Said it before and will say it again: privacy on internet is a technical problem only up to a certain point. It becomes a political problem at one point.
The power of strong and asymmetric cryptography led a lot of programmers into the belief that this is a political problem that can be solved with technical solutions but it is not.
Whether it is a subtle influence as is described here or as a heavy handed approach like in China, politics trump technological means.
If your government is actively trying to undermine the security and privacy of your technological solution, you need to be outspoken about it.
Another point to add to yours is that there are so few people capable of understanding these convoluted protocols and cryptosystems. How many people are actively attempting to find weaknesses in AES, Elliptic Curves, SHA1, DLP, IFP? Also, often times those people currently examining these systems are the same exact people that were performing the state of the art cryptanalysis in the 90's
It's impressive how much progress that field has made since the 1990s. I know there are other criticisms of Applied Cryptography, but we understand so much now that we didn't at the time it appeared.
Something I find a bit disturbing is how much of our understanding of particular issues seems to depend on brilliant individuals. This is a bit like the Bernstein monoculture article that was discussed here recently but I'm also thinking of several of the items from Boneh's RSA attack overview paper, or maybe Xiaoyun Wang's hash function stuff.
Clearly all discoveries are going to be made and published by someone, but something about the academic field of cryptography keeps striking me as "wow, we're really lucky to have that person in this field". And that's a bit concerning because this phenomenon seems to suggest either that the field is still pretty small or still pretty immature, and in that sense may still be missing several important discoveries, for all the progress that it's made since the early nineties.
That's kind of a strange takeaway from Boneh's RSA attack paper, which is a survey of other researchers; IIRC, no two of the attacks in that paper came from the same researcher.
Bernstein is a bit of an odd duck in this regard, but if you look at some of the other "great personages of cryptography", you'll see that they're minting PhDs who are themselves going on to do important work, so the capacity of the field is expanding, not contracting to a single Bernstein monoculture point.
Bernstein's position in the field of practical cryptography is a product of an almost monomaniacal focus on commodity hardware performance and ease of use. The Bernstein monoculture will pass --- probably soon, after CAESAR finishes, or if people start taking pq crypto more seriously.
> That's kind of a strange takeaway from Boneh's RSA attack paper, which is a survey of other researchers; IIRC, no two of the attacks in that paper came from the same researcher.
I think I had that sense about individual items there, like Coppersmith's attack.
> if you look at some of the other "great personages of cryptography", you'll see that they're minting PhDs who are themselves going on to do important work, so the capacity of the field is expanding, not contracting to a single Bernstein monoculture point.
"Bernstein's position in the field of practical cryptography is a product of an almost monomaniacal focus on commodity hardware performance and ease of use. "
It's like a marketing issue to me. He focused on what type of crypto there was a large demand for. His solutions now have the First Mover advantage. Others can still compete although his will stay widely deployed or long-lasting in legacy systems.
It's easy to get this view from outside, but there's lots and lots of people working on this stuff within the field of cryptography that people in software engineering don't hear about because their work doesn't quite have that focus on implementation, that, for instance, DJB's work has.
The ciphers aren't the problem. The protocols are. IPSEC is insanely over engineered, as are most protocols these days.
It's not just in crypto. I was looking at the guts of web sockets the other day and was like WHY WHY WHY WHY WHY. I usually find myself asking "what problem does this solve?" over and over when I look at modern systems.
Of course even with my strong bias against it I am still occasionally guilty of over engineering. I just rewrote a major system to de-engineer it. I just keep thinking I will need it even when I have YAGNI tattooed on the inside of my eyelids.
There's actually lots and lots of people attempting to break these primitives; just take a look at the proceedings of CRYPTO, EUROCRYPT, FSE, CHES, etc.
Politicial solutions didn't work in the 1970s (Church Committee), the 1990s (Crypto Wars 1), or more recently. Hopefully it's just bad luck, because I think the best solution is for technical people to work on technical solutions while political people work on political solutions, and we can meet in the middle.
Unlike in politics, we've had success with technical solutions: strong E2E encrypted messaging is now normal, TLS is getting massive deployment, we have better crypto in general from key agreement to ciphers to libraries, and so much more.
To compare, what political solutions have equally improved the landscape? What's the political equivalent of getting Curve25519 into the hands of billions of users? What's the political equivalent of Signal Protocol going mainstream?
I've seen this same basic comment a lot in technical circles, and they ~all seem to subtly discredit technical solutions.
It makes me wonder: do people in political groups say, "let's stop with the political solutions and instead learn programming and cryptography and make technical solutions!" I sure hope not.
How did Crypto Wars 1 not have a political solution? Export controls were dropped, the Clipper chip was canned. It was mostly due to the political arguments being made at the time, not some unstoppable technological breakthrough.
The story that prompted this discussion is about BULLRUN, a government effort to backdoor crypto, which took place after Crypto Wars 1. And as we know, BULLRUN is just a small portion of what we've had to deal with since Crypto Wars 1 was supposedly "won."
Clipper could have been fixed. The flaw in it was repairable. It was dropped instead because the idea was already politically weak so it didn't take much to push it over the edge.
Just take for example Elliptic Curves which sit at the crossroads of analytic theory, theory of functions, abstract algebra, algebraic geometry and number theory. It is nearly impossible for a single person to bear the cognitive overhead needed just to understand how might one approach attacking Elliptic Curve systems
I disagree, it's hardly impossible. I would say any reasonably gifted maths grad student who has chosen the right combination of subjects (the requisite math, some cryptography, along with a low-level programming course or two), would be able to start working on attacks on EC systems.
Do those people grow on trees? No, because it's a much less common specialisation than most others (like aiming for the financials industry, or statistics/analytics/big data) simply because of the number of paying jobs in each field.
Seriously. It takes something like seven years, not counting undergraduate studies, to become a practicing physician. And once you achieve that, you can still only handle one physician's worth of case load. It takes far less time to learn enough math to become dangerous to a particular subfield of cryptography --- and once you achieve that, you have a decent shot at changing the state of the art for the entire world.
And we just experienced a major consequence of the culture of agencies favoring offense over defense. The NSA could have been working with American companies to help secure their systems instead of hoarding exploits. And now civilian organizations are vulnerable to hacking by foreign powers. Election manipulation is what you get when you favor offense over defense. We're now not in control of our own coutry anymore.
Was it worth it? I guess for the stock prices of the contractors and the people the foreign power favors at the time. But everyone else gets screwed.
> Russia has effectively compromised President Trump, according to the CIA and FBI.
Just on face value of that statement, I suggest you temper the urge to emit hyperbole. ["influence" & "control"]
> CIA and FBI.
As far as national defense institutions go, I have far greater trust in the our military than the barely accountable agencies that cloak themselves in secrecy and operate in the shadows.
As far as Russian and their earlier incarnation as Soviets and influencing other nations, /and their populations/, I suggest you stop your (apparent) regiment of taking the word of Corporate media as gospel and acquaint yourself with the methodology of destabilizing target nations as practiced by the Russians. (They are old hands at it.)
Let me assure you: if this nation is destabilized and if well meaning but entirely naive Americans permit yourselves to be used as useful tools of external actors, America & Americans will be the biggest losers.
It's hard to take seriously an article and media outlet that claims the Number 1 "explosive allegation" is this:
information allegedly includes a videotape of Trump watching several Russian sex workers urinate on the bed the Obamas slept in at the Ritz Carlton in Moscow.
Really? Who cares.
As to the second point, how dramatic. Russia rigged the US election? I far simpler explanation is that US politics really is on the path suggested in the film Idiocracy. You don't need an external enemy to account for your bizarre politics, yourselves will suffice.
Right, I got that. I was attempting to draw attention to the fact that the article I was referring to put the erotica first in the enumerated list.
If it's true, that Russia influenced the election, then the major scandal is not that Russia [whatever], rather it's that the US fell for it.
Anyway, I still have trouble getting past the idea that the Electoral College system in the US can result in a president who didn't win the popular vote. Before we go blaming anyone else for anything, perhaps we should get our own affairs in order. Generally speaking.
It's amusing to me that this keeps coming up, because I'm 99.9% sure I know exactly who Gilmore is referring to here, and they're definitely not an NSA operative. Never attribute to state-sponsored malice that which is adequately explained by simple douchebaggery.
I think this is the case, but I haven't confirmed it
I kind of feel like your comment here and the one you linked to are a bit of an appeal to authority - for me anyway, I'm no expert in this area, and you appear to know what you're talking about (generally speaking).
But then you added this gem at the end of the link comment:
Enemy action? No. Crypto standards groups don't need enemy action. They are intrinsically evil, and need to be avoided.
I'm not seeing the appeal to authority. I'm saying I looked into Gilmore's claim about the IPSEC working group shenanigans, particularly about CBC IVs, that Gilmore appears to be wrong, and that the reality is komedy gold.
I meant insofar as I personally find myself thinking tptacek is usually on the ball. I meant I find myself deferring to the knowledge of HN comments. Probably didn't word it right.
This is in need of a blog post to link to when it comes up.
I read your comment and I find the topic/context is possiblly too vague or complex to use this as a reference. Not that your not busy enough, but it would be useful for progressing this discussion going forward.
We'd all benefit from not obsessing over crypto standards as lay people and let the professionals handle that for us. I don't have to trust that they'll be honest but trusting that nerds will work towards the optimal technical system is sufficient for me. Instead rather focusing on the implementation issues (or lack there of) that the general HN audience is more inclined to specialize in.
I should be more careful. I believe standards groups are evil. My rhetoric is strongly influenced by that belief: I think we shouldn't try to pick apart specific bad actors inside of standards groups but rather reject the entire enterprise and try different approaches.
The IPSEC working group discussions I've read are infuriating. I hope it's clear that I believe cryptographic scientists could have improved IPSEC, but were prevented from doing so by cliques in the IETF. That's the "douchebaggery" I'm talking about.
I have different personal feelings about different people involved in this drama. But I don't mean to compound those feelings into the point I'm trying to making. I'm afraid that's what I end up doing when I use words like "douche". So: my apologies. I'd delete that part of my comment if I could.
Regarding end-to-end encryption on phone calls, it's pretty much illegal for telcos to deploy in the US or Europe due to lawful intercept requirements. That, not NSA meddling in standards committees, is what keeps carriers from deploying it.
While it could be the NSA, I think with things like IPSEC simple over engineering is more likely.
Over engineering is an absolute plague in software. In ordinary cases it just makes things buggy, hard to maintain, and bloated and inefficient. In crypto though the consequences are much more severe since every little ounce of complexity in a cryptosystem exponentially increases the likelihood of exploitable bugs.
It was a combination of over-engineering, a lack at the time of understanding of the field of cryptography and a pervasive belief among IETF types that the field could be understood from first principles by anyone who was good at Unix, and standard-issue bloody-mindedness.
Phil Rogaway is one of the world's great cryptographers; it's from him that we get OCB, OAEP, PSS, UMAC, XTS, SIV, and many others. Even non-cryptographers might be familiar with him for his "Moral Character of Cryptography" paper†.
I finagled a spot next to him at a dinner in Chicago once and asked him why he doesn't participate in IETF crypto standards (even with a recent renaissance of CFRG with Kenny Paterson at the helm, more expertise is badly needed). The impression I got from his answer is that he'd foresworn that kind of work.
If you look at his experience trying to contribute to the IPSEC standard, you can see why: he enters mailing list threads making clear, obvious statements about cryptographic soundness --- for instance, "it's a bad idea to chain CBC IVs". He's immediately attacked --- and attacked personally, for instance by being referred to as a "so-called" cryptographer (or something like that; I'm going from memory) by a clique of standards nerds. Rogaway goes so far as to circulate a petition/critique from other cryptographers --- people like Ron Rivest --- and that's shot down as well. The standard is finalized with things like chained IVs in it.
That's not enemy action. Or, if it is, the enemy is the standards process, not the NSA.
I'll find the actual mailing list post, but to get a flavor for what Rogaway dealt with at IPSEC, here's a snippet from a post Pinboard coughed up for a simple [rogaway ipsec] search. This is Perry Metzger, who is just my favorite.
It appears that by failing to be as vicious as possible about Phil
Rogaway's lack of understanding of the architecture of IPSP that I
have inspired people to take him seriously. It also appears that Phil
has been lobbying people to have them comment. I can understand how
even an intelligent reader, going through his comments, could become
confused about the architectural issues here. However, let me say that
I found his comments to be almost completely without merit. Other than
a few comments about places where the text used ambiguous language
(i.e. textual ambiguity) I found almost nothing of value in what he
had to say.
Later:
Found it. It's Bill Simpson:
> You do not facilitate analysis
> by saying that Photuris is only required to work when its
> primitives are drawn from a certain concrete set of possibilities;
> exactly the opposite-- you render cryptographic analysis impossible.
>
Thank you, thank you!
It gladdens my heart to hear that *self-described cryptographers* find
that analysis is impossible!
I was worried that there would be some subtle flaw that would facilitate
cryptanalysis. Now that you have assured us that it is not possible,
that makes Photuris the only protocol that has ever come to perfection!
Here is the problem: Bill Simpson is actually very smart, and well-respected. But IETF-land is an alternative universe that strongly prefers its own norms and processes above any other influences. People get involved in standards work and build social capital within IETF working groups, and feel threatened by and dismissive of outsiders. This happens with, I think, all standards groups.
The irony is that the IETF was created in part as a reaction to these standards group pathologies. But they're too powerful to resist.
Reading the exchange between Ron Rivest and Perry Metzcar here[1] is almost painful. Bill Simpson has a post near the end and it seems in character for the "anyone who was good at Unix, and standard-issue bloody-mindedness." observation that tptacek made.
Yes, I've seen standards committees and this is very typical. For most committees take the average IQ of all members and divide by member count. The only exceptions are those that are very well run by people with social skills and a good understanding of communication and where that kind of behavior and character assassination is banned.
It's just that the consequences of stupidity in crypto are higher, as I said.
Gilmore's IPSEC claims have already assumed urban legend status. Since only 0.000001% of those who see Gilmore's claims will ever see threads like these, we can be assured that the legend will be retold over and over again.
47 comments
[ 4.4 ms ] story [ 89.0 ms ] threadThe power of strong and asymmetric cryptography led a lot of programmers into the belief that this is a political problem that can be solved with technical solutions but it is not.
Whether it is a subtle influence as is described here or as a heavy handed approach like in China, politics trump technological means.
If your government is actively trying to undermine the security and privacy of your technological solution, you need to be outspoken about it.
Something I find a bit disturbing is how much of our understanding of particular issues seems to depend on brilliant individuals. This is a bit like the Bernstein monoculture article that was discussed here recently but I'm also thinking of several of the items from Boneh's RSA attack overview paper, or maybe Xiaoyun Wang's hash function stuff.
Clearly all discoveries are going to be made and published by someone, but something about the academic field of cryptography keeps striking me as "wow, we're really lucky to have that person in this field". And that's a bit concerning because this phenomenon seems to suggest either that the field is still pretty small or still pretty immature, and in that sense may still be missing several important discoveries, for all the progress that it's made since the early nineties.
Bernstein is a bit of an odd duck in this regard, but if you look at some of the other "great personages of cryptography", you'll see that they're minting PhDs who are themselves going on to do important work, so the capacity of the field is expanding, not contracting to a single Bernstein monoculture point.
Bernstein's position in the field of practical cryptography is a product of an almost monomaniacal focus on commodity hardware performance and ease of use. The Bernstein monoculture will pass --- probably soon, after CAESAR finishes, or if people start taking pq crypto more seriously.
I think I had that sense about individual items there, like Coppersmith's attack.
> if you look at some of the other "great personages of cryptography", you'll see that they're minting PhDs who are themselves going on to do important work, so the capacity of the field is expanding, not contracting to a single Bernstein monoculture point.
That's great news.
It's like a marketing issue to me. He focused on what type of crypto there was a large demand for. His solutions now have the First Mover advantage. Others can still compete although his will stay widely deployed or long-lasting in legacy systems.
It's not just in crypto. I was looking at the guts of web sockets the other day and was like WHY WHY WHY WHY WHY. I usually find myself asking "what problem does this solve?" over and over when I look at modern systems.
Of course even with my strong bias against it I am still occasionally guilty of over engineering. I just rewrote a major system to de-engineer it. I just keep thinking I will need it even when I have YAGNI tattooed on the inside of my eyelids.
Unlike in politics, we've had success with technical solutions: strong E2E encrypted messaging is now normal, TLS is getting massive deployment, we have better crypto in general from key agreement to ciphers to libraries, and so much more.
To compare, what political solutions have equally improved the landscape? What's the political equivalent of getting Curve25519 into the hands of billions of users? What's the political equivalent of Signal Protocol going mainstream?
I've seen this same basic comment a lot in technical circles, and they ~all seem to subtly discredit technical solutions.
It makes me wonder: do people in political groups say, "let's stop with the political solutions and instead learn programming and cryptography and make technical solutions!" I sure hope not.
Just like all of the talk of crypto backdoors were DOA regardless of all the polticial rhetoric about its merits and downsides.
Do those people grow on trees? No, because it's a much less common specialisation than most others (like aiming for the financials industry, or statistics/analytics/big data) simply because of the number of paying jobs in each field.
It takes only a few years of mathematical training.
I'm not seeing the legitimate concern here.
Was it worth it? I guess for the stock prices of the contractors and the people the foreign power favors at the time. But everyone else gets screwed.
So who is in control of our country "now"?
"Intel Chiefs Presented Trump With Claims That Russia Has ‘Compromised’ Him" - http://nymag.com/daily/intelligencer/2017/01/cia-presented-t...
Just on face value of that statement, I suggest you temper the urge to emit hyperbole. ["influence" & "control"]
> CIA and FBI.
As far as national defense institutions go, I have far greater trust in the our military than the barely accountable agencies that cloak themselves in secrecy and operate in the shadows.
As far as Russian and their earlier incarnation as Soviets and influencing other nations, /and their populations/, I suggest you stop your (apparent) regiment of taking the word of Corporate media as gospel and acquaint yourself with the methodology of destabilizing target nations as practiced by the Russians. (They are old hands at it.)
Let me assure you: if this nation is destabilized and if well meaning but entirely naive Americans permit yourselves to be used as useful tools of external actors, America & Americans will be the biggest losers.
information allegedly includes a videotape of Trump watching several Russian sex workers urinate on the bed the Obamas slept in at the Ritz Carlton in Moscow.
Really? Who cares.
As to the second point, how dramatic. Russia rigged the US election? I far simpler explanation is that US politics really is on the path suggested in the film Idiocracy. You don't need an external enemy to account for your bizarre politics, yourselves will suffice.
If it's true, that Russia influenced the election, then the major scandal is not that Russia [whatever], rather it's that the US fell for it.
Anyway, I still have trouble getting past the idea that the Electoral College system in the US can result in a president who didn't win the popular vote. Before we go blaming anyone else for anything, perhaps we should get our own affairs in order. Generally speaking.
You believe pissgate was anything more than fanficfion/4chan trolling?
Further explanation:
https://news.ycombinator.com/item?id=13221923#13223326
I think this is the case, but I haven't confirmed it
I kind of feel like your comment here and the one you linked to are a bit of an appeal to authority - for me anyway, I'm no expert in this area, and you appear to know what you're talking about (generally speaking).
But then you added this gem at the end of the link comment:
Enemy action? No. Crypto standards groups don't need enemy action. They are intrinsically evil, and need to be avoided.
Yep, Design by Committee.
I read your comment and I find the topic/context is possiblly too vague or complex to use this as a reference. Not that your not busy enough, but it would be useful for progressing this discussion going forward.
We'd all benefit from not obsessing over crypto standards as lay people and let the professionals handle that for us. I don't have to trust that they'll be honest but trusting that nerds will work towards the optimal technical system is sufficient for me. Instead rather focusing on the implementation issues (or lack there of) that the general HN audience is more inclined to specialize in.
The IPSEC working group discussions I've read are infuriating. I hope it's clear that I believe cryptographic scientists could have improved IPSEC, but were prevented from doing so by cliques in the IETF. That's the "douchebaggery" I'm talking about.
I have different personal feelings about different people involved in this drama. But I don't mean to compound those feelings into the point I'm trying to making. I'm afraid that's what I end up doing when I use words like "douche". So: my apologies. I'd delete that part of my comment if I could.
Over engineering is an absolute plague in software. In ordinary cases it just makes things buggy, hard to maintain, and bloated and inefficient. In crypto though the consequences are much more severe since every little ounce of complexity in a cryptosystem exponentially increases the likelihood of exploitable bugs.
DJB's boring crypto talk is worth reading:
http://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf
Phil Rogaway is one of the world's great cryptographers; it's from him that we get OCB, OAEP, PSS, UMAC, XTS, SIV, and many others. Even non-cryptographers might be familiar with him for his "Moral Character of Cryptography" paper†.
I finagled a spot next to him at a dinner in Chicago once and asked him why he doesn't participate in IETF crypto standards (even with a recent renaissance of CFRG with Kenny Paterson at the helm, more expertise is badly needed). The impression I got from his answer is that he'd foresworn that kind of work.
If you look at his experience trying to contribute to the IPSEC standard, you can see why: he enters mailing list threads making clear, obvious statements about cryptographic soundness --- for instance, "it's a bad idea to chain CBC IVs". He's immediately attacked --- and attacked personally, for instance by being referred to as a "so-called" cryptographer (or something like that; I'm going from memory) by a clique of standards nerds. Rogaway goes so far as to circulate a petition/critique from other cryptographers --- people like Ron Rivest --- and that's shot down as well. The standard is finalized with things like chained IVs in it.
That's not enemy action. Or, if it is, the enemy is the standards process, not the NSA.
† http://web.cs.ucdavis.edu/~rogaway/papers/moral.html*
That would be an astoundingly stupid thing to say about Phil Rogaway...
It appears that by failing to be as vicious as possible about Phil Rogaway's lack of understanding of the architecture of IPSP that I have inspired people to take him seriously. It also appears that Phil has been lobbying people to have them comment. I can understand how even an intelligent reader, going through his comments, could become confused about the architectural issues here. However, let me say that I found his comments to be almost completely without merit. Other than a few comments about places where the text used ambiguous language (i.e. textual ambiguity) I found almost nothing of value in what he had to say.
Later:
Found it. It's Bill Simpson:
Emphasis mine.The irony is that the IETF was created in part as a reaction to these standards group pathologies. But they're too powerful to resist.
[1] http://theory.csail.mit.edu/ftp-data/pub/ftp/people/rivest/i...
It's just that the consequences of stupidity in crypto are higher, as I said.
http://www.mail-archive.com/cryptography@metzdowd.com/msg124...
another one: http://www.mail-archive.com/cryptography@metzdowd.com/msg124...
Reposting spurious allegations years after they've been debunked does not help anyone.
I had no idea this was the case.