[Cryptography] asymmetric attacks on crypto-protocols - the rough consensus attack

Stephen Farrell stephen.farrell at cs.tcd.ie
Sun Aug 2 17:36:15 EDT 2015



On 02/08/15 22:17, ianG wrote:
> So, just to forestall any thoughts in a particular direction.
> 
> 1.  It is fruitless to name a person who might be a shill.  The reason
> is quite logical - the attacker is better at this game than you are, and
> will use your attempt to name a shill as a way to create discord, and
> will (eg) also use the same noise to name YOU as a shill.  Or worse.  In
> case you're wondering, this is known art, I'm not just talking out my
> posterior.
> 
> tl;dr don't name a shill, you'll lose.  Attacker is better at it.

Strongly agree.

> 
> 2.  Naming a WG is also amusing but distracting.  This is the security
> area.  The attacker exists.  He spends millions of dollars on this, he
> has been caught with his finger in the cookie jar before (nod to Watson
> on these points), and he's said in revealed docs he's going to do it. We
> all know that.

Also agree.

> 
> So, it's a systemic problem.  It might be happening today in a group,
> but actually it's more likely a honed process across 10 or more groups.
> What's the systemic response?
> 
> 3.  This only applies to security when there is a known attacker who's
> decided to stop this particular protocol from interfering with his
> actions.  That's a fairly narrow slice of WGs.  Probably less than 10
> (speculation).

I disagree there. I think the attacker is probably more interested in
there being protocols for which turning on any security is hard. That
could be attempted by making some specific security protocol hard to
deploy, (*) but equally by making e.g. a protocol that requires that
every node have the ability to add/subtract/change PDUs. That way it's
hard to add any e2e security features, no matter how well designed
those are.

So I think it'd be as likely that lots of non-security-area WGs
would be targets. The latter might also be easier to influence, as
many participants could be commercially motivated to not want better
security and privacy as that has a cost.

> 
> I.e., I'm not arguing to dispose of the entirety of the IETF.  Not today
> at least :)

I'm afraid you did suggest just that. The rough consensus thing and the
openness thing are inextricably intertwined and necessary for the IETF.
Take away one or both and you're no longer dealing with the IETF.

So while I'm interested in feasible ways to improve IETF process, I'm
not interested in surrender, but I said that already I guess :-)

Cheers,
S.

(*) I think I'm on record as saying that the IETF has in the past
failed in developing security protocols that were too hard to deploy.
It could be that this attack was a part of the cause of that. But
my take is that perfectionism and inexperience with scale on the
part of security folks was a bigger factor. In any case I think
we're improving in that respect, but have a ways to go.


> 
> 
> On 2/08/2015 20:09 pm, Stephen Farrell wrote:
>> And before one argues to discard a significant part of such a process,
>> especially on the basis of an invisible hand on the scales, I do think
>> one has a duty to at least accurately describe what one is arguing to
>> discard. And you have not done that.
> 
> 
> 
> So, assumptions:
> 
> 1.  The attacker exists.
> 2.  The attacker has approximately infinite resources and is prepared to
> spend them.
> 3.  The attacker can call on a large network of people, including ones
> who might not agree with the call, and ones who don't spot the motives.
> 4.  The attacker cares not to be spotted, but not that much.  You're not
> going to sue him.
> 5.  The attacker has decided that deployment of protocol X on
> widespread basis is to be stopped.  (Somehow.)
> 
> Then the attack.
> 
> As described, attacker eases the WG into rough anti-consensus, a balance
> between two opposing forces by
>   (i) proposing an alternate protocol, and
>   (ii) stacking the group so there is roughly enough opposition.
> 
> The defence *I proposed* was to drop rough consensus.  I stopped there.
> 
> Stephen pointed out that any replacement of rough consensus with a
> directional method ("one czar" or AD or ...) would then shift the burden
> of the attack to another place.  I.e., could very well just work in the
> attacker's favour.  A very good point.
> 
> Jerry described the coin toss.  This "addresses" Stephen's dual-attack
> at some level.  What it does is actually give a 50% chance of the good
> protocol, and a 50% chance of the challenger.  So now we can refine our
> attack by saying, the challenger should be also a non-optimal protocol.
> We've now got a 50% chance of killing it by putting in a non-working
> protocol, a familiar scenario to everyone who's been engaged in these
> efforts, sadly.
> 
> Now I'll propose another way, just thought of it:
> 
> Split the protocols.  Group A proceeds, so does group B.  Then both are
> standardised.  Now, the market works both over.  There is now a Betamax
> story to get through as the market gets to have a second call on the
> rough consensus.
> 
> If you believe in rough consensus that much, let the market vote ;-)
> 
> Engineers of course will be horrified.  "We can do better!"  But
> actually, maybe we can't.  Betamax resolved more quickly in the
> marketplace than many standards groups took to come to rough consensus
> and produce their standards.
> 
> Maybe the question here is, where is the pain?  And perhaps a bit of
> user pain is the price we pay?
> 
> (None of these points are entirely new!)
> 
> 
> 
>> That is another part of why I think your argument here is ill-informed.
> 
> 
> This is all by way of a thought experiment.  I set some parameters.
> Everyone's free to knock it down, and/or change the parameters to be
> more interesting (someone has already proposed an entirely new set of
> parameters in private email).
> 
> Where it gets "interesting" is when we inform a particular situation in
> reality.  That's of course a crapshoot.
> 
> But we don't know how close the thought experiment gets to reality
> unless we try.
> 
> 
> 
>> (Separately, I never said economic "progress" - I said interests which
>> is just not the same :-)
> 
> 
> (Right.  In this case, I reckon the interests are directly opposed.
> Attacker's mission is pretty clear.)
> 
> 
> 
> iang
> 
> 