[Cryptography] On the Impending Crypto Monoculture

Andrew Donoho awd at ddg.com
Fri Mar 25 18:56:52 EDT 2016


> On Mar 25, 2016, at 03:51 , Brian Gladman <brg at gladman.plus.com> wrote:
> 
> So the issue is not that the Apple (or any other platform supplier) has
> individually made good or bad choices but rather that they have made
> different choices.  In overall terms this produces an unmanaged
> multi-culture that has little or no chance of producing a good
> information security result.




Brian,



	Thank you for sharing your expertise.

	I poorly made my point. Which was: a monoculture is already largely established — that defined by NIST/NSA and BIS export controls.

Revisiting my table:

Suite B for TS    iOS    Android

AES-256-CBC       X      X
SHA-384           X      X
HMAC-SHA-384      X      X
RSA-3072 sign     X      X
RSA-3072 enc      X      X

ECDH-P-384               X
ECDSA-P-384              X
DH Key exchange          X

Note: I am not an Android developer. Hence, my Google-fu may be weak and the above may be in error.

It looks like the standard Android libraries are more fully featured than iOS’s. More importantly though, the common subset interoperates. I believe, because both mobile OSes must surmount the same export controls, they have a common crypto feature set. This common requirement enforces a monoculture.

This feature set ripples up into my servers. There is little reason to deviate from this mobile-device-defined norm on my servers. Yes, because my clients exploit their explicitly parallel performance, the servers may be overloaded processing these older but still quite secure algorithms. Our hardware friends are looking to largely mitigate those issues though.



Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

New: Spot marks the taX™ App, <http://SpotMarksTheTaX.com>
Retweever Family: <http://Image.Retweever.com>, <http://Retweever.com>

A ship in port is safe; 
    but that is not what ships are built for.
        — Aphorism popularized by U.S. Rear Admiral Grace M. Hopper


