[Cryptography] Is it time for a revolution to replace TLS?

Tony Arcieri bascule at gmail.com
Wed Apr 23 17:26:36 EDT 2014


On Sat, Apr 19, 2014 at 9:31 AM, Sandy Harris <sandyinchina at gmail.com> wrote:

> One criterion, I think, is that forward secrecy is a MUST.
>

Definitely


>  I'd also have MUST support AES


Sure, we have AES-NI, and aside from silly things like Biclique attacks and
related key attacks (which should be mitigated by a good key agreement
protocol) AES is free of dangerous confidentiality-breaking cryptanalysis.
So yes, AES, definitely, and preferably an authenticated mode of AES like
AES-GCM.

> SHOULD support the other AES finalists with open licenses (Twofish, MARS
> & Serpent).
>

Why bother? Few people use these ciphers and with AES-NI there's no reason
to. We should look to more modern authenticated ciphers like the CAESAR
finalists and things like ChaCha20/Poly1305.


> > 2) Better key exchange (Tcpcrypt is also tackling this)
>
> Is it perhaps time for another look at Photuris? That was a simpler
> alternative to IPsec, might still have useful ideas to offer. There
> are RFCs.
>

There are also these papers, linked from the OP:


   - Modular Security Proofs for Key Agreement <http://www.isg.rhul.ac.uk/~kp/ModularProofs.pdf>
   - Security Analysis of KEA Authenticated Key Exchange Protocol <https://research.microsoft.com/en-us/um/people/klauter/security_of_kea_ake_protocol.pdf>
   - Stronger Security of Authenticated Key Exchange <https://research.microsoft.com/pubs/81673/strongake-submitted.pdf>
   - Anonymity and one-way authentication in key exchange protocols <http://cacr.uwaterloo.ca/techreports/2011/cacr2011-11.pdf>

> Can we get rid of certificates instead?
>

For practical reasons I don't think so, but this deserves more discussion.

-- 
Tony Arcieri