[Cryptography] Fwd: OPENSSL FREAK

ianG iang at iang.org
Sat Apr 4 14:10:01 EDT 2015 

On 4/04/2015 12:26 pm, Jerry Leichter wrote:
> On Apr 3, 2015, at 3:24 PM, Ray Dillinger <bear at sonic.net> wrote:
>> ...The Death Note is disaster management for full-scale emergencies
>> where time to plan and implement a more reasonable and measured
>> response has already, clearly, *provably* run out. You can't
>> deploy it without doing some damage, but the damage you'd do
>> by NOT deploying it is worse. Death Notes cannot and should
>> not appear until the cipher or whatever primitive has broken
>> so very badly that damage is unavoidable.
> So in the last 50 years or so, can you give an example in which a Death Note would have actually been published?


I think that's worth asking.  As an open internet, we now have 20-23 
years of deployment of crypto.  We should now be in command of a 
substantial body of evidence concerning what works and what doesn't 
work, over a period of time.


> I can think of many cases of *implementations* being revealed to be broken by the publication of attack code.

Right.  So do we need a DeathNotice for the Implementation?

And does this DeathNotice also serve to cover the algorithm?

Which by nature of its claim over the implementation, it cannot be a 
proof-of-breach because if we could prove the breach we'd fix the 
breach.  Therefore it is likely administrative --> revocation by 
owner/WG/AD.

> And of cases where *security parameters* were shown to be two small (size of DES and RSA keys) by the publication of descriptions of such breaks using just-now-possible amounts of hardware.  You might be able to get something like a death notice out of the latter (by pre-publishing challenge problems), though you'd have to trust whoever generates the challenges to keep them private.

I suspect we can probably do the latter if we employ root-key like 
ceremonies to create the challenges and then destroy the keys.

> ... (As I understand it, a "real" Death Notice is an actual proof which is impossible to fake, even given special knowledge.)


(So, an encrypted message with a text phrase and the key to be used, 
such that when cracked, you can use the key revealed to confirm the 
encryption?  "The magic key is SHA1(OstrichContrariness)" .. ok)


> If you can't show the existence of such a mechanism would actually help in plausible real cases, this discussion seems rather pointless.


No, the discussion isn't pointless, but maybe frustrating or obvious in 
degrees.

If the Death Note is the plan for retirement, and we can show that the 
Death Note doesn't work, then we've shown something:  there is no plan 
for retirement.

Those who think algorithm agility is a good thing need to show that 
there is a plan to utilise the benefit of that agility -- a SWITCH -- 
and a plan to clean up later on when the inevitable expiry decision or 
event is reached -- the DEATH NOTE or revocation or similar.



iang

More information about the cryptography mailing list