[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

james hughes hughejp at mac.com
Sat Oct 5 15:47:10 EDT 2013


On Oct 2, 2013, at 7:46 AM, John Kelsey <crypto.jmk at gmail.com> wrote:

> Has anyone tried to systematically look at what has led to previous crypto failures?  T

In the case we are in now, I don't think that it is actually "crypto failures" (RSA is still secure, but 1024 bit is not; 2048-bit DHE is still secure, but no one uses it; AES is secure, but not with an insecure key exchange) but standards failures. These protocol and/or implementation failures are either because the standards committee said to the cryptographers "prove it" (the case of WEP), or because even when an algorithm is dead they refuse to deprecate it (the MD5 certificate mess), or because of a bad RNG (too many examples to cite). 

The antibodies in the standards committees need to read this and think about it really hard. 

> (1)  Overdesign against cryptanalysis (have lots of rounds)
> (2)  Overdesign in security parameters (support only high security levels, use bigger than required RSA keys, etc.) 
> (3)  Don't accept anything without a proof reducing the security of the whole thing down to something overdesigned in the sense of (1) or (2).

and "(4) Assume algorithms fall faster than Moore's law and, in the standard, provide a sunset date."

I completely agree. 


<rhetoric>
The insane thing is that it is NOT the cryppies that are complaining about moving to RSA 2048 and 2048 bit DHE, it is the standards wonks that complain that a 3ms key exchange is "excessive". 

Who is the CSO of the Internet? We have Vint Cerf, Bob Kahn or Sir Tim, but what about security? Who is responsible for the security of eCommerce? Who will VISA turn to? It was NIST (effectively). Thank you NSA, because of you NIST has now lost most of its credibility. (Secrets are necessary, but many come to light over time. Was the probability of throwing NIST under the bus [http://en.wikipedia.org/wiki/Throw_under_the_bus] part of the "challenge in finesse"? Did NSA consider backing down when the Shumow, Ferguson presentation (which Schneier blogged about) came to light in 2007?)  

We have a mess. Who is going to lead? Can the current IETF Security Area step into the void? They have cryptographers on the Directorate list, but history has shown that they are not incredibly effective at implementing a cryptographic vision. One can easily argue that vision is rarely provided by a committee oversight committee. 
</rhetoric>


John: Thank you. These are absolutely the right criteria. 

Now what? 

Jim


