IETF Floats Draft PRISM-Proof Security Considerations

hypnosec writes "PRISM-Proof Security Considerations, a draft proposal to make it harder for governments to implement and carry out surveillance activities like PRISM, has been floated by the Internet Engineering Task Force (IETF). The draft highlights security concerns as a result of government sponsored PRISM-like projects and the security controls that may be put into place to mitigate the risks of interception capabilities. Authored by Phillip Hallam-Baker of the Comodo Group the draft is however very sparse on details on how the Internet can be PRISM-proofed."

Not an IETF Draft

[petithug]

An IETF draft starts with "draft-ietf-". This is merely a proposal by a member of the IETF to discuss this subject.

Re:Not an IETF Draft

[Zero__Kelvin]

The summary doesn't say it is a draft standard, it specifically says: "a draft proposal". This means that he is proposing that they create a draft standard.

Re: Not an IETF Draft

[petithug]

What I mean is that "floating by the IETF..." is misleading. Anybody can submit an I-D for standard track. Few are adopted by the IETF.

Re: Not an IETF Draft

[mellon]

Drafts aren't draft standards. They are drafts of documents that might someday become standards. Drafts that start with draft-ietf are drafts that have the consensus of some IETF working group to work on them, and are therefore somewhat closer to becoming standards. But they still aren't standards, and many of them die on the vine.

What PHB's document is is an individual submission. It's not got any kind of consensus yet. Not shocking, since the first version was published this morning. It's possible that it might be adopted by a working group, or be the basis for forming a new working group. Just as likely, several competing drafts that say similar things but differ on some key points will also be published, and there will be discussion about which one to work on, if any, or about combining the work. Eventually some document might reach a point where there is consensus to publish it, and then it would be a standard.

It's a messy and sometimes frustrating process, but by virtue of being a completely open process, it's hard to subvert it without leaving tracks, which is a big win for this particular subject.

This topic has generated a huge amount of interest in the IETF, and we're going to try to have a session on the topic in Vancouver, and also hopefully a presentation to the entire IETF in the meeting plenary. None of that is cast in concrete yet, because we have to get people to agree to come, and for that matter to come up with something to say. But it is something a lot of us would like to see happen, and it's being seriously worked on by the leadership.

Re: Not an IETF Draft

[Can't log in due to another slashfail, I wrote the draft]

Yeah, I did rather wonder about that when I got sent the Register article. They didn't even ask me for comment before publishing or I would have told them.

This is merely a summary I wrote of the traffic on a private list that we have been discussing PRISM on. It is not even all my work. And the main point is simply to set a baseline for the three drafts to follow so that we can avoid prolonged discussion of purported PRISM capabilities.

The next draft divides the problem space into two parts, first things that we already have good solutions for, second things that we need to improve on. Much of that is taken from the work I did on secure email in my book 'dotCrime Manifesto'. At the moment we have two email security solutions, neither of which is viable. S/MIME has ubiquitous deployment, PGP has mindshare. It does not matter how long we try, we are not going to get everyone on the Internet to use PGP. It is just too complicated for people to understand. And so is S/MIME. But there are parts of S/MIME and STARTTLS that we can just build on without modification. S/MIME message format works fine and many email clients can receive S/MIME encrypted mail without any horrid user issues. Key validation and distribution on the other hand is not done at all well. So we need a standard for a 'socket' that can fit into a MUA that allows them to access a module that does those well.

The idea of that draft is that there are four are five people who are working on innovative PKI schemes to address key distribution. But users don't want to have to bet on any one of those being the 'winner'. Plus we have lots of people who just want to hack cool crypto code into Thunderbird or the like. So if we define the interface between the two groups then we can both work in parallel and without wasted effort. And if there are enough people implementing sockets in MUAs then pretty much everyone can use encrypted email with their favorite mail client.

The third draft deals with key generation and proposes that we have a tool that generates keypairs and (optionally) submits them to some service that will be the gateway to the key distribution scheme. Although there are keygenerators out there, there are issues that just make them unsuited and none offers a good way to backup a private key or transfer it into another device. [No encrypting your private key with a human readable password with 40 bits of entropy is not a good approach). That draft goes beyond the current capabilities but is something I think we can all agree on as a common infrastructure.

The final part will be my solution to the researchy part of the problem. I doubt mine will be the only one. I am looking at building on the ideas in Google's Certificate Transparency but without the transparency proofs in the cert part which I find silly and for email is unnecessary since we do not worry about shaving a hundred milliseconds off latency. There is also a second layer of notaries, the inter-notary infrastructure.

Re: Not an IETF Draft

[mellon]

Private IETF list? Do tell!

Re: Not an IETF Draft

[Zeinfeld]

It is not even meant to be a proposal.

The point of the document is that I took all the points that had been made five or more times already and put them into one document so that we can move the discussion on to the next stage. Otherwise every time we get a new person joining the group we have to go through the same thing all over. And the third or fourth time round it becomes 'we already know that', 'NOO you are trying to censor me, NSA plant!'.

It isn't meant to become an IETF draft, they would make me take out all the fun parts. Like pointing out the abject incompetence of an organization that lets a 29 year old contractor with a pole dancer for a girl friend have access to that material six months after joining. Why do Alexander and Clapper still have jobs? And spying on US citizens and then trading the raw SIGINT with foreign powers that are certain to share it with my commercial competitors? What were these idiots thinking?

There is work going on in IETF and in fact we started before his Bruce-ship made his call to arms. I doubt the PRISM-PROOF branding will stick. But it is powerful mind share as this story proves. We have botched deployment of almost all the security protocols developed in IETF except for TLS and that succeeded before it went in. This is a chance to hit the reset button and fix the mindbogglingly stupid deployment gaps. Like having no standard way to discover recipient keys and having two different message formats (OpenPGP and S/MIME) forcing people to choose between two key endorsement schemes rather than allow them to pick the one suited to their needs.

Yes, I do think there was interference in the past efforts but I suspect it was subtler than most imagine and not coming from the NIST folk. Rather, I think the interference came from folk who would encourage both sides in technical disputes to dig in and refuse to compromise, folk who participate with no visible means of financial support and seem to have limitless time to write drafts but are not very technical.

Re: Not an IETF Draft

[Zeinfeld]

Not an IETF list.

It's called IPv6 DNSSEC

[VortexCortex]

Mandatory end to end security was in IPv6. The Feds didn't like that, so guess what? It got removed.

If you ask me, it's time to shit-can the IETF too.

Re:It's called IPv6 DNSSEC

[steelfood]

At this point, does it even matter? IPv6 is taking forever to adopt. By the time any new PRISM-proof standard gains any amount of traction, the NSA would have developed a new system to work around it. And that's assuming that the NSA hasn't sabotaged its efforts either by directly convincing the standard-writers to put in back doors, or indirectly by convincing companies not to adopt secure portions of the standards.

Communication has been, and always will be about trust. Without trust, no communication can take place.

Re:It's called IPv6 DNSSEC

[Zero__Kelvin]

Hindsight is 20/20. If they did that today then I would agree with you, however I'm assuming that happened prior to the Snowden Enlightenment, in which case you are criticizing them for not knowing what you didn't know either at the time.

Re:It's called IPv6 DNSSEC

[cookYourDog]

Aren't you still trusting certs to a third party with DNSSEC? Hasn't the NSA already subverted that model of trust?

And doesn't this only protect resolution confidentiality and integrity? What about actual http requests?

Re:It's called IPv6 DNSSEC

[Zero__Kelvin]

Bullshit. When IPv6 was first proposed (2000-10-05) hardware was far less capable, and requiring all systems that participated in the internet via IPv6 to do on the fly encryption was not a smart idea. Again, you are speaking as if this all happened today, with current knowledge of PRISM and current hardware capabilities.

Re:It's called IPv6 DNSSEC

[AHuxley]

Only the GCHQ and NSA can shape international telco standards and end user cryptography. They set the early EU/NATO export grade cypher machine standards, the consumer digital age was theirs to shape. The idea that some country with some satellite dishes and mirroring all optical in their region can have global reach is a joke.
You need physical global reach and a deep under standing of the systems in use. Very few countries ever had that.

Re:It's called IPv6 DNSSEC

[mellon]

You can publish your PKI cert in DNSSEC. This forces an attacker not only to get a CA to sign their fake cert, but also to subvert the DNSSEC hierarchy. The cert protects the integrity and confidentiality of the communication. So in fact DNSSEC can play a role in that, and result in a system that's harder to subvert.

Furthermore, the NSA hasn't entirely subverted that model of trust. It is not _as_ trustworthy as people thought, but systematically snooping on https traffic with faked certs is still something that's not practical—you can do a targeted snoop, but the wider you cast the net, the more likely it is that your attack will be noticed. So yes, subverting the PKI is a risk, but no, it doesn't mean the PKI, or DNSSEC, is useless.

Re:It's called IPv6 DNSSEC

[slick7]

Aren't you still trusting certs to a third party with DNSSEC? Hasn't the NSA already subverted that model of trust? And doesn't this only protect resolution confidentiality and integrity? What about actual http requests?

Here's the circle of trust and you're not in it.

Re:It's called IPv6 DNSSEC

[cookYourDog]

Good information, thanks for the reply. Unfortunately, I think it's far easier than faking certs. A national sec letter delivered to a CA seems to render the entire hierarchy useless. Am I wrong here?

Re:It's called IPv6 DNSSEC

[rtb61]

Well, right now the US Administration has a choice, either get the NSA back under control or face the global exclusion of US software, hardware and computer services and US companies are fully entitled to send the bill for losses straight to the NSA. If fact they should start the court cases for damages right now.

Re:It's called IPv6 DNSSEC

[Burz]

Only encrypted onion routing such as this can provide end-to-end security that does not leave reams of metadata (all of the who / when / where details of our communications) on the NSA's front porch every morning. No carrier can tell you what your addressing or NAT scheme can be, nor interfere with packet delivery in any fashion other than all-on-or-all-off. You even get to decide the number-of-hops vs speed tradeoff for different applications, and your address doubles as the cryptographic key that affirms your identity (only to the others you communicate with).

DNSSEC is a rubric of centralized control that leaves security as much subject to the secret courts and NSA "workarounds" as does PKI over IPv4.

Re:It's called IPv6 DNSSEC

[Zero__Kelvin]

They did make plans for the future. That is why end to end security is an option. End to End security has advantages and disadvantages, so it is pretty hilarious and ironic that you would accuse me (and the rest of the experts who know far more than you) of being the short-sighted ones.

"You really are a narrow-minded individual."

Thanks for that. I needed a good laugh this morning!

Re:IETF is better than NIST, how?

[icebike]

I can't imagine what difference it would make.

Well not being owned by the US Government might be a good start, don't you think?

There is some (debated) evidence that NIST was compromised by directions from above, by external control of its budget, etc.

Lets face it, security and privacy were not designed into the protocols we use on the internet today, they were bolted on afterward, and the government played a big (and self serving) part of that effort. Any amount of data hardening would be welcome at this point. There will still be metadata that can be collected but content should be able to be kept private by default.

I would rather have a community of enraged engineers driving the design and management than a bunch of federal paper pushers with a police mentality.

Maybe PRISM is a US government; I don't know.

[Zero__Kelvin]

"PRISM is reputed to be a classified US government that involves covert interception of a substantial proportion of global Internet traffic."

He repeats this line at least twice, which I am assuming is a result of copy and paste. Unless he is saying that PRISM is a second government, I guess my first suggestion would be to add the word "program" in there somewhere ;-)

Re:cat & mouse

[causality]

Why play cat and mouse with your own governing body? PRISM is illegal. Put effort towards ending it. Otherwise, you're helping terrorists... (rolls eyes)

Out-of-control governments are the real terrorists. Al-CIA-da would salivate at doing one one-thousandth the damage a cancerous government can do.

Re:IETF is better than NIST, how?

[Anachragnome]

"Lets face it, security and privacy were not designed into the protocols we use on the internet today, they were bolted on afterward, and the government played a big (and self serving) part of that effort."

For those that doubt that statement, please read the documentation provided by the none other than the NSA itself.

http://www.nsa.gov/ia/programs/suiteb_cryptography/

That page was posted by the NSA 4 1/2 years ago and updated in May 2013. Surprisingly, they name names--exactly who worked on what--and even go so far as to provide addresses and personal information for these people. These names can be used to locate networks of "cooperation", just like the NSA uses metadata to find out things about us. For instance, one of the key writers in this document ( http://www.ietf.org/rfc/rfc6318.txt?number=6318 ) when Googled is linked to this document-- https://www.google.com/patents/US6243467 , which in turn adds more names. Follow the names, and see just how much trust you have afterwards.

Dig through the links! Very informative! Start asking yourself what crypto might be safe from the NSA, and you'll quickly realize--the further you dig--that none of it is safe from the NSA. They've identified and created "secure" versions of almost every protocol, for themselves (Suite B), and stuck the rest of the world with lesser versions, versions that would obviously be crackable given that they possess something better.

To be honest, I'm a little surprised that page is still available. I suspect it won't be for long.

Sparse Details

[Nethemas+the+Great]

the draft is however very sparse on details

Don't worry the NSA and GCHQ will help fill in those details.

Re:Sparse Details

[slick7]

the draft is however very sparse on details

Don't worry the NSA and GCHQ will help fill in those details.

And you still won't have a clue what they are.

Re:IETF is better than NIST, how?

[george14215]

Like the 100k civilian dead in Iraq? How in the world do we have any right pontificating on Syria?

Corrections

[WaffleMonster]

Anyone can submit an I-D for anything. With few exceptions they are uploaded automatically with no human review, zero buy-in, endorsement, weight..etc by anyone. This ID has not even been adopted by a particular WG.

Then theres question of what is it this draft proposes reads more like a hapazard list of one mans problems.

To be clear I'm not attacking the I-D I'm attacking the warped characterization of it by people who should know better.

Re:IETF is better than NIST, how?

[george14215]

GF implied that intervention was called for based on 100k dead. Anyway, so we are outraged at 4000 killed by CW and that's the red line? The first 100k dead didn't matter? It makes the current case for intervention even more absurd.

Re:IETF is better than NIST, how?

[hedwards]

I'm sorry, but that has nothing to do with Syria.

The reason that there are 100k Iraqi civilians dead has nothing to do with the decision about whether or not to invade. The 100k is an argument for actually spending the time to make sure the plans are realistic. Had there been an adequate number of troops in Iraq that would never have happened.

It's beyond me how idiots like you can confuse the issue.

Re:IETF is better than NIST, how?

[george14215]

That's small comfort to the 100k DEAD and their friends/family, idiot. Very convenient rationalizing 100k dead based on an "if". Oops! bureaucratic mistake, no harm no foul! How asshats like you can be so cavalier about human life is beyond me.

Anything is better than NIST

[Taco+Cowboy]

If the IETF is serious about foiling NSA's PRISM scheme, there is one item that they should add in their proposal ...

DO NOT USE ANY CISCO DEVICE

All CISCO devices come with NSA backdoor pre-installed

Re:IETF is better than NIST, how?

[Score+Whore]

My point is that the reason US pols started getting antsy had nothing to do with how many people were killed, it was the way they were killed.

According to the internet, over a quarter million people die every day. A portion of those can't be saved, but a good portion probably could. Where's the line drawn between sacrificing the future well being of my immediate family for the benefit of someone I've never met, never would meet and quite possibly who will, no matter what outside parties try to do, continue to make bad decisions and will drain you dry if you let them. At some point you have to recognize that taking action can result in a net negative result. The whole moral requirement goes both ways, you may say that those who are better off have an obligation to those who are worse off, but at the same time those who are worse off have an obligation to improve their lot and become a net contributor. Much like a life guard and a drowning swimmer, sometimes they'll take you down with them.

I read an article today where they were talking to Syrian refugees and the people in the refugee camp are developing anti-American sentiment because we're not fighting on their side. If the US intervenes then they get lambasted. If they don't they get lambasted. Well fuck it then.

Not sure if I made a point or not.

First things first

[Mister+Liberty]

Is this guy kosher?

Re:IETF is better than NIST, how?

[icebike]

The best encryption is the kind that even when they hand you the algorithm you can't break it.
If we could just get government spooks out of the development chain and do it all in opensource we could prevent the backdoors they demand.

If we went to a plug-able encryption module web servers, mail servers, etc could support many of them, and the user could take their choice.
There are a lot of methods we could improve, and every single one of them is easier than your recommended restructuring of government.

Re:IETF is better than NIST, how?

[AHuxley]

New Zealand and Australia may soon be getting the keys to the net encryption too.
http://www.smh.com.au/technology/technology-news/whistleblower-reveals-australias-spy-agency-has-access-to-internet-codes-20130906-2tand.html

Re:The problem is that PRISM is all-seeing

[mellon]

Watching all Tor endpoints and coordinating the traffic between them is an O(N^2) problem. Not a problem for a targeted attack, not so easy for attacking everybody, unless not many people use it. So people who bittorrent through Tor are, ironically, doing a public service.

Re:It can't be PRISM proofed

[mellon]

You can have end-to-end security any time you want. The problem is, most people don't know to want it.

Individual submission, not IETF document

[klapaucjusz]

This is an individual submission, not an IETF working group draft, and does not appear to either be proposed for an IETF wg draft or to be in the RFC Editor's queue. In short, it has nothing to do with the IETF.

Re:IETF is better than NIST, how?

[SuricouRaven]

The number of civilians killed in the 9/11 attack was approximately equal to a little over a month of fatal traffic accidents in the US for 2001. If the government had spent even a fraction of the money spent on security and military action after 9/11 on road safety and public transport instead, they could have prevented several 9/11s each year.

Politics and public reaction are not rational.

Re:IETF is better than NIST, how?

[daem0n1x]

I'm European. As far as I'm concerned you can keep your troops and guns at home, thank you very much.

I'm pretty sure most of my fellow Europeans feel the same.

But then, where would you spend all those shiny weapons your military-industrial complex keeps making and selling you?

Re:IETF is better than NIST, how?

[daem0n1x]

If you are really so concerned about the Syrian people, stop arming foreign terrorists and sending them there. Haven't you learned anything from all the fuck-ups you did before?

Before anyone calls me an anti-American, that goes for France and UK, too.

Re:IETF is better than NIST, how?

[causality]

My point is that the reason US pols started getting antsy had nothing to do with how many people were killed, it was the way they were killed.

Yes. When the news reports about the chemical weapons first started coming out, they kept making a big deal out of this. I kept wondering, "and if those people had been shot instead, would that make you feel better?" Seems I'm not the only one to think of that.

Re:IETF is better than NIST, how?

[causality]

Politics and public reaction are not rational.

More like, the media discovered long ago that sensationalism sells better than rational thinking because emotions are much easier to manipulate. Being mostly followers who have been conditioned not to think critically, the public and thus the public's representatives simply follow.

Root Root Root for IETF

[JohnReynolds425]

We need this. Without a way to make sure the NSA isn't invading our privacy, we need to take matters into our own hands. Laws won't do the job. My God, the NSA's philosophy is "We're hunting terrorists. We don't need no stinking 4th Amendment." Unfortunately, I doubt that encryption will keep NSA out entirely, but it will make it harder for them to pick us out of the crowd. Decrypting still takes extra time & effort and that little bit of hassle may be enough to keep their noses out of your business. One thing we can do right now is stop storing stuff on Dropbox, iCloud, etc., where it's easy pickings for NSA Take it down and stash everything in a CloudLocker (www.cloudlocker.it), which works just the same but it's private and stays in your home where they still need a warrant to see inside.