Re: [cryptography] cryptographic agility (was: Re: the spell is broken)
On Fri, Oct 4, 2013 at 11:48 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
> On 2013-10-04, at 10:46 PM, Patrick Pelletier c...@funwithsoftware.org wrote:
>> On 10/4/13 3:19 PM, Nico Williams wrote:
>>> b) algorithm agility is useless if you don't have algorithms to choose
>>> from, or if the ones you have are all in the same family.
>>
>> Yes, I think that's where TLS failed. TLS supports four block ciphers
>> with a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as
>> far as I'm aware) any clear tradeoff between them.

Well, maybe I was too emphatic. I didn't mean that a protocol like, say, TLS, should be born with a large number of ciphersuites. It needs to be born with *two* (of each negotiable cryptographic primitive): to prove algorithm agility works.

Also, none of this one-integer-to-name-combinations-of-all-algorithms -- key exchange, authentication, and KDF should all be negotiated separately from session ciphers (but cipher modes, OTOH, should not be negotiated separately from ciphers). The rationale is that a cartesian product of algorithms in a manual registry -and with small integers!- is not really manageable. Some cipher modes can be separated from ciphers, but there are relatively few combinations of ciphers and cipher modes, so no need to separate them.

> The AES “failure” in TLS is a CBC padding failure. Any block cipher would
> have “failed” in exactly the same way.

Indeed. 3DES and AES both failed because of CBC IV chaining without randomization in SSHv2. Any block cipher would have failed in the same situation because the failure was the *mode*'s.

Nico

--
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] cryptographic agility (was: Re: the spell is broken)
On 10/4/13 3:19 PM, Nico Williams wrote:
> b) algorithm agility is useless if you don't have algorithms to choose
> from, or if the ones you have are all in the same family.

Yes, I think that's where TLS failed. TLS supports four block ciphers with a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as far as I'm aware) any clear tradeoff between them. As opposed to, say, if Serpent had been provided as the alternative to AES, where there would be a fairly clear trade-off. (Since Serpent was generally recognized as being more conservative, albeit slower, than AES, it would make a nice back-up cipher.) Or, today, the 1024-bit block size version of ThreeFish would add interesting diversity, since it has a radically different blocksize.

And, of course, the big problem was that RC4 was the only stream cipher supported by TLS. There's now work to remedy that with a Salsa20 or ChaCha cipher suite, but that should have been done long ago, since everyone knew RC4 was getting old and broken-ish.

So, my point is that you should pick certain axes such as stream versus block, or security versus speed, and then choose a small number of ciphersuites which are radically different on those axes. There's no point in defining many cipher suites that cover areas that are already well-covered. And, conversely, if a particular area is only covered by cipher suites that are getting long in the tooth, it's time to proactively cover that area with something new.

--Patrick
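The two design points raised in this thread, Nico's argument for negotiating key exchange, authentication and KDF as separate axes rather than as one integer per combination, and Patrick's argument that the ciphers on offer should differ along deliberate axes such as block versus stream, can both be checked mechanically. The following is an added example, not code from the thread or from any TLS implementation; the algorithm names, preference orders and trait table are constructed for illustration and do not reproduce any real registry.

```python
"""Added example: per-axis negotiation versus a combined-suite registry,
plus a diversity check over the cipher list. All names below are constructed."""

from itertools import product

# Constructed registry. Each negotiable primitive is its own axis; cipher and
# mode stay fused (as argued in the thread) because the useful pairings are few.
AXES = {
    "kex":    ["ecdhe-x25519", "ecdhe-p256", "dhe-ffdhe2048"],
    "auth":   ["ed25519", "ecdsa-p256", "rsa-pss"],
    "kdf":    ["hkdf-sha256", "hkdf-sha384"],
    "cipher": ["aes-256-gcm", "aes-128-gcm", "chacha20-poly1305", "camellia-128-gcm"],
}

# Constructed trait table used by the diversity check: the design axis each
# cipher sits on (block vs stream) and the family it belongs to.
CIPHER_TRAITS = {
    "aes-128-gcm":       {"kind": "block",  "family": "aes"},
    "aes-256-gcm":       {"kind": "block",  "family": "aes"},
    "camellia-128-gcm":  {"kind": "block",  "family": "camellia"},
    "seed-cbc":          {"kind": "block",  "family": "seed"},
    "aria-cbc":          {"kind": "block",  "family": "aria"},
    "chacha20-poly1305": {"kind": "stream", "family": "chacha"},
}


def combined_suite_count(axes):
    """Identifiers needed if every combination gets its own integer."""
    return len(list(product(*axes.values())))


def separate_id_count(axes):
    """Identifiers needed if each axis is negotiated on its own."""
    return sum(len(v) for v in axes.values())


def negotiate_axis(server_prefs, client_offers):
    """Pick the first server-preferred algorithm the client also offers.
    Server preference winning is a design choice, not the only option."""
    for alg in server_prefs:
        if alg in client_offers:
            return alg
    return None


def negotiate(server, client):
    """Negotiate every axis independently; fail loudly on any axis with no overlap."""
    chosen = {}
    for axis, server_prefs in server.items():
        pick = negotiate_axis(server_prefs, client.get(axis, []))
        if pick is None:
            raise ValueError(f"no common algorithm on axis {axis!r}")
        chosen[axis] = pick
    return chosen


def diversity_gaps(ciphers, traits=CIPHER_TRAITS):
    """Return the axes along which the offered ciphers are not diverse.
    An empty list means there is a real alternative on both axes."""
    kinds = {traits[c]["kind"] for c in ciphers}
    families = {traits[c]["family"] for c in ciphers}
    gaps = []
    if len(kinds) < 2:
        gaps.append("kind")
    if len(families) < 2:
        gaps.append("family")
    return gaps


if __name__ == "__main__":
    print("combined-suite ids:", combined_suite_count(AXES))
    print("per-axis ids:      ", separate_id_count(AXES))
    client = {
        "kex": ["ecdhe-p256", "ecdhe-x25519"],
        "auth": ["rsa-pss", "ecdsa-p256"],
        "kdf": ["hkdf-sha256"],
        "cipher": ["chacha20-poly1305", "aes-256-gcm"],
    }
    print("negotiated:", negotiate(AXES, client))
    # Four 128-bit block ciphers from different families, as in the thread.
    print("gaps:", diversity_gaps(["aes-128-gcm", "camellia-128-gcm", "seed-cbc", "aria-cbc"]))
    print("gaps:", diversity_gaps(["aes-128-gcm", "chacha20-poly1305"]))
```

The count functions make the registry-size argument concrete: the combined registry grows multiplicatively with every algorithm added, the per-axis one only additively. `diversity_gaps` encodes Patrick's check: a cipher list that spans several families but only one kind reports `["kind"]`, which is exactly the "four block ciphers with no clear tradeoff" situation, while a list with one block and one stream cipher reports no gap.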
Re: [cryptography] cryptographic agility (was: Re: the spell is broken)
On 2013-10-04, at 10:46 PM, Patrick Pelletier c...@funwithsoftware.org wrote:
> On 10/4/13 3:19 PM, Nico Williams wrote:
>> b) algorithm agility is useless if you don't have algorithms to choose
>> from, or if the ones you have are all in the same family.
>
> Yes, I think that's where TLS failed. TLS supports four block ciphers with
> a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as far as
> I'm aware) any clear tradeoff between them.

The AES “failure” in TLS is a CBC padding failure. Any block cipher would have “failed” in exactly the same way.

So you might be right in general, but this is not a useful example for illustrating your point about different kinds of block ciphers.

Cheers,

-j