[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

dan at geer.org
Thu Mar 13 23:46:48 EDT 2014

 | >Let's stipulate that you are entirely correct.  How do we react if
 | >we are to learn the lessons of history, etc.?  Can a lack of
 | >speedups-to-come be itself relied upon enough to factor that into
 | >design decisions yet to be made, such as to put aside any need to
 | >design in resistance to a sped-up future or to demand specialized
 | >chipsets for devices that will have no remote management interface?
 | First, we get no relief from the danger of exhaustive search. It
 | is trivial to parallelize.
 | If we are interested in security, then we must (a) be willing
 | and financially able to throw away the device, (b) be able to
 | upgrade it, or (c) be willing to lose security. The cynic in me
 | says we will always choose the (c), at least until we have been
 | personally burned.

I agree both with the choice set and the cynicism.

If I ran the zoo, I would leave the decision on whether an embedded
system does or does not have a remote management interface to the
entity that deploys them subject to a 2-tuple of choices, to wit:

 * Embedded systems that have a remote management interface must
 be certified by their maker to be designed such that when said
 remote management interface is operated according to spec, the
 maker shall be found negligent, per se, were the management interface
 found to have been jimmied by an attacker.

 * Embedded systems that have no remote management interface shall
 be so designed as to die without fail no later than some fixed
 time, which time is stated in advance.

This precludes, and I mean by statute, the possibility of an embedded
system being at once blamelessly immortal, unupdatable, and vulnerable.

Thank you for writing.

