Educated Guesswork

EG Mark 2

After a bunch of hacking, I've managed to get a partially operative version of EG at http://www.educatedguesswork.org/wordpress. It's not totally working yet, but good enough to complain about. I'll be fixing some of the problems and transitioning the site over the next week or so. If the site gives you problems, post a comment or let me know via e-mail.

Notes on NSA's elliptic curve licensing agreement

John Stasak from NSA gave a talk at IETF on their ECC licenses from Certicom, for which they paid around $25 million.

• Current US Govt cryptographic equipment inventory is 1.3 million
• Average equipment lifetime is 30 years.
• Next generation US Govt cryptography will use ECC.
• Licensed patents are curves over GF(p) where p is a prime greater than 2²⁵⁵. This is rather larger than the EC public keys in common use, which are closer to 2¹⁶⁰. Pretty much all the interesting algorithms (point compression, ECDSA, MQV, etc.) are covered.
• The license applies to products which are either FIPS 140-2 or used for National Security or State/Federal/Local Mission Critical applications. Note, these products may not be exportable.
• NSA is currently planning to license the patents for free. They currrently don't plan to allow sublicenses but the license from Certicom allows them to.
• If you get your product approved for these purposes and you actually sell it for these purposes your license also covers any other sales of the product, so as long as you can get your product used in these applications you get a free pass.
• It's not clear what the status of toolkits is. NSA wants to control the quality of the software that uses these licenses, so they are reluctant to just let you get e.g., OpenSSL certified for a single national security use and then have it transfer rights to all OpenSSL-using applications. The audience/ADs pressed on this sort of sublicensing being very desirable.

Slides here. List of patents covered is here.

UPDATE: Re-explained the terms. According to Russ Housley, FIPS 140-2 evaluation alone is enough. So, even if your software has no national security applications, you can still take advantage of this. This is a big deal.

BOF report: EasyCert

Summary: Strangely demand for products is a lot higher when owning them
is mandatory.

Background: end-users don't have certificates. People think this is bad. Is there some say to make this easier? That's the point of this BoF.

First talk is by Jeff Schiller, about the MIT cert infrastructure. The way this works is that they have their own CA and the certs are to a first order only used for browser client auth. They skirt the enrollment issue by using the Kerberos account to authenticate the cert request.

Second talk is by Bob Stahl from Johnson & Johnson. They've got a big corporate PKI. The important point is that it's unbelievably complicated to use this thing, but people do it anyway.

Third presentation from Sandy Roddy from DoD. They have a PKI too, which people in the military are required to use.

The take home point of these talks seems to me to be that it's a lot easier to get PKI working if the potential users have absolutely no choice but to use it. In all three cases, it seems to be basically impossible to do anything at all in the environment without a certificate, and in the military, it appears that you're basically ordered to get one.

The central fact of the failure of PKI deployment is the lack of voluntary user uptake in distributed non command and control organizations. No doubt it's interesting to hear about how to make it easier to for such large command and control organizations to deploy PKI, but that doesn't really move the ball forward in terms of getting global deployment. As long as having a third-party certificate doesn't actually buy you anything, it's hard to see the activation energy barrier getting low enough for people to want them.

In that context, this session was largely like hearing a series of talks about technology for laminating ID cards. Obviously, it's a lot better when cards are laminated and perhaps it's possible that some kinds of plastic are better than others, and that's no doubt a topic of great interest to lamination wonks, but it's not like the world is full of people saying "I'd love to have an ID card if only I could figure out how to laminate it."

IETFers on drugs

Jon Peterson:

I used to get really baked and sit around eating these.

(While eating Tastykakes).

Anonymous:

My mom buys her pot from a friend of mine.

Pete Resnick:

I was interviewing for a clearance and the interviewer asks me:

Have you ever been convicted of a felony?

No.

Could you pass a drug test?

[I think about my answer]

If you had time to study?

Yes, I think I could

In answer to e-mailed questions, names used by consent.

How the Internet really works

I spent a while talking to Bill Woodcock from Packet Clearing House last night and he pointed me to this presentation which describes his banana theory of Internet economics: "Banana farms are where bananas are made. Internet exchanges is where bits are made..."

Report on Better Than Nothing Security BOF

Report from the IETF Better Than Nothing Security BOF.

The background here is the TCP RST vulnerabilities published earlier this year. The obvious defense against those vulnerabilities is to use IPsec but people obviously aren't using that.

The rationale for this WG comes from an observation and two claims:

1. The pool of off-path attackers is larger than the pool of on-path attackers.
2. IKE keying is very annoying due to the requirement to have certified keys.
3. Full ESP/AH is too computationally expensive for wide-scale usage.

What is being proposed is two things:

1. Relax the constraint in IKE for using full certificates, presumably using leap of faith.
2. Reduce the coverage of AH so that it only covers part of the packet, thus improving performance.

There was a lot of support for (1) but mixed support for (2). In particular, there's skepticism about whether the perf problem addressed by (2) is real. A number of people seemed to want to not undertake (2) at all, unless they had data. The discussion there was very contentious. Michael Richardson called it a "premature optimization".

A hum was strongly in favor of (1) and strongly against (2).

My take:
It's worth doing (1), which is very easy. It's not really even a technical change. You just legalize a common practice of using self-signed certs. Joe seems to want to write an extended policy document about how to handle self-signed certs, but seeing as IKE certificate handling is kind of witchcraft anyway, maybe this should just go into pki4ipsec.

I don't buy the performance argument and would want to see some real data supporting the claim that it is a problem, before we embark on this path. Michael Richardson made an interesting argument on this point: It's true that IPsec processing is very slow but the problem is the need to decide what kind of processing to apply to the packet--which is often done via very inefficient algorithms--rather than the actual crypto. I don't know if this is correct or not.

What's wrong with NoDoz?

I'm currently at the DC IETF. Formal meetings start at 9 AM and run through 10 PM. If you're on the IAB/IESG, things get going at 8 and run through 10. Informal meetings start earlier and end later. The combination of long hours and jet lag means that an extraordinary amount of caffeine is consumed.

As is the American norm, almost all this caffeine is consumed in the form of coffee or soda. This can actually be a problem because the coffee in the hotel is apparently subpar--not to mention the expense of purchasing your fourth latte of the day. And yet as far as I can tell, not one of these people has seriously considered replacing their beverage with caffeine pills, which are cheaper and more convenient. A few people I mentioned this to said they liked the taste of coffee, but the general sense seemed to be that taking it explicitly in pill form would be crossing some line between consuming food and taking drugs, as if you're only a few all-nighters away from being a full-on speed freak. I guess "Just Say No" worked after all.

Digital joy?

Check out Microsoft's new Digital Joy. I can't see anything on the inside cause it's Flash-only and I'm not Flash enabled here, but if you just look inside, you can find the evil Dr. Zaius residents/dr-zaius.php from Planet of the Apes experiencing Digital Joy.

Not exactly a heartwarming moment

I recently caught a West Wing episode that got me thinking. The basic plot is that the White House is trying to pass a Family Wellness Act. Senator Stackhouse stages a filibuster to try to force them to put in a $47 million provision for autism research. He's been up at the podium for hours and is clearly fading fast. Everyone's annoyed until a staffer works out that the Senator's grandchild is autistic, at which point everyone's attitude changes. The West Wing staff arranges for some other Senators to spell him, effectively scuttling its own bill, with the implication that they'll revisit it later with the autism provision. Heartwarming, right?

Well, not really. Let's get rid of the autism angle and just look at the form of the transaction. Say the White House is trying to pass an energy bill and a Senator mounts a filibuster to force the White House to add a $47 million program for research into geothermal power. It's discovered that one of his grandchildren owns a geothermal power company. Heartwarming? Not really. The word that comes to mind is corrupt.

The situation isn't any different in the autism case. The Senator is using his political position to force a policy change that benefits one of his relatives--a change that wouldn't be made without him using his influence. Why should personal motives be acceptable in one case and not the other?