[Cryptography] open questions in secure protocol design?

dj at deadhat.com dj at deadhat.com
Thu May 28 14:31:29 EDT 2015

> On 5/26/15 at 1:21 PM, stephen.farrell at cs.tcd.ie (Stephen
> Farrell) wrote:
>>For me the term "one true cipher suite" carries with it an
>>obvious implication that it's proponents consider every other
>>approach is wrong.
> I would say that "one true cipher suite" means that the
> designers have picked a suite they consider adequate and chose
> to avoid the complexity of negotiation, not that the other
> choices are wrong.

That's a bit close to home right now. I'm working on defining just such a
protocol in a standrd. I'm pushing for (It's a multi company thing)
'algorithm migration' in place of algorithm agility or 1TCS.

Yes it is because algorithm agility is a black hole into which complexity
goes in and from which Hawking-bugs comes back out. I don't want that in
the spec. I don't want the complexities and cost of TLS and X.509 and all
that goes with it.

1TCS is a problem for reasons that have already been discussed.

The context is hardware devices, usually low-cost, with an undefined but
certainly finite lifetime.

Algorithm migration in this context means:

1) We start with algorithm version 1. It is a suite of algorithms chosen
wisely to be considered good for several years. Where 'several' is long
compared with the typical lifespan of the devices.

2) New algorithms are adopted by the standards body in sequence (1,2,3..)
when there is a reason to (example sha1 looked shaky years before it
failed). The algorithm list is in time order. There's no branching or a
menu to choose from or negotiate.

3) New devices implement the current algorithm version and the next
algorithm version if it exists.

4) When the new algorithm version is widely deployed, policy is updated to
deprecate the old algorithm version.

So algorithm migration is a slow migration from one cipher-suite to the
next, when supported by deployed hardware. No a run time negotiation
between many cipher-suites. The cadence may be 1 decade.

If this turns out to be bad idea, people will know who to blame. But I'm
pretty sure algorithm agility and 1TCS is a bad idea.

More information about the cryptography mailing list