Minutes of the 2013-09-18 IAB Teleconference (Tech Chat & Business Meeting)
1. Roll-call, agenda-bash, administrivia
1.1. Attendance
PRESENT
- Bernard Aboba
- Jari Arkko (IETF Chair)
- Marc Blanchet
- Ross Callon
- Alissa Cooper
- Lars Eggert (IRTF Chair)
- Mat Ford (ISOC Liaison)
- Russ Housley (IAB Chair)
- Eliot Lear
- Barry Leiba (IESG Liaison)
- Xing Li
- Alexey Melnikov (RSOC Chair)
- Erik Nordmark
- Andrew Sullivan
- Dave Thaler
- Hannes Tschofenig
REGRETS
- Heather Flanagan (RFC Editor Liaison)
- Mary Barnes (IAB Executive Director)
- Joel Halpern
- Cindy Morgan (IAB Executive Assistant)
GUESTS
- Stephen Farrell (IESG, Security AD)
- Bruce Schneier
- Sean Turner (IESG, Security AD)
- Amy Vezza (IETF Secretariat, Scribe)
1.2. Administrivia
Amy Vezza reminded the IAB that the IETF 88 BoF Coordination teleconference would take place September 24, 2013 at 7am PT.
2. Tech Chat: Internet Surveillance
Bruce Schneier was invited to discuss Internet surveillance and answer questions in response to his articles that were published in The Guardian. He began with a brief overview of his perspective on how the NSA has done their best to subvert as much of the Internet as they can, from the algorithms, to the implementations, to the protocols, to the systems. He noted that it is primarily a legal problem, not a technical one, and that the Internet needs a coordinated response. He mentioned a document being circulating on how to make things PRISM-proof [see https://datatracker.ietf.org/doc/draft-hallambaker-prismproof-req/]. Bruce is also working with a team to try to figure out how to make random number generators harder to subvert. If an adversary is sneaky enough and well-funded enough there is nothing the user can do, but there are things that can be done to make surveillance more difficult.
Bruce Schneier proposed some general rules, including:
- No longer trusting elliptic curves from sources untrusted.
- No longer trusting closed systems that don’t interoperate. For instance, it is harder to subvert PGP because it interoperates with GPG, but it is easy to subvert Bitlocker because it does not interoperate with anything else, and it is developed by one private company.
Bruce Schneier indicated there will be a lot of conspiracy theories, but he can not discount any of them. He is hoping the international community can come together to say this is wrong, and can help fix the problem. He mentioned that possible steps would include:
- Mandate open designs
- Mandate interoperability
- Re-look at security protocols like IPsec
Bruce Schneier noted that he has seen documents that say the NSA would try to influence the standards process, and that they would try to influence the way a company does things. There are some, but not a lot of people coming forward to say “we were asked about back doors.”
Bruce Schneier was willing to take a question and answer period with the caveat that because of the laws in the UK, there may be things he could not talk about or mention specifically. He could only talk about the published stories, not about stories that are not published yet, or process or procedures, which made it harder. They are pushing The Guardian to publish more details and redact less, but they need to be able to go in court and affirm that there was a compelling public interest for what was published. The UK standard is much stricter than the US standard for the press.
Russ Housley noted that much of what he has read said that the NSA was getting information pre-encryption or post-decryption. Bruce Schneier replied that that is not what he was seeing happen. He mentioned that he believed the NSA is getting the information in the backbone with massive traps and decrypting it after collection. His goal is to make surveillance more expensive. He is more interested in the information in the network–the information he believes is collected from the various telcos either by stealth or by agreement with the company. The routers are vulnerable; he has many stories he is collecting and trying to get published about people seeing weird configuration settings in routers.
Ross Callon wanted to know if service providers are cooperating with the NSA either voluntarily or as compelled by law, and if the service providers can configure their own routers so the routers are going to be vulnerable. Bruce Schneier agreed that would happen where there is a law. But in many places there is not a law, and in those places they do it by stealth, and go into the routers and turn it on remotely. The question is, can we make it harder, so that if you are compelled by law it cannot be turned on. The goal is to try to build a system where there isn’t information to hand over. The goal is not to have an auditable system.
Jari Arkko requested more information about the in-the-network attacks versus at-the-source attacks, and where the defenses should be focused. For instance, thinking about the issue from the perspective of the NSA, if they legally have access into the service providers and get the real data inside encrypted tunnels, why would they also do the in-the-network attacks? Bruce Schneier replied that there were a couple of reasons for this. The surveillance state is robust and multifaceted; they go and collect everything because something may go away. Also, network attacks are safer and they work better in bulk. He made the comparison that the NSA could target each individual IAB member’s computer and collect all the information they wanted, but it is risky, time consuming, and expensive. It is far cheaper to collect absolutely everything and sift through it at the NSA. In some cases, companies are legally compelled, but in more cases the NSA either asks nicely or threatens. He mentioned that legal compulsion is new and relatively rare.
Bruce Schneier discussed unsubstantiated talk he has heard on specific things that may have been broken. He speculates that the NSA has an elliptic curve technique no one knows about that either allows them to break elliptic curves in general, or more likely, to break specific classes of elliptic curves in order to influence the choice of those curves, so they can produce a curve that they can break and other people cannot. Another possibility is a generic attack against discrete logs that allows them to break basic public keys better than we can. A third possibility is a practical attack against RC4, which is barely effective.
Bruce Schneier mentioned that he gave this list to another cryptographer and they agreed, but reversed the order of the list. He believes in lengthening public keys more than we think we should, and moving away from RC4. He believes most of the time the NSA is collecting information through exploiting known implementation weaknesses. He mentioned the work done on the randomness of public keys being not as random as expected, and whether this is being exploited.
Access to the backbone by entities like the NSA, whether by stealth or by compulsion, has been around since the seventies and eighties. Fundamentally, this issue is not new. Forcing them to produce a legal document is a win. Giving the company’s lawyers a chance to fight, giving it a chance to become public, and forcing the conspiracy to be larger is an important strategy. Bruce Schneier mentioned that the most disturbing information that he published is that the NSA has moles in companies that are providing information without the company’s knowledge.
Stephen Farrell asked about the likelihood of concrete cryptographic evidence about the specific curves that might be broken. Bruce Schneier said generally we will not see the evidence if something has been broken and how. This information is ECI (Exceptionally Compartmented Information) and barely ever written down. What he has seen is more general information about the activities the NSA does with the information, but not the information itself.
Stephen Farrell noted that if there are existing curves that are weak in some way, that would not mean all curves are going to be weak. Bruce Schneier agreed, and noted that the question we can’t answer is whether the NSA knows some math we do not. Is there a subclass of curves that we do not know exists? Bruce Schneier mentioned he had a strong belief that they are manipulating curves, and if they are, the reason could be to give them a certain characteristic. He mentioned he would take a Dan Bernstein Curve over anything else right now.
Hannes Tschofenig mentioned that the IETF works on open standards and having wide review of security specifications, but that is not enough to convince the wider Internet community they need to deploy them. This has been difficult. Hannes wondered if there would be a way to get a wider audience using Bruce’s blog posts [https://www.schneier.com/] to get deployments of Best Current Practices into circulation. Bruce Schneier agreed that he would help however he can, and the thought that technology would be NSA-proof is attractive. He mentioned US companies are already hurting because of this, and the prediction is that it will get worse. He mentioned that Brazil is now disconnected from the Internet, and that the blowback is considerable. Companies are wanting to reassure their customers.
Bernard Aboba asked that since a lot of this concerns cryptography, are there specific things the IETF can or should do to get better trust in the cryptography used in IETF standards? Are there things the IETF needs to do with respect to the process of what the IETF publishes, and the things IETF depends on? Bruce Schneier replied that he is discussing with a group of people whether there is any way to do cryptographic standards without NIST, noting that we have really relied on and trusted NIST with the new hash function and crypto-algorithms. But now that there are allegations, we know the NSA has influenced NIST’s decisions regarding the random number generator.
Crypto is different. The IETF as users of crypto can start making demands for more open standards. Bruce believes AES is good, SHA-3 is good. If there are weaknesses, they will be in implementation. Crypto users want credible algorithms that are trusted that do not come from governments.
Jari Arkko asked if there was value in the IETF doing a widespread re-review of the crypto that the IETF has. Bruce Schneier thinks a re-review is a good idea; identifying best practices for NSA-proof crypto is necessary, and to do that a review of everything to date is essential.
Eliot Lear wanted to know if Bruce Schneier had any concept of how long the hits would keep coming regarding the information fought for and released. Bruce Schneier did not know, but guesses it will be longer than six months; maybe a year. They will hit a point of diminishing returns sooner or later.
Alissa Cooper wondered about the restoration of trust. If the NSA is always ahead, how can the IETF make the guarantee that their information will be safe if users have already lost the trust in the IETF? Bruce Schneier noted that the NSA may still be ahead of the IETF, but the focus should be on making surveillance expensive. The Internet has made surveillance cheap. For example, the lesson of Snowden’s actions is that to get a (metaphorical) specific three documents off a server that houses fifty thousand, it is easier to go and get all fifty thousand documents than to find the desired three specific documents. If the NSA wanted a specific person’s phone calls, it was easier to take them all. If the IETF can change the economics of getting the information, that would be good even if the NSA will always be a step ahead. The standards bodies do not have to make it easy for them.
Andrew Sullivan asked what the IAB or IETF could do in general to restore Bruce Schneier’s personal trust. Bruce Schneier noted he doesn’t know the answer, but he knows the IETF has a lot of smart people. He suggested making encryption more ubiquitous; change the Internet’s default from anyone can eavesdrop to by default making it difficult to eavesdrop.
Andrew Sullivan noted that the IETF does not work in the user interface layer, but that the IETF operates at a level in the stack where it can recommend actions for companies actions to take. The IETF can press for greater openness in review of the crypto. Bruce Schneier noted that perhaps Andrew Sullivan is correct, and if there are other groups that need to take action we should recommend they do so. Bruce Schneier used the example of companies like Microsoft, which is going to want to do more, and want to point to something and tell their customers that they are doing what the industry believes is the right thing to do.
Jari Arkko asked if, hypothetically, we succeed in making crypto stronger, and more of the web traffic is encrypted, then what is the response from the NSA or the government of China? Bruce Schneier replied that we are already seeing this. The NSA is grabbing master keys for SSL, because SSL is strong enough that they cannot break it just by eavesdropping on the Internet; they need to do something against the endpoints. The next step is more time-consuming, risky, expensive surveillance that involves hacking endpoints. The NSA does it now because not everything is broken on the Internet, but it is a different risk equation for them. This is preferred. Allow the NSA to target the bad guys. The goal is to push the NSA into more focussed attacks and fewer broad attacks. If we increase security, we will see them do more focussed attacks.
Sean Turner mentioned a Best Current Practice (BCP) published that talks about the security bits required to protect the Internet. It says that a key exchange model of about 1200 bits protecting 80 bit symmetric key is safe even against a nation’s resources. Sean Turner asked if this BCP needs updating, and Bruce Schneier agreed that it does.
Hannes Tschofenig stated that one of the developments in the standardization ecosystem was the excitement for client-to-server communication and smartphone applications. There is a lot of proprietary protocol development happening away from standardized mechanisms, which will be difficult to deal with. Bruce Schneier agreed with this assessment. All the IETF and other SDOs can do is educate people.
Marc Blanchet noted that the public has heard a lot of assertions from the press and others, and wanted to know how much is true. Bruce Schneier replied that he would get as many hard facts as possible, but unfortunately, he thinks we will be stuck with general statements and with very few details.
Marc Blanchet noted that the system user’s weakest point is passwords. There are large clusters of companies where the same email address and authentication credentials are used everywhere. It seems this would be a weak point; if the credentials for one can be taken they will not need the whole power of decryption–they can just get the data. Bruce Schneier said that anything that can increase the NSA’s costs will force them to attack individually. They can break passwords, but breaking passwords is going to take time and be done one at a time, which is a fundamentally different type of attack than taking the information from the backbone. The consolidation has hurt the greater Internet. The Internet was much more secure when there a million ISPs and not everyone was using Gmail. The consolidation of data makes the Internet insecure.
Bruce Schneier stated that this is primarily a legal problem, not a technical problem, and we have to believe other people will do their part. Organizations like the ACLU are pushing on the legal front, and companies like Google, Facebook, Apple, and Microsoft are fighting back on the requirements to give the NSA data. The IETF will have to accept there are some parts that the IETF cannot fix, and so should concentrate on what can be fixed, and trust others will do what they can. The IETF should believe the legal people will do their part, and the technical people should do our part.
Eliot Lear noted that the IAB is struggling with the question of whether the IAB should make a very simple high-level statement of principles, or a more in-depth statement that delves into all aspects of this problem. Bruce Schneier noted the need for a neutral, trusted, non-government-tainted group to delve into these issues, and said that the IETF is in a good position to do this.
Bruce Schneier agreed he would work to put the IETF 88 meeting in Vancouver on his schedule. The IAB and IESG will change the schedule to make it possible for Bruce to address the IETF community on Wednesday morning, 6 November 2013.
Russ Housley noted that while Bruce is not able to give an exact problem statement, he can help define the boundaries, and moving from anyone can eavesdrop to requiring focussed attacks is the best characterization of the problem he has heard.
Russ Housley queried whether Bruce Schneier thought that The Guardian was waiting so long to bring the story out had to do with maintaining the news cycle, or if the story was taking that long to work through the UK News system. Bruce Schneier replied that he believes it is more the UK News system than the news cycle. The UK News editorial cycle has a mandatory requirement of giving the government advance warning and taking comments, to allow the back-and-forth of redaction. It is slow and difficult to get through the system, and they do not have many stories in the queue to maximize the media impact. A lot of this information is really subtle and the government has a lot of lawyers. The needs of engineers are different from the needs of the public who read the news.
The IAB thanked Bruce Schneier for attending the call.
3. Statement on Surveillance and Open Standards
The board discussed the issue of a joint OpenStand statement or an IAB specific statement. Many members were against a closed review period for such a statement and would prefer to have an open discussion period in the IETF if such a statement was required. There was some discussion of being part of the OpenStand statement, and following it up with an IAB statement. Eliot Lear, as the liaison to OpenStand, recommended that the statement be kept short and to the point. Discussion will continue on the mailing list.
4. TLDs and collisions
Andrew Sullivan mentioned that he and Olaf Kolkman have been working on a document regarding this issue, and he recommended that there was no IAB action required. Other IAB members concurred.
5. draft-rfced-rfcxx00-retired
Russ Housley mentioned that the IESG has written a companion document and asked if there was any reason the IAB should not publish draft-rfced-rfcxx00-retired as an RFC. There was no objection as draft-rfced-rfcxx00-retired would wait in the RFC Editor Queue for the IESG companion document.
6. Wrap-up from the RIPE Roundtable
Discussion on the wrap-up from the RIPE Roundtable was deferred to the next IAB teleconference.