[Cryptography] Cipher death notes

Phillip Hallam-Baker phill at hallambaker.com
Fri Apr 3 11:36:48 EDT 2015

On Wed, Apr 1, 2015 at 5:57 PM, Ben Laurie <ben at links.org> wrote:
> On 1 April 2015 at 15:40, Lodewijk andré de la porte <l at odewijk.nl> wrote:
>> 2015-04-01 20:22 GMT+09:00 ianG <iang at iang.org>:
>>> We can imagine the WGs worrying about the security effects of that.  Can
>>> someone craft a virus that turns off *all* ciphers?  If the IoT thing is 20
>>> years old and switches the cooling water on a NY nuclear powerstation, is it
>>> clearly more secure by eliminating its 20 year old cipher?  Does the
>>> fallback to cleartext make the effect of the last cipher dropping off worse?
>>> Is letting someone hack the cipher worse or better than disabling access?
>> It would probably decline all communication (fail to negotiate a
>> protocol), which seems fine to me.
> So, you think declining to control a nuclear power plant because some minor
> device had a security issue is fine?

When I proposed the same scheme (based on Rivest/Shamir suicide notes)
in the wake of the SHA-1 breach, I got two responses:

1) A cipher becomes unfit for use long before it is possible to
perform the hardest attacks. SHA-1 has not been broken, even MD5 is
not completely broken. It will never be possible to extract a DES key
used to encrypt a random plaintext. etc.

2) What do you do if the note is activated?

The second question is one that the folk who think DNSSEC is a
mechanism for securing the DNS have never really had an answer for.
What do I do if the DNSSEC chain does not validate?

It is also a problem in a lot of spam control schemes. It is easy to
write a procedure that does the right thing in situation A. It is easy
to write a procedure that does the right thing in situation B. But
when you don't know ahead of time whether you are in situation A or
situation B, the trivial solution which builds the decision into the
process no longer works.
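One way to model the "death note" scheme the thread is arguing about, as an added example that is not part of this message or the list discussion: each suite carries an optional expiry date, negotiation reports separately that all shared suites have expired (rather than silently falling back), and a distinct policy layer decides between declining to communicate and an explicitly audited degraded mode. Suite names, strength rankings and dates below are constructed placeholders, not real algorithms or real deprecation dates.

```python
"""Cipher 'death notes' (expiry dates) with negotiation that separates
*detecting* that every shared suite has died from *deciding* what to do.
Constructed example: suite names, strengths and dates are illustrative."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Union


class Outcome(Enum):
    OK = "ok"                # a live common suite was chosen
    NO_COMMON = "no_common"  # peers share no suite at all
    ALL_DEAD = "all_dead"    # shared suites exist, but each is past its death note


class Policy(Enum):
    FAIL_CLOSED = "fail_closed"     # decline all communication
    DEGRADED_AUDITED = "degraded"   # keep talking on the strongest dead suite, but record it


@dataclass(frozen=True)
class Suite:
    name: str
    strength: int                # constructed relative ranking; higher is stronger
    death_date: Optional[date]   # None means no death note has been issued

    def is_dead(self, today: date) -> bool:
        return self.death_date is not None and today >= self.death_date


# Constructed local registry; dates are placeholders, not real sunset dates.
LOCAL_SUITES = (
    Suite("legacy-suite-1", strength=1, death_date=date(2010, 1, 1)),
    Suite("legacy-suite-2", strength=2, death_date=date(2017, 1, 1)),
    Suite("modern-suite-3", strength=3, death_date=None),
)


def negotiate(peer_offer, today: Union[str, date], local=LOCAL_SUITES):
    """Pick the strongest suite both sides support that is still alive.

    Returns (Outcome, Suite or None).  When every shared suite is dead the
    strongest dead one is returned alongside ALL_DEAD so the policy layer
    can decide; the negotiation step itself never chooses a fallback.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    offered = set(peer_offer)
    common = [s for s in local if s.name in offered]
    if not common:
        return Outcome.NO_COMMON, None
    live = [s for s in common if not s.is_dead(today)]
    if not live:
        return Outcome.ALL_DEAD, max(common, key=lambda s: s.strength)
    return Outcome.OK, max(live, key=lambda s: s.strength)


def decide(outcome: Outcome, suite: Optional[Suite], policy: Policy, audit: list):
    """Apply the operator's policy to a negotiation result.

    `audit` collects a record of every refusal or degraded decision.  Returns
    the suite to use, or None meaning 'do not communicate'.  Cleartext is
    never an option: NO_COMMON has nothing to degrade to.
    """
    if outcome is Outcome.OK:
        return suite
    if outcome is Outcome.NO_COMMON:
        audit.append("refused: no common suite")
        return None
    # outcome is ALL_DEAD; only an explicit policy may keep the session alive
    if policy is Policy.FAIL_CLOSED:
        audit.append(f"refused: all shared suites dead (strongest was {suite.name})")
        return None
    audit.append(f"degraded: using dead suite {suite.name} under explicit policy")
    return suite


if __name__ == "__main__":
    log = []
    outcome, suite = negotiate(["legacy-suite-1", "legacy-suite-2"], "2020-01-01")
    print(outcome, decide(outcome, suite, Policy.FAIL_CLOSED, log), log)
```

The point of splitting `negotiate` from `decide` is the one made above: the same negotiation procedure is correct whether the operator wants situation A (refuse) or situation B (stay up on a weakened suite), because the choice is a parameter supplied at deployment rather than something baked into the handshake, and every degraded decision leaves an audit record.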
