[146970] in cryptography@c2.net mail archive


Re: [Cryptography] The One True Cipher Suite

daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue Sep 10 15:07:47 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 11:52:43 -0700
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <55D4E31C-CDCB-4A87-9BDF-F9DC4F9FFFAC@lrw.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

At 04:42 AM 9/10/2013, Jerry Leichter wrote:
>On Sep 9, 2013, at 12:00 PM, Phillip Hallam-Baker wrote:
> > Steve Bellovin has made the same argument and I agree with it.
> > Proliferation of cipher suites is not helpful.
> > The point I make is that adding a strong cipher does not make you
> > more secure. Only removing the option of using weak ciphers makes
> > you more secure.

The reason you need to be able to support more than one cipher suite 
is so that you've got a mechanism for removing one if it's discovered 
to be weak in the future, and for adding a new one if none of your 
remaining suites are still strong.

>1.  If everyone uses the same cipher, the attacker need only attack 
>that one cipher.
>2.  If there are thousands of ciphers in use, the attacker needs to 
>attack some large fraction of them.

If there are thousands of ciphers in use, it's generally easier for 
the attacker to get people to use one of the weak ones
than to attack a large fraction of the not-currently-known-to-be-weak ones.

The big problem PGP ran into with compatibility wasn't so much 
because of cipher suites (after Bass-O-Matic was replaced),
though avoiding the IDEA patent became important after violating the 
RSA patent wasn't a problem,
but because it did too much bit-twiddling to use variable-length 
fields and was sloppy about boundaries,
which made it easy to exploit.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
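The two points argued above, that a deployment needs more than one suite so a weak one can be retired and a new one introduced, and that an attacker's easiest move against a long menu is to steer the peers toward a weak entry, can be made concrete with a toy negotiation. The following is an added example, not code from the original message or from any TLS implementation: the server holds an ordered allow-list and chooses in its own preference order, `retire` and `add` change that list, and both peers MAC the handshake transcript so an in-path edit of the client's offer is caught, which is the role TLS's Finished message plays. The suite names are real TLS identifiers used only as labels, `TLS_NEW_SUITE_PLACEHOLDER` is a hypothetical name, the `ServerPolicy`, `NegotiationError`, `transcript_mac` and `client_accepts` names are mine, and the shared key is assumed to have been established already by a key exchange.

```python
"""Cipher-suite agility and downgrade resistance, as a toy negotiation.

Constructed example, not from the original message: the server keeps an
ordered allow-list, chooses in its own preference order, can retire or add a
suite, and both peers MAC the handshake transcript so an in-path edit of the
client's offer is detected.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Real TLS suite identifiers used purely as labels; the policy is illustrative.
STRONG = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
          "TLS_AES_128_GCM_SHA256"]
LEGACY_RC4 = "TLS_RSA_WITH_RC4_128_SHA"
NEW_SUITE = "TLS_NEW_SUITE_PLACEHOLDER"   # hypothetical, stands in for a future suite


class NegotiationError(Exception):
    """Raised when no acceptable suite can be agreed."""


@dataclass
class ServerPolicy:
    allowed: list                               # server preference order, strongest first
    retired: set = field(default_factory=set)   # suites explicitly removed as weak

    def retire(self, suite: str) -> None:
        """Remove a suite from the allow-list once it is judged weak."""
        if suite in self.allowed:
            self.allowed.remove(suite)
        self.retired.add(suite)

    def add(self, suite: str, preferred: bool = False) -> None:
        """Introduce a new suite, optionally at the top of the preference order."""
        self.retired.discard(suite)
        if suite in self.allowed:
            self.allowed.remove(suite)
        if preferred:
            self.allowed.insert(0, suite)
        else:
            self.allowed.append(suite)

    def negotiate(self, client_offer: list) -> str:
        """Pick the first suite in *server* order that the client also offered.

        The client's ordering is ignored, so a client-controlled list cannot
        steer the choice toward the weakest mutually supported suite.
        """
        offered = set(client_offer)
        for suite in self.allowed:
            if suite in offered:
                return suite
        bad = sorted(offered & self.retired)
        if bad:
            raise NegotiationError("only retired suites offered: %s" % bad)
        raise NegotiationError("no mutually supported suite")


def transcript_mac(key: bytes, client_offer: list, chosen: str) -> bytes:
    """HMAC over what a peer saw of the handshake. Assumes `key` was already
    established between the peers (in TLS it comes from the key exchange)."""
    transcript = ("|".join(client_offer) + "||" + chosen).encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def client_accepts(key: bytes, client_offer: list, server_seen_offer: list,
                   chosen: str) -> bool:
    """Client-side check: the server's MAC must match the offer the client
    actually sent, so a stripped or reordered offer yields a mismatch."""
    server_mac = transcript_mac(key, server_seen_offer, chosen)
    expected = transcript_mac(key, client_offer, chosen)
    return hmac.compare_digest(server_mac, expected)


def demo() -> dict:
    """Walk through normal negotiation, a stripped offer, retirement and addition."""
    key = b"constructed-shared-key"          # constructed value for the example
    policy = ServerPolicy(allowed=list(STRONG), retired={LEGACY_RC4})
    offer = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", LEGACY_RC4]
    out = {}
    # Server preference wins over the client's order.
    out["normal"] = policy.negotiate(offer)
    # In-path removal of the strongest suite: the server picks a weaker one, but
    # the client's transcript check fails because the offer it sent was altered.
    stripped = [s for s in offer if s != "TLS_AES_256_GCM_SHA384"]
    chosen = policy.negotiate(stripped)
    out["downgrade_detected"] = not client_accepts(key, offer, stripped, chosen)
    # Retire a suite: it can no longer be selected even if offered.
    policy.retire("TLS_AES_256_GCM_SHA384")
    out["after_retire"] = policy.negotiate(offer)
    # A client that only speaks a retired suite is refused outright.
    try:
        policy.negotiate([LEGACY_RC4])
        out["legacy_only"] = "accepted"
    except NegotiationError:
        out["legacy_only"] = "refused"
    # Add a new suite at the top of the preference order.
    policy.add(NEW_SUITE, preferred=True)
    out["new_preferred"] = policy.negotiate(offer + [NEW_SUITE])
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The design choice worth noting is that the server never consults the client's ordering, and that retirement is an explicit, auditable change to one list rather than a scattered set of version checks; the transcript MAC is the piece that turns "the attacker got the peers to use a weak one" from a silent downgrade into a handshake failure.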
