Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:39 UTC (Thu) by zooko (guest, #2589)
In reply to: Transport-level encryption with Tcpcrypt by djao
Parent article: Transport-level encryption with Tcpcrypt

> The Firefox example is a dramatic illustration of the absurdity that arises when programmers without cryptography expertise try to write security software.

Now hold on there, mister. The PKI paradigm in which public keys are supposed to be vetted by a centralized trusted third party can be blamed squarely on the cryptographers who invented public key encryption in the first place.

The reason Mozilla and every other user-facing app has this stupid design is a direct consequence of them trusting in cryptographers to give them good advice about security distributed systems design.

(Now granted, we all should have known at the start that cryptographers are the wrong people to go to for secure distributed systems design.)

Anyway, I can't hold silent while you reverse the history and saying that application hackers like the Netscape engineers are the ones to blame when they should have listened to cryptographers. That's backward! They did listen to cryptographers, and that's how we got here!

Since then a lot of distributed systems hackers (myself included) have pushed alternative models instead of the PKI model, and more recently (*after* we distributed systems hackers made significant progress) cryptographers like Prof. Boneh have started working on it too.

to post comments

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:49 UTC (Thu) by Trelane (subscriber, #56877) [Link] (4 responses)

Link to these other models, for those of us non-cryptographer non-distributed people in the audience? Thanks!

Transport-level encryption with Tcpcrypt

Posted Sep 4, 2010 4:52 UTC (Sat) by zooko (guest, #2589) [Link] (3 responses)

Self-certifying filesystem:

ftp://cag.lcs.mit.edu/pub/dm/papers/mazieres:thesis.ps.gz

ssh's model which Peter Gutmann calls the "baby-duck" model or "key continuity"

Web of Trust by Phil Zimmermann

The FreeS/WAN project by John Gilmore, Hugh Daniel et al., known as "Opportunistic Encryption".

The Capability Access Control model:

original:

http://www.cs.washington.edu/homes/levy/capabook/Chapter3...

modern synthesis:

http://erights.org/talks/thesis/index.html

Zooko's Triangle and Pet Names:

http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

ZRTP:

http://en.wikipedia.org/wiki/ZRTP

Tahoe-LAFS:

http://tahoe-lafs.org

(Those last three are self-citations.)

The overall theme here is that the good ideas about robust decentralized security came originally from systems researchers and hackers, not from cryptographers. Cryptographers traditionally focused on elegant mathematical models and (with almost no explicit justification) they settled on the globe-spanning, centralized, hierarchical security model that we all know and love today as "PKI".

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:20 UTC (Mon) by zooko (guest, #2589) [Link] (2 responses)

I was remiss in omitting Carl Ellison:

Carl Ellison. Establishing Identity Without Certification Authorities. In Proc. Sixth USENIX Security Symposium, pages 6776, Berkeley, 1996. Usenix.

Again, this is a fellow who is basically a systems researcher, not a cryptographer as such (he has no publications in crypto theory to my knowledge), and he was publishing good ideas along these lines back in '96.

Oh, and of course Ron Rivest was doing a very similar thing in '96: http://people.csail.mit.edu/rivest/sdsi10.html

So there's the first example I can come up with of a bona fide cryptographer giving us something more robust and decentralized than the PKI model.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:26 UTC (Mon) by zooko (guest, #2589) [Link] (1 responses)

Oh, and I see that Rivest's SDSI 1.0 in '96 cites:

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In Proceedings 1996 IEEE Symposium on Security and Privacy, page (to appear), May 1996.

Also real cryptographers.

But I should emphasize that while SDSI and to a lesser extent PolicyMaker were influential, these were exceptions to the centralized hierarchical PKI model that dominated cryptography, and they were too late. By 1996 the damage had already been done when Netscape engineers baked the PKI model into their socket encryption protocol, SSL.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:27 UTC (Mon) by zooko (guest, #2589) [Link]

I wrote "by 1996 the damage had already been done...", but I meant that it had already been done two years earlier, when Netscape invented SSL.

Okay I'm definitely going to stop following-up to myself now. :-)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:56 UTC (Thu) by djao (guest, #4263) [Link]

I do not, did not, and never have faulted the original Netscape engineers. They did the best job that they could at the time. In particular, Netscape predates SSH, and SSH was the first program to demonstrate that crypto is much easier to deploy without a PKI. (SSH is also, incidentally, the only crypto protocol in history successful enough to have driven its corresponding unencrypted alternative to extinction.) I also fully agree that cryptographers are largely at fault for the colossal PKI mistake.

But Firefox was developed well after the rise of SSH, and the particular design decision that I am criticizing, namely the decision to change the warning dialogs for unauthenticated encrypted connections from one mild warning to three consecutive very big scary warnings, was made in Firefox 2.0, released in 2006. The Netscape engineers had valid excuses for their mistakes. The Firefox engineers do not.

Transport-level encryption with Tcpcrypt

Posted Aug 29, 2010 1:54 UTC (Sun) by zooko (guest, #2589) [Link]

Oh hey I see David Mazières is on the Tcpcrypt project. I have to give him props for Self-certifying Filesystem (circa 2000) as being an early part of what I call the "good" tradition.