[Cryptography] a question on consensus over algorithmic agility

Tony Arcieri bascule at gmail.com
Wed Jun 25 17:45:03 EDT 2014


On Wed, Jun 25, 2014 at 8:01 AM, ianG <iang at iang.org> wrote:

>      1.  Do you believe that in the general case for the security for the
> net, (a) security protocols MUST be agile w.r.t. cryptography ciphers?
> OR, in the negative, no, protocols may set one cipher and stick with it.


I think it makes sense to provide a "backup" cipher in the event that it
can be used to work around things like protocol bugs. This happened when
BEAST was discovered. We can try to hope that next generation protocols
won't suffer BEAST-style design flaws since they're built on authenticated
encryption, but having a backup cipher makes sense.

That said, I think the assemble-your-own-ciphersuite approach has totally
failed. We wind up with ciphersuites that look like:

*ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK*

Taken from:
https://wiki.mozilla.org/Security/Server_Side_TLS#Non-Backward_Compatible_Ciphersuite

...and this isn't even the even more complex "backwards compatible"
ciphersuite!

A much simpler approach might be to create "one ciphersuite to rule them
all" that's versioned with a major number. We could choose something like
this for ciphersuite 0:

0.0: chacha20poly1305
0.1: aes-256-gcm
0.2: aes-128-gcm

-- 
Tony Arcieri
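As an added illustration (not code from this post or the thread), a small Python model of the proposal above: one fixed, versioned ciphersuite negotiated by minor number, where an operator-disabled entry stands in for the BEAST-style "backup cipher" case, beside a minimal parser for the OpenSSL-style string quoted earlier. The names SUITES, negotiate and parse_openssl_cipher_string are assumptions of this example.

```python
from typing import Optional, Sequence

# Hypothetical "ciphersuite 0": the fixed, versioned list from the post.
# Minor number = position; lower minor = more preferred, later entries are backups.
SUITES = {
    0: ("chacha20poly1305", "aes-256-gcm", "aes-128-gcm"),
}

# The Mozilla string quoted in the post, kept verbatim for comparison.
MOZILLA_SPEC = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

def parse_openssl_cipher_string(spec: str) -> tuple[list[str], list[str]]:
    """Split an OpenSSL-style cipher string into enabled tokens and '!'-exclusions.

    Only the ':' and '!' syntax is handled; that is enough to show how much
    state such a string carries compared with a versioned suite.
    """
    enabled, excluded = [], []
    for token in spec.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif token:
            enabled.append(token)
    return enabled, excluded

def negotiate(server_major: int,
              client_offer: Sequence[tuple[int, int]],
              disabled: frozenset[str] = frozenset()) -> Optional[tuple[int, int, str]]:
    """Server-side choice for a versioned ciphersuite.

    The client offers (major, minor) pairs. The server accepts only its own
    major version and walks its suite in preference order, skipping any cipher
    an operator has disabled (the "backup cipher" workaround the post describes).
    Returns (major, minor, cipher name), or None if nothing is shared.
    """
    suite = SUITES.get(server_major)
    if suite is None:
        return None
    offered = {minor for major, minor in client_offer if major == server_major}
    for minor, name in enumerate(suite):
        if minor in offered and name not in disabled:
            return (server_major, minor, name)
    return None

if __name__ == "__main__":
    # Constructed: a client that supports all of ciphersuite 0.
    client = [(0, 0), (0, 1), (0, 2)]
    print(negotiate(0, client))                                            # (0, 0, 'chacha20poly1305')
    print(negotiate(0, client, disabled=frozenset({"chacha20poly1305"})))  # (0, 1, 'aes-256-gcm')
    enabled, excluded = parse_openssl_cipher_string(MOZILLA_SPEC)
    print(len(enabled), len(excluded))                                     # 21 8
```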