On Fri, Oct 4, 2013 at 11:48 PM, Jeffrey Goldberg <jeff...@goldmark.org> wrote: > On 2013-10-04, at 10:46 PM, Patrick Pelletier <c...@funwithsoftware.org> > wrote: >> On 10/4/13 3:19 PM, Nico Williams wrote: >> >>> b) algorithm agility is useless if you don't have algorithms to choose >>> from, or if the ones you have are all in the same "family". >> >> Yes, I think that's where TLS failed. TLS supports four block ciphers with >> a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as far as I'm >> aware) any clear tradeoff between them.
Well, maybe I was too emphatic. I didn't mean that a protocol like, say, TLS, should be born with a large number of ciphersuites. It needs to be born with *two* (of each negotiable cryptographic primitive): to prove algorithm agility works. Also, none of this one-integer-to-name-combinations-of-all-algorithms -- key exchange, authentication, and KDF, should all be negotiated separately from session ciphers (but cipher modes, OTOH, should not be negotiated separately from ciphers). The rationale is that a cartesian product of algorithms in a manual registry -and with small integers!- is not really manageable. Some cipher modes can be separated from ciphers, but there's relatively few combinations of ciphers and cipher modes, so no need to separate them. > The AES “failure” in TLS is a CBC padding failure. Any block cipher would > have “failed” in exactly the same way. Indeed. 3DES and AES both "failed" because of CBC IV chaining without randomization in SSHv2. Any block cipher would have failed in the same situation because the failure was the *mode*'s. Nico -- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
