12 September 2011
Can Internet Security Ever Work?
This a recent statement from a lengthy thread which includes several significant
contributions on insecurity of the Internet demonstrated by attacks on SSL
Certification Authorities. Those by Lucky Green and Peter Gutmann are indicated
below by Jon Callas but there are many excellent comments of the quality
missing in the last 15 years of great Internet growth with security promises
repeatedly broken. The full thread is the best overview and critique of
inadequate Internet security since Cryptome was set up to publish on the
issue. It should and will continue, subscribe to the mail list. Full account
at
Cryptography
archive. Jon Callas was a senior cryptographer at PGP Corporation.
From: Jon Callas <jon[at]callas.org>
Date: Sat, 10 Sep 2011 23:09:32 -0700
To: Crypto discussion list <cryptography[at]randombit.net>
Subject: [cryptography] Let's go back to the beginning on this
We're all in the middle of a maze trying to get back. It's easier to understand
things if you start at the beginning and walk your way forward. (It's often
even easier to start at the end and walk backwards, too, but I don't think
we have that option.)
When public-key crypto was created, it liberated us from shared secrets.
Alice can talk secretly with Bob without pre-exchanging keys. It's important
to also remember that if Alice and Bob can pre-exchange public keys, then
it's a huge win over pre-exchanging mere secrets.
Let me start with a story.
Mulla Nasrudin walked into a haberdashery. As he came in, he said to the
proprietor, "First things first, my good man." (You can tell from the "my
good man" that he'd been spending too much time with Richard Burton.) "Did
you just see me walk in?"
The haberdasher said, "Why, yes, good Mulla, I did." (The intelligent reader
wonders how the haberdasher knew he was a Mulla. The astute one doesn't.)
Nasrudin replied, "Ah *HAH*!" (Thus showing how intelligent he was.) He narrowed
his eyes at the haberdasher and spoke slowly to him. "I want you to answer
a question, my good man, and think very carefully before you answer." The
haberdasher nodded assent and Nasrudin asked slowly, pausing between each
word, "Have. You. Ever. Seen me. Before?"
The haberdasher thought for a moment and then replied, "No, Mulla, I haven't."
Nasrudin snorted contemptuously and said, "Then how did you know it was me?"
And indeed, how *did* the haberdasher know that it was
Nasrudin?
One of the great technologic triumphs of public-key cryptography is that
that joke is no longer funny. Perhaps the other major triumph is that if
you have a well-defended hypothesis about how the haberdasher knew it was
Nasrudin, you can get a Ph.D. at any of the world's finest universities.
My discussion continues now.
As you see, public-key cryptography creates the problem that Alice needs
to know that she's really talking to Bob, and not someone pretending to be
Bob. I'm going to call this the misidentification problem. It is *the* problem
that is created by pubic key cryptography; before 1975, it was just a cheap
Nasrudin joke. Alice can accidentally misidentify the wrong Bob, or a malicious
person can pretend to be Bob.
The so-called Man-in-the-Middle problem is merely misidentification going
maximally wrong: Mallory talks to both Alice and Bob, pretending to be each
to the other. I think there's too much stressing over MITM problems, and
a good deal of that is that MITM is a subset of misidentification. MITM is
a horrible name for the class of problems, but we're really stuck with it.
All I'll say is that anyone who wants to think about this in depth is advised
to remember that the real problem is misidentification. There are many places
where you can create identification technology and MITM protection follows
from that.
Laotse famously observed that before there were locks there were no burglars.
(Many people think that good Master Lao was against property, but actually
he was a security guy. Before there were locks, there were thieves, but there
were no burglars. Creating locks solved old problems but created new ones.
Locks thwart thieves and create burglars.) I'll paraphrase him here
and say that before Diffie-Hellman, there was no Mallory. (He's called Mallory
because that was the name of Nasrudin's haberdasher.)
There are two basic ways to solve the misidentification problem: key continuity
and certification. Each of these has a set of advantages and disadvantages,
but they're really the only two ways to solve the problem.
Let's talk about key continuity first. It's also a horrible name. The idea
here is that I know that the endpoint I'm talking to now is the same endpoint
that I was talking to last time. SSH does this, as does ZRTP. (Full disclosure,
I am a ZRTP co-author.) A cool thing about continuity (note that I've dropped
the key) is that it doesn't need an infrastructure. It just works. If I call
Bob's phone, I know I'm talking to Bob's phone. Mostly.
If the first time I try to talk to Bob, I get Mallory instead, I'm screwed.
On the other hand, Mallory has to *always* answer every time I call Bob or
I detect the break in continuity. Even if I don't twig to Mallory being there,
thinking perhaps that it's a network error, Mallory has to start all over
again. Even when Mallory succeeds, Mallory has a lot of work to do to
keep up the ruse. This is a cool thing because it makes Mallory's problem
both hard and brittle. It thus eliminates most Mallories.
Yes, Mallory may only need to keep up the ruse for a short amount of time.
However, Mallory also has to be quasi-prescient in the abstract case. This
is why continuity works for a lot of problems. Sometimes it's easy to be
quasi-prescient, and for these, continuity works badly.
Otherwise sane people worry far to much about these problems. Let me illustrate
with two anecdotes.
* Many years ago, Don Eastlake asked me if I wanted to go out to dinner with
Carl Ellison. I went out to dinner and a person introduced himself as Carl
Ellison. He gave me a cheap business card printed on orange paper with a
PGP public key fingerprint on it, and also a horrid grayscale bitmap photo.
The card claimed to be that for Carl Ellison. In the intervening years, I've
conversed with this person by email, phone, and in person. Nonetheless, I
am to this day aware of at least three grave security errors I made, continue
to make, and no doubt will make in the future. I'm sure you see them too.
Last year, to my chagrin, I learned that despite the intervening time,
I've been talking to Nicholas Bourbaki, and I forgot to ask his Erdos
number.
* Just the other week, Tamzen and I were driving and my mobile phone rang.
Let's just assume for giggles that the incoming call was protected with ZRTP.
I handed the phone to Tamzen and she answered the call saying, "Jon Callas's
phone." "Yes, this is his wife. We're in the car and he's driving. I can
relay a message." The caller did let her relay a message to me. Ooooo,
pwned!
As absurd as those two stories are, there are people who actually consider
each of them to be a security problem that needs to be solved in the protocol,
and that a protocol that doesn't solve them is broken.
The bottom line is that there are places that continuity works well -- phone
calls are actually a good one. There are places it doesn't. The SSL problem
that Lucky has talked about so well is a place where it doesn't. Amazon can't
use continuity. It is both inconvenient and insecure.
It is inconvenient because it doesn't scale well. Amazon doesn't want everyone
to have to go through a ritual saying that they think this storefront they've
never been to before is Amazon. That doesn't pass the Grandma test. It's
asking everyone to be smarter than Mulla Nasrudin.
It's mind-bogglingly insecure For something like a storefront, it doesn't
even pretend to solve the identification problem, let alone the misidentification
problem. The attacker can play the same game that spammers and phishers do.
They cast a broad net and only need a very small percentage of hits because
a small percentage times a large number works for them. This is a way of
being quasi-prescient.
The nicest thing you say about it is that it replaces an identification problem
Grandma can understand (how do you know that's Amazon -- a store you've never
been to before?) with an identification problem that she can't (how do you
know that's not someone who isn't Amazon pretending to be Amazon, a store
you've never heard of before).
Nonetheless, despite the fact that continuity works badly for the SSL problem,
for problems like SSH and ZRTP, continuity works very well.
Now on to certification.
It's also very simple. We know Alice is Alice because she wears a name tag
that says, "Hello, my name is ALICE." Similarly, Bob wears a name tag, but
his has "BOB" written on it instead of "ALICE." That's it. We're done.
Almost.
If Alice wrote her own name tag, then that's self-certification. It works
well, unless her name isn't Alice, in which case we're back to
misidentification.
The obvious way around this is to get someone else to say that they think
that's Alice, or someone like her. That's what we usually mean by
certification.
There are a lot of ways to do certification, but they all boil down to either
by consensus or by an authority.
PGP is of course the most notorious consensus system. There's a lot of good
things about it. It's very resilient in the face of unreliable authorities
(think Nasrudin). A number of proposals on how to fix the SSL problem adopt
a quasi-PGP system. I will flatter myself by assuming I don't need to
describe how it works.
There are a number of problems with the consensus approach, though. They
include:
* It's pseudonym-surly. If you want to use a pseudonym, you have to get it
certified by people whom you tell your pseudonym to, which kinda defeats
the point of having a pseudonym. All the many years I worked on PGP, I worried
that I was going to wake up one day and discover that I completed the panopticon
that Jeremy Bentham started.
At least with authorities, you can go up to Nasrudin and say, "Mulla, I know
it says Nicholas Bourbaki on my driver's license, but I'd like to be known
as Carl Ellison." If he agrees, then only he knows. In fact, given who he
is, he's likely to tell you, "I think that is wise, my child. Nicholas Bourbaki
is a really stupid name and you'd have a lot of trouble getting anyone with
a lick of sense to think it's your real name. But if I were you, I'd call
myself John Wilson instead."
* The system can be gamed. It can be charming, or it can be evil. One of
the most charming bits of gaming I remember from PGP in the late '90s was
that someone created a set of PGP keys for the Clinton White House (Bill,
Hillary, Al, etc.) and stuck them in the key server. They had nice little
web of trust there with them all, which is how you knew they were real!
The gaming can also be accidental. Careless people who certify things they
don't understand can create weird effects. More in the next bullet.
We all know that because you're selecting your own trust points, you can
untangle these things, but there are two problems. Grandma can't be expected
to do it, and other is that as the whole web of trust gets bigger, a 4chan
attack on the web of trust causes work for everyone to unravel it. It means
that as the web gets bigger, there's more lulz in mischief.
* You can't stop people from certifying things. Lots of people end up with
certifications on their key by people they don't know. I disliked that so
much that when PGP became OpenPGP, I put in features to allow key owners
to have control on who certifies what.
For a number of years, one of my fears what an attack that I called "signature
harassment." It's very simple. Create a key with a name that will offend
people. It can be the name a person who would upset some people, or just
blunt and just put racial/sexual/religious epithets in a key and start signing
away. It's childish, but as we all know, certification works because people
believe it, and this is every bit an attack on the ecosystem as attacking
an authority. I'm glad it never turned into a problem. It was one of my big
worries and I never mentioned it in more than a whisper. Any sort of
crowd-sourced system has to worry about a peanut gallery.
* Authorities arise no matter how much you avoid them. Or, self-organizing
structures have a tendency to self-organize. In the old PGP environment,
people who looked at trust paths noted that as one would expect, the Web
O' Trust had formed into a scale-free network that had a relatively few number
of super-nodes. These super-nodes were arguably the equivalents of CAs. The
SSL/X.509 world had VeriSign and Thawte, but we had Ted T'so and Rodney Thayer.
For a time, there were people who wanted me to pursue becoming a super-node,
as if that were a good thing (as opposed to just a thing; no slight is meant
to Ted or Rodney, who were each mildly creeped out by the knowledge that
they were emergent authorities).
Imagine what would happen to a web of trust in a world filled full of botnets,
Anonymous, spammers, 4chan, phishing, and so on.
* Weird social effects trump security. There are what I call "fashionable
certs." They're like autographs. ZOMG! Phil Zimmmermann signed my key! I'll
never wash it again! It's hard enough to get people who should know better
(like me) to make new keys as it is. It's worse when they lose social status.
When famous people sign a key, it pushes the Too Big To Fail problem to every
person who got a key signed by them. That key becomes Too Cool To Fail.
Ironically, the best way to solve this problem (and others above) is to create
a slut certifier that will sign anything. The only certificate worth having
is one that's not worth having.
Frankly, anyone who thinks that crowdsourcing will improve the problems we
have today hasn't thought it through. I have. At best, you'll trade one problem
for another. At worst, you end up with something that can't be fixed because
it would require a unanimous consensus to fix it. (It's possible that's true
in the X.509 world too, but if it is, they start with fewer authorities.)
Okay, so let's go on to explicit authorities, like CAs. If you have an authority
sign the name on your name tag, Nasrudin is vetting your name. What happens
when Nasrudin writes, "Robert" on your name tag instead of "Bob"? This is
a real problem when Alice knows you as Bob and wants to identify you that
way.
If you give Nasrudin 10^100 reasons why you should be Bob and not Robert
and he still says no, then Robert you are. Imagine the problem if Nasrudin
believes that no one in the world *could* be named Violet Blue or *should*
be called Identity Woman (because that would be evil) and that even after
10^100 Plus reasons, he says no. You have no other choice than to say
"badda-bing" and search for a new authority.
Now despite the fact that being able to call yourself what you want to be
called is one of the most fundamental rights there is, there also have to
be limits as well. At the rock-bottom level, if you're wanting to solve the
misidentification problem, you can't just let bad actors be misidentified.
I think there is a very interesting argument to be made that the
misidentification problem can't be solved and so therefore isn't worth trying
to solve, but I'm not interested in making it today. I could go on for paragraphs
why I think identification is a good thing, and I'm sure that you'd agree
with the basics.
The inevitable conflicts, often boil down to a simple question, "Who made
you an authority?" There are people who are rightly contemptuous of Nasrudin.
There are people who are wrongly contemptuous of Nasrudin. There are people
who think no mulla should be an authority, and those who think that only
mullas should be authorities. There are people who have their own favorite
authority. There are people who just don't like authorities and will pick
a non-authority to be their authority. In my opinion, it all comes back to
"Who made you an authority?" and all that that question brings with it.
What we know as cross-certification comes from the simple fact that no one
wants anyone else to be the ultimate creator of name tags. If Friar Tuck
says, "I delegate my own tag creation to Nasrudin" then a couple of interesting
things happen. He can gain the acceptance of all Nasrudin's work. His own
followers, many of whom have real problems with Mullas, can be told that
those are really the Friar's name tags and that way Bob doesn't have to have
two name tags and figure out which to use where. There is value to
it. This is also a way for an authority to do a power grab from other
authorities. It's also ways for cooperating authorities to divvy up the work
if they have to create millions, billions, or even 10^100 name tags. But
there are lots of problems here, especially when Nasrudin and Tuck delegate
each other. The whole point of an authority is that they're authoritative,
and when they point at each other, they are neither and both authorities
at the same time. That makes my brain hurt, and fortunately for Grandma,
she won't even recognize that those sounds are words. There are many good
reasons and venal reasons for cross-certification, but I think
cross-certification is a bad because it should always be clear what authority
is doing what.
I think it's obvious to all that I'm suspicious of authorities in general.
My last two involvements with cryptosystems, ZRTP and DKIM were each
*intentionally* authority-less. My suspicion, though, comes from the "Who
made you an authority?" part more than the belief that authorities themselves
shouldn't exist. The whole point of OpenPGP was democratizing authorities,
not eliminating them.
It's less well known that my last project at PGP was to create a CA. I called
the project Casablanca. Partially because it begins and ends with a CA, but
also because I love the ambiguous nature of all the characters in that movie.
None are truly good or truly bad. But most of all it's because I still smile
really big when I say, "I am shocked, shocked that PGP is issuing X.509
certificates." I figured that since I've never gotten a good answer to "Who
made you an authority?" then I might as well be one myself. For better or
worse, Casablanca got bought up with all the rest of PGP, and is at Symantec
with all of Greater VeriSign.
The problems we're having now occur because some authorities have not been
keeping track of their pen. From where I sit, the righteous anger and general
foment (which I share) doesn't address that. I hear people who seem to be
saying if the authorities wrote name tags with green ink instead of black,
we'd all be safe. I hear people talking about how the name tags are printed
or filled out, and how some other way would fix it. I hear people who don't
like the present authorities suggest new ways to make name tags, or new ways
to hand out pens. None of them really get to what I think are the key
issues.
* It's obvious that incompetent authorities should be divested of their pens.
How can you argue with that? We take the licenses from quack doctors. We
disbar rotten lawyers. But I don't know that mere misuse of a pen is
evidence of incompetence. We don't want to create evolutionary pressure on
the authorities so that the worst customer service wins. Misplaced righteous
anger teaches ass-covering. I think that the biggest problem with the authorities
is that the use models presume that the dominant technological gadget is
a rotary-dial phone, not laptops and smartphones. The infrastructure is only
now starting to come to terms with a ubiquitous Internet. We need that
infrastructure to run faster, not slower and running faster is going to mean
that errors are inevitable. The solution is to make errors easy to recover
from, not hard to make.
* If I were king, I'd just get rid of cross-certification. Peter and Lucky
have said it all, for me. I'd like someone to explain bridge CAs in a way
that I could understand them after a night's sleep. When I was a practicing
mathematician, I once proved a theorem I called, "I think that I should never
see // A graph as simple as a tree" and this week I'm highly in favor of
graph-theoretic simplicity.
* The infrastructure we have now is really, really passive-aggressive. On
the one hand, it's designed to succeed, not to fail. That's good. If
it were designed to fail, we'd be yelling about how it's worthless because
it's always giving false positives. For example, hardly anyone ever checks
revocation. (Which, by the way, I think is actually good in the aggregate.
More in a bit.)
On the other hand, a couple browsers (I'm looking at you, Firefox and especially
you, Chrome) have gotten utterly stupid about self-signed certificates. I
have a NAS box in my house that has a web management console, and spins its
own self-signed certificates for SSL. When I attach to it, Chrome puts up
a special page with danger icons and a blood-red background and it says,
"ZOMG! This is self-signed and if you proceed, BABIES WILL DIE!" After
proceeding, there's a blood-red X through the lock and blood-red strike-through
on the "https" part of the URL. Give. Me. An. Effing. Break. Really, these
people just don't comprehend the difference between security and trust. If
you want to see the right way, look at it in Safari.
* Related to that, there are people who think that aggressive revocation
checking is good. It's not. Geolocating IP addresses is so good that every
time you send a packet, you locate your user in space and time. Just accept
that every packet is a privacy leak of where your user is. Aggressive OCSP
checks, for example, tell any CA where the customers of its customers are.
It's the perfect surveillance tool. And I'm not really worried about CAs
doing analytics on people, I'm worried about someone else hacking systems
close to the OCSP responders and surveilling that way. It turns SSL into
the worlds biggest privacy leak.
But worse than that, it turns those revocation servers into critical Internet
infrastructure. What fun Anonymous can have when they turn the LOIC not on
Mastercard, but on an OCSP server and thus cause commerce failures to happen
everywhere. Locks create burglars, guys.
* It's obvious to me if not others that if the life of a certificate were
measured in seconds (or hours) rather than months or years, many problems
would fall away. The first fundamental axiom of data-driven programming comes
from one of Mulla Nasrudin's disciples, Kalil Gibran. My translation is not
poetry, but I translate it as, "a datum, having been emitted, cannot be
recalled." You can't revoke a certificate. You can't. Can't as in can not.
The sooner we all *believe* that revocation is impossible in the general
case, the better we can really improve things. Kerberos had it right.
If you have very short certificates, the value of a temporary compromise
of an authority is small. That means that a compromise has to be long-term,
and that makes it harder. It also makes cleanup easier. Everything is easier
with short-term certs, and gosh darn it, we have this Internet thingie now.
The way to fix the broken revocation infrastructure is to dump revocation.
It's good for privacy, it's good for everyone. Alas, it would take a lot
more structural work, but it would be worth it. Fixing OCSP, for example,
is addressing the headache, not the brain tumor.
* Crowd-sourcing, or merely creating checks and balances on authorities can
improve the problem if you do it right, but it screws it up if you do it
wrong. I haven't seen any that make it better, only different. Frankly,
suggestions I have seen just creates a half-assed version of PGP's mechanisms.
We should go for the full ass, at the very least.
* I have a half-baked, but fully-assed proposal that I think can actually
work, but I'll write it up later. I've been thinking about it for a year
or two, and did the original design after the Comodo hack. Yes, I need to
finish and circulate it. I see it as solving the maze by entering the
exit.
* Nonetheless, I don't think you can get rid of authorities. I think they
are emergent or intentional, take your pick. Frankly, I think I'd rather
have a community of intentional authorities than a vague, faceless cloud.
Not the least of the reasons is that I think you should have authoritative
pseudonyms.
That's my discussion. I think it's important to rewind to the beginning of
the discussion, because we're all too caught up in details and not in the
structure of the situation. The situation dictates what solutions are even
possible. Much of what I hear is just problem shuffling, not problem
solving.
I'll sum up with one more thing. What we call "trust" is really knowing how
to believe a name tag. I paraphrase Laotse one more time. He said that you
cannot create kindness with cruelty, no matter how much cruelty you use.
Well, you cannot create trust with cryptography, no matter how much cryptography
you use. Trust comes from the same human qualities that kindness does. The
who who make you an authority are the community, and they do it because you
act like one.
Jon
_______________________________________________
cryptography mailing list
cryptography[at]randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
|