W3C home > Mailing lists > Public > public-webcrypto@w3.org > October 2012

Re: my revised proposal for ECB (was: Support for ECB - proposal for a decision)

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Mon, 8 Oct 2012 13:48:43 +0900
Message-ID: <CAE-+aYJKLXx0WrmxKMA4Tn-i3LuNcTqc-J-Twv7fBrjE_km69Q@mail.gmail.com>
To: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Hi.
for ECB issues,
I think we have to give as much as choices to developers.

in some case I feel the security concerns became one of biggest huddle in
webcrypto discussions.

I agree Zooko's opinion.
we have to give more freedom, then we can expect more creative result.

regards
mountie

On Mon, Oct 8, 2012 at 12:32 PM, Zooko Wilcox-OHearn <
zooko@leastauthority.com> wrote:

> Dear Ryan:
>
> I'm actually quite sympathetic to your argument that the security of
> an app is ultimately determined more by the authors of that app than
> by the authors of the crypto library's API. That is the sort of
> argument that is very plausible to me, and I'm sure that it is often
> correct.
>
> However, we also have empirical evidence to the contrary: that
> sometimes the design of the crypto API can determine the security of
> the apps that use it. There are plenty of historical examples of apps
> using ECB mode for encrypting plaintexts and thus failing to provide
> confidentiality, but of course the meaning of such examples is open to
> interpretation. You can always wonder if the security failure wasn't
> due to writers of the app rather than to the crypto library that they
> used. Maybe the same app writers would have made a different fatal
> mistake if the library hadn't offered them ECB mode.
>
> That's why this recent example of the "Beaker" middleware is so
> informative: it is a case where the same people (the maintainers of
> Beaker), addressing exactly the same use case, implemented it twice
> using two different crypto APIs. One implementation was flawed due to
> its use of ECB mode, and users that rely on it are vulnerable to
> having their sessions hijacked by an attacker. The other
> implementation — using the crypto library that I designed — has no
> such vulnerability.
>
> This should be taken as evidence that crypto API design can affect the
> safety of actual people.
>
> This is something that I value.
>
> Now, this doesn't mean that all other values pale in comparison and we
> have to spend the rest of our lives debating how many security angels
> can dance on the head of a pin. Engineering is about trade-offs, and
> I'm willing to support trade-offs that sacrifice some of my values in
> order to gain more of others. I agreed, in last week's conference
> call, to support the inclusion of ECB because it can be used to
> implement certain other algorithms efficiently, and among efficient
> ways to do that, it is the easiest for everyone to understand.
> Efficiency and ease of understanding are things I value, too.
>
> So, if you're willing to go along with this, then let's talk about how
> to spell out the standard in a way that is easy for us to finish
> writing and for others to read, and also, if possible, avoids leading
> our readers into traps. My current proposal is to avoid classifying
> ECB as an "encryption mode" like CBC or CTR, since that is what
> previous APIs have often done, and it has often led people into
> thinking that ECB can be used to encrypt their data, which it can't
> safely do. (* Except in the case that their data is <= 16 bytes in
> length.)
>
> In addition to the possible benefit of avoiding such security
> failures, this kind of documentation may also aid readability, which
> you've said is a value to you.
>
> How about this?
>
>  • Public key encryption: RSA-OAEP, RSAES-PKCS1-v1_5
>  • Public key digital signature: ECDSA, RSA-PSS, RSASSA-PKCS1-v1_5
>  • Key agreement: ECDH, Diffie-Hellman
>  • Authenticated encryption: AES-OCB, AES-GCM
>  • Unauthenticated encryption: AES-CTR, AES-CBC
>  • Message authentication code: HMAC-SHA256
>  • Key-derivation functions: HKDF, PBKDF2
>  • Hash functions: SHA-2-256, SHA-3-256
>  • Primitives: AES-ECB
>
> I also still want us to agree on a clearly worded warning message in
> the documentation of ECB. The text I suggested earlier still sounds
> good to me:
>
> "NOTE: This function does not, except in special cases, conceal the
> content of the message and cannot, except in special cases, be used
> for encryption. It is included only for the use of cryptographers to
> implement other cryptographic algorithms. For an encryption function,
> please see the functions listed under Authenticated Encryption or
> Unauthenticated Encryption."
>
> This is more accurate than, for example, the warning about ECB in the
> OWASP glossary ¹:
>
> "This mode should not be used under any circumstances."
>
> ☺
>
> As to the issues about padding, I think what you wrote is right. ECB's
> issues with padding are the same as CBC's and no doubt we'll want
> their APIs to handle padding in the same way.
>
> ¹ http://owasp.com/index.php/Glossary#Electronic_Code_Book_mode
>
> Regards,
>
> Zooko Wilcox-O'Hearn
>
> Founder, CEO, and Customer Support Rep
>
> https://LeastAuthority.com
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Monday, 8 October 2012 04:56:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 8 October 2012 04:56:52 GMT