Recently in COMSEC Category

This paper on a new fault-based attack on RSA has been making the rounds (Pellegrini, Bertacco, and Austin, "Fault-Based Attack of RSA Authentication). The general idea here is that you have a system that is doing RSA signatures (e.g., an SSL/TLS Web Server). You induce faults in the signature computation by reducing the power to the processor, which causes the process to produce invalid signatures which can then be analyzed by the attacker to recover the private key. They demonstrate this attack on OpenSSL.

Theoretically, this is interesting, but I'm not sure how much practical impact it has: in order to mount this attack, you need direct physical access to the machine in order to control the input voltage supply. Unless you're working with a computer that is fairly heavily secured, physical access generally translates into being able to take control of the device and extract the private key in any case. Second, the attack as implemented was performed on a FPGA-based SPARC implementation, and the researchers seem to have directly controlled the input power to the processor. In most computers (though DC-based datacenters may be different) the power to the chip is pretty heavily controlled by the power supply, and so it's at least an open question if you would be able to get good control over the chip input voltage by manipulating the AC line voltage. So, it's not like there are a huge number of environments in which this attack would be feasible.

Based on my reading of this paper, because the attack relies on invalid signatures, the simple countermeasure is just to check signatures before you emit them, which OpenSSL doesn't currently do (I'm not sure I agree wih the authors call OpenSSL's failure to do this a "serious vulnerability", but I'm not sure I agree with this characterization, since my understanding is that it's pretty standard practice not to do so). Because RSA signature verification is about 20x faster than RSA signature generation, adding this additional check would not cause significant performance overhead. However, even without this countermeasure, this doesn't seem like a significant risk to most uses of RSA.

OpenDNS (a free DNS service) has decided to adopt DNSCurve to secure its traffic. Some background might be helpful here: DNS, of course, is susceptible to a variety of forgery attacks, which is why the IETF has spent approximately 10 trillion man hours developing DNSSEC. There's a fair amount of dissatisfaction with DNSSEC (I'm not that thrilled with it either) and Dan Bernstein has developed an alternative called DNSCurve.

At a very high level, the approaches stack up like this:

• DNSSEC is an object security system. Each DNS zone has an asymmetric (public/private) key pair which is used to sign the records in the zone.
• DNSCurve is a channel security system. Each DNS server has a Diffie-Hellman (actually ECDH) key pair. When a client connects to the server, it does an ECDH key exchange and the shared key is used to authenticate traffic between the client and server.

The primary argument for DNSCurve seems to be performance: DNSCurve has better performance than DNSSEC in two respects: the packets are smaller and under certain conditions the load on the server is lower. These properties are related but not identical. The packets are smaller partly because DNSSEC replaces the digital signature with a symmetric integrity check. These can be a lot smaller than digital signatures using RSA (and a fair bit smaller than even the smallest digital signatures). Second, because DNSCurve uses elliptic curve cryptography, the keys that need to be carried in packets are smaller. (This is mostly relevant in packets which carry the key for a zone rather than packets which carry other data).

The packet size argument is straightforward. The load argument is more complicated. As I noted above, DNSCurve uses elliptic curve cryptography, which is faster and has smaller keys than RSA (the basic algorithm used by by DNSEC). This means that it's inherently faster to set up a DNSCurve association than it is to sign a DNSSEC record using RSA. In addition, DNSCurve has a mechanism for the client and server to cache the DH shared secret. The upshot of this is that it's substantially cheaper to authenticate a new DNS record with DNSCurve than it is with DNSSEC. In the worst case, it involves an ECDH operation. In the best case, it just involves a symmetric crypto operation. So, in this respect the performance of DNSCurve is superior.

However, this isn't really a heads-up comparison: in the DNSSEC model, you sign the zone once whenever it changes (possibly using a key thats kept offline) and then just send copies of it to any requester, so no cryptographic operations are needed after the initial signature. By contrast, because DNSCurve uses a symmetric, rather than asymmetric, integrity mechanism, the DNS server needs to compute that integrity check for each new request. This means that while DNSCurve is faster if you change your DNS data frequently and don't serve that many requests, it's slower if you don't change it often but serve a lot of requests. In addition, it means that while DNSSEC signing can be done offline with a key that is never on an Internet accessible machine, DNSCurve requires that the private key to the zone be kept on the DNS server, thus potentially exposing it to theft if the server is compromised. By contrast, if DNSSEC is used in an offline signing mode, then compromise of the server does not enable forgery attacks. Where DNSCurve has a major advantage is if your server provides dynamic responses (e.g., for DNS load balancing), in which case offline signing isn't that useful and the performance advantage of DNSCurve is most significant.

It's also worth noting that the use of faster algorithms isn't an inherent advantage of DNSCurve. DNSSEC (like all relatively modern COMSEC protocols) supports multiple algorithms and there have been proposals to add ECC (see, for instance, draft-hoffman-dnssec-ecdsa). An ECDSA-enabled DNSSEC would still be slower than DNSCurve if run in a dynamic environment, but performance would be a lot closer and how much slower would depend on how many repeat requests you got from the same client; if each client only makes one request, then performance would be more or less equivalent. The packet size of ECC DNSSEC would be a little worse, but probably not enough worse to make a big difference.

This isn't to say that there aren't other factors to consider (see the DNSCurve site for the other arguments in favor of DNSCurve). However, the performance argument doesn't seem to me to be dispositive, since which solution is faster depends on your deployment model and assumptions about the client environment.

For some reason, the silly idea of universal personal authentication for Internet users seems to have an undue appeal on tech executives. Here's Barbara Kiviat reporting on Microsoft's Craig Mundie:

What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).

...

Mundie pointed out that in the physical world we are implicitly comfortable with the notion that there are certain places we're not allowed to go without identifying ourselves. Are you allowed to walk down the street with no one knowing who you are? Absolutely. Are you allowed to walk into a bank vault and still not give your name? Hardly.

This is one of those ideas that comes up so often and initially seems like a natural analogy, but on closer inspection just starts to look confused.

First, a drivers license isn't principally a form of general purpose authentication but rather a permit from the state to drive. It has a biometric component in order to permit the police to determine that you're the actual holder of the permit and not someone who just has their license. Of course, because the license is so ubiquitous, it's widely used as a form of general ID, but if you do something to lose your license, the state will still issue you an identification card; indeed you can generally get an id card even if you're ineligible to drive. (Here's what California has to say). So, on the one hand Mundie says you don't have a right to complete anonymity (which I at least sort of agree with) and that his proposed Internet driver's license would serve as a form of ID and on the other hand, he suggests that you could lose your right to use the Internet for some unspecified set of misbehaviors. So, which is it, a permit or a form of ID?

Second, if it's a permit, under what conditions might it be revoked? Having your machine compromised? Failure to keep your software updated? If it's just for bad system hygiene then you're going to see a huge number of revocations. If it's for actual malfeasance then aren't you just going to revoke the licenses of people who would be in serious legal jeopardy in any case? Internet security problems come from two kinds of users: those who are genuinely malicious and those who are just careless. The problem with the first is finding them, not punishing them once you've done so. As for the second, revoking their right to use the Internet seems rather excessive.

On the other hand, if the idea is to just have a form of ID, then I don't really see why we need something government sponsored. Can't sites decide for themselves whether to to try to authenticate you?

This is seriously not good. It turns out that both military aircraft and drones transmit unencrypted video feeds of their activities:

How'd the militants manage to get access to such secret data? Basically by pointing satellite dishes up, and waiting for the drone feeds to pour in. According to the Journal, militants have exploited a weakness: The data links between the drone and the ground control station were never encrypted. Which meant that pretty much anyone could tap into the overhead surveillance that many commanders feel is America's most important advantage in its two wars. Pretty much anyone could intercept the feeds of the drones that are the focal point for the secret U.S. war in Pakistan.

Using cheap, downloadable programs like SkyGrabber, militants were apparently able to watch and record the video feed - and potentially be tipped off when U.S. and coalition forces are stalking them. The $26 software was originally designed to let users download movies and songs off of the internet. Turns out, the program lets you nab Predator drone feeds just as easily as pirated copies of The Hangover.

And here's the real scandal: Military officials have known about this potential vulnerability since the Bosnia campaign. That was over 10 years ago. And, as Declan McCullagh observes, there have been a series of government reports warning of the problem since then. But the Pentagon assumed that their adversaries in the Middle East and Central Asia wouldn't have the smarts to tap into the communications link. That's despite presentations like this 1996 doozy from Air Combat Command, which noted that that "the Predator UAV is designed to operate with unencrypted data links."

...

Meanwhile, military officials assure are scrambling to plug the hole. "The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones," the Journal notes. "Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes."

So, obviously this isn't the best design anyone has ever heard of. It would be interesting to ask whether the control channels used to send commands to the drones are are similarly unprotected.

In any case, there are two major technical obstacles to adding encryption to a system like this. The first is key management, as mentioned in the first linked article; you need to somehow get keys to the relevant people. The second is the problem of sending encrypted data around, as mentioned in the last graf.

I'm not overly worried about the need to upgrade individual network elements in between the drones and the operators: unless those elements actually process the data instead of passing it along, they should be relatively indifferent to whether the video is encrypted or not. I can imagine a couple of types of processing that would cause problems. For instance, if the intermediate elements compress the data with some lossy compression algorithm, this will interact badly with encrypted data, which is not only incompressible but also extremely sensitive to any damage. But if they're just relaying the data (which seems likely given that this seems to be all built with commodity protocols), that seems unlikely to cause any problems. It's not like all the routers on the Internet need to be upgraded whenever you get a new version of your Web browser.

As usual, the key management problem is more serious, as suggested by this paragraph:

"Can these feeds be encrypted with 99.5 percent chance of no compromise? Absolutely! Can you guarantee that all the encryption keys make it down to the lowest levels in the Army or USMC [United States Marine Corps]? No way," adds a second Air Force officer, familiar with the ROVER issue. "Do they trust their soldiers/Marines with these encryption keys? Don't know that."

As there are no encryption keys at all in the current environment, it's hard to see how the situation could get any worse by giving them to every marine in the field, but it's understandable that one would want to do a little better. In this case, we actually have two kinds of capabilities to deal with: those required to view the video feed and (in the case of drones) those required to remotely control them. These aren't necessarily going to be issued to the same people: you may want soldiers in the field to be able to view the video feed from the drones, but fun as it might be there's no real reason to let them pilot the thing. Since only authorized pilots are likely to be allowed to operate the drone, key management here seems pretty simple: just have a key manually shared between the operator and the drone.

One-way video feeds to soldiers in the field require a slightly more sophisticated system, but it's not inherently complicated, as we can use the same schemes used for broadcast encryption: We have a key of the day (or the hour or whatever) and we use that to encrypt the video. Each device has its own key and we periodically broadcast the key of the day encrypted under the device key. If a device gets lost or stolen, we just stop encrypting under that key. This doesn't work that well for video encryption because it's easy to get a decryption box and so attackers can just get a box and extract the key. Presumably soldiers in the field do a better job of keeping their viewing units in their possession and don't deliberately give them to the Taliban and we can periodically verify that they still have them. And as noted above, it's not like any encryption system we deploy is going to make the system less secure, so it's not like it has to be perfect.

Acknowledgement: Perry Metzger pointed this story out to me.

Cryptome has posted the lawful intercept compliance policies of a bunch of ISP and telephone providers. I haven't done more than skim these, but so far what's shocking seems to be how un-shocking they are. It's certainly no secret that network providers need to comply with law enforcement requests for lawful intercept, and the purpose of these guides seems to be to streamline the process by documenting what the LEA neads to provide in order to get an intercept. There seems to be some complaining on /. about the fact that these policies contain the the amount providers expect to be reimbursed for various kinds of activities, but given that (1) the providers do in fact have to comply with subpoenas and (2) CALEA provides for reimbursement, it's not like it's unreasonable for them to get reimbursed. At less than $100 per request, it's not like it's going to be a big revenue source for Yahoo.

A little more distressing is that none of the policies I looked at (remember I didn't study them that carefully) seem to explicitly say that they won't provide intercept services except when legally required to (this is not the same as when legally permitted to.) That's something I think I would like my service provider to adopt as a policy, but I can't say I'm surprised that they haven't done so.

Marsh Ray has published a new attack on the TLS renegotiation logic. The high level impact of the attack is that an attacker can arrange to inject traffic into a legitimate client-server exchange such that the TLS server will accept it as if it came from the client. This may allow the attacker to execute operations on the server using the client's credentials (e.g., order a pizza as the client). However, the attacker does not (generally) get to see the response. Obviously this isn't good, but it's not the end of the world. More details below.

TLS Details
The attack exploits TLS's renegotiation feature, which allows a client and server who already have a TLS connection to negotiate new parameters, generate new keys, etc. Renegotiation is carried out in the existing TLS connection, with the new handshake packets being encrypted along with application packets. The difficulty is that they're not otherwise tied to the channel, which gives the attacker a window. The simplest form of the attack is shown below [cribbed from draft-rescorla-tls-renegotiate.txt]

Client                        Attacker                        Server
------                        -------                         ------
                                  <----------- Handshake ---------->
                                  <======= Initial Traffic ========>
<--------------------------  Handshake ============================>
<======================== Client Traffic ==========================>

So, in order to mount the attack, the attacker first connects to the TLS server. He can communicate with the server as much as he wants, including making an arbitrary number of requests/responses, etc. This traffic is all encrypted and shown as ==. Then when he's ready, he hijacks the client's connection to the server (in practice he might start by hijacking the connection and then connect to the server but it doesn't matter) and just proxies the client's traffic over the encrypted channel. The client negotiates with the server and from that point on the client and the server communicate directly. Note that the client is communicating with the attacker in the clear but the second handshake is encrypted and goes over the attacker's channel. Thus, the client does not know that he is renegotiating. However, the server thinks that the initial traffic with the attacker is also from the client. There are also other (probably less useful) variants where both sides see a renegotiation but of different connections.

Impact on Existing Applications
TLS itself is just a security protocol, so the impact of this attack depends on the application protocol running over TLS. The most important of these protocols is of course HTTP over TLS (HTTPS). Most Web applications do initial authentication via a username/password pair and then persist that authentication state with HTTP cookies (a secret token that is sent with any request). An attacker might exploit this issue by sending a partial HTTP request of his own that requested some resource. This then gets prefixed to the client's real request.

E.g., the attacker would send:

GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1 
X-Ignore-This:

And leave the last line empty without a carriage return line feed. Then when the client makes his own request

GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1 
Cookie: victimscookie

the two requests get glued together into:

GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1 
X-Ignore-This: GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1 
Cookie: victimscookie

And the server uses the victim's account to send a pizza to the attacker.

You can mount a similar attack if the server uses certificate-based client authentication: it's common (well, common in the small number of cases where client certs are used at all) for the server to let the client connect and request a resource and then if the resource is protected renegotiate asking for a certificate. The attacker can exploit this by doing the initial handshake and asking for the resource and then letting the client do the renegotiation, at which point the server acts as if the initial request was made by the client.

It's important to note that in both the cases we just described the attacker doesn't get to see any sensitive information directly: that's just sent back encrypted to the client. However, he can exploit side effects of the exchange, e.g., to get a pizza. It may also be possible to exploit HTTP features to directly access the data. For instance, he might be able to generate a combined request that would cause the server (or perhaps somehow mirrored through the client) to send the original client request to the attacker. If the request contains the client's cookie or password, this would cause their credentials to leak. It's not clear to me if this is possible, but I'm hoping some of the Web security specialists will weigh in.

The impact on other protocols (IMAP, SIP, etc.) would depend on those protocols and I haven't seen complete analyses of these yet.

Mitigations
Eventually there will be a TLS level protocol fix (see below). However, in the meantime options are limited.

For 99+% of applications, the mitigation is very simple: the server should simply disable all renegotiation, which stops the attack. (OpenSSL will helpfully automatically renegotiate which facilitates the attack even if the application isn't otherwise set up to do renegotiation). Unfortunately, there is no similar defense on the client side. In the example I showed above, the client is unaware that renegotiation happened. Moreover, the client can't tell that the server will refuse renegotiation (it could explicitly probe but the attacker could of course fake a failure). So, the client can't really do anything useful to protect itself.

The second drawback is that there are a small number of cases (e.g., the certificate authentication one I described above) where renegotiation actually should happen. The most practical defense on the server side is to restructure the site so that requests which require client auth are redirected to a different address or port which always requests a certificate and itself refuses renegotiation. However, this obviously requires major work on many sites.

There are a few other legitimate reasons for renegotiation, but they're mostly things one doesn't need to do. For instance, people sometimes renegotiate to force the generation of fresh keying material. This is not necessary with modern cryptographic algorithms. Another example provided by Ray is sites that support algorithms with differential strength. Again, this isn't really necessary. Unless you're doing certificate-based client authentication it's very unlikely you need to renegotiate and if you are using it, the workaround above is the simplest.

Long-Term Defense
Despite the existence of some defenses, it seems clear that TLS should really defend against this. There's a fairly obvious defense that at least three people have independently come up with: carry information about handshake n-1 in handshake n (if n==1 you just carry an empty field). This prevents attacks where the client and server have different views of the negotiation state. The predisclosure group that worked on this after Ray discovered this worked to develop a draft describing this technique which can found at draft-rescorla-tls-renegotiate.txt and we'll be submitting it to the TLS working group shortly. Of course, this will take a very long time to make it into enough clients and servers to make a real difference, so for now we're mostly stuck with the mitigations I've described.

The Software Situation
People have also developed patches for existing implementations. These fall into two categories:

• Just disable renegotiation (really important for OpenSSL because of the aforementioned automatic renegotiation) issue.
• Implement the long-term fix.

As far as I know none of these have been formally released yet. Ben Laurie's OpenSSL disabling patch can be found here. I've developed a patch that performs the long-term fix protocol pieces but it doesn't disable non-fixed renegotiation so it's usable primarily for interop testing right now. That can be found here. Expect both of these to eventually appear in official OpenSSL distributions/patches. I don't know the release status of other fixes.

Big Picture Perspective
Now that we've covered how this attack works, how bad is it? It's being billed as a man-in-the-middle attack, but it's really far more limited than your classic MITM. Rather, it's a plaintext injection attack. I'm not saying that's good, but we need to put it into perspective: over the past two years, we have seen two separate issues that allow a complete TLS server impersonation: the Debian PRNG bug (see our paper here for a description of the issue [which we did not discover] and its impact) and the TLS certificate "NULL" issue. Both of these issues had much more severe impact since they allowed the attacker access to all the data sent by the client. However, it's worth noting that they differed from this issue in that they were detectable/fixable on the client side so people could in principle protect themselves. As a practical matter, however, most clients never checked the Debian keys against a blacklist, so that protection was minimal at best.

Second, it's important to remember that even simple MITM attacks with fake certificates don't seem that hard to mount. Cranor et al. report that users very frequently ignore browser warnings of bad certificates, which more or less obviates any security protections TLS provides. If the user will accept the attacker's certificate, there's no need to do anything as limited as the attack described here. Obviously, that's not information that should give you a huge amount of confidence in any form of Internet communications security, but it does provide some perspective on the marginal impact of this attack.

One other comparison point is a remote vulnerability in the server. TLS implementations have historically had and continue to have remote vulnerabilities which would allow an attacker to subvert the server. Such an attacker could read all your traffic to that server. As with this issue, you can't really detect that from the client side and need to rely on the server being upgraded. So, this issue is somewhat less serious than a remote vulnerability in a really popular server stack like OpenSSL. It's primarily unusual because it's an issue in the protocol not the software and those are quite rare.

Bottom Line
As I said at the beginning, this obviously isn't good. We'd like SSL/TLS to provide it's nominal security guarantees and it clearly doesn't. There likely to be exploitable attack paths using this issue. It's far less clear whether they will actually see exploitation, given that these attacks aren't necessarily as powerful as other already known paths. In the not too distant future you should expect most important servers to have fixed, at which point most of your Web server interactions will be safe (even though you can't verify it easily). In the long term, most clients and servers will adopt the protocol fix at which point clients will be able to be sure that the servers they are interacting with are safe.

Eugene Kaspersky argues that one should need to have a "passport" to use the Internet (via /.):

That's it? What's wrong with the design of the Internet?

There's anonymity. Everyone should and must have an identification, or Internet passport. The Internet was designed not for public use, but for American scientists and the U.S. military. That was just a limited group of people--hundreds, or maybe thousands. Then it was introduced to the public and it was wrong to introduce it in the same way.

I'd like to change the design of the Internet by introducing regulation--Internet passports, Internet police and international agreement--about following Internet standards. And if some countries don't agree with or don't pay attention to the agreement, just cut them off.

Isn't it enough to have everyone register with ISPs (Internet service providers) and have IP addresses made known?

You're not sure who exactly has the connection. I can have a Wi-Fi connection and connect using a password, or give away the password for someone else to use that connection. Or the connection could be hacked. Even if the IP address is traced to an Internet café, they will not know who the customer or person is behind the attacks. Think about cars--you have plates on the cars, but you also have driver licenses.

Unfortunately, Kaspersky didn't elaborate on how this would actually work, which is too bad because it's not really that clear to me how one would develop such a system. Let's stipulate for the moment that we had some mechanism for giving everyone who was allowed to access the Internet some sort of credential (the natural thing here would be an X.509 certificate, but of course you could imagine any number of other options). All that you would need to accoplish this would be to somehow positively identify every person on the planet, get them to generate an asymmetric key pair, issue them a certificate, and give them some way to move it around between all their Internet-connected devices (and it's not at all unusual to have both a PC and a smartphone), as well as find some way for them to use it in Internet cafes, libraries, etc. And of course, having the credential is the easy part: we still need to find some way to actually verify it.

At a high level, there are three places we could imagine verifying someone's credentials: (1) at the access point (2) in the network core (3) at the other endpoint. None of these is particularly satisfactory:

Access Point
The naive place to verify people's identity is at the point where they connect to the Internet. Of course, in the vast majority of cases (home service, mobile, etc.), no "passport" is required, because the user has a subscriber relationship with the service provider, so as long as the service provider keeps adequate records it's relatively straightforward to track down who was using any given IP address at a given time. This leaves us with a variety of "open access" type situations where someone has a network that anyone can use, such as libraries, conferences, and people's home networks. One could imagine requiring that those people program their network access elements to authenticate anyone who wanted to use them, but since this would require reprogramming an untold number of Linksys access points which are currently running whatever firmware they were loaded with when they were manufactured in 2006, this doesn't sound like a very practical proposition. Even if one did somehow manage to arrange for a mass upgrade, people who run open APs don't have a huge amount of incentive to keep them secure, so it wouldn't be long before there was a large population of APs which couldn't be trusted to properly report who had used them and we're back to where we started.

Network Core
Moving outward from the access point, one could imagine doing authentication somewhere in the network core (which is sort of what Kaspersky's comments imply). Unfortunately, this would involve some pretty major changes to the Internet architecture. Remember that as far as the core is concerned, there are just a bunch of packets flowing from node to node and being switched as fast as possible by the core routers which don't have any real relationship with the endpoints. Unless we're going to change that (pretty much out of the question no matter how ambitious you are), then about all that's left is having the endpoints digitally sign their packets with their credentials. And of course, those signatures would then have to be verified at something approaching wire speed (if you don't verify them in real time, then people will just send bogus signatures; if you only verify a fraction, then you need some sort of punishment scheme because otherwise you just reduce traffic by that fraction). And of course, the signatures would create massive packet bloat. So, this doesn't sound like a very practical retrofit to the existing Internet.

Other Endpoint
This leaves us with verifying the users's identity at the other endpoint, which is probably the most practical option, given that we already have technology for this in the form of IPsec, SSL/TLS, etc. Again, we have the retrofit problem, and also a huge incentive issue; most sites are primarily interested in having a lot of visitors and don't much care who they are, so they're not really incentivized to verify user identities, especially during the (extended) transition period when requiring authentication would mean rejecting traffic from legitimate visitors. Still, it's at least technically possible, though it's not clear to me why one would want to require this form of authentication through some regulatory process: the major entity which is hurt by being unable to verify whoever is sending them traffic is after all the other endpoint, so if they don't care to authenticate their peer, why would we want to require it.

 

Unfortunately, even the above issues (which aren't very promising) aren't the real obstacle. Remember that we're going to require everyone who wants to access the Internet have one of this credentials. That includes your grandmother, who hasn't ever run Windows update and has over half of her hard drive taken up with assorted varieties of malware. It's not going to be at all difficult for attackers to get their hands on an arbitrary number of "Internet passports" belonging to other people (remember that attackers don't have any trouble getting credit cards, which people actually do have some interest in protecting).

The bottom line, then, is that unless I'm missing something, it's not clear to me that fits Kaspersky's description is likely to be particularly useful.

Richard Barnes pointed me to the joint ICANN/VeriSign presentation from RIPE 59 (today in Lisbon) on their plans for rolling out signing of the root zone. For those who aren't up on DNSSEC, each TLD (.com, .net, .us, etc.) will sign the domains under it, but the design calls for the information for each of those domains to be signed as well at the root of the tree. There's some question about how important this really is from a technical perspective but the DNSSEC community seems convinced (wrongly in my opinion) that it's essential, so it's socially important even if not technically important.

Anyway, Richard pointed out something interesting to me: they plan to roll over the root Zone Signing Key (ZSK) four times a year (see slide 19) which doesn't really make sense to me. Actually, the whole key rollover scheme doesn't make much sense to me.

It might be helpful to start with a little background. The way things are going to work is this: ICANN is going to have a long-lived (2-5 years) Key Signing Key (KSK). The public half of this key will be built into people's resolvers. But the KSK will not be used to directly sign any user data. Rather, it will be used to sign a short-lived (3 months) ZSK [held by VeriSign] which will be used to sign the data. Because the relying party (i.e., your computer) knows the KSK, it can verify any new ZSK without having to get it directly.

Why are they doing this? As far as I can tell the rationale is as follows:

• The security of RSA key pairs is directly connected to key length, which is also the length of the signature that the key pair produces.
• Space in DNS packets is limited.

The combination of these two factors means that if you want to use longer (higher security) key pairs to sign zone data, you start running into size limitations in the packet. That's perfectly understandable, but why does having two keys help. The idea here is that you have a big (2048-bit) and a short (1024-bit) ZSK. But because the ZSK is changed frequently, you don't need as strong a key and can still get good security. I wasn't able to find a good description of this in the DNSSEC documents, but Wikipedia came through:

Keys in DNSKEY records can be used for two different things and typically different DNSKEY records are used for each. First, there are Key Signing Keys (KSK) which are used to sign other DNSKEY records and the DS records. Second, there are Zone Signing Keys (ZSK) which are used to sign RRSIG and NSEC/NSEC3 records. Since the ZSKs are under complete control and use by one particular DNS zone, they can be switched more easily and more often. As a result, ZSKs can be much shorter than KSKs and still offer the same level of protection, but reducing the size of the RRSIG/NSEC/NSEC3 records.

The only problem with this reasoning is that it's almost completely wrong, as can be seen by doing some simple calculations. Let's say we have a key with lifespan one year that requires C computations to break. An attacker buys enough hardware to do C computations in two months and then is able to use the key to forge signatures for the next 10 months (I'll try to write about keys used for confidentiality at some later point.) If we think about a series of keys, they will be vulnerable 10/12 of the time. Now, let's say that we halve the lifespan of the key to 6 months, which shortens the window of vulnerability to 4 months per key, or 2/3 of the time. But if the attacker just buys 2C compute power, he can break the key in 1 month, at which we're back to having the keys vulnerable 10/12 of the time. If we generalize this computation, we can see that if we increase the frequency of key changes by a factor of X, we also increase the attacker's workload by a factor of X.

More concretely, if we originally intended to change keys every 4 years and instead we change them every quarter, this is a factor of 16 (4 bits) improvement in security. Opinions vary about the strength of asymmetric keys, but if we assume that 1024-bit RSA keys have a strength of about 72 bits [*] then this increases the effective strength to around 76 bits, which is somewhere in the neighborhood of 1100 bit RSA keys, a pretty negligible security advantage and nowhere near the strength of a 2048 bit RSA key (> 100 bits of security). It's certainly not correct that this offers the "same level of protection".

The more general lesson here is that changing keys rapidly is nearly useless as a method of preventing analytic attacks. It's almost never practical to change keys frequently enough to have a significant impact on the attacker's required level of effort. If you're that close to the edge of a successful attack, what you need is a stronger key, not to change your weak keys more frequently. In the specific case of DNSSEC, just expanding the size of the packet by 10 bytes or so would have as much if not more security impact at a far lower system complexity cost.

My comments can be found here. You may also be interested in ACCURATE's comments which can be found here.

A number of political blogs (e.g., Obsidian Wings, Matthew Yglesias, etc.) seem to have a problem with comment impersonation. The general pattern is that someone will show up and post something more or less blatantly offensive under the name of a well-known commenter. This is then followed by a series of posts asking "was that really John or just a comment spoofer?" "Can someone check/block their IP?", and often eventual removal of the offending comment, leaving everyone confused about what the fuss is about.

Obviously, the underlying source of the problem is that most blog software has completely open commenting: you don't need to register and you can provide any identity you want and it will just accept it. This is convenient if you regularly post from random machines, but makes this sort of impersonation trivial. The natural "security guy" defense here is of course to require actual user authentication [this seems to be supported by most blog software], but that's really overkill for this situation, where all we really want to do is stop random people from impersonating random other people. Here, then, is my suggestion for a small set of changes which would make most casual impersonation very difficult:

1. The first time a given identity is used, record the IP from which it is used and install a cookie in the browser which is used to make the comment.
2. In future, restrict use of that identity to requests which either come from that source IP or present the right cookie.
3. If you see a request from a different source IP that present the right cookie, add that source IP to the whitelist.
4. If you see a request from a whitelisted source IP without a cookie, install the cookie.
5. Have a manual mechanism (e.g., e-mail challenge response) for allowing a new computer to post comments under an existing name.

This isn't perfect in a number of respects. First, it doesn't provide perfect security. For instance, if I ever post from a hotspot (which generally has a NATted network) anyone else from that hotspot will be able to post as me. However, that seems relatively unlikely given the form of attack which we're generally seeing here, which is mostly trolls trying to disrupt the conversation. The second problem, of course, is that it's a little inconvenient if you have multiple computers, but even people who do post from multiple computers generally only have a few and those would quickly be whitelisted. The big advantage of this scheme is that it provides reasonable deterrence against a common attack and is generally pretty transparent to most users. We don't have a comment impersonation problem here on EG, and I'm too lazy to implement it for the public good, but I'm a litle surprised that hosting services like Typepad haven't implemented something similar.