Steven M. Bellovin
smb at research.att.com
Tue Jul 8 21:24:27 EDT 2003
[Moderator's note: I've been choking back the LibTomNet argument but I
thought Steve's specific references here are interesting, even if the
point has already been made. --Perry]
In message <20030707230743.64482.qmail at web41109.mail.yahoo.com>, tom st denis w
>The RFC looks like it was written by a member of the ACLU and done at
>an hourly rate of some sort. It contains no test vectors, no sample
>source code and generally is not enough information to code a compliant
What does the ACLU have to do with it? "Be liberal in what you accept?"
>Not only is my code way smaller than a compliant SSL library but it is
>also simpler. There are only eight functions in LibTomNet and of
>LibTomCrypt you only need a half dozen at most [setup the prng, RSA key
>gen, export/import]. In other words my code is [should be] very easy to
>work with since there is a minimum of clutter to get in the way.
Tom, I don't know you, and I don't know what your background in crypto
protocol design is. It's an *exceedingly* subtle art.
A few months ago, I went back and reread the original Needham-Schroeder
paper, from December 1978. It is, as far as I know, the first paper in
the open literature on cryptographic protocols. In it, the authors
warn that they think that this is a very difficult area, and that
subtle flaws will occur. That's one of the more amazing instances of
prescience I've seen.
Let me briefly review the history of that protocol. As I said, it was
published in December, 1978. It had symmetric and asymmetric versions
of the protocol. The latter -- taking into account certificates, which
had not yet been invented -- was only three lines long. In August 1981,
Denning and Sacco published a paper describing a comparatively subtle
flaw in the protocol; they also proposed a fix. In 1994, Abadi and
Needham described a flaw in the Denning/Sacco replacement. (That flaw
might have been described in 1987, but I'm traveling and don't have my
library with me...) In 1996, a new flaw was found in the original
Needham-Schroeder asymmetric variant -- a flaw that was blindingly
obvious once pointed out.
Tell me -- why should anyone trust your new protocol, given the history
of one of the most-studied protocols in the field? SSLv3 has had a lot
of scrutiny. Has yours?
>At any rate LibTomNet is not an SSL replacement. It's a library for
>developers who need simple to work with secure sockets.
That's what SSL is.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
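An added illustration of the history Steve summarizes, not part of his post: a symbolic (Dolev-Yao style) model of the three-message Needham-Schroeder public-key protocol, the 1996 flaw (Lowe's man-in-the-middle, in which a legitimate principal I re-uses A's messages against B) and Lowe's fix of putting the responder's name into message 2. The principal names, nonce labels and the tuple-based "encryption" are constructed for the model and are not real cryptography.

```python
# Symbolic model of the three-message Needham-Schroeder public-key protocol.
# Encryption is a tagged tuple only the named key owner can open (constructed).
def enc(to, *payload):                      # {payload}_pk(to)
    return ("enc", to, payload)

def dec(who, msg):                          # only the intended holder may open it
    kind, to, payload = msg
    if kind != "enc" or to != who:
        raise PermissionError(f"{who} holds no key for a message to {to}")
    return payload

class Initiator:
    def __init__(self, name, peer, fixed):
        self.name, self.peer, self.fixed = name, peer, fixed
        self.na = f"N_{name}"
    def msg1(self):                         # 1. A -> B: {Na, A}_pkB
        return enc(self.peer, self.na, self.name)
    def msg3(self, m2):                     # 3. A -> B: {Nb}_pkB
        fields = dec(self.name, m2)
        if fields[0] != self.na:
            raise ValueError("Na mismatch")
        if self.fixed and fields[2] != self.peer:   # Lowe's fix: check B's name
            raise ValueError(f"{self.name} wanted {self.peer}, got {fields[2]}")
        return enc(self.peer, fields[1])

class Responder:
    def __init__(self, name, fixed):
        self.name, self.fixed, self.nb = name, fixed, f"N_{name}"
    def msg2(self, m1):                     # 2. B -> A: {Na, Nb}_pkA (+ B if fixed)
        na, peer = dec(self.name, m1)
        extra = (self.name,) if self.fixed else ()
        return enc(peer, na, self.nb, *extra)
    def finish(self, m3):                   # B accepts A if Nb comes back
        return dec(self.name, m3) == (self.nb,)

def honest_run(fixed):                      # A really talks to B
    a, b = Initiator("A", "B", fixed), Responder("B", fixed)
    return b.finish(a.msg3(b.msg2(a.msg1())))

def lowe_run(fixed):
    """A opens a session with I; I re-uses A's messages on B. True if B is fooled."""
    a, b = Initiator("A", "I", fixed), Responder("B", fixed)
    na, who = dec("I", a.msg1())            # I legitimately opens {Na, A}_pkI
    m2 = b.msg2(enc("B", na, who))          # ... and re-encrypts it for B
    try:
        m3 = a.msg3(m2)                     # {Na, Nb(, B)}_pkA relayed unchanged
    except ValueError:
        return False                        # fixed variant: A notices B != I
    (nb,) = dec("I", m3)                    # original: A hands {Nb}_pkI to I
    return b.finish(enc("B", nb))           # I completes B's run posing as A
```

In the original protocol B finishes believing it authenticated A, although A only ever meant to talk to I; with the responder's name in message 2, A aborts at step 3.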
The Cryptography Mailing List