On Thu, Sep 8, 2016 at 1:53 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> The only data point I have is that every time I've tried to disable DES in
> a new release (and by DES I mean single DES, not 3DES) I've had a chorus of
> complaints about it vanishing.
>
> ...
>
> Alarms, for example, send data
> quantities measured in bytes, so some academic attack that would take 500
> million years to acquire the necessary data isn't going to lose anyone any
> sleep. It's a nice piece of work, but you need to look at what practical
> effect it has on real, deployed systems...

To this class of examples, the problem seems to be less the implications for security of the specific systems making use of weak crypto, and more the effect the survival of weak options for crypto might have on other systems. We don't want more general systems to be subject to attacks that may not be applicable to the resource-constrained target systems, but that requires us to answer a few questions about those constrained systems:

(1) Is the target system isolated, such that a compromise cannot either leverage transitive trust to another system or provide an attacker a beach head from which to attack (surreptitiously probe, etc.) other systems?

(2) Is the weak crypto being used by the target system in a way that renders both the known and expected attacks inapplicable?

If we can answer #1 "yes", then all a user is dealing with is a device that might malfunction in a well-defined/delineable way upon compromise, with no impact on other systems. It might be hard to definitively answer because, for instance, a light bulb malfunctioning might create a safety incident if the light bulb is a control panel indicator for some problem, so I don't want to minimize the difficulty of coming to a "yes" answer here. If the answer to #1 is "no" or is too difficult to answer, however, then we have to actually analyze the weaknesses in the crypto with respect to how the device could be used.
Where I'm going with this is that #1 is going to be particularly difficult to answer if the protocol making use of the weak crypto is TLS and the device is connected to the internet, simply because the potential for complex interactions is so high. The safest course may be to continue to deprecate weak crypto for TLS, IPsec, etc. under the assumption that the systems making use of those protocols are both powerful enough and well-connected enough to cause a problem if compromised.

Nothing stops resource-constrained systems from continuing to use old implementations of TLS that do support weak crypto, though I question the wisdom of producing parts with no upgrade path that speak such a complex, general transport protocol rather than something naturally 0-RTT in the steady state that would use less CPU and power, have a smaller TCB, and not rely on an ASN.1 implementation for domain isolation (e.g., Kerberos).

Which leads directly into the issue of the potential for implementation vulnerabilities, something that is probably even more likely to lead to loss of control than weak crypto, and which may ultimately force users to demand IoT devices for which the answer to #1 is always "yes". So I wonder if all the worrying about weak crypto is just a red herring compared with the exploits we are actually going to encounter.

Kyle
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
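Added worked example, not part of Kyle's or Peter's messages: the disagreement above is really about data volume. Peter's alarm sends bytes per day, so an attack that needs a large amount of ciphertext under one key is irrelevant to it; Kyle's worry is the general-purpose system that keeps the same cipher suite enabled and pushes gigabytes through it. The thread names no specific attack, so the code below assumes (an assumption, not something the thread states) a birthday-bound collision attack against the 64-bit block size of DES, where a collision becomes likely after about 2^(n/2) blocks under one key. It computes how long a passive observer would have to wait at a given traffic rate, for the 64-bit block of DES/3DES and the 128-bit block of AES, and gives a yes/no answer for a hypothetical key lifetime. The traffic rates and the `key_lifetime_years` parameter are constructed inputs, not figures from the thread.

```python
"""Birthday-bound data volume for a block cipher versus observed traffic rate.

Added illustration for the TLS-list thread on weak crypto in constrained
devices. Assumes the attack of interest is a block-collision (birthday)
attack: after roughly 2**(block_bits/2) blocks encrypted under one key a
block collision is likely. Rates and lifetimes below are constructed.
"""

BYTES_PER_KIB = 1024
BYTES_PER_GIB = 1024 ** 3
DAYS_PER_YEAR = 365.25


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes of ciphertext under one key at which a block collision is likely.

    2**(block_bits/2) blocks, each block_bits/8 bytes long.
    """
    if block_bits % 16 != 0:
        raise ValueError("block size must be a multiple of 16 bits")
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def years_to_collect(block_bits: int, bytes_per_day: float) -> float:
    """Years a passive observer needs, at a steady rate under one key,
    before birthday-bound data volume has been seen."""
    if bytes_per_day <= 0:
        raise ValueError("traffic rate must be positive")
    return birthday_bound_bytes(block_bits) / (bytes_per_day * DAYS_PER_YEAR)


def attack_practical(block_bits: int, bytes_per_day: float,
                     key_lifetime_years: float) -> bool:
    """True if the birthday-bound volume is reachable within the key's
    lifetime, i.e. the cipher's block size is a real risk at this rate.
    key_lifetime_years is a hypothetical parameter supplied by the caller."""
    return years_to_collect(block_bits, bytes_per_day) <= key_lifetime_years


def triage_table() -> list:
    """Constructed scenarios: an alarm that sends a kibibyte a day and a
    general-purpose server that sends a gibibyte a day, each with a
    hypothetical one-year key lifetime, for 64- and 128-bit blocks."""
    scenarios = [
        ("alarm, 1 KiB/day", BYTES_PER_KIB),
        ("server, 1 GiB/day", BYTES_PER_GIB),
    ]
    rows = []
    for name, rate in scenarios:
        for cipher, bits in (("DES/3DES", 64), ("AES", 128)):
            rows.append((name, cipher,
                         years_to_collect(bits, rate),
                         attack_practical(bits, rate, key_lifetime_years=1.0)))
    return rows


if __name__ == "__main__":
    for name, cipher, years, practical in triage_table():
        print(f"{name:18s} {cipher:9s} {years:12.3g} years  "
              f"{'RISK' if practical else 'not reachable'}")
```

For a 64-bit block the bound is 2^32 blocks of 8 bytes, 32 GiB. At a kibibyte per day that is on the order of ninety thousand years, which is Peter's point; at a gibibyte per day it is about a month, which is Kyle's. Raising the block size to 128 bits moves the bound to 2^68 bytes, far beyond either rate, so the same traffic profile that makes DES harmless on an alarm does not generalise to the rest of the deployed base.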