[147463] in cryptography@c2.net mail archive


Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was:

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Oct 2 11:06:23 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <0283CE1D-3D06-4F79-9759-1E76FD9149EB@lrw.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 2 Oct 2013 10:46:22 -0400
To: Jerry Leichter <leichter@lrw.com>
Cc: Dirk-Willem van Gulik <dirkx@webweaving.org>,
	Christoph Anton Mitterer <calestyo@scientia.net>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Has anyone tried to systematically look at what has led to previous crypto failures?  That would inform us about where we need to be adding armor plate.  My impression (this may be the availability heuristic at work) is that:

a.  Most attacks come from protocol or mode failures, not so much crypto primitive failures.  That is, there's a reaction attack on the way CBC encryption and message padding play with your application, and it doesn't matter whether you're using AES or FEAL-8 for your block cipher.  

b.  Overemphasis on performance (because it's measurable and security usually isn't) plays really badly with having stuff be impossible to get out of the field when it's in use.  Think of RC4 and DES and MD5 as examples.  

c.  The ways I can see to avoid problems with crypto primitives are:

(1)  Overdesign against cryptanalysis (have lots of rounds)

(2)  Overdesign in security parameters (support only high security levels, use bigger than required RSA keys, etc.) 

(3)  Don't accept anything without a proof reducing the security of the whole thing down to something overdesigned in the sense of (1) or (2).

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
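
Point (a) above, as an added example that is not part of the original message: a receiver that answers differently for a padding failure and a MAC failure leaks the same signal whichever block cipher sits underneath, while an encrypt-then-MAC receiver that checks the tag first gives a single reply. The toy Feistel cipher, `KEY`, `IV`, the sample message and all function names are constructed for this illustration; the cipher is not secure and only stands in for "AES" or "FEAL-8".

```python
import hashlib, hmac

BLOCK, KEY, IV = 8, b"k" * 32, bytes(8)   # constructed demo values; fixed IV only for repeatability
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
tag = lambda m: hmac.new(KEY, m, "sha256").digest()

def toy_cipher(name):
    """Toy 4-round Feistel block cipher (not secure); `name` plays 'AES' or 'FEAL-8'."""
    f = lambda half, i: hashlib.sha256(name + bytes([i]) + half).digest()[:4]
    def run(b, rounds):                   # reversed round order decrypts
        l, r = b[:4], b[4:]
        for i in rounds:
            l, r = r, xor(l, f(r, i))
        return r + l                      # final swap makes the network self-inverse
    return (lambda b: run(b, range(4))), (lambda b: run(b, reversed(range(4))))

def cbc_encrypt(enc, msg):
    pad = BLOCK - len(msg) % BLOCK
    out, msg = [IV], msg + bytes([pad]) * pad
    for i in range(0, len(msg), BLOCK):
        out.append(enc(xor(msg[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(dec, data):               # returns None when the padding is malformed
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    pt = b"".join(xor(dec(c), p) for p, c in zip(blocks, blocks[1:]))
    pad = pt[-1]
    ok = 1 <= pad <= BLOCK and pt[-pad:] == bytes([pad]) * pad
    return pt[:-pad] if ok else None

def weak_receive(dec, data):              # MAC-then-encrypt, a separate reply per failure
    pt = cbc_decrypt(dec, data)
    if pt is None:
        return "padding error"
    return "ok" if hmac.compare_digest(pt[-32:], tag(pt[:-32])) else "mac error"

def hardened_receive(dec, data):          # encrypt-then-MAC, tag verified before decrypting
    if not hmac.compare_digest(data[-32:], tag(data[:-32])):
        return "reject"
    return "ok" if cbc_decrypt(dec, data[:-32]) is not None else "reject"

def responses(name, msg=b"transfer 100 to bob"):   # replies to two single-bit tamperings
    enc, dec = toy_cipher(name)
    weak, body = cbc_encrypt(enc, msg + tag(msg)), cbc_encrypt(enc, msg)
    # flip one bit in an IV byte, then in the byte XORed into the final pad byte
    hit = lambda d, n: [d[:i] + bytes([d[i] ^ 1]) + d[i + 1:] for i in (0, n - BLOCK - 1)]
    return ({weak_receive(dec, t) for t in hit(weak, len(weak))},
            {hardened_receive(dec, t) for t in hit(body + tag(body), len(body))})
```

`responses(b"AES")` and `responses(b"FEAL-8")` return the same pair of sets: two distinct replies from the weak receiver, one from the hardened receiver.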
