[146914] in cryptography@c2.net mail archive


Re: [Cryptography] The One True Cipher Suite

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Mon Sep 9 14:59:54 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <522D7F93.6010104@iang.org>
Date: Mon, 9 Sep 2013 12:00:54 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Mon, Sep 9, 2013 at 3:58 AM, ianG <iang@iang.org> wrote:

> On 9/09/13 02:16 AM, james hughes wrote:
>
>> I am honestly curious about the motivation not to choose more secure
>> modes that are already in the suites?
>>
>
> Something I wrote a bunch of years ago seems apropos, perhaps minimally as
> a thought experiment:
>
>
>
> Hypothesis #1 -- The One True Cipher Suite
>
>
> In cryptoplumbing, the gravest choices are apparently on the nature of the
> cipher suite. To include latest fad algo or not? Instead, I offer you a
> simple solution. Don't.
>
>     There is one cipher suite, and it is numbered Number 1.
>
> Ciphersuite #1 is always negotiated as Number 1 in the very first message.
> It is your choice, your ultimate choice, and your destiny. Pick well.
>
> If your users are nice to you, promise them Number 2 in two years. If they
> are not, don't. Either way, do not deliver any more cipher suites for at
> least 7 years, one for each hypothesis.
>
>            And then it all went to pot...
>
> We see this with PGP. Version 2 was quite simple and therefore stable --
> there was RSA, IDEA, MD5, and some weird padding scheme. That was it.
> Compatibility arguments were few and far between. Grumbles were limited to
> the padding scheme and a few other quirks.
>
> Then came Versions 3-8, and it could be said that the explosion of options
> and features and variants caused more incompatibility than any standards
> committee could have done on its own.
>
>            Avoid the Champagne Hangover
>
> Do your homework up front.
>
> Pick a good suite of ciphers, ones that are Pareto-Secure, and do your
> best to make the combination strong [1]. Document the shortfalls and do
> not worry about them after that. Cut off any idle fingers that can't keep
> from tweaking. Do not permit people to sell you on the marginal merits of
> some crazy public key variant or some experimental MAC thing that a
> cryptographer knocked up over a weekend or some minor foible that allows an
> attacker to learn your aunty's birth date after asking a million times.
>
> Resist the temptation. Stick with The One.
>


Steve Bellovin has made the same argument and I agree with it.
Proliferation of cipher suites is not helpful.

The point I make is that adding a strong cipher does not make you more
secure. Only removing the option of using weak ciphers makes you more
secure.

There are good reasons to avoid MD5 and IDEA but at this point we are very
confident of AES and SHA3 and reasonably confident of RSA.

We will need to move away from RSA at some point in the future. But ECC is
a mess right now. We can't trust the NIST curves any more and the IPR
status is prohibitively expensive to clarify.

-- 
Website: http://hallambaker.com/
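The point made above, that a negotiated protocol's security is set by the weakest suite an endpoint still accepts rather than the strongest it offers, is easy to see in a small model. The following is an added example, not code from this thread or from any of the participants: it models server-preference suite selection with a constructed suite list and a constructed strength ranking (real suites are not a single scalar), and computes the "floor", i.e. the weakest suite a peer can obtain simply by offering only that suite.

```python
"""Toy cipher-suite negotiation (added illustration, not from the thread).

Models an endpoint that picks the first entry of its own preference list
that the peer also offered. The 'floor' is the weakest suite the endpoint
will accept, which is what a peer offering only weak suites ends up with.
Suite names and STRENGTH values are constructed for illustration only.
"""

# Constructed ranking: higher is stronger. NULL-MD5 stands in for an
# unauthenticated/unencrypted suite, RC4-MD5 for a deprecated one.
STRENGTH = {
    "NULL-MD5": 0,
    "RC4-MD5": 1,
    "AES128-SHA": 2,
    "AES256-GCM-SHA384": 3,
}


def negotiate(client_offer, server_prefs):
    """Server-preference selection: first server suite the client also offered.

    Returns the chosen suite name, or None if there is no overlap.
    """
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def weakest_acceptable(server_prefs, ranking=STRENGTH):
    """Weakest suite the server will accept from a peer that offers only it."""
    known = [s for s in server_prefs if s in ranking]
    if not known:
        return None
    return min(known, key=lambda s: ranking[s])


def security_floor(server_prefs, ranking=STRENGTH):
    """Numeric strength of the weakest acceptable suite (None if no suite)."""
    weakest = weakest_acceptable(server_prefs, ranking)
    return None if weakest is None else ranking[weakest]


def compare_policies():
    """Floors for three server policies: baseline, 'add strong', 'remove weak'.

    Shows that adding a stronger suite leaves the floor unchanged, while
    removing the weak suite raises it.
    """
    baseline = ["AES128-SHA", "RC4-MD5"]
    add_strong = ["AES256-GCM-SHA384"] + baseline
    remove_weak = [s for s in add_strong if s != "RC4-MD5"]
    return {
        "baseline": security_floor(baseline),
        "add_strong": security_floor(add_strong),
        "remove_weak": security_floor(remove_weak),
    }


if __name__ == "__main__":
    for policy, floor in compare_policies().items():
        print(f"{policy:12s} floor = {floor}")
    # A peer that offers only the weak suite still gets it from 'add_strong':
    print(negotiate(["RC4-MD5"], ["AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"]))
    # ...and is refused once the weak suite is removed:
    print(negotiate(["RC4-MD5"], ["AES256-GCM-SHA384", "AES128-SHA"]))
```

Running it shows the floor staying at the RC4 level after the strong suite is added and rising only when RC4 is dropped; the last two lines show the same fact from the peer's side, where the only way to refuse a weak negotiation is to not list the weak suite at all.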

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography