[Cryptography] From Nicaragua to Snowden - why no national standards should be considered in cryptosec
ianG
iang at iang.org
Sun Feb 28 09:18:23 EST 2016
On 27/02/2016 17:04 pm, Stephen Farrell wrote:
>> For example, in Russia
>> we have 4 algorithms of a digital signature, 2 of them are definitely
>> deprecated
>> but 2 others are required to be implemented. So smth like "National" (may
>> be with
>> mentioning the countries) will be ok and non-pejorative.
>
> There's that. But "national" is also no good as a label, as
> AES is national and some national algs are less well vetted/known
> than others.
(
Just as an aside... Belgians designed the algorithm, the code was
written by a Brazilian, the Java test rig was created by an Australian.
The Dutch in Anguilla did something too, can't quite recall what tho.
The other 4 contenders (or 29) were from many countries and spent a
lot of time analysing the 5 leaders. All 5 leaders were thought to be
state of the art of the time.
Seems non-national to me :)
The Americans ran the comp and chose the winner. The algorithm
however is only mandated for US Government agencies, not for anyone
else. Unlike many other standards bodies that also mandate against
industry.
Sure we know there are always going to be conspiracy theories, but
frankly, the full NIST comp is as open as any other process we can
invent. Again, in SHA3.
)
But that's not an interesting point. An interesting point is that
labelling a bad process won't save it.
> And there's also the set of algs that we think are ok, but are
> not yet needed, e.g. codepoints associated with Curve448 might
> not be needed right now, but might move to "good" status later.
>
> Deprecated also doesn't quite seem right for e.g. integer DH
> where we might want to prefer ECDH even though integer DH is
> still fine with sufficient length primes.
Ya. So the overall problem with consensus seeking is that everything
must be considered, everyone must have a say. As we can see on this
thread and in every other bikeshed, the result is a grand unified theory
of cryptopolitics, rather than ... a ciphersuite, which is what users need.
Anyone can bring a pander-request to the table, and lobby for it. Crap
or not. Anyone can bring a small RFC for no clear purpose, or a RNG
that is pre-broken, or argue that an opponent isn't following the latest
academic attack that is still warm from printing, or or or...
Ontologising the inputs or outputs isn't going to help.
There's no way around this. If you're going to allow *everyone* a
voice, then you'll end up with the pander-list. Which is fine in
ordinary commercial protocols like HTTP but not good in security
protocols where we have known, aggressive, enemies that don't follow the
laws of their land nor the laws of polite IETF society. AKA the spooks.
Add countries to that.
The only alternatives I can think of are diktat of some form. Of those,
I prefer the following diktat:
One person of known history and pedigree is chosen to design the crypto
suite. That person does it. That suite lasts for 7 years. If it goes
down in flames, so does that person's rep. Sucks, but the incentive to
take care is clear.
> And then (for TLS) there's stuff like SRP where almost nobody
> cares and we might not want that code in general libraries so
> maybe that's also better not in the "good" category too.
If nobody cares, then do an experiment? This is why I consistently
argued in TCPINC that David Mazieres' group should do it. The whole lot.
The notion of starting a competition between 2 opposing designs has
the unfortunate consequence of handing the NSA another 2-4 years grace
in mass surveillance.
Nobody should care what the suite is in TCPINC because the stuff can be
MITM'd by definition. I know that doesn't stop people reaching for the
paintbrush, but we should hold the line on general security: choosing
any suite is good for TCPINC, choosing two suites is to misunderstand
everything about the general nature of MITM, threat modelling, security.
( for others: TCPINC is the generic name for bootstrapping a
lightweight opportunistic encryption protocol within TCP so the masses
can get out from the yolk of permanent global mass surveillance. )
...
> Anyway, in the IETF the TLS WG have agreed to try to figure this
> out for TLS ciphersuites. They've not started that work yet, as
> they're busy with TLS1.3 but the bikeshedding will happen there
> in the not too distant future.
TLS is a challenge which cannot be surmounted because the process is
already too entrenched. Granted. No point in arguing about that.
iang
More information about the cryptography
mailing list