NSA employee will remain as co-chair on crypto standards group
NSA employee Kevin Igoe will continue to be one of the two co-chairs of the Crypto Forum Research Group (CFRG), which helps the Internet Engineering Task Force (IETF) review the applicability and uses of cryptographic mechanisms, and give crypto advice to the organization’s various Working Groups.
The request for his removal from the position has been voiced in December by Trevor Perrin, a widely respected professional cryptographer and a regular contributor to the group’s discussions.
“As CFRG co-chair for the last 2 years, Kevin has shaped CFRG discussion and provided CFRG opinion to WGs,” he noted, and pointed out that “Kevin’s handling of the ‘Dragonfly’ protocol raises doubts that he is performing these duties competently. Additionally, Kevin’s employment with the National Security Agency raises conflict-of-interest concerns.”
Dragonfly is a password-authenticated key exchange protocol that has been proposed to the CFRG two years ago.
After analyzing in detail the CFRG mailing list and meeting minutes, Perrin noticed that Igoe had been enthusiastic in backing the protocol while other of the group were skeptical.
“Twice Kevin suggested a technique for deriving the Dragonfly password-based element which would make the protocol easy to break. He also endorsed an ineffective attempt to avoid timing attacks by adding extra iterations to one of the loops,” Perrin noted. “These are surprising mistakes from an experienced cryptographer.”
“It’s entirely possible these are just mistakes by a novice chair who lacks experience in a particular sort of protocol and is being pressured by IETF participants to endorse something. But it’s hard to escape an impression of carelessness and unseriousness in Kevin’s work,” he added. “One wonders whether the NSA is happy to preside over this sort of sloppy crypto design.”
After mentioning the issue of the NSA actively backing a NIST standard for random number generation that used a backdoored Deterministic Random Bit Generator, he asked for the IRTF to consider replacing Igoe with a party who is above suspicion.
But RTF chair Lars Eggert disagreed and has declined his request on Sunday.
“David McGrew, the CFRG’s other co-chair, has already posted a detailed timeline of events… and concluded that the research group process has been followed imperfectly. I share this conclusion. However, while unfortunate, the mistakes made were not of a severity that would warrant an immediate dismissal of Kevin Igoe as co-chair. It is also the first such occurrence that I am aware of,” he stated in an email to the mailing list.
He says that “IRTF co-chairs are little more than group secretaries” and that “their ability to influence the technical work of the group is little different from that of any other group participant.”
“Research groups typically have multiple co-chairs from different organizations, and all currently chartered research groups have open membership, so all IRTF business is conducted in the open, on public mailing lists and in public meetings,” he added. “Any participant suspecting misconduct can raise any issue either in the group or to the IRTF chair, as Trevor Perrin has done in this case. This is how our process should work, and this is why any individual participant – co-chair or not – is unlikely to be able to subvert ongoing research group work.”
He also noted that if this type of affiliation is enough to ban someone from participating in the CFRG, there is the danger of eliminating valuable contributions and, consequently, of adversely affecting the ability of the research group to perform its duties.
Perrin voiced his disappointment at the decision, and argued that in practice, “chairs are responsible for creating agendas, running meetings, deciding when and how to call for consensus, interpreting the consensus, and liaising with other parties,” and not simply a “little more than group secretaries”. “All this gives them a great deal of power in steering a group’s work,” he claims.
He also addressed Eggert’s claim that IETF / IRTF’s “open processes” are an adequate safeguard against subversion by any party. “I worry about soft forms of sabotage like making Internet crypto hard to implement securely, and hard to deploy widely; or tipping groups towards dysfunction and ineffectiveness. Since these are common failure modes for IETF / IRTF crypto activities, I’m not convinced IETF / IRTF process would adequately detect this.”
Finally, he pointed out that Eggert didn’t consider that, given Igoe’s NSA affiliation and the aforementioned recent revelations of NSA sabotage of a crypto standard, him remaining in the co-chair position sends the message that the IETF / IRTF accepts the sabotaging of crypto standards, and will result in the public and security experts distrusting the organisations.
Perrin concluded with asking the Internet Architecture Board to review Eggert’s decision, so this is likely not the end of this discussion.