[Cryptography] Crypto Standards vs. Engineering habits - Was: NIST about to weaken SHA3?

John Kelsey crypto.jmk at gmail.com
Fri Oct 11 10:41:38 EDT 2013


On Oct 11, 2013, at 1:48 AM, ianG <iang at iang.org> wrote:

...
> What's your goal?  I would say you could do this if the goal was ultimate security.  But for most purposes this is overkill (and I'd include online banking, etc, in that).

We were talking about how hard it is to solve crypto protocol problems by getting the protocol right the first time, so we don't end up with fielded stuff that's weak but can't practically be fixed.  One approach I can see to this is to have multiple layers of crypto protocols that are as independent as possible in security terms.  The hope is that flaws in one protocol will usually not get through the other layer, and so they won't lead to practical security flaws.  

Actually getting the outer protocol right the first time would be better, but we haven't had great success with that so far. 

> Right now we've got a TCP startup, and a TLS startup.  It's pretty messy.  Adding another startup inside isn't likely to gain popularity.

Maybe not, though I think a very lightweight version of the inner protocol adds only a few bits to the traffic used and a few AES encryptions to the workload.  I suspect most applications would never notice the difference.  (Even the version with the ECDH key agreement step would probably not add noticeable overhead for most applications.)  On the other hand, I have no idea if anyone would use this.  I'm still at the level of thinking "what could be done to address this problem," not "how would you sell this?"

> iang

--John
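The "two independent layers" idea above, as an added illustration that is not part of the thread and not Kelsey's or anyone's proposed protocol: a toy inner layer that derives its own key from an X25519 agreement and wraps each record in AES-256-GCM before the outer layer (standing in for TLS, and here just a random key) seals it again. The layer label, the key sizes and the record format (nonce || ciphertext || tag) are choices made for this example. It lets you measure the per-record cost the message estimates (one nonce plus one tag per layer) and check the property the layering is meant to buy: stripping the outer layer with its key still leaves the inner ciphertext unreadable, and any modification is rejected by whichever layer sees it first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// layerKey hashes a shared secret with a per-layer label (label chosen for this
// example) so each layer gets its own key and no key material is shared between them.
func layerKey(shared []byte, label string) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// GenerateInnerKeyPair makes a fresh X25519 key pair for the inner layer's agreement step.
func GenerateInnerKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// InnerKeyFromECDH derives the inner-layer AES key from our private key and the peer's public key.
func InnerKeyFromECDH(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return layerKey(shared, "inner-layer-v0"), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBox encrypts msg with AES-256-GCM; the output is nonce || ciphertext || tag.
func sealBox(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, msg, nil), nil
}

// openBox reverses sealBox and fails on any modification of the box.
func openBox(key, box []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("box too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// Overhead returns the bytes one AES-GCM layer adds to a record (nonce + tag).
func Overhead() int {
	aead, _ := newGCM(make([]byte, 32))
	return aead.NonceSize() + aead.Overhead()
}

// Layered seals with the inner key first, then the outer key, so the outer
// layer only ever sees inner ciphertext.
func Layered(innerKey, outerKey, msg []byte) ([]byte, error) {
	innerBox, err := sealBox(innerKey, msg)
	if err != nil {
		return nil, err
	}
	return sealBox(outerKey, innerBox)
}

// Unlayer strips the outer layer and then the inner one.
func Unlayer(innerKey, outerKey, box []byte) ([]byte, error) {
	innerBox, err := openBox(outerKey, box)
	if err != nil {
		return nil, err
	}
	return openBox(innerKey, innerBox)
}

func main() {
	alice, _ := GenerateInnerKeyPair()
	bob, _ := GenerateInnerKeyPair()
	innerKey, _ := InnerKeyFromECDH(alice, bob.PublicKey())
	outerKey := make([]byte, 32) // stands in for the outer protocol's session key
	io.ReadFull(rand.Reader, outerKey)
	msg := []byte("constructed sample record")
	box, _ := Layered(innerKey, outerKey, msg)
	fmt.Printf("%d-byte record -> %d bytes (%d bytes per layer)\n", len(msg), len(box), Overhead())
	got, err := Unlayer(innerKey, outerKey, box)
	fmt.Println(string(got), err)
}
```

Each layer here costs 28 bytes per record (a 12-byte nonce and a 16-byte tag) plus one AES-GCM pass, which is the order of magnitude the message has in mind. The inner key is derived only from the X25519 secret and the outer key comes from elsewhere, so a weakness in the outer handshake leaks nothing about the inner key; the converse holds as well.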

