[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

John Kelsey crypto.jmk at gmail.com
Sun Oct 13 01:28:03 EDT 2013


On Oct 12, 2013, at 6:51 AM, Ben Laurie <ben at links.org> wrote:
...
> AIUI, you're trying to make it so that only active attacks work on the
> combined protocol, whereas passive attacks might work on the outer
> protocol. In order to achieve this, you assume that your proposed
> inner protocol is not vulnerable to passive attacks (I assume the
> outer protocol also thinks this is true). Why should we believe the
> inner protocol is any better than the outer one in this respect?

The point is, we don't know how to make protocols that really are reliably secure against future attacks.  If we did, we'd just do that. 


My hope is that if we layer two of our best attempts at secure protocols on top of one another, then we will get security because the attacks will be hard to get through the composed protocols.  So maybe my protocol (or whatever inner protocol ends up being selected) isn't secure against everything, but as long as its weaknesses are covered up by the outer protocol, we still get a secure final result.  

One requirement for this is that the inner protocol must not introduce new weaknesses.  I think that means it must not:

a.  Leak information about its plaintexts in its timing, error messages, or ciphertext sizes.  

b.  Introduce ambiguities about how the plaintext is to be decrypted that could mess up the outer protocol's authentication.  

I think we can accomplish (a) by not compressing the plaintext before processing it, by using crypto primitives that don't leak plaintext data in their timing, and by having the only error message that can ever be generated from the inner protocol be essentially a MAC failure or an out-of-sequence error.  

I think (b) is pretty easy to accomplish with standard crypto, but maybe I'm missing something.  

...
> Particularly since you're using tainted algorithms ;-).

If using AES or P256 are the weak points in the protocol, that is a big win.  Right now, we aren't getting anywhere close to that.  And there's no reason either AES or P256 have to be used--I'm just looking for a simple, lightweight way to get as much security as possible inside some other protocol.  

--John


