
Cryptography Discussion: Speculation on "BULLRUN" (2013) - wfunction
http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html
======
Iv
Said it before and will say it again: privacy on internet is a technical
problem only up to a certain point. It becomes a political problem at one
point.

The power of strong and asymmetric cryptography led a lot of programmers into
the belief that this is a political problem that can be solved with technical
solutions but it is not.

Whether it is a subtle influence as is described here or as a heavy handed
approach like in China, politics trump technological means.

If your government is actively trying to undermine the security and privacy of
your technological solution, you need to be outspoken about it.

~~~
aburan28
Another point to add to yours is that there are so few people capable of
understanding these convoluted protocols and cryptosystems. How many people
are actively attempting to find weaknesses in AES, Elliptic Curves, SHA1, DLP,
IFP? Also, oftentimes those people currently examining these systems are the
same exact people that were performing the state of the art cryptanalysis in
the 90's.

~~~
tptacek
Like, the whole academic field of cryptography?

~~~
schoen
It's impressive how much progress that field has made since the 1990s. I know
there are other criticisms of _Applied Cryptography_, but we understand so
much now that we didn't at the time it appeared.

Something I find a bit disturbing is how much of our understanding of
particular issues seems to depend on brilliant individuals. This is a bit like
the Bernstein monoculture article that was discussed here recently but I'm
also thinking of several of the items from Boneh's RSA attack overview paper,
or maybe Xiaoyun Wang's hash function stuff.

Clearly all discoveries are going to be made and published by _someone_, but
something about the academic field of cryptography keeps striking me as "wow,
we're really lucky to have _that person_ in this field". And that's a bit
concerning because this phenomenon seems to suggest either that the field is
still pretty small or still pretty immature, and in that sense may still be
missing several important discoveries, for all the progress that it's made
since the early nineties.

~~~
tptacek
That's kind of a strange takeaway from Boneh's RSA attack paper, which is a
survey of other researchers; IIRC, no two of the attacks in that paper came
from the same researcher.

Bernstein is a bit of an odd duck in this regard, but if you look at some of
the other "great personages of cryptography", you'll see that they're minting
PhDs who are themselves going on to do important work, so the capacity of the
field is expanding, not contracting to a single Bernstein monoculture point.

Bernstein's position in the field of practical cryptography is a product of an
almost monomaniacal focus on commodity hardware performance and ease of use.
The Bernstein monoculture will pass --- probably soon, after CAESAR finishes,
or if people start taking pq crypto more seriously.

~~~
schoen
> That's kind of a strange takeaway from Boneh's RSA attack paper, which is a
> survey of other researchers; IIRC, no two of the attacks in that paper came
> from the same researcher.

I think I had that sense about _individual_ items there, like Coppersmith's
attack.

> if you look at some of the other "great personages of cryptography", you'll
> see that they're minting PhDs who are themselves going on to do important
> work, so the capacity of the field is expanding, not contracting to a single
> Bernstein monoculture point.

That's great news.

------
tptacek
It's amusing to me that this keeps coming up, because I'm 99.9% sure I know
exactly who Gilmore is referring to here, and they're definitely not an NSA
operative. Never attribute to state-sponsored malice that which is adequately
explained by simple douchebaggery.

Further explanation:

[https://news.ycombinator.com/item?id=13221923#13223326](https://news.ycombinator.com/item?id=13221923#13223326)

~~~
TheSpiceIsLife
From your linked comment:

 _I think this is the case, but I haven't confirmed it_

I kind of feel like your comment here and the one you linked to are a bit of
an _appeal to authority_ - for me anyway, I'm no expert in this area, and you
appear to know what you're talking about (generally speaking).

But then you added this gem at the end of the link comment:

 _Enemy action? No. Crypto standards groups don't need enemy action. They are
intrinsically evil, and need to be avoided._

Yep, Design by Committee.

~~~
tptacek
I'm not seeing the appeal to authority. I'm saying I looked into Gilmore's
claim about the IPSEC working group shenanigans, particularly about CBC IVs,
that Gilmore appears to be wrong, and that the reality is komedy gold.

~~~
TheSpiceIsLife
I meant insofar as I personally find myself thinking _tptacek_ is usually on
the ball. I meant I find myself deferring to the knowledge of HN comments.
Probably didn't word it right.

------
dguido
There's a reply _in the thread_ that directly refutes all these claims about
IPSEC:

http://www.mail-archive.com/cryptography@metzdowd.com/msg12497.html

another one: http://www.mail-archive.com/cryptography@metzdowd.com/msg12411.html

Reposting spurious allegations years after they've been debunked does not help
anyone.

~~~
wfunction
> Reposting spurious allegations years after they've been debunked

I had no idea this was the case.

~~~
tptacek
Gilmore's IPSEC claims have already assumed urban legend status. Since only
0.000001% of those who see Gilmore's claims will ever see threads like these,
we can be assured that the legend will be retold over and over again.

------
diafygi
And we just experienced a major consequence of the culture of agencies
favoring offense over defense. The NSA could have been working with American
companies to help secure their systems instead of hoarding exploits. And now
civilian organizations are vulnerable to hacking by foreign powers. Election
manipulation is what you get when you favor offense over defense. We're now
not in control of our own country anymore.

Was it worth it? I guess for the stock prices of the contractors and the
people the foreign power favors at the time. But everyone else gets screwed.

~~~
eternalban
> We're now not in control of our own [country] anymore.

So who is in control of our country "now"?

~~~
diafygi
Russia has effectively compromised President Trump, according to the CIA and
FBI.

"Intel Chiefs Presented Trump With Claims That Russia Has ‘Compromised’ Him"
- http://nymag.com/daily/intelligencer/2017/01/cia-presented-trump-with-claims-that-russia-compromised-him.html

~~~
TheSpiceIsLife
It's hard to take seriously an article and media outlet that claims the Number
1 "explosive allegation" is this:

 _information allegedly includes a videotape of Trump watching several Russian
sex workers urinate on the bed the Obamas slept in at the Ritz Carlton in
Moscow._

Really? Who cares.

As to the second point, how _dramatic_. Russia rigged the US election? A far
simpler explanation is that US politics really is on the path suggested in the
film Idiocracy. You don't need an _external enemy_ to account for your bizarre
politics; yourselves will suffice.

~~~
nitrogen
The allegation in the media was that Russia hacked the DNC email servers to
discredit Clinton and allow Trump to win.

~~~
TheSpiceIsLife
Right, I got that. I was attempting to draw attention to the fact that the
article I was referring to put the erotica _first_ in the enumerated list.

If it's true, that Russia influenced the election, then the major scandal is
not that Russia [whatever], rather it's that the US _fell for it_.

Anyway, I still have trouble getting past the idea that the Electoral College
system in the US can result in a president who didn't win the popular vote.
Before we go blaming anyone else for anything, perhaps we should get our own
affairs in order. Generally speaking.

------
api
While it could be the NSA, I think with things like IPSEC simple over
engineering is more likely.

Over engineering is an absolute plague in software. In ordinary cases it just
makes things buggy, hard to maintain, and bloated and inefficient. In crypto
though the consequences are much more severe since every little ounce of
complexity in a cryptosystem exponentially increases the likelihood of
exploitable bugs.

DJB's boring crypto talk is worth reading:

http://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf

~~~
tptacek
It was a combination of over-engineering, a lack at the time of understanding
of the field of cryptography and a pervasive belief among IETF types that the
field could be understood from first principles by anyone who was good at
Unix, and standard-issue bloody-mindedness.

Phil Rogaway is one of the world's great cryptographers; it's from him that we
get OCB, OAEP, PSS, UMAC, XTS, SIV, and many others. Even non-cryptographers
might be familiar with him for his "Moral Character of Cryptography" paper†.

I finagled a spot next to him at a dinner in Chicago once and asked him why he
doesn't participate in IETF crypto standards (even with a recent renaissance
of CFRG with Kenny Paterson at the helm, more expertise is badly needed). The
impression I got from his answer is that he'd foresworn that kind of work.

If you look at his experience trying to contribute to the IPSEC standard, you
can see why: he enters mailing list threads making clear, obvious statements
about cryptographic soundness --- for instance, "it's a bad idea to chain CBC
IVs". He's immediately attacked --- and attacked personally, for instance by
being referred to as a "so-called" cryptographer (or something like that; I'm
going from memory) by a clique of standards nerds. Rogaway goes so far as to
circulate a petition/critique from other cryptographers --- people like Ron
Rivest --- and that's shot down as well. The standard is finalized with things
like chained IVs in it.

That's not enemy action. Or, if it is, the enemy is the standards process, not
the NSA.

† http://web.cs.ucdavis.edu/~rogaway/papers/moral.html
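
The "chained CBC IVs" point that this comment and tptacek's earlier one about the IPSEC working group both refer to, shown as an added example that is not code from the thread, from Rogaway, or from any IPsec implementation. If message n+1 takes as its IV the last ciphertext block of message n, an attacker who sees the traffic knows the next IV before choosing what gets encrypted, and can then confirm guesses about any earlier plaintext block with one chosen-plaintext query per guess. The block cipher here is a toy 4-round Feistel network over HMAC-SHA256 standing in for AES (the attack treats it as a black box either way); the `CbcSender` class, the header/PIN message, and the `recover_pin` and `demo` names are all constructed for this illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # HMAC-SHA256 used as a keyed PRF, truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network over HMAC-SHA256.

    It stands in for AES so the example runs with the standard library only;
    the attack below treats it as a black box, exactly as it would AES-CBC.
    """
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


class CbcSender:
    """CBC encryptor (constructed for this example).

    chain_ivs=True:  the IV of each message is the last ciphertext block of the
                     previous message (the chaining Rogaway objected to).
    chain_ivs=False: every message gets a fresh random IV.
    """

    def __init__(self, key: bytes, chain_ivs: bool):
        self.key = key
        self.chain_ivs = chain_ivs
        self.last_block = os.urandom(BLOCK)  # IV of the very first message

    def encrypt(self, plaintext: bytes):
        assert len(plaintext) % BLOCK == 0
        iv = self.last_block if self.chain_ivs else os.urandom(BLOCK)
        prev, out = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = encrypt_block(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last_block = prev
        return iv, b"".join(out)


def recover_pin(sender: CbcSender, iv: bytes, ct: bytes, target_index: int):
    """Chosen-plaintext attack on CBC with predictable IVs.

    To test whether plaintext block P[i] of an observed message equals a guess
    G, the attacker has the single block  G xor C[i-1] xor IV_next  encrypted.
    CBC then computes E(G xor C[i-1] xor IV_next xor IV_next) = E(G xor C[i-1]),
    which equals the observed C[i] exactly when G == P[i].  With chained IVs
    the attacker knows IV_next: it is the last ciphertext block just observed.
    """
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    c_prev, c_target = blocks[target_index], blocks[target_index + 1]
    last_seen = ct[-BLOCK:]                 # attacker's prediction of the next IV
    for guess in range(10000):              # a 4-digit PIN has only 10^4 values
        g = ("PIN=%04d" % guess).encode().ljust(BLOCK, b"\x00")
        probe = xor(xor(g, c_prev), last_seen)
        _, probe_ct = sender.encrypt(probe)  # attacker-chosen plaintext
        last_seen = probe_ct[-BLOCK:]        # next predicted IV if chaining
        if probe_ct[:BLOCK] == c_target:
            return "%04d" % guess
    return None


def demo(chain_ivs: bool, pin: str = "4071"):
    key = os.urandom(32)
    sender = CbcSender(key, chain_ivs)
    # Constructed victim message: block 0 is a header, block 1 a low-entropy secret.
    header = b"HDR: user=alice".ljust(BLOCK, b" ")
    secret = ("PIN=" + pin).encode().ljust(BLOCK, b"\x00")
    iv, ct = sender.encrypt(header + secret)
    return recover_pin(sender, iv, ct, target_index=1)


if __name__ == "__main__":
    print("chained IVs:", demo(True))    # recovers the PIN
    print("random IVs :", demo(False))   # None: the probe's IV cannot be predicted
```

With chaining, each guess costs the attacker one encryption query and the PIN falls out after at most 10,000 of them; with a fresh random IV per message the probe's CBC input is unpredictable, so the equality test never fires and the attacker learns nothing. The same predictable-IV structure is what the BEAST attack later exploited against TLS 1.0's chained CBC IVs, which is why every modern CBC mode specification requires an unpredictable IV per message.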

~~~
Ar-Curunir
> "so-called" cryptographer

That would be an astoundingly stupid thing to say about Phil Rogaway...

~~~
tptacek
I'll find the actual mailing list post, but to get a flavor for what Rogaway
dealt with at IPSEC, here's a snippet from a post Pinboard coughed up for a
simple [rogaway ipsec] search. This is Perry Metzger, who is just my favorite.

 _It appears that by failing to be as vicious as possible about Phil Rogaway's
lack of understanding of the architecture of IPSP that I have inspired
people to take him seriously. It also appears that Phil has been lobbying
people to have them comment. I can understand how even an intelligent reader,
going through his comments, could become confused about the architectural
issues here. However, let me say that I found his comments to be almost
completely without merit. Other than a few comments about places where the
text used ambiguous language (i.e. textual ambiguity) I found almost nothing
of value in what he had to say._

Later:

Found it. It's Bill Simpson:

    
    
        > You do not facilitate analysis
        > by saying that Photuris is only required to work when its
        > primitives are drawn from a certain concrete set of possibilities;
        > exactly the opposite-- you render cryptographic analysis impossible.
        >
        Thank you, thank you!
    
        It gladdens my heart to hear that *self-described cryptographers* find
        that analysis is impossible!
    
        I was worried that there would be some subtle flaw that would facilitate
        cryptanalysis.  Now that you have assured us that it is not possible,
        that makes Photuris the only protocol that has ever come to perfection!
    

Emphasis mine.

~~~
Ar-Curunir
Wow, this Bill Simpson person does not sound like a nice person, nor a smart
one...

~~~
tptacek
Here is the problem: Bill Simpson is actually _very_ smart, and well-
respected. But IETF-land is an alternative universe that strongly prefers its
own norms and processes above any other influences. People get involved in
standards work and build social capital within IETF working groups, and feel
threatened by and dismissive of outsiders. This happens with, I think, all
standards groups.

The irony is that the IETF was created in part as a reaction to these
standards group pathologies. But they're too powerful to resist.

~~~
api
... and now we know why most network protocols are over engineered junk.

------
debatem1
Regarding end-to-end encryption on phone calls, it's pretty much illegal for
telcos to deploy in the US or Europe due to lawful intercept requirements.
That, not NSA meddling in standards committees, is what keeps carriers from
deploying it.

------
aburan28
Just take for example Elliptic Curves which sit at the crossroads of analytic
theory, theory of functions, abstract algebra, algebraic geometry and number
theory. It is nearly impossible for a single person to bear the cognitive
overhead needed just to understand how might one approach attacking Elliptic
Curve systems

~~~
Ar-Curunir
Not really, there's a bunch of groups around the world that work on breaking
elliptic curve crypto.

It takes only a few years of mathematical training.

~~~
tptacek
Seriously. It takes something like seven years, not counting undergraduate
studies, to become a practicing physician. And once you achieve that, you can
still only handle one physician's worth of case load. It takes _far_ less time
to learn enough math to become dangerous to a particular subfield of
cryptography --- and once you achieve that, you have a decent shot at changing
the state of the art _for the entire world_.

I'm not seeing the legitimate concern here.

