[Cryptography] Cipher death notes (was: Re: Fwd: OPENSSL FREAK)

Tue Mar 31 16:11:47 EDT 2015

On 31 Mar 2015 10:47 -0700, from bear at sonic.net (Ray Dillinger):
> Honestly, this was exactly the scenario I had in mind when I proposed
> implementing "death notes" for ciphers.
> 
> It was a simple idea then, and is still simple.  A death note is
> simply a proof that the encryption has been broken, (such as, in
> this case, a cert issued by a known-bogus "negative cert authority"
> whose keys were publicly destroyed immediately after creation).
> 
> Everything that gets the death note (and has implemented the
> feature, sigh) responds by permanently disabling that crypto
> primitive (in this case erasing all certificates that use that
> cipher), permanently storing the death note, and thereafter
> passing on the death note to anyone who later tries to use
> the dead crypto primitive.

Maybe I'm missing the utter simplicity here, but there's something I
don't quite understand. Hopefully you can enlighten me in the matter.

Suppose that the feature you describe was widely implemented. Suppose
also that the relevant primitive gets broken in a meaningful manner,
_but_ that the ability to break said primitive has not yet spread to
the masses. Maybe the break was limited to a fairly specific case, but
still bad enough to warrant sunsetting the primitive in question on a
rapid schedule (perhaps something like for example that we find an
efficient way to factor one out of every ten thousand RSA moduli, for
some given value of efficient, but there is no good test for such
moduli). Maybe the break requires a large amount of computational
resources, making it out of the reach of all but the very most
resourceful adversaries. Maybe it requires a combination of multiple
such factors before the break becomes feasible. Or whatever.

The end result of the above is the same: we have reason to believe
that YFTLA (Your Favorite Three-Letter Agency, for some given values
of "Three" and "Letter") may have the capability to break said
cryptographic primitive at least in select cases, but it remains well
out of the reach of the general public, let alone any one individual.

What would entice said TLA to publish the break, rather than
(attempting to) keep the ability to themselves and maybe a few of
their closest allies? What would entice them to break the specific
"negative cert authority" key (which gains them nothing except the
ability to force the primitive in question out of use, depriving them
of their ability to break the security of the system), rather than,
say in the case of public key cryptography or cryptographic hashes,
the root cert of Comodo or Verisign (which gains them potentially
_very_ significant leverage) or the PGP key of a high-value target?

Your proposal is certainly an interesting idea for academic exercises,
where the whole idea would presumably be to publish and get wide
dissemination of the result, but how does it help with adversaries who
keep the capability to themselves and/or secret/classified for the
purposes of making good use of the break?

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)