[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

Jerry Leichter leichter at lrw.com
Mon Oct 7 13:59:05 EDT 2013


On Oct 7, 2013, at 12:45 PM, Ray Dillinger <bear at sonic.net> wrote:
> Can we do anything ...[to make it possible to remove old algorithms]? If the protocol allows correction (particularly remote or automated correction) of an entity using a weak crypto primitive, that opens up a whole new set of attacks on strong primitives.
> 
> We'd like the answer to be that people will decline to communicate with you if you use a weak system, but honestly when was the last time you had that degree of choice in from whom you get exactly the content and services you need?
> 
> Can we even make renegotiating the cipher suite inconveniently long or heavy so defaulting weak becomes progressively more costly as more people default strong? That opens up denial of service attacks, and besides it makes it painful to be the first to default strong.
> 
> Can a check for a revoked signature for the cipher's security help? That makes the CA into a point of control.
> 
> Anybody got a practical idea?
I don't see how there can be any solution to this.  Slow renegotiation doesn't affect users until it gets to the point where they feel that "something is broken"; at that point, the result to them is indistinguishable from just refusing connections with the old suites.  And of course what's broken is never *their* software, it's the other guy's - and given the alternative, they'll go to someone who isn't as insistent that their potential customers "do it the right way".  So you'll just set off a race to the bottom.

Revoking signatures ... well, just how effective are "bad signature" warnings today?  People learn - in fact, are often *taught* - to click through them.  If software refuses to let them do that, they'll look for other software.

Ultimately, I think you have to look at this as an economic issue.  The only reason to change your software is if the cost of changing is lower than the estimated future cost of *not* changing.  Most users (rightly) estimate that the chance of them losing much is very low.  You can change that estimate by imposing a cost on them, but in a world of competitive suppliers (and consumer protection laws) that's usually not practical.

It's actually interesting to consider the single counter-example out there: the iOS world (and to a slightly lesser degree, the OS X world).  Apple doesn't force iOS users to upgrade their existing hardware (and sometimes it's "obsolete" and isn't software-upgradeable) but in fact iOS users upgrade very quickly.  (iOS 7 exceeded 50% of installations within 7 days - a faster ramp than iOS 6.  Based on past patterns, iOS 7 will be in the high 90's in a fairly short time.)  No other software comes anywhere close to that.  Moving from iOS 6 to iOS 7 is immensely more disruptive than moving to a new browser version (say) that drops support for a vulnerable encryption algorithm.  And yet huge numbers of people do it.  Clearly it's because of the new things in iOS 7 - and yet Microsoft still has a huge population of users on XP.

I think the real take-away here is that getting upgrades into the field is a technical problem only at the margins.  It has to do with people's attitudes in subtle ways that Apple has captured and others have not.  (Unanswerable question:  If the handset makers and the Telco vendors didn't make it so hard - often impossible - to upgrade, what would the market penetration numbers for different Android versions look like?)

                                                        -- Jerry