[Cryptography] asymmetric attacks on crypto-protocols - the rough consensus attack

ianG iang at iang.org
Thu Aug 6 11:24:18 EDT 2015


On 5/08/2015 21:25 pm, John Kelsey wrote:
> I wonder what fraction of the time people invent their own crypto algorithms and protocols, and the result is better than the standard stuff.  I'm guessing the fraction is small enough that it needs quite a few significant digits to be distinguishable from zero.


It's a little bit difficult to tell because often there is substantial 
cross-fertilisation, and sometimes successful protocols go from base 
invention and then into standardisation (some would argue that is the 
meaning of the word standardisation...).

E.g., in terms of successes, SSL, SSH, Skype, PGP, Bitcoin, OTR, were all 
invented outside standards bodies.

Most of those went into standards, but arguably their best work [1] was 
done beforehand.

Practically all ciphers are done outside standards bodies, although one 
could argue that AES was done within a "standards" context.

In terms of failures, IPSec, DNSSEC, Secure Telnet, were invented inside 
the standards process.  Wifi 802.11?

S/MIME was inside, as far as I know, and could be called as much a 
success as PGP at invading the email world, debatable.  GSM was inside a 
standards process, and was a success, notwithstanding the bugs and 
interferences found.

So all in all, for my count, the answer is closer to 100% than 0%.

The difference might be in the way we define 'better'.  I define 'better 
security' as what is delivered and deployed and protected to users, as 
opposed to what they miss out on.  So SSL is a failure in my definition 
because it only covers about 1% of browsing [2], and its authentication 
is too easily bypassed.  Whereas others define 'better security' 
according to some standard model such as CIA in a lab setting.  In which 
case they define SSL as a success because it meets those criteria.  Yet 
others might go further and define 'better' as a loss-rate difference, 
but we don't have the data to support that as yet, IMHO, except in the 
case of phishing.

It's certainly a very good question and it should be widely debated.

I'd even go so far as to say it's a topic that should be researched and 
mined.  Someone needs to do a big table with protocols down the side, 
and metrics of success across the top.... [3]  A masters project?



iang



[1] by "best" I mean the best bang for buck.
[2] may be higher by now, haven't seen any figures on this lately.
[3] like this:
http://iang.org/ssl/security_metrics.html#balance


> On Aug 4, 2015, at 2:06 PM, dj at deadhat.com wrote:
>
>>>> On 2/08/2015 16:56 pm, Dan McDonald wrote:
>>>>> On 1 August 2015 at 21:27, ianG <iang at iang.org> wrote:
>>>
>>>
>>> NIH == not invented here?  Yes, I see that.
>>
>> I'm currently in the process of developing a security protocol spec in a
>> standards group, that will be deployed everywhere.
>>
>> The reverse seems to be true. There is a desire to do some things new
>> (specifically to avoid X.509 and NIST curves and make things as brutally
>> simple as possible), but there is a NISE (Not invented somewhere else)
>> crowd that calls for external specs we can point to for all crypto things.
>> This leads down the slippery path to NIST, DSA and X.509.


