Schneier on Security

ab praeceptis • June 2, 2017 11:45 PM

Ben A, all

I've read both pro- and anti SHA3 articles. Thanks for the links (from reddit and hn, I take).

I might say that I'm shocked because one of them simply hasn't understood security and the algorithms and the other one is even comparing apples with dogs. But I don't because I'm not (anymore) shocked.

I read imperial violet quite frequently for one simple reason: it's like a window into googles (and others like mozillas, etc) way of thinking.

What I'm not at all surprised about is Joes and Janes understanding. SHA3 came many years *after* SHA2 and SHA3 is officially supposed to be better than SHA3 - ergo Joe and Jane have their common (wo)mans answer. Which btw is OK in my opinion. Gazillions of end users need simple answers and guidelines.

What makes me really dislike the "discussion" between the two "experts" though isn't even their professional sloppiness (I try to avoid using the term "incompetence", in part because it's probably more about ignorance).
What I dislike is how they boil it down.

imperial violet, for instance, is not off with his desire for speed. And no, that's not simply because google and the likes care mostly about speed (as the other one indicates). Speed is important for many reasons, such as small MCUs (there are **way more** 430ies, even 8051s, a plethora of arm MCUs, etc out there that fast desktop or server cpus...) and - an important point - about acceptance and hence uptake. I hope I need not remind of the reason why even today many web user databases use md5 passphrase hashes...

If you run a web site or service with a significant amount of users, speed *is* of concern - and way more than many think. One reason for that is that one can't arbitrarily scale. Once you have your 16 or 48 or whatever xeon or power core busy you hit a quite hard wall; it's simply not good enough to add more servers as doing that opens another box of pandora.
Short: Doing something tens or hundreds of thousand times per second or otherwise massively, e.g. pumping out terabytes per hour, it makes a very major difference whether a core algorithm runs at 1 cycle/byte or at 15 cycles/byte.

But the decisive points are not limited to that and both miss that to a large degree. To name an example: state size of an algorithm isn't just performance relevant but also security relevant. On the other hand the possibility to extend an algorithm is (imo) next to irrelevant. Other quite important points were utterly ignored; keyability is an example.

In case anyone is interested: My personal preference is blake2. For Joe and Jane (who typically don't run massive scenarios) SHA3, the official thing, is a fine algorithm. For others who are more adventurous but still prefer to stay within a safe zone Skein, an algorithm which was co-designed by our host, Bruce Schneier, is a fine alternative, too.

Btw: Do we need 512 bit algos? No, we don't, except for very, very rare scenarios. In fact, even 256 are somewhat (but healthily) larger than 99.99% of all scenarios need. So let us stop that mundane and silly bigger-is-better hunt, which specifically in the crypto field is silly (because there it's much more about smarter is better).

Which brings me to my last point: Somehow we have become a society where only winners count. Just as if 2nd and 3rd places were without any value or merit. I consider that immature and unwise.
*All finalists* in a crypto competition have run through a merciless and hard parcour and "the winner" (like Keccak/SHA3) is usually not somehow superior but has been chosen based on a certain profile which happens to favour 1 algorithm over the other finalists which are *first class*, too, and usually in some respects even better (and slightly worse in others).

ab praeceptis • June 3, 2017 12:29 AM

Anura

Correct. That's why I said that there is much more than speed (and tag size) to consider. In reference to your example: people usually see speed as given by some source; that, however, is usually cycles per byte in a given scenario which usually is a large one (say hashing a GB).

Reason (which is often not seen): There isn't just the running phase; there's also the setup phase - which can be quite considerable.

Now what if you run something that has many, many connections but just a couple of bytes for each? Then suddenly the setup phase gains a lot of weight and a 256 bit tag is simply waste (possibly up to the point that you need to change your whole design).

My advice: Don't look just at the nice throughput numbers. Also compute them for a small packet, very frequent algo setup scenarios and suddenly the performance picture looks quite different and the "speed deamons" become snails.

So, again: We need both a Joe and Jane and everybody algorithm (like SHA3) and alternatives that are chosen wisely and knowledgably by professionals.

P.S. One the two on which I recurred in my other post actually compared x cycles/byte hashing algo and 25519 which is PK!!! If at least he had compared it with sym crypto. Truely a new peak of idiocy.

ab praeceptis • June 4, 2017 2:05 AM

Ministry of Truth

"super high EAL" etc. - Forget it. windows has eal. eal means nothing but "someone (usually a large corp) coughed up the major money for a golden "secure" sticker. Same with fips and others.

Let me tell you why we are where we are - and why we will stay there for quite a while.
First the latter: We will stay there for quite a while for 2 reasons: a) we don't understand why we are there, and b) to get out of that ugly hole we'll need to walk a 1000 step staircase up.

Now to the why. 2.5 main reasons:

a) computing was, from the first day on, mainly driven by greed and irresponsible playing. Listen around, the holy currency still is either money or "fun". Go to any developer conference and you can drown in "it's fun!", "we do it for fun!" statements.
The IT field, particularly software dev. is basically another "go west, get rich!" with disney park thrown in on top.

b) foss. Many will hate me but I'm absolutely sure about that. That's not to say that foss is only and always bad, it isn't, but in summary foss broke down the last few walls of reason plus, to make it worse, it damaged the whole field.
foss broke down the last walls of reason because you can't ask for *anything*. From a payed developer you can demand to work properly (not that many would do that, but one *could* demand it), from a foss dev. you can't ask anything. From a software vendor you could demand at least minimal standards, quality, compensation, foss very clearly states "f*ck you!"; you use that foss software without its developers standing for anything, not even formally. A company must fear negative reactions, foss need not care, there simply are no consequences at all.

c) universities and the grant system are rotten. What little useful outcome research produces is almost always either hidden away and/or abandoned or used to spin off a company.

So, forget those "crazy super eal" OSs. Yes, there are a few, *very* few, but they are either abandoned or spun off at a rather early stage or they are private corp stuff from the beginning. And, that's important, they usually are *not* secure OSs but rather "not rididulously f*cked up crap". An example would be what came out of Oberon.

As for the 1000 steps stair back to sanity: We are at a very early stage and acceptance, let alone uptake, is sadly low. C is cool and fun, Ada or Eiffel aren't (so they think), fuzzing is cool and fun, properly spec'ing and verifying isn't (so they say).

And just btw: Think a moment about the kind of money one could earn by being able to sell some actually reasonably secure OS! (And about the efforts and investment that would need). Do you really think that would be given away for free? I certainly don't. As for foss, forget it; they are about cool and fun and blabla.

And btw, I'm quite sure that Bruce Schneiers "theater" image does hold here, too. Most people do *not* (really) care about security; what they do care about is *feeling* secure and comfortably so (read: spending 29$/year is O.K., activating ones brain and acting reasonably is not).

ab praeceptis • June 5, 2017 1:39 AM

@n/a

blog.torproject.org got changed big and now needs JAVASCRIPT to comment. NSA took it over??

IF that was true I wouldn't be surprised at all. I personally consider tor as tainted since quite some time.

@Ministry of Truth

Of course there are pleasant exceptions, e.g. Minix which I myself talked about occasionally and in a quite positive way. But before we can repair a situation we must properly assess it and fact is that the whole field is rotten grosso modo.

Ad "you can repair foss software yourself" - Oh really, is that really so? I don't think so; I think that that's nice sounding blabla like so much with foss. IF that were true then why don't we just repair, say OpenSSL or linux? Maybe because we can't? Maybe because C is ambivalent and hence unverifiable, because fuzzing and all those other funny techniques don't really cut it, and, very importantly to repair something one needed a proper specification of what "working properly" as opposed to being a clusterf*ck means? Usually even that doesn't exist. So all them funny test are run against what reference?

"unit, integration and whatnot tests" - Well intended but worthless blabbering. See above. And keep Dijkstra in mind: Testing can prove the presence of bugs but not their absence.

Just like the 1000 eyes blabbering. Sounds nice and oh so convincing but it consistently fails. For heartbleed, for instance, not even the promised 4 eyes (connected to working brains) were available.

Do I *like* microsoft? Certainly not; hate them since decades. But, you see, this is no sympathy competition. Fact is that evil microsoft has sunk millions upon millions into research and if tomorrows programmers write more reliable software then it will to a major degree be due to microsoft sinking millions into research and development of better tools.
If in a dire situation like ours I have to choose between evil Microsoft having seen the problem and actually delivering vs. "fun! fun! and freedom as in speech!" shouting sectarians with an utterly bad track record I'll choose Microsoft. Trust me, I'm the last guy on this planet who likes microsoft, let alone to laud them, but we'll never achieve safety and security if we can not even recognize reality and prefer to cling to some sectarian creed.

And btw. my education wasn't cheaper than that of other engineers. You see, there is a major difference between a, say electrical engineer helping on in his won free will with some, say, school or town project vs. accusing all electrical engineers as somehow evil, if they charge a fee for their services.
What do you think you get with that foss model? Let me tell you: More often than not you'll get losers and lousy amateurs because the good professionals want and need to and can earn a living with their profession.

And you know what? I still follow the 3 step model; in fact I always suggest it by myself to my clients: downpayment, payment on delivery plus a considerable part, say 20%, only 4 - 6 weeks after delivery, i.e. when my work has been tested and shown to perform as agreed.
Which leads me to my final point: microsoft (and a few other companies) actually pay professionals for cleaning up and repairing what they messed up. foss ... oh well...

ab praeceptis • June 5, 2017 2:40 AM

Nick P

Well, VerCors is pretty much about new front ends (java, C) for the (excellent) Viper infrastructure. I personally will stay with verifast but would not hesitate to recommend VerCors/Viper for java and C people, particularly less experienced ones.

As for the problems with concurrent and or distributed mode I have my own theory and many won't like it. I'm under the impression that that whole problem zoo is largely hype; useful hype, of course, as it feeds many academic projects. Why do I say that? The answer should be obvious when asking "What exactly is the problem?". A closer look will reveal that all those concurrency problems are but a special case of memory (and, one might argue, temporal) safety. I'm somewhat smirking because it comes down to the fact that the software people are way behind the hardware people. The decisive difference that is behind that problem class boils down to "Oh! It's not just me running on this system/cpu!". Another reason for me smirking is that in the end it comes down to some hardware fencing like, say CAS - which is well expressible in logic.
A variable is about access and value. Usually the safety problem is about access. With concurrency sometimes value dependence (i.e. a temporal problem) is added. That's not something hard to understand or to deal with - iff one has achieved enlightenment; the problem is mindset, not registers, memory, or warp holes *g

As for microsofts low* I just sigh. Yet again they've ignored the law of readability. Functional concepts with gratuitously thrown in C notation might look cool and impressive but will have many developers ending up in non-acceptance or, if they are brave and try it, bad usage, problems, and pain.
But still, they should be lauded for their work and engagement, if alone for clearly demonstrating that formal design and verification is a *must*.
(Side note: the functional approach remind me of McKenna's "give me one miracle and I'll explain the universe" in another form ("Give me monads and I'll do everything side effect free") haha).

And I very much liked the name Kremlin for the compiler (actually more of a transpiler with lots of magic thrown in). Smiling there; I have reasons for being a big ETH and Inria fan...

Now to the really funny bit: I laughed out loud seeing their examples. Why? Because I can have almost all of that - and much simpler and more elegant - with sparked Ada, haha.

ab praeceptis • June 5, 2017 5:19 AM

Dirk Praet

What I said was clearly in the context of software development and in that area, that's fact, microsoft is spending lots of money and working really hard - and in a credible way.

Would I buy (or use, even for free) ms windows or office? Certainly not, no way.

But that's today. Maybe in a not too far away future ms introduces and sells a (at least much more than windows) safe, reliable and sound OS.
Would I use it? Probably not, i.a. for the reasons you mentioned. But then, I'm not Joe or Jane.

The factors you mentioned are a different issue; an earnest one and one where we should be prudent (read mistrusting) but another one. And one that, unlike safe development, can (and certainly should) be solved politically/legally.

ab praeceptis • June 5, 2017 9:30 AM

Thoth

the mindset of Linus Torvalds of treating security and safety as typical second class has to change

Just a short remark: No.

I get your point but linux can not possibly be made secure. For one the linux bloat bubble consists of millions and millions of loc. Moreover, safety, reliability, and security have to be designed from the start. All attempts to somehow turn crap into something sound are bound to fail.

But my remarks were of a general nature, anyway. *Of course* there is also good or even high quality foss stuff (though typically not with gpl; little surprise there). OpenBSD is an obvious example (although compromised by its roots (posix)); those people do quite good work. That said, I've also seen really good and open sourced work come from companies.

Generally speaking, though, foss has rotten the whole field. One very regrettable symptom is the wide spread expectation that not only must software free (beer) but, in fact, foss software is better than commercial software - which, of course is utter bullsh*t.