[Cryptography] IPsec DH parameters, other flaws

Phillip Hallam-Baker phill at hallambaker.com
Tue Nov 17 15:41:07 EST 2020


On Sat, Nov 14, 2020 at 8:31 PM iang <iang at iang.org> wrote:

> coming late to this party... but I'll bet the permathread will be running
> for a decade.
> On 20/07/2020 09:06, Alfie John wrote:
>
> On 19 Jul 2020, at 14:55, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
>
> There are a few individuals who seemed to be always there to pour poison in people's ears and to encourage them to 'stand their ground' when insisting on some asinine security requirement that makes the whole thing undeployable.
>
> All these war stories are great to finally be open and to a larger audience. Thanks everyone for adding their nuggets!
>
> So it's 2020 and we now know that there's a concerted effort to actively sabotage standards and implementations by many actors (including large budgets to sway people at all levels). Considering a clean slate for the whole stack - from TCP, IP, BGP, DNS, HTTP, etc and all the way to certificate infrastructure, application layer authentication, key management etc:
>
>   - how would you design the state of the art with security as one of its primary goals (i.e features and anti-features)
>
>
> The key is to start asking who, not how. It's clear that the IETF/etc was
> setup to allow vendors to duke it out. Which opened the way for NSA &
> friends to futz up the security groups with targeted interventions. In
> short to bring the process to a standstill where their security was
> involved.
>
IETF was set up to allow the DARPA program managers to monitor all the
grants they had awarded. That is where the IAB and IESG really come from.
It is also where the 'consensus' thing where the politburo get to decide
everything comes from.

Of course, DARPA/ARPA haven't been an issue in IETF for decades now. But
the legacy remains. The people with the authority have no accountability.
And that means they can't take important decisions.

> So the answer is to not do that - not do committees, working groups, and
> not rely on the good faith of participants. When there is an attacker who
> is prepared to outspend you and out-faith you, you have to change the
> process. In this context, the who cannot be a committee.
>
> The who has to be individuals / tight teams
>
If you look at the successful security protocols in use today, only TLS was
a group effort and that was largely because the principal architect wasn't
legally allowed to work on it. PGP and SSH were both the work of one
individual who got from the initial design to an advanced prototype alone.

The real inventor of TLS was Marc Andreessen. It is, ironically, the one bit
of the Web he was the prime mover on, and the one bit he has never received
credit for. At the time the idea of a Transport layer solution 'secure
sockets' was really not the way to do things. Application layer was
obviously more powerful. Only we didn't have the technology to do message
layer at that time and the machines weren't up to it. Marca couldn't work
on SSL directly though because he was under a non-compete to EIT. And while
he had the top level architecture right, he didn't have the experience to
get the lower levels right.

Problem with the individual inventor model is that there are maybe 1000
people in the world with the necessary skills. Of those, only a small
number have the ego required to stand up and make a proposal. Being the
target of other people's scorn is a lot harder than throwing rotten eggs at
other people's stuff. And only a very small fraction of that number have
the independent means to allow them to spend two to five years working
without an immediate income.

Sure, I do have an end to end secure password vault and it is almost ready
for release. How sure would you want to be that the code is correct before
YOU release?

> The problem here might be how to stop nefarious agencies (NSA) from spiking
> the project while in gestation. Here, strong requirements, transparent
> schedule and many well known observers can help.
>
Don't assume the NSA is still the enemy. The Snowden breach has really
changed attitudes. So has the DNC hack and the proliferation of
disinformation operations and intelligence gathering operations posing as
'transparency organizations'. They are suddenly aware that the US is a
really big glass house and the opposition is throwing stuff a lot bigger
than their stones. One of the reasons I changed the name of PRISMProof to
the Mathematical Mesh was that it is the technology that the NSA needs more
than anyone else.

There is a piece of information I was given that I was told is the key:
NOBUS. Nobody but US. It is still NSA doctrine as far as I am aware.
Basically, they are perfectly happy creating backdoors when they can. But
they must satisfy NOBUS - only 'we' can exploit them. If you look at
DualEC-RNG, that satisfies NOBUS.

But it isn't just the US that is manipulating the standards processes these
days. We have China and Russia pushing their own agendas as well. It is
instructive for people to look at John Young's dump of the emails
discussing the creation of Wikileaks. One minute there is an open,
cooperative effort to build a transparency group, the next, there is one
person in sole control and pretty much everyone who helped him set it up
has been kicked to the curb.

Besides metrics for crypto, I think we need metrics for transparency
organizations and investigative journalists. Was the outing of Manning and
Reality Winner really an accident or does the FSB just find that having
some martyrs helps their cause?
