On Apr 8, 2012, at 7:49 04PM, James A. Donald wrote:

> On 2012-04-09 9:15 AM, Steven Bellovin wrote:
> > Yes, the algorithms and protocols can be very important, especially if you have serious enemies. They're also more fun for many folks (myself included) than the really hard engineering and development work to make the thing usable. They're orders of magnitude more fun than the arguments in standards bodies to agree on what is really necessary as an option, as opposed to something that most people don't want but some vendor insists has to be there for 2.71828% of their customer base.
>
> Seems to me that most crypto failure is usability failure. The only massive protocol and algorithm failure is wifi.
Yup. Even there, the problem that got most of the attention -- the fact that RC4 (as used in WEP) can be cryptanalyzed -- wasn't knowable at the time. The avoidable errors -- the misuse of a stream cipher, and the lack of a standardized key management layer -- were not enough to prompt a change in the standard.

> Also, anything that comes out of a committee, particularly a large committee containing conflicting agendas, evil people, stupid people, and crazy people, is apt to be a massive usability fail, and the only reason why it is usually not also a massive algorithm and protocol fail is that the stupid, the crazy, and the evil have difficulty following the protocol and algorithm discussion.

I'd put most of it down to conflicting agendas -- even people you regard as "evil" don't see themselves that way; they simply have a different definition -- agenda -- for "good". Craziness doesn't generally survive, nor stupidity. Granted, some folks with different agendas may (or may not) understand certain details, but if they don't it's because that isn't important to their employers' agendas.

One more thing: algorithm and protocol failures are often a matter of fact, not opinion, and most people are reluctant to argue for something that everyone else can see is factually incorrect. I recall one incident when I was Security Area Director in the IETF when I blocked some SIP documents because of a cut-and-paste attack. I had a very hostile meeting with a fair number of the proponents of those documents -- until I pulled out my laptop and showed exactly how the attack worked. End of discussion, period. One can disagree on the likelihood or impact of a vulnerability, but generally not its existence, until the audience is politicians. (The disagreements, circa the late 1970s, on the susceptibility of DES to an economically feasible brute force attack come to mind.)
The trouble comes when it gets to matters of taste and judgment, and what adding 17.3 new features to the protocol will do to the software's correctness and comprehensibility.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography