4 Engineering at Scale and User Implications
Pages 39-52

From page 39...
... Sara "Scout" Sinclair Brody of Simply Secure offered a perspective informed by the field of user-centered design, explaining how security and agility can be enhanced by better defaults, communication, education, and transparency -- not only for end users, but also for developers themselves.

TRANSPORT LAYER SECURITY AND THE DOWNSIDES OF AGILITY
Matthew Green, Johns Hopkins University

Matthew Green is an assistant professor at the Johns Hopkins Information Security Institute and also writes a well-known cryptography blog titled "A Few Thoughts on Cryptographic Engineering."[1] Like other speakers at the workshop, he offered examples of the benefits of agility (which he defined as having the ability in place to react quickly and

[1] The website for Green's blog is http://blog.cryptographyengineering.com/, accessed November 18, 2016.
From page 40...
... Cipher suites, authenticated encryptions, fast stream ciphers, and fast authenticated stream ciphers were all developed to increase security. However, Green explained, "it turns out that there were applications that we had not really considered." RC4 was fast but not necessarily secure; to attain something fast and secure, designers are now looking at nonstandard cipher suites such as ChaCha20 and Poly1305 and considering whether it would be worth pursuing standardization of these suites by the Internet Engineering Task Force (IETF)
From page 41...
... Digging deeper, the researchers discovered that there had been an implementation vulnerability that allowed attackers to downgrade from a more secure protocol to export RSA, which could then be exploited -- the Factoring Attack on RSA-EXPORT Keys CVE-2015-0204 (FREAK) vulnerability.
From page 42...
... This is not actually what the TLS design community had been assuming, though; they had thought that as long as the intersection of the two sets of algorithms contained secure protocols, that was enough. However, he noted that this work showed that downgrade attacks can still find a way to use the insecure protocols, if they are also supported.
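The point in this excerpt (a secure suite in the intersection of what both sides support is not enough while a weak suite is also in that intersection) is easy to see in a toy negotiation model. The block below is an added example written for this page, not code from the workshop or its speakers; the suite names are constructed to look like TLS identifiers, the selection rule (server takes the client's first supported preference) is a simplification, and `on_path_filter` stands in abstractly for whatever rewrites the offer in transit. It contrasts a server that still carries export suites with one that has removed them, and shows why a client-side "did I actually offer this?" check (the check a FREAK-class client defect lacks) does not rescue a client that still lists the weak suite itself.

```python
"""Toy cipher-suite negotiation: intersection vs. downgrade (added example, not from the page)."""

# Constructed suite lists; names mimic TLS identifiers but the model is deliberately simplified.
SECURE_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
EXPORT_SUITES = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"]


def negotiate(client_offer, server_supported):
    """Server picks the first suite in the client's preference order that it supports.

    Returns None when the intersection is empty (handshake failure). Real servers may
    apply their own preference order instead; the conclusion below does not depend on that.
    """
    for suite in client_offer:
        if suite in server_supported:
            return suite
    return None


def on_path_filter(client_offer, allowed):
    """Abstract model of an offer rewritten in transit so that only `allowed` suites remain.

    This is the step that turns "both endpoints *also* support a weak suite" into
    "the weak suite is what gets used".
    """
    return [s for s in client_offer if s in allowed]


def client_accepts(client_offer, chosen):
    """Client-side consistency check: the server's choice must be something the client offered.

    A client that skips this check can be steered into a suite it never asked for;
    a client that passes it can still end up on a weak suite it did list.
    """
    return chosen is not None and chosen in client_offer


def run_scenarios():
    """Run the four cases a defender cares about and return the outcomes by name."""
    client_offer = SECURE_SUITES + EXPORT_SUITES        # prefers secure, still lists export
    legacy_server = set(SECURE_SUITES + EXPORT_SUITES)   # keeps export "for old clients"
    hardened_server = set(SECURE_SUITES)                 # export suites removed entirely

    results = {}
    # 1. Untampered offer: the intersection contains secure suites and one of them wins.
    results["honest"] = negotiate(client_offer, legacy_server)

    # 2. Same endpoints, offer rewritten in transit: the export suite wins, and the client's
    #    own check passes because the client really did list that suite.
    tampered = on_path_filter(client_offer, EXPORT_SUITES)
    chosen = negotiate(tampered, legacy_server)
    results["tampered_legacy"] = (chosen, client_accepts(client_offer, chosen))

    # 3. Hardened server: the rewritten offer has no common suite, so the handshake fails
    #    instead of silently downgrading. Failure is the desired outcome here.
    results["tampered_hardened"] = negotiate(tampered, hardened_server)

    # 4. Client that dropped export suites: a server choice of an export suite is rejected
    #    by the consistency check, whatever the server still supports.
    strict_offer = list(SECURE_SUITES)
    results["strict_client_rejects"] = client_accepts(strict_offer, EXPORT_SUITES[0])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenarios 3 and 4 are the mitigation the excerpt points toward: the only negotiation outcome that cannot be steered to a weak suite is one in which at least one side has stopped supporting it, which is exactly the removal decision the next pages describe as costly.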
From page 43...
... Apple, Google, and others scanned the Internet and found that removing the 512-bit Diffie-Hellman would break 3 percent of the Internet, including many older Internet of Things devices that cannot be upgraded. That experience underscored Green's conclusion that "we are stuck with these kinds of legacy devices that are dragging us back into the past." Adam Langley noted that Google did remove the 512-bit Diffie-Hellman modules internally, though the decision had some negative repercussions for at least one Google team.
From page 44...
... He also offered examples illustrating how extensibility plays out in real-world situations -- for better or worse.

Extensibility in Transport Layer Security

Langley described examples of extensibility mechanisms in TLS.
From page 45...
... Agreeing that national security goals are likely part of the motivation for these cipher suites, Langley cautioned that the approach can backfire, arguing that making their own primitives, for example, would likely leave countries in a worse situation. Another drawback is that accommodating national cipher suites increases costs to everyone: While the nation in question may pay to create the cipher, the world bears the cost of supporting it.
From page 46...
... However, Langley suggested that expecting a complex electronic product to have a lifespan of a decade or more is "increasingly nonviable." A significant downside of agility is that supporting outdated security can encourage its persistence, and new products may even be released today with cryptography from the bottom of the stack. People buying these products are unaware that they might have a very short lifespan because "they have jumped on this conveyor belt and we are about to turn the crank and they are about to fall off." Making such decisions, Langley said, "is not a job you want if you wish to be well liked." While large numbers of people will benefit from overall improved security, a concentrated group of users will pay the cost.
From page 47...
... However, it is not without problems: Hypertext Transfer Protocol Version 2 (HTTP/2), for example, was built to be usable only with modern cipher suites, but it ended up creating significant configuration problems.
From page 48...
... It is difficult to conceive of a system for replacing so many devices currently in use by a wide array of people that could continue to support the needed functionality but provide upgraded security, he said.

48 Forum on Cyber Resilience
From page 49...
... In considering this second group of users, she urged attendees to include not only elite developers, such as those in attendance at the workshop, but also the vast majority of developers who are simply not experts in cryptography or agility. It is those developers, she noted, who are working on start-ups whose products may be insignificant now but could quickly balloon to include millions of users: "Ultimately, they are sort of the front line of cryptographic agility." Beyond solving the very large problems being discussed at the workshop, Brody asserted the need to communicate effectively with this vast developer community about agility principles and policies.
From page 50...
... On the subject of legacy cryptography, she agreed with previous speakers that continuing to run insecure software, especially somewhere with sensitive data to protect, like a hospital, is a scary proposition. However, she noted that it is important to recognize
From page 51...
... End users, she said, should be able to determine which security library their various applications are running in order to evaluate the threat posed to them personally by a new vulnerability or attack. Such transparency would also be helpful to citizens in the context of national cipher suites and potential government surveillance.
From page 52...
... Rather, she suggested having at least the ability to investigate one's computer security is helpful both for the general population and for populations whose security might be most at risk, such as journalists or human rights activists who might face threats of government surveillance. Those groups could benefit from increased security transparency because they have a particular need or interest in knowing the safety of their communications.