[147173] in cryptography@c2.net mail archive
Re: [Cryptography] The paranoid approach to crypto-plumbing
Date: Tue, 17 Sep 2013 12:48:03 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com
In-Reply-To: <r422Ps-1075i-24584083555946D9ACA9D4E53D76EC9A@Williams-MacBook-Pro.local>
Hi Bill,
On 17/09/13 01:20 AM, Bill Frantz wrote:
> The idea is that when serious problems are discovered with one
> algorithm, you don't have to scramble to replace the entire crypto
> suite. The other algorithm will cover your tail while you make an
> orderly upgrade to your system.
>
> Obviously you want to choose algorithms which are likely to have
> different failure modes -- which is why I suggest that RC4 (or an
> extension thereof) might still be useful. The added safety also allows
> you to experiment with less examined algorithms.
The problem with adding multiple algorithms is that you are also adding
complexity. While you are perhaps insuring against the failure of one
algorithm, you are also adding a cost of failure in the complexity of
melding.
E.g., look at the current SSL search for a secure ciphersuite (and try
explaining it to the sysadmins). As soon as you add an extra algorithm,
others are tempted to add their vanity suites, and the result is not
better but worse.
And, as we know, the algorithms rarely fail. The NSA specifically
targets the cryptosystem, not the algorithms. It also doesn't like
well-constructed and well-implemented systems. (So before getting too
exotic with the internals, perhaps we should get the basics right.)
In contrast to the component duplication approach, I personally prefer
the layering duplication approach (so does the NSA apparently). That
is, have a low-level cryptosystem that provides the base encryption and
authentication properties, and over that, layer an authorisation layer
that adds any additional properties if desired (such as superencryption).
One could then choose complementary algorithms at each layer. Having
said all that, any duplication is expensive. Do you really have the
evidence that such extra effort is required? Remember, while you're
building this extra capability, customers aren't being protected at all,
and are less likely to be so in the future.
iang
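The layering approach ianG sketches above (a base layer giving encryption and authentication, with a second, independently keyed layer of superencryption on top, using a different primitive at each layer) can be made concrete. The block below is an added example for this archive page, not code by ianG or anyone on the list. It is stdlib-only, so the two "ciphers" are toy keystream generators (HMAC-SHA256 in counter mode for the inner layer, SHAKE256 as an XOF for the outer layer); the HKDF implementation, the label strings `cascade-v1` / `inner-enc` etc., and the `outer_layer_broken` helper that simulates a total break of the outer primitive are all assumptions of the example. The point it demonstrates is the property Bill Frantz wants: an attacker holding the outer layer's keys recovers only the inner ciphertext, never the plaintext, and the two layers share no key material.

```python
"""Cascade (layered) encryption with independent primitives and keys.

Added example, not from the original thread. The keystream functions are
toy constructions chosen so the file runs with the standard library only;
a real deployment would use two vetted AEADs, not these."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream_hmac_ctr(key: bytes, nonce: bytes, n: int) -> bytes:
    """Inner-layer keystream: HMAC-SHA256 over (nonce || 64-bit counter)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def keystream_shake(key: bytes, nonce: bytes, n: int) -> bytes:
    """Outer-layer keystream: SHAKE256 XOF seeded with (key || nonce)."""
    return hashlib.shake_256(key + nonce).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def layer_encrypt(ks_fn, enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """One encrypt-then-MAC layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, ks_fn(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def layer_decrypt(ks_fn, enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor(ct, ks_fn(enc_key, nonce, len(ct)))


def derive_keys(master: bytes) -> dict:
    """Four independent subkeys; distinct labels keep layers and roles apart."""
    return {
        label: hkdf_sha256(master, b"cascade-v1", label.encode())  # labels: assumed
        for label in ("inner-enc", "inner-mac", "outer-enc", "outer-mac")
    }


def cascade_encrypt(master: bytes, plaintext: bytes) -> bytes:
    k = derive_keys(master)
    inner = layer_encrypt(keystream_hmac_ctr, k["inner-enc"], k["inner-mac"], plaintext)
    return layer_encrypt(keystream_shake, k["outer-enc"], k["outer-mac"], inner)


def cascade_decrypt(master: bytes, blob: bytes) -> bytes:
    k = derive_keys(master)
    inner = layer_decrypt(keystream_shake, k["outer-enc"], k["outer-mac"], blob)
    return layer_decrypt(keystream_hmac_ctr, k["inner-enc"], k["inner-mac"], inner)


def outer_layer_broken(master: bytes, blob: bytes) -> bytes:
    """Simulate a complete break of the outer primitive (attacker holds its
    keys). What they get back is still the inner layer's ciphertext."""
    k = derive_keys(master)
    return layer_decrypt(keystream_shake, k["outer-enc"], k["outer-mac"], blob)


if __name__ == "__main__":
    master = os.urandom(32)
    msg = b"attack at dawn"  # constructed sample input
    blob = cascade_encrypt(master, msg)
    assert cascade_decrypt(master, blob) == msg
    assert msg not in outer_layer_broken(master, blob)
    print("round trip ok; outer break leaks only inner ciphertext")
```

Two design points worth noting against ianG's complexity warning: the cascade is only as good as its key separation (both layers keyed from one label-less KDF call would collapse it back to a single point of failure), and every extra layer is another nonce, another tag check and another place to get the decrypt ordering wrong. That operational cost is exactly the "melding" cost the message argues has to be weighed against the evidence that a second algorithm is needed at all.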
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography