Idea: Prizes for protocol problems in key agreement



Cliff Stoll's talk here at Crypto '96 mentioned that crypto is all
about trust, and that trust comes from a process of suspicion,
followed by scrutiny, followed by trust if no problems are found.  You
can also see this as a Quality Assurance procedure.

Given the current state of IPSEC key agreement protocols, I am
thinking it would be prudent to run a competition for people to
scrutinize some candidate key agreement protocols (e.g. Photuris,
SKIP, ISAKMP/Oakley, and whatever comes out of the smoke-filled room).
I have a serious concern that we'll end up standardizing on a protocol
that has not had the scrutiny required to validate its security.  For
this audience I need not point out that if the key agreement protocol
is insecure or subvertible, it doesn't matter how strong our packet
encryption is, nor how solid our public-key infrastructure is.

I'm particularly concerned that Photuris has not had recent scrutiny,
that ISAKMP/Oakley is sufficiently complex and new that it has not
been fully defined or analyzed, and that the smoke-filled protocol, if
any, will of course be new and need critical examination.

EFF has recently decided that they want to help my S/WAN efforts to
deploy IPSEC technology widely and rapidly.  I'm thinking of funding
prizes that EFF would offer for protocol problems found and posted to
the IPSEC mailing list.  The kinds of things that would qualify as
"problems" include:

	*  Revealing session keys or parts thereof to observers or attackers
	*  Revealing private keys or parts thereof to observers or attackers
	*  Enabling session keys to be forced to known or partly-known values
	*  Inability to scale to daily use on the entire Internet
	*  Revealing user identities to observers (if user keying is involved)
	*  Failure to provide perfect forward secrecy for packet traffic
	*  Enabling traffic to move in the clear which should be encrypted
	*  Designs that are trivial to circumvent or bypass

My current thought is that the "best" problems will win more money and
glory, but that everyone who finds a legitimate problem (in the
judges' opinion) will get some money and glory out of it.

I hope that we can do something similar for some of the reference
implementations, once the protocols are nailed down.

There might be big money for the protocol authors here -- they can
define buggy protocols and then collect by pointing out the problems!
But I think the increased general scrutiny is worth that risk.

Does anyone have objections to this kind of quality assurance process?

Please give me your reactions and suggestions about this idea.
Suggestions for a set of standards to judge the protocols against would
be particularly useful.  Also suggestions on the appropriate sizes,
numbers, and categories of prizes, and potential judges.

	John Gilmore
	'an equal opportunistic encryptor'