[Cryptography] The paranoid approach to crypto-plumbing

ianG iang at iang.org
Tue Sep 17 05:48:03 EDT 2013


Hi Bill,

On 17/09/13 01:20 AM, Bill Frantz wrote:

> The idea is that when serious problems are discovered with one
> algorithm, you don't have to scramble to replace the entire crypto
> suite. The other algorithm will cover your tail while you make an
> orderly upgrade to your system.
>
> Obviously you want to choose algorithms which are likely to have
> different failure modes -- which is why I suggest that RC4 (or an
> extension thereof) might still be useful. The added safety also allows
> you to experiment with less examined algorithms.

The problem with adding multiple algorithms is that you are also adding 
complexity.  While you are perhaps ensuring against the failure of one 
algorithm, you are also adding a cost of failure in the complexity of 
melding.

E.g., as an example, look at the current SSL search for a secure 
ciphersuite (and try explaining it to the sysadmins).  As soon as you add 
an extra algorithm, others are tempted to add their vanity suites; the 
result is not better but worse.

And, as we know, the algorithms rarely fail.  The NSA specifically 
targets the cryptosystem, not the algorithms.  It also doesn't like 
well-constructed and well-implemented systems.  (So before getting too 
exotic with the internals, perhaps we should get the basics right.)

In contrast to the component duplication approach, I personally prefer 
the layering duplication approach (so does the NSA apparently).  That 
is, have a low-level cryptosystem that provides the base encryption and 
authentication properties, and over that, layer an authorisation layer 
that adds any additional properties if desired (such as superencryption).

One could then choose complementary algorithms at each layer.  Having 
said all that, any duplication is expensive.  Do you really have the 
evidence that such extra effort is required?  Remember, while you're 
building this extra capability, customers aren't being protected at all, 
and are less likely to be so in the future.

iang
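The layering structure iang describes (a base layer providing encryption and authentication, with a superencryption layer over it using an algorithm from a different family) can be made concrete. The following is an added example, not code from the message or from either author; it is deliberately built from the Python standard library only. The two "ciphers" are toy hash-based keystreams (SHA-256 for the inner layer, SHA3-256 for the outer, so the two layers share no design lineage), which are an assumption made for illustration and not a recommended construction; the `Layer` class, key labels, nonce length and the `demo_failure_coverage` scenario are all invented here. What it shows is the argument on both sides: if the outer layer is treated as completely broken (its key known), the inner layer still hides the plaintext and still rejects tampering, but the price is two independent keys, two nonces and two tags, which is exactly the melding complexity the message warns about.

```python
"""Toy demonstration of the 'layering duplication' structure (stdlib only).

The keystreams below are constructed for illustration (hash in counter
mode) and are NOT vetted ciphers; the point is the layer structure.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumed fixed nonce length for both toy layers


def _keystream(hash_name, key, nonce, length):
    """Toy counter-mode keystream: H(key || nonce || counter), illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Layer:
    """One encrypt-then-MAC layer built entirely on a single hash family."""

    def __init__(self, hash_name, label, master_key):
        self.hash_name = hash_name
        self.label = label
        # Separate encryption and MAC keys, derived with this layer's own hash.
        self.enc_key = hmac.new(master_key, label + b"|enc", hash_name).digest()
        self.mac_key = hmac.new(master_key, label + b"|mac", hash_name).digest()
        self.tag_len = hashlib.new(hash_name).digest_size

    def seal(self, plaintext, nonce=None):
        nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
        ct = _xor(plaintext, _keystream(self.hash_name, self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, self.label + nonce + ct, self.hash_name).digest()
        return nonce + ct + tag

    def open(self, blob):
        if len(blob) < NONCE_LEN + self.tag_len:
            raise ValueError(f"{self.label.decode()} layer: blob too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-self.tag_len], blob[-self.tag_len:]
        expected = hmac.new(self.mac_key, self.label + nonce + ct, self.hash_name).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time tag check
            raise ValueError(f"{self.label.decode()} layer: authentication failed")
        return _xor(ct, _keystream(self.hash_name, self.enc_key, nonce, len(ct)))


def build_stack(inner_key, outer_key):
    """Base layer on the SHA-2 family, superencryption layer on the SHA-3 family."""
    return Layer("sha256", b"inner", inner_key), Layer("sha3_256", b"outer", outer_key)


def seal_layered(inner, outer, plaintext):
    return outer.seal(inner.seal(plaintext))


def open_layered(inner, outer, blob):
    return inner.open(outer.open(blob))


def demo_failure_coverage(plaintext=b"orderly upgrade in progress"):
    """Return which protections survive when the outer layer is assumed broken."""
    inner_key, outer_key = secrets.token_bytes(32), secrets.token_bytes(32)
    inner, outer = build_stack(inner_key, outer_key)
    blob = seal_layered(inner, outer, plaintext)
    result = {"round_trip": open_layered(inner, outer, blob) == plaintext}

    # 1. A bit flip in transit is rejected by the outer tag, inner layer untouched.
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01
    try:
        open_layered(inner, outer, bytes(flipped))
        result["outer_rejects_tamper"] = False
    except ValueError:
        result["outer_rejects_tamper"] = True

    # 2. Model the outer algorithm failing completely: treat its key as known
    #    and peel that layer off. The inner layer still hides the plaintext...
    peeled = Layer("sha3_256", b"outer", outer_key).open(blob)
    result["inner_hides_plaintext"] = plaintext not in peeled

    # 3. ...and still detects tampering with what remains.
    peeled_flipped = bytearray(peeled)
    peeled_flipped[NONCE_LEN] ^= 0x01
    try:
        inner.open(bytes(peeled_flipped))
        result["inner_rejects_tamper"] = False
    except ValueError:
        result["inner_rejects_tamper"] = True
    return result


if __name__ == "__main__":
    for name, ok in demo_failure_coverage().items():
        print(f"{name:22s} {'ok' if ok else 'FAILED'}")
```

Running it prints four checks; the two `inner_*` lines are the "covers your tail" property, while the fact that `build_stack` needs two unrelated master keys (and every message carries two nonces and two tags) is the cost side of the trade.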

More information about the cryptography mailing list