[Cryptography] FREAK attack

Jerry Leichter leichter at lrw.com
Thu Mar 5 14:14:48 EST 2015

On Mar 5, 2015, at 8:10 AM, Salz, Rich <rsalz at akamai.com> wrote:
> I know you hate cryptographic agility.  So, riddle me this.
> Make a timeline for the past 15 years.  Which ONE cipher suite should SSL/TLS have used?
There's an elephant in the room that we don't like to talk about:

*Security is fundamentally incompatible with backwards-compatibility.*

Once RSA-512 becomes readily factorable, an implementation built when it was not can never be secure again.  If a new implementation supports a backwards-compatibility mode, it's an *insecure* backwards-compatibility mode.

As software and hardware guys, we generally hold backwards compatibility as one of our highest goals.  We know all the tricks for making the new stuff work with the old.  We insist that our old stuff work with our new stuff.  We bitch and moan that Apple - and increasingly other vendors - makes it impossible to revert from release N back to release N-1.  "They broke feature X in release N!  I insist on my right to move back!"

But the fact is that security is *different*.  Security will never move forward if devices can be forced back to old modes of operation, or if software can be reverted - perhaps by an attacker - to a previous, insecure state.

So I'd pose things differently:

In a world where backwards-compatibility is sacrosanct, algorithm-agility has a *potential* to work - but as we've seen, in practice, it's a continuing source of effective downgrade attacks of different sorts.  "If the software were better implemented..." is just wishful thinking.  There's no evidence anyone can get this right.

In a world liberated from backwards-compatibility, your question can be seen to be based on a bad assumption:  That 15 years ago, you had to pick one good suite once and for all.  No, 15 years ago, you would have picked one suite that provided adequate security at acceptable cost, given the knowledge and technology of the time.  And then 5 or 10 years later, if the tradeoffs had shifted, you would have chosen a *different* single good suite.

The new suite *supplants* the *old*; it doesn't *supplement* it.  When the engine goes on your old car and it's no longer repairable, you supplant it with a new one; if you "supplement" it, you're soon in possession of a yard full of junkers on blocks.

BTW, some of the most successful companies in the tech world have, to a large degree, rejected the cult of "backwards compatibility".  Apple's an obvious one, but Google and every other web app-based company downloads the latest version of the software into your browser.  No, you can't go back to last week's version.

                                                        -- Jerry
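The downgrade mechanism the message refers to, shown as an added example that is not part of Jerry's post or of any TLS implementation. It is a constructed toy model of the cipher-suite negotiation step only (no real TLS records, no key exchange); the four suite codes are real IANA identifiers, while the client/server lists, the `strip_to_export` attacker and the `handshake` helper are assumptions made for the illustration. It contrasts a "supplemented" server that still carries the export suites with one that has supplanted them, and a client that does or does not verify the server's choice against its own offer.

```python
"""Cipher-suite negotiation with and without a downgrade-capable
backwards-compatibility mode.

Constructed example: the suite codes are real IANA TLS cipher-suite
identifiers; everything else is a toy model of the negotiation step.
No real TLS records are built and no key exchange is performed.
"""
from typing import Callable, List, Optional

# Real IANA cipher-suite codes. The EXPORT suites are the 1990s
# 40-bit / 512-bit-RSA compatibility suites that FREAK forced.
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}

# Assumed configurations for the illustration (not from the original post).
COMPAT_CLIENT = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                 TLS_RSA_EXPORT_WITH_RC4_40_MD5]          # "supplemented": still offers export
STRICT_CLIENT = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
COMPAT_SERVER = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
                 TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA]
STRICT_SERVER = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]

Rewriter = Callable[[List[int]], List[int]]


class HandshakeFailure(Exception):
    """Stands in for a fatal handshake_failure alert."""


def server_select(offered: List[int], supported: List[int]) -> int:
    """Server-preference selection: the first suite in the server's own
    preference order that the client offered; fails closed otherwise."""
    for suite in supported:
        if suite in offered:
            return suite
    raise HandshakeFailure("no shared cipher suite")


def client_check(selected: int, offered: List[int]) -> None:
    """The client must refuse a suite it never offered.  A client that
    skips this check can be steered into a suite only the attacker chose."""
    if selected not in offered:
        raise HandshakeFailure(f"server selected 0x{selected:04X}, which was not offered")


def strip_to_export(offered: List[int]) -> List[int]:
    """On-path attacker rewrites the ClientHello to advertise only export
    suites, inserting them if the client offered none (assumed attacker)."""
    kept = [s for s in offered if s in EXPORT_SUITES]
    return kept or sorted(EXPORT_SUITES)


def handshake(client_offer: List[int], server_support: List[int],
              attacker: Optional[Rewriter] = None, client_checks: bool = True) -> str:
    """Run one negotiation; return the selected suite code or the failure reason."""
    seen_by_server = attacker(client_offer) if attacker else list(client_offer)
    try:
        selected = server_select(seen_by_server, server_support)
        if client_checks:
            client_check(selected, client_offer)
    except HandshakeFailure as exc:
        return f"FAIL: {exc}"
    return f"0x{selected:04X}"


if __name__ == "__main__":
    print("no attacker, both compat:     ", handshake(COMPAT_CLIENT, COMPAT_SERVER))
    print("stripped, both compat:        ", handshake(COMPAT_CLIENT, COMPAT_SERVER, strip_to_export))
    print("stripped, server supplanted:  ", handshake(COMPAT_CLIENT, STRICT_SERVER, strip_to_export))
    print("injected, client unchecked:   ", handshake(STRICT_CLIENT, COMPAT_SERVER, strip_to_export, False))
    print("injected, client checked:     ", handshake(STRICT_CLIENT, COMPAT_SERVER, strip_to_export, True))
```

The second line of output is the point of the message: with both ends keeping the old suite as a compatibility mode, the downgrade succeeds even though every check in the toy passes, because the attacker only removed options that both sides still honour. Only the server that has actually removed the export suites (third line) fails closed; the client-side check (last two lines) helps solely when the client itself never offered the weak suite.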
