At 04:42 AM 9/10/2013, Jerry Leichter wrote:
On Sep 9, 2013, at 12:00 PM, Phillip Hallam-Baker wrote:
> Steve Bellovin has made the same argument and I agree with it.
> Proliferation of cipher suites is not helpful.
> The point I make is that adding a strong cipher does not make you
> more secure. Only removing the option of using weak ciphers makes
> you more secure.
The reason you need to be able to support more than one cipher suite
is so that you've got a mechanism for removing one if it's discovered
to be weak in the future, and for adding a new one if none of your
remaining suites are still strong.
1. If everyone uses the same cipher, the attacker need only attack
that one cipher.
2. If there are thousands of ciphers in use, the attacker needs to
attack some large fraction of them.
If there are thousands of ciphers in use, it's generally easier for
the attacker to get people to use one of the weak ones
than to attack a large fraction of the not-currently-known-to-be-weak ones.
The big problem PGP ran into with compatibility wasn't so much because
of cipher suites (after Bass-O-Matic was replaced), though avoiding the
IDEA patent became important after violating the RSA patent wasn't a
problem, but because it did too much bit-twiddling to use
variable-length fields and was sloppy about boundaries, which made it
easy to exploit.
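The argument above (adding a strong suite does not help; only removing the weak ones does, because an attacker will steer the endpoints toward a weak suite) can be made concrete with a small negotiation model. This is an added example, not code from the thread or from any real TLS or PGP implementation: the suite names and strength ranks are constructed, and the model assumes the kind of unauthenticated negotiation in which a man-in-the-middle can rewrite the client's offered list without the tampering being detected.

```python
"""Toy cipher-suite negotiation with a downgrading man-in-the-middle.

Constructed example; the suite names and strength ranks are hypothetical
and the negotiation is deliberately unauthenticated so the downgrade is
not detected by a handshake MAC.
"""
from typing import Optional, Sequence

# Hypothetical suites, ranked from weakest (0) to strongest (3).
STRENGTH = {
    "NULL_CIPHER": 0,
    "WEAK_EXPORT": 1,
    "OK_CBC": 2,
    "STRONG_AEAD": 3,
}


def negotiate(client_offer: Sequence[str], server_allowed: Sequence[str]) -> Optional[str]:
    """Server-preference negotiation: the first suite in the server's own
    ordered list that the client also offered wins. Returns None when the
    two sides share no suite, i.e. the handshake fails instead of
    proceeding with something the server has refused to support."""
    for suite in server_allowed:
        if suite in client_offer:
            return suite
    return None


def downgrade_mitm(client_offer: Sequence[str]) -> list[str]:
    """Attacker in the path rewrites the client's offer so that only the
    weakest suite the client is willing to use remains."""
    weakest = min(client_offer, key=STRENGTH.__getitem__)
    return [weakest]


def negotiated_with_mitm(client_offer: Sequence[str], server_allowed: Sequence[str]) -> Optional[str]:
    """Outcome when the attacker tampers with the offer before the server sees it."""
    return negotiate(downgrade_mitm(client_offer), server_allowed)


if __name__ == "__main__":
    # Baseline: both sides support a decent suite and a weak legacy one.
    print(negotiated_with_mitm(["OK_CBC", "WEAK_EXPORT"], ["OK_CBC", "WEAK_EXPORT"]))
    # Adding a stronger suite to both sides changes nothing under attack.
    print(negotiated_with_mitm(["STRONG_AEAD", "OK_CBC", "WEAK_EXPORT"],
                               ["STRONG_AEAD", "OK_CBC", "WEAK_EXPORT"]))
    # Removing the weak suite from the server makes the downgrade fail outright.
    print(negotiated_with_mitm(["STRONG_AEAD", "OK_CBC", "WEAK_EXPORT"],
                               ["STRONG_AEAD", "OK_CBC"]))
```

The first two runs negotiate the weak suite whether or not the strong one was added, which is the point being made in the thread; only the third, where the server no longer lists the weak suite at all, denies the attacker the downgrade (at the cost of a failed handshake rather than a silently weakened one). Real protocols add a transcript MAC over the negotiation precisely so that this kind of offer rewriting is detected, which the toy model leaves out on purpose.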
The cryptography mailing list