[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

John Kelsey crypto.jmk at gmail.com
Wed Oct 9 22:18:43 EDT 2013 

On Oct 8, 2013, at 4:46 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> I think the situation is much more serious than this comment makes it appear. As professionals, we have an obligation to share our knowledge of the limits of our technology with the people who are depending on it. We know that all crypto standards which are 15 years old or older are obsolete, not recommended for current use, or outright dangerous. We don't know of any way to avoid this problem in the future.

We know how to address one part of this problem--choose only algorithms whose design strength is large enough that there's not some relatively close by time when the algorithms will need to be swapped out.  That's not all that big a problem now--if you use, say, AES256 and SHA512 and ECC over P521, then even in the far future, your users need only fear cryptanalysis, not Moore's Law.  Really, even with 128-bit security level primitives, it will be a very long time until the brute-force attacks are a concern.  

This is actually one thing we're kind-of on the road to doing right in standards now--we're moving away from barely-strong-enough crypto and toward crypto that's going to be strong for a long time to come. 

Protocol attacks are harder, because while we can choose a key length, modulus size, or sponge capacity to support a known security level, it's not so easy to make sure that a protocol doesn't have some kind of attack in it.  

I think we've learned a lot about what can go wrong with protocols, and we can design them to be more ironclad than in the past, but we still can't guarantee we won't need to upgrade.  But I think this is an area that would be interesting to explore--what would need to happen in order to get more ironclad protocols?  A couple random thoughts:

a.  Layering secure protocols on top of one another might provide some redundancy, so that a flaw in one didn't undermine the security of the whole system.  

b.  There are some principles we can apply that will make protocols harder to attack, like encrypt-then-MAC (to eliminate reaction attacks), nothing is allowed to need change its execution path or timing based on the key or plaintext, every message includes a sequence number and the hash of the previous message, etc.  This won't eliminate protocol attacks, but will make them less common.

c.  We could try to treat at least some kinds of protocols more like crypto algorithms, and expect to have them widely vetted before use.  

What else?  

 ...
> Perhaps the shortest limit on the lifetime of an embedded system is the security protocol, and not the hardware. If so, how do we as society deal with this limit.

What we really need is some way to enforce protocol upgrades over time.  Ideally, there would be some notion that if you support version X of the protocol, this meant that you would not support any version lower than, say, X-2.  But I'm not sure how practical that is.  

> Cheers -- Bill

--John

More information about the cryptography mailing list