On Sat, May 11, 2002 at 04:01:11AM +1200, Peter Gutmann wrote:
| General rant: It's amazing that there doesn't seem to be any published research
|   on such a fundamental crypto mechanism, with the result that everyone has to
|   invent their own way of doing it, usually badly.  We don't even have a decent
|   threat model for this, my attempt at one for password-based key wrap may or
|   may not be appropriate (well, I hope it's more or less right), but it's going
|   to be rather different than for a situation where you have an ephemeral
|   symmetric key rather than a fixed, high-value key wrapping another key.  The
|   same problem exists for things like PRFs, we now have PKCS #5v2, but before
|   that everyone had to invent their own PRF for lack of anything useful, with
|   the result that every single protocol which needs a PRF has its own,
|   incompatible, often little-analysed one.
| 
| More specific rant: Looking at the security standards and protocols deployed in
|   the last decade or so, you'd be forgiven for thinking that the only crypto
|   research done in the last 10 years (beyond basic crypto algorithms) was
|   STS/SPEKE and HMAC.  There seems to be this vast gulf between what crypto
|   researchers are working on and what practitioners actually need, so while
|   conferences are full of papers on group key management and anonymous voting
|   schemes and whatnot, people working on real-world implementations have to
|   home-brew their own mechanisms because there's nothing else available.  The
|   RFC 3211 wrap is actually parameterised so you can slip in something better
|   when it becomes available, but I can't see that ever happening because
|   researchers are too busy cranking out yet another secure multiparty
|   distributed computation paper that nobody except other researchers will ever
|   read.
| 
| (Did I miss offending anyone? :-).

The voting folks? ;)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
