[Cryptography] IPsec DH parameters, other flaws

Thierry Moreau thierry.moreau at connotech.com
Fri Jul 3 10:41:06 EDT 2020 

Thanks for this interecting historical perspective.

See below for a few comments.

On 02/07/20 05:27 PM, William Allen Simpson wrote:
> [reading some older list items, branching off]
>
> On 6/3/20 2:29 AM, Peter Gutmann wrote:
>> [1] I've never understood why IPsec and the cargo-cult protocols that
>> reused
>>      the parameters from it fixed on a single set of DH parameters.
>> IPsec is
>>      possibly one of the most unnecessarily flexible protocols in the
>> world
>>      where absolutely everything is up for negotiation, but there's
>> one single
>>      set of parameters that every single user has to share to create a
>> single
>>      point of failure for attackers to exploit.
>
> The original IPsec (Karn, Metzger, and Simpson) did not!
>
> Photuris was designed around negotiating variable DH parameters
> and avoiding easy denial of service attacks.  From the beginning!
>
> Karn also insisted the option field be limited to 8 bits, so there
> would never be many options.  We'd only assign a few combinations
> that were well vetted together.
>
> All of that went by the wayside after NSA (and BBN) got involved.
>
> Also, among other things, requiring the IV sent in the clear was
> another Steve Kent innovation.  Even though he'd been on a paper
> years earlier that the IV should be secret.
>
> And there was the Null encryption option.  And the ability to
> negotiate a downgrade.  And the serious problems we published via
> Usenix, because IETF wouldn't....

To me as an applied cryptography practitioner, the documentation of the 
NULL encryption option was a convenient (i.e. readily identified upon a 
first look at the document) that the whole thing was not aimed at 
end-to-end security for the benefit of users.

> We knew so many things to be wrong.  The best explanation is that
> flaws in the resulting IPsec were deliberate.

At layer 9, IPsec was envisioned as a mandatory requirement for IPng (to 
become IPv6) which would not fit the US (and allies) dedication to 
preserve "national security" network traffic interception capability. 
Thus a flawless IPsec was institutionally/constitutionally impossible.

>
> Thankfully, after a quarter century, TLS 1.3 has almost all the
> features we originally presented in 1995.

Your "almost all" qualification turns down my interest in the detailed 
TLS 1.3 design study. I do not see a rationale for giving up *any* of 
the security features present in the basic cryptographic protocol 
science available in the 1995-2005 period.

More specifically: Only from the current challenges of Internet presence 
for large organizations, I presume the TLS 1.3 design addresses the 
requirements for heavy server side loads (connection setups and overall 
encrypted data throughput), the ultimate end-to-end security being 
subordinated to server side efficiency.

Still without any definite rationale, I expect that some of the TLS 1.3 
options would meet the ultimate end-to-end security criteria, but the 
corresponding profiles would not be readily deployed by servers and thus 
perhaps not well supported by browsers. Am I right with this expectation?

- Thierry

More information about the cryptography mailing list