Re: HTTP/2 and Pervasive Monitoring

--------
In message <CABkgnnVvm6vz=Tcv2n9YtH13E9-AUgdyXVY5RxLvmKkCcNSpgg@mail.gmail.com>, Martin Thomson writes:
>On 20 August 2014 00:29, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

>> I don't think the algorithm matters, as long as it's not buggy, the
>> bruteforcing will be done against the keys used.
>
>Let's go with this and run with it a little.  Assume that you are
>using AES-GCM or something like it.  That's 2^64 decryptions to get a
>50/50 chance of success.

Last I looked AES had 128 bit and larger keys, so that would be 2^127 ?

If you are proposing running it with reduced key size of 64 bits,
I presume the number would be 2^63 ?

But let's take your $170K @ 65 bit key length estimate.

If I scale that down to 32bit key length, I get 2e-5 USD, which is
pretty close to my way of estimating it:

One processing unit at 4GHz can do two 32 bit keys a second and costs
$200 a year, everything included giving 3e-6 USD per key.

Your 1e-10 number I cannot find any basis for.

>USD170K might be OK, depending on what you concern yourself with.

And you seem to concern yourself with one particular user's privacy ?

That is not the topic: the topic is Pervasive Monitoring, ie: the
ability to look at (essentially) *all* traffic at little or no cost.

The Snowden leaks have the cost of the current collection at only
USD 20M.  (A number which many people don't believe is comprehensive.)

If you add 1 microdollar per HTTP connection to that, their cost
will at least double at a monitoring rate of just 650.000 connections
a second.

Is that enough ?  Maybe, maybe not.

The architecture we have been able to divine from the Snowden docs
tells us it would hit them at a very inconvenient point:  First
level triage sorting.

As I've said from the beginning:  We can argue about these numbers,
and other people than me will have better basis for deciding them.

But what is clear is that *long* before the cost of breaking the
encryption on a single HTTP connection increases to a full dollar,
Pervasive Monitoring will have ceased, and only a tiny targeted
fraction of all the traffic will be monitored.

Summary:

To stop PM, we don't need unbreakable crypto, we just need crypto
which is sufficiently expensive to break.

Too expensive to break for PM can be cheap enough to deploy for
emergency services, news and porn.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Wednesday, 20 August 2014 18:37:01 UTC
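
The cost figures in the message above can be re-derived with a small model. This is an added example, not part of the original e-mail; the function names, the 365-day year and the last function (a generalization that asks what key length the $170K estimate implies for a one-dollar break) are assumptions.

```python
import math

# Added illustration: re-derives the back-of-envelope figures quoted in the message.
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: non-leap year


def scale_cost(known_cost_usd, known_bits, target_bits):
    """Exhaustive key search doubles in cost per key bit, so scale by 2^(bit delta)."""
    return known_cost_usd * 2.0 ** (target_bits - known_bits)


def cost_per_key(unit_cost_usd_per_year, keys_per_second):
    """Cost of one broken key on a unit that breaks keys_per_second all year round."""
    return unit_cost_usd_per_year / (keys_per_second * SECONDS_PER_YEAR)


def added_annual_cost(cost_per_connection_usd, connections_per_second):
    """Yearly decryption spend when every monitored connection must be broken."""
    return cost_per_connection_usd * connections_per_second * SECONDS_PER_YEAR


def break_even_rate(budget_usd_per_year, cost_per_connection_usd):
    """Connections per second at which decryption spend equals the existing budget."""
    return budget_usd_per_year / (cost_per_connection_usd * SECONDS_PER_YEAR)


def bits_for_cost(known_cost_usd, known_bits, target_cost_usd):
    """Effective key length at which one break costs target_cost_usd (generalization)."""
    return known_bits + math.log2(target_cost_usd / known_cost_usd)


if __name__ == "__main__":
    # $170K at 65 bits, scaled down to a 32 bit key
    print(f"scaled 32-bit cost:   {scale_cost(170_000, 65, 32):.2e} USD/key")
    # $200/year unit breaking two 32 bit keys per second
    print(f"hardware estimate:    {cost_per_key(200, 2):.2e} USD/key")
    # 1 microdollar per connection at 650,000 connections per second
    print(f"added yearly cost:    {added_annual_cost(1e-6, 650_000):,.0f} USD")
    # rate at which a USD 20M budget is matched by decryption cost alone
    print(f"break-even rate:      {break_even_rate(20e6, 1e-6):,.0f} conn/s")
    # key length where one break costs a full dollar under the same scaling
    print(f"bits for 1 USD/break: {bits_for_cost(170_000, 65, 1.0):.1f}")
```
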