[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Oct 10 10:11:07 EDT 2013


Watson Ladd <watsonbladd at gmail.com> writes:

>The obvious solution: Do it right the first time.

And how do you know that you're doing it right?  PGP in 1992 adopted a
bleeding-edge cipher (IDEA) and was incredibly lucky that it's stayed secure
since then.  What new cipher introduced up until 1992 has had that
distinction?  "Doing it right the first time" is a bit like the concept of
stopping rules in heuristic decision-making, if they were that easy then
people wouldn't be reading this list but would be in Las Vegas applying the
stopping rule "stop playing just before you start losing".

This is particularly hard in standards-based work because any decision about
security design tends to rapidly degenerate into an argument about whose
fashion statement takes priority.  To get back to an earlier example that I
gave on the list, the trivial and obvious fix to TLS of switching from
MAC-then-encrypt to encrypt-then-MAC is still being blocked by the WG chairs
after nearly a year, despite the fact that a straw poll on the list indicated
general support for it (rough consensus) and implementations supporting it are
already deployed (running code).  So "do it right the first time" is a lot
easier said than done.

Peter.
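The MAC-then-encrypt versus encrypt-then-MAC point above, as an added example that is not part of Peter's post and not code from any TLS implementation. It uses HMAC-SHA256 for the MAC and, as a stand-in cipher so the script runs on the standard library alone, HMAC-SHA256 in counter mode as a toy keystream (an assumption of this example, not a TLS cipher); the keys, sequence number and record contents are constructed. A counter on the decryption routine shows the practical difference: with MAC-then-encrypt the receiver must run attacker-controlled bytes through decryption (and, in CBC suites, through padding removal) before it can tell the record is forged, which is where the padding- and timing-oracle attacks on TLS live; with encrypt-then-MAC a forged record is rejected before decryption is touched.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed demo keys; a real deployment derives separate keys per direction.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32

# Toy stream cipher stand-in (assumption: HMAC-SHA256 in counter mode). Used only
# so the example runs offline; it is not a TLS cipher.
def keystream(key, seq, n):
    out = b""
    ctr = 0
    while len(out) < n:
        block_input = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

decrypt_calls = 0  # how many times untrusted bytes reached the decryption routine

def encrypt(seq, pt):
    return xor(pt, keystream(ENC_KEY, seq, len(pt)))

def decrypt(seq, ct):
    global decrypt_calls
    decrypt_calls += 1
    return xor(ct, keystream(ENC_KEY, seq, len(ct)))

def tag(seq, data):
    # seq plays the role of the TLS record sequence number bound into the MAC
    return hmac.new(MAC_KEY, seq.to_bytes(8, "big") + data, hashlib.sha256).digest()

# MAC-then-encrypt: MAC the plaintext, then encrypt plaintext || tag
def mte_seal(seq, pt):
    return encrypt(seq, pt + tag(seq, pt))

def mte_open(seq, record):
    if len(record) < TAG_LEN:
        raise ValueError("record too short")
    plain = decrypt(seq, record)  # attacker-controlled bytes are decrypted unverified
    pt, t = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(seq, pt)):
        raise ValueError("bad MAC")
    return pt

# Encrypt-then-MAC: encrypt, then MAC the ciphertext; verify before decrypting
def etm_seal(seq, pt):
    ct = encrypt(seq, pt)
    return ct + tag(seq, ct)

def etm_open(seq, record):
    if len(record) < TAG_LEN:
        raise ValueError("record too short")
    ct, t = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(seq, ct)):
        raise ValueError("bad MAC")  # rejected without any decryption
    return decrypt(seq, ct)

def flip_byte(record, i):
    return record[:i] + bytes([record[i] ^ 0x01]) + record[i + 1:]

def compare_constructions(pt=b"GET / HTTP/1.1\r\n", seq=7):
    """Round-trip both constructions, then feed each a tampered record and report
    whether it was rejected and how many times decrypt() saw the tampered bytes."""
    global decrypt_calls
    results = {}
    for name, seal, open_ in (("mte", mte_seal, mte_open), ("etm", etm_seal, etm_open)):
        record = seal(seq, pt)
        assert open_(seq, record) == pt  # honest round trip must succeed
        forged = flip_byte(record, 0)
        decrypt_calls = 0
        try:
            open_(seq, forged)
            rejected = False
        except ValueError:
            rejected = True
        results[name] = {"rejected": rejected,
                         "decrypt_calls_on_forgery": decrypt_calls}
    return results

if __name__ == "__main__":
    print(compare_constructions())
```

Both constructions reject the forged record, but only encrypt-then-MAC does so with zero calls into decrypt(); that is the whole engineering argument for the switch, since it removes the decrypt-then-check ordering that every padding- and timing-oracle attack on TLS records has relied on.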
