[Cryptography] upgrade mechanisms and policies

Arnold Reinhold agr at me.com
Tue Apr 14 12:29:17 EDT 2015


> 
> On Sun, 12 Apr 2015 16:44 Ian G wrote:
> ...
> 
> The question we are trying to answer is whether there is *any general 
> case where any user choice in security* is better than no choice at all.

My approach to providing alternative cypher suites would be to use superencryption for the alternates. (Here superencryption is meant broadly for each primitive, e.g. dual sigs & hashes.)

So if one has a primary ciphersuite A and backup suite B, the protocol would offer a choice of A or A*B, where * denotes superencryption. 

If A is ever compromised we kill A, switch to A*B as an interim, select a new backup, C, perhaps based on lessons learned from the break in A. We then upgrade as many systems as possible to a new protocol version that supports B, B*C and, for backwards compatibility, A*B.  

If B is compromised but not A, we pick C and upgrade to A and A*C. 

In the unlikely event both A and B are compromised simultaneously there is still a good chance A*B will remain strong. 

The switch from primary to backup is always safe for end users and of little use to attackers. It imposes a performance hit, but mainly on servers which can be beefed up temporarily until most clients upgrade. Switching ciphersuites then becomes more of an "in case of emergency break glass" situation. 

Arnold Reinhold
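As an added illustration, not part of Arnold's post or the thread, here is a small Python model of the offer set ("A" or "A*B") and of superencryption applied to one primitive, a MAC, using two independently keyed HMACs; the suite letters follow the post, while the hash choices, key handling and the simulated compromise of A are my own assumptions.

```python
import hmac
import secrets

# Constructed suite registry (my labels, following the post): each suite is
# an independently keyed MAC, so "A*B" means both primitives in cascade.
SUITES = {"A": "sha256", "B": "sha3_256", "C": "blake2s"}

def components(offer):
    """'A*B' -> ['A', 'B']; '*' denotes superencryption as in the post."""
    return offer.split("*")

def offers(primary, backup):
    """The protocol only ever offers the primary alone or primary*backup."""
    return [primary, f"{primary}*{backup}"]

def survives(offer, broken):
    """An offer stays usable while at least one component suite is unbroken."""
    return any(s not in broken for s in components(offer))

def cascade_tag(offer, keys, msg):
    """Tag under an offer: the independent tag of each component, concatenated."""
    return b"".join(hmac.new(keys[s], msg, SUITES[s]).digest() for s in components(offer))

def cascade_verify(offer, keys, msg, tag):
    """Accept only if every component tag is correct (constant-time compare)."""
    return hmac.compare_digest(cascade_tag(offer, keys, msg), tag)

def forgery_rejected(keys, msg=b"constructed forged message"):
    """Model the compromise of suite A: a party that can produce any A tag
    (simulated here by holding key A) but nothing for B still fails A*B."""
    leaked = dict(keys, B=b"\x00" * 32)           # key B is not available
    forged = cascade_tag("A*B", leaked, msg)
    return not cascade_verify("A*B", keys, msg, forged)

def after_break(primary, backup, broken, replacement):
    """The post's upgrade rules: returns (new primary, new backup, legacy offers)."""
    if broken == primary:   # kill A, promote B, add C, keep A*B for old clients
        return backup, replacement, [f"{primary}*{backup}"]
    if broken == backup:    # A is fine: keep it and replace only the backup
        return primary, replacement, []
    raise ValueError(f"{broken} is not in the current offer set")

if __name__ == "__main__":
    keys = {s: secrets.token_bytes(32) for s in SUITES}
    msg = b"constructed sample record"
    t = cascade_tag("A*B", keys, msg)
    print(cascade_verify("A*B", keys, msg, t), forgery_rejected(keys))
    print(after_break("A", "B", "A", "C"))
```

The cost the post mentions is visible in the tag length: an A*B tag is the sum of both component tags, and verification must compute both.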