[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

John Kelsey crypto.jmk at gmail.com
Wed Oct 2 10:46:22 EDT 2013


Has anyone tried to systematically look at what has led to previous crypto failures?  That would inform us about where we need to be adding armor plate.  My impression (this may be the availability heuristic at work) is that:

a.  Most attacks come from protocol or mode failures, not so much crypto primitive failures.  That is, there's a reaction attack on the way CBC encryption and message padding play with your application, and it doesn't matter whether you're using AES or FEAL-8 for your block cipher.  

b.  Overemphasis on performance (because it's measurable and security usually isn't) plays really badly with having stuff be impossible to get out of the field when it's in use.  Think of RC4 and DES and MD5 as examples.  

c.  The ways I can see to avoid problems with crypto primitives are:

(1)  Overdesign against cryptanalysis (have lots of rounds)

(2)  Overdesign in security parameters (support only high security levels, use bigger than required RSA keys, etc.) 

(3)  Don't accept anything without a proof reducing the security of the whole thing down to something overdesigned in the sense of (1) or (2).

--John

