunately, but we've got a great story to tell
about MITMs.  So I'd expect that as shills in standards groups and
browsers are outed over time, their actions will be strongly correlated
with MUST-anti-MITM-ness.

Once the PKI was bedded in with standards, the security failure over
time was a certainty.

I suspect the NSA bungled this strategy.  They probably rationalised
that the USG would be protected by their own strong CAs, but it turned
out that the weakness outside that vector was so endemic that everyone
suffered, equally.



iang

