[Cryptography] The One True Cipher Suite

[Bill Stewart]

At 04:42 AM 9/10/2013, Jerry Leichter wrote:
>On Sep 9, 2013, at 12:00 PM, Phillip Hallam-Baker wrote:
> > Steve Bellovin has made the same argument and I agree with it. 
> Proliferation of cipher suites is not helpful.
> > The point I make is that adding a strong cipher does not make you 
> more secure. Only removing the option of using weak ciphers makes 
> you more secure.

The reason you need to be able to support more than one cipher suite 
is so that you've got a mechanism for removing one if it's discovered 
to be weak in the future, and for adding a new one if none of your 
remaining suites are still strong.

>1.  If everyone uses the same cipher, the attacker need only attack 
>that one cipher.
>2.  If there are thousands of ciphers in use, the attacker needs to 
>attack some large fraction of them.

If there are thousands of ciphers in use, it's generally easier for 
the attacker to get people to use one of the weak ones
than to attack a large fraction of the not-currently-known-to-be-weak ones.

The big problem PGP ran into with compatibility wasn't so much 
because of cipher suites (after Bass-O-Matic was replaced),
though avoiding the IDEA patent became important after violating the 
RSA patent wasn't a problem,
but because it did too much bit-twiddling to use variable-length 
fields and was sloppy about boundaries,
which made it easy to exploit.