On 12/02/13 03:04 AM, Peter Gutmann wrote:
> Nico Williams <n...@cryptonector.com> writes:
>
>> I'd go further: this could be the start of the end of the cipher suite
>> cartesian product nonsense in TLS. Just negotiate {cipher, mode} and key
>> exchange separately, or possibly cipher, mode, and key exchange, in just the
>> same way as you propose negotiation of encrypt-then-MAC.
>
> Nonononono, we learned from the IKE mess that the Chinese-menu approach is
> vastly worse than the cipher-suite one. TLS has already tried the
> Chinese-menu approach to algorithms in TLS 1.2's ECC stuff, and it's at least
> as big a mess as IKE was (well, OK, I don't think anything can quite reach the
> IKE level, but it's getting there), which is why I had to write this:
>
> http://tools.ietf.org/html/draft-gutmann-tls-eccsuites-03
Hmmm, I'd say that is 11 times longer than it needs to be :) Anything
wrong with just this:

    CipherSuite TLS_ECDHE_ECDSA_P384_WITH_AES_256_GCM_SHA384 = { 0x00, 0xXX }
> The problem with the cipher-suite explosion is that people want to throw in
> vast numbers of pointless vanity suites and algorithms that no-one will ever
> use (to quote Ian Grigg, "There is only one cipher suite and that is suite
> #1").

http://iang.org/ssl/h1_the_one_true_cipher_suite.html :)
To ramble some. There is the obvious point over vanity suites, but I
think it goes much deeper than that. I think vanity suites are a
*symptom* and not the disease.
An awful lot has to do with the mechanism of design. By this, I mean,
who designed the protocol, and what were the circumstances in which they
did their good work? To be short and blunt and brutal, there appear to
be two camps:
SSH (1), PGP (2.3) and SSL (v1) were done by 1 or max 2 people. They
were more or less complete, more or less secure, more or less fit for
their purpose.
Then came the committees. For whatever reason, the honourable authors
of these fine protocols handed the baby + bathtub to a wider group.
From these grand and noisy washing circles came hugely more complicated
efforts, with greatly enhanced feature lists, but with no measurable
increase in security to the end-users.
As a historical hypothesis, the worst efforts came from security
committees, and the best from loners and tiny teams. Things like Skype,
IPSec, DNSSec, S/MIME, WEP, etc, back this up. Arguably, there is as
perfect a correlation as one can get within reasonable noise. By all
means, measure it, we have the years and data.
Drawing back to the issue of ciphersuites, it is also the case that the
single lone individuals used "good enough" single algorithm suites; and
it was the committees that overdosed on the cryptographic saccharin.
It seems that the lone cryptoranger has too much on their plate just getting
the system going, so one ciphersuite is enough. But when people come to
help, they don't improve the protocol ... what they instead do is seek
personal gratification in trivial replacement of algorithms. What they
can't do is agree on a reasonable upgrade that takes care of the passage
of time ("we know so much more today") with a new single suite, and
instead compromise on rewarding everyone's ego with a little number
somewhere.
This underlying force to appease every participant with a vanity tweak
is so powerful, it is one of the reasons why committees consistently
succeed in generating worse results than the original founders. But
they do keep everyone happier -- so there are wider forces here ...
beyond security even.
It is therefore an additional hypothesis of mine that committees cannot
do security protocols.
> Even for the ECC draft above, which is an attempt to unravel the mess
> created by the Chinese-menu approach, I had requests to add all sorts of
> vanity suites with no clear application, but people just wanted them anyway
> (I've resisted so far, since the whole intent of the draft is to define a
> fixed number of universal-standard suites that everyone supports).

We should probably ask some sociologists to study us in our natural habitat.
> What we really need is a two-way mechanism, a minimal interoperable set of
> suites that everything does and then a free-for-all negotiation mechanism that
> anyone who wants can implement to their hearts content and everyone else is
> free to ignore (I'm a firm believer in "you asked for it, you got it" design,
> if anyone wants the freedom to create a mess built into a standard then they
> can take care of it themselves). This is a purely political/fashion problem,
> not a technical one.
I do kind of grok one point, which is if we are not capable of adding
our favoured little tweaky algorithms, then the MiB will ensure that the
one true ciphersuite is really a sugarbeet knock-off, not the real thing
(tm). Like seems to have happened with WEP and GSM. But again, this
goes back to the whole committee point, as the committee enabled both
ills, the MiB *and* the sugarbeets.
> Peter.

iang
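The cipher-suite versus Chinese-menu disagreement between Nico and Peter above, as an added worked example (editor's code, not from the thread, from Peter's draft or from any TLS implementation). It negotiates the same three parameters both ways with server-preference ordering and shows why the menu style is harder to reason about: each parameter is picked on its own, so the peers can land on a (curve, signature hash, cipher) triple that nobody ever listed or vetted as a unit, while a fixed suite can only resolve to a triple someone wrote down. The P384 suite name is the one iang wrote; the P256 suite name, the parameter tuples and all preference lists are constructed for the demo and are assumptions, not data from the page.

```python
# Added example, not from the thread: server-preference negotiation done two
# ways. The preference lists and the P256 suite name are constructed for the
# demo (assumptions); the P384 suite name is the one iang wrote in the thread.
from itertools import product

# Cartesian-product style: one identifier pins (curve, signature hash, cipher).
# Every combination a peer can end up with is one somebody wrote down and vetted.
FIXED_SUITES = {
    "TLS_ECDHE_ECDSA_P256_WITH_AES_128_GCM_SHA256": ("P-256", "sha256", "AES-128-GCM"),
    "TLS_ECDHE_ECDSA_P384_WITH_AES_256_GCM_SHA384": ("P-384", "sha384", "AES-256-GCM"),
}
VETTED = set(FIXED_SUITES.values())
MENU_PARAMS = ("curve", "sig_hash", "cipher")


def pick_first(client_offer, server_prefs):
    """Server-preference selection: first entry of server_prefs the client offered."""
    offered = set(client_offer)
    for candidate in server_prefs:
        if candidate in offered:
            return candidate
    return None


def suite_params(suite):
    """Expand a fixed suite identifier into its pinned parameter triple."""
    curve, sig_hash, cipher = FIXED_SUITES[suite]
    return {"curve": curve, "sig_hash": sig_hash, "cipher": cipher}


def negotiate_suite(client_suites, server_suites):
    """Cipher-suite negotiation: the whole parameter set is chosen at once."""
    suite = pick_first(client_suites, server_suites)
    return None if suite is None else suite_params(suite)


def negotiate_menu(client_menu, server_menu):
    """Chinese-menu negotiation: each parameter is chosen independently.

    Nothing ties the three picks together, so the result can be a triple that
    neither side ever listed as a unit.
    """
    chosen = {}
    for param in MENU_PARAMS:
        pick = pick_first(client_menu[param], server_menu[param])
        if pick is None:
            return None  # no common value for this parameter: handshake fails
        chosen[param] = pick
    return chosen


def is_vetted(params):
    """True if the negotiated triple is one of the fixed, vetted suites."""
    return (params["curve"], params["sig_hash"], params["cipher"]) in VETTED


def menu_combinations(client_menu):
    """Number of distinct triples a menu-style client offer can resolve to."""
    return len(list(product(*(client_menu[p] for p in MENU_PARAMS))))


# Constructed sample offers. The server's certificate key is on P-256, so the
# server lists only P-256 (menu) or only the P-256 suite (fixed).
CLIENT_SUITES = list(FIXED_SUITES)
SERVER_SUITES = ["TLS_ECDHE_ECDSA_P256_WITH_AES_128_GCM_SHA256"]

CLIENT_MENU = {
    "curve":    ["P-256", "P-384"],
    "sig_hash": ["sha256", "sha384"],
    "cipher":   ["AES-128-GCM", "AES-256-GCM"],
}
SERVER_MENU = {
    "curve":    ["P-256"],
    "sig_hash": ["sha384", "sha256"],       # "strongest first" for each parameter
    "cipher":   ["AES-256-GCM", "AES-128-GCM"],
}

if __name__ == "__main__":
    fixed = negotiate_suite(CLIENT_SUITES, SERVER_SUITES)
    menu = negotiate_menu(CLIENT_MENU, SERVER_MENU)
    print("fixed suite ->", fixed, "vetted:", is_vetted(fixed))
    print("menu        ->", menu, "vetted:", is_vetted(menu))
    print("menu offer can resolve to", menu_combinations(CLIENT_MENU),
          "triples; the fixed offer to", len(CLIENT_SUITES))
```

With these constructed lists the menu style ends up on a P-256 signing key paired with SHA-384 and AES-256-GCM, a mismatch of security levels that no fixed suite in the table contains, and the client's two-entry-per-parameter offer can resolve to eight triples where the two-suite offer can only resolve to two. A fixed suite table still has to be kept short to stay useful, which is the vanity-suite point the rest of the thread is about.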
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography