> At the risk of feeding the conspiracy angle, I note that there is only one
> stream cipher for SSL/TLS (RC4). All the others in common use are CBC modes,
> with that same predictable IV weakness as IPsec (i.e. BEAST). There are no
> DHE cipher suites defined for RC4. So if you want PFS, you have to accept
> predictable IVs. If you want resistance to BEAST, you have to give up PFS.
>
> Personally, I don't interpret this as anything more than the IETF process and
> some vendor biases back in the 90s. But it shows that designing for this
> concept of 'agility' is important, in particular for reasons you don't know
> at the time.
Oh, please.
I'm sorry, Marsh, but this is just silly, suggesting that there are vendor
biases against stream ciphers and agility. After all, if we look through the
library of publicly-available, well-trusted stream ciphers there is, ummmm,
well, there's always, urrrrr, well. Oh, I know! Counter mode! Yeah, that's it.
On the agility front, most people seem to be against it. Weren't we in a huge
no-choices-are-the-only-security mood a few weeks ago?
Stream ciphers are hard. They're hard to build correctly, hard to use
correctly, and have been the red-headed-stepchild of cipher design for really
good reasons. Remember WEP? The most damning problem in it to my mind was the
order-2^24 attack caused by using a stream cipher (and a 24-bit pseudo-IV).
Any stream cipher that gets created has to answer this really good question:
Why are you better than AES-CTR? The next question would be why it's better
than Serpent-CTR, or Twofish-CTR, or heck why not use Threefish-CTR?
Of course right now, the best thing to do stream-cipher-wise is to use GCM
mode, which is in TLS 1.2, but hardly deployed at all, no doubt because of bias
against wanting to use something that's authenticated, right? After all,
wouldn't the surveillance state want us all to be vulnerable to CBC attacks
like BEAST, and people who are preventing that must be in cahoots with the NSA,
right?
But of course, GCM mode is part of Suite B, and that's the NSA's push for using
an authenticated data stream. So that means that the people who are pushing for
stream ciphers are also in cahoots with the surveillance state by pushing for
authenticated modes, too!
In case anyone missed it, the sarcasm bits should have been showing up in the
UTF-8 over the last couple of paragraphs at some point or other.
Come on. This discussion has descended past whacko, which is where it went once
the "broken by design" discussion started. Yeah, security is hard, but it's
software. We know how to do that, once we understand the problems. The wrong
questions have been asked for so long in this long discussion that I think the
only reasonable people are the ones ignoring the whole thing.
Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
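As an added illustration (not part of Jon's message or anything from the list), here is the birthday-bound arithmetic behind the "order-2^24" remark about WEP's 24-bit IV, contrasted with a 96-bit GCM nonce, plus a toy keystream built from SHAKE-128 (a constructed stand-in for RC4 or AES-CTR, not any real cipher) showing why an IV repeat under one key leaks the XOR of two plaintexts. All keys, IVs and plaintexts are constructed sample values.

```python
import hashlib
import math
import os

def iv_collision_probability(iv_bits, n):
    """Exact P(at least one repeated IV among n uniformly random IVs)."""
    space = 2 ** iv_bits
    if n > space:
        return 1.0
    # Sum log(1 - i/space) to avoid underflow; -expm1 keeps tiny results exact.
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return -math.expm1(log_no_collision)

def packets_for_collision_chance(iv_bits, target=0.5):
    """Smallest packet count at which P(IV collision) reaches `target`."""
    space = 2 ** iv_bits
    log_no_collision, n = 0.0, 0
    while True:
        n += 1
        log_no_collision += math.log1p(-(n - 1) / space)
        if -math.expm1(log_no_collision) >= target:
            return n  # 24-bit IV: 4823 packets, i.e. well under 2^24

def first_repeated_iv(iv_bits):
    """Draw random IVs until one repeats; returns the number of draws taken."""
    seen, draws = set(), 0
    while True:
        iv = int.from_bytes(os.urandom((iv_bits + 7) // 8), "big") % (2 ** iv_bits)
        draws += 1
        if iv in seen:
            return draws
        seen.add(iv)

def toy_stream_encrypt(key, iv, plaintext):
    """Toy stream cipher: keystream = SHAKE-128(key || iv), XORed with the
    plaintext. Constructed for illustration only; the reuse failure below is
    a property of every stream cipher, not of this toy construction."""
    keystream = hashlib.shake_128(key + iv).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def xor_of_plaintexts_under_reused_iv(key, iv, pt1, pt2):
    """Same key and IV twice: C1 XOR C2 == P1 XOR P2, the keystream cancels.
    This is the loss a defender must budget for when sizing the IV space."""
    c1 = toy_stream_encrypt(key, iv, pt1)
    c2 = toy_stream_encrypt(key, iv, pt2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```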