Eric Rescorla – How paranoid should we be?

Eric Rescorla is a man who speaks frankly about internet security. You might have guessed that from the name of his consultancy – RTFM – an acronym politely translated as “read the friendly manual”… except that it’s usually not politely translated. He’s the co-designer of secure HTTP, and now works on security issues with Skype.

In a conversation about cyberwarfare at Princeton, his assertion – “The internet is still too secure” – raises a few eyebrows. But his key message – “things could be a lot worse” – is a useful counterpoint to the rhetoric of cyberwarfare that Dr. Lin explores, and helps show the tensions between the computer security community and the defense community (not to mention with the human rights community.)

Rescorla asserts the following:

We have nearly unbreakable crypto primitives.
AES resists all practical attacks, RSA isn’t quite as strong as we’d like – but there is good new stuff in the pipeline, and there’s been significant progress made on addressing collisions in SHA-1. “There is no serious concern we’re going to run out of crypto any time soon.” The problem instead is getting the new stuff into use – we’re not using the strong stuff that we already have.

We think we know how to build secure protocols.
There’s been no basic change in security design since 2000. We’ve got good protocols for data object security (S/MIME, PGP), for stream security (SSL/TLS, SSH), for packet security (IPsec, STLS) and for authentication (Kerberos). Our work isn’t on deploying new protocols – it’s on addressing flaws in existing implementations – updating to newer hash functions after MD5/SHA-1 attacks, for instance. And it’s on gluing together existing protocols, none of which have really changed since 2004.

We can’t build systems that are reliably secure.
Good implementations are hard. We recently saw an attack on OpenSSL where a single “record of death” can crash the whole system. Debian managed to break their psuedorandom number generator, which meant that Debian keys were highly predictable and crackable with a table of only 32,000 keys. This probably affected 1% of internet connected machines.

This is just the security critical code. As Steven Bellovin at Columbia has pointed out, “Software has bugs. Security software has security relevant bugs.” And we’re bad at finding these bugs – audits are time consuming and there’s no evidence that they significantly affect the discovery rate for bugs. And affected implementations are slow to go away.

User practice is appaling.

Users are careless. They install random software from untrusted sources. They ignore our carefully constructed messages designed to prevent man in the middle attacks. And crypto doesn’t do much for you if your system’s been compromised.

Things could be a lot worse.

Despite all this, things aren’t so bad. Why is computer security so poor despite twenty years of work on the topic? We’ve been working on personal security for 10,000 years – why aren’t human beings invulnerable? Security people always think about the worst case scenario, but the actual attacks we experience are fairly primitive.

The Debian PRNG bug is about as bad as it gets, but there was no evidence of practical attacks in the field. You can mount a DOS on the whole internet pretty easily – publish bogus BGP routes, as Pakistani ISPs did while trying to block YouTube. As a practical matter, we can almost always get to YouTube. The internet shouldn’t work, but it does. Perhaps the question we need to be asking ourselves is “What’s a rational level of paranoia?”

This entry was posted in Geekery. Bookmark the permalink.

3 Responses to Eric Rescorla – How paranoid should we be?

  1. Pingback: Dasgeht.net » Blog Archiv » Emailverschlüsselung mit Enigmail OpenPGP und Thunderbird

  2. Susan J. says:

    Who are you kidding? A former NSA employee tells us to trust AES because there are no effective attacks even though algorithms like threefish are (most likely) better. Telling us to trust the successor of sha1, made by NAS and NIST without open competition, proposing to use ECDH rather then RSA even though ECDH is way more vulnerable to weak random number generators, something the “criminal anti-human-rights organisation NSA” likes to fuck with.
    Mentioning the complicated IPSec protocol but not openVPN and pointing out the weaknesses of Open Source Linux Systems like Debian and the openSSL library to possibly push people to use your backdoored RSA(Company) number generators?

    How the fuck do you explain your part in Dual EC DRBG I wonder?
    How are we supposed to trust in anything that you or the NSA (publicly) considers to be save?
    How are we supposed to trust the new TLS standard that you are working on, or even firefox for that matter, as you are working for Mozilla.

    Please, don’t hesitate to rebuild that trust that you have lost and proove somehow that there is something that people like you can do and that we “paranoid” people can set our trust in.
    I wonder how that would be possible…

  3. Fran Kee says:

    According to Germany’s leading IT website heise.de, Eric Rescorla was involved in the “Extended-Random”-Implementation, aka NSA backdoor… just saying, worth investigating.

    http://www.heise.de/newsticker/meldung/Mehr-Details-zur-Hintertuer-im-Zufallszahlengenerator-Dual-EC-DRBG-2159523.html

    Also on slashdot, people got an opinion…
    http://news.slashdot.org/story/14/03/31/1459259/nsa-infiltrated-rsa-deeper-than-imagined#comment_top_46622877

Comments are closed.