[Cryptography] open questions in secure protocol design?
iang at iang.org
Fri May 29 21:24:04 EDT 2015
On 30/05/2015 01:08 am, Tony Arcieri wrote:
> On Fri, May 29, 2015 at 7:30 AM, ianG <iang at iang.org
> <mailto:iang at iang.org>> wrote:
> PGP to 2.6.
> Oh god... no, strongly disagree.
> $ gpg --gen-key
> gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
Out by 18 years - that's gpg, not pgp. 2.6 was marked for demise in
1997 when pgp5 was released to the world in 1997. Those crazy Dutch.
Which latter pgp5 had the new shiny algorithmic agility upgrade, dammit.
> Please select what kind of key you want:
> (1) RSA and RSA (default)
> (2) DSA and Elgamal
> (3) DSA (sign only)
> (4) RSA (sign only)
> Your selection?
> ^^^ this is an unusable mess
A+ agree. It should be RSA only. They should have dropped the rest
after the patent expired. Those crazy Germans. I see you agree in
follow-on post. But this:
> The idea of "One True Ciphersuite" complicates the elimination of
> outmoded ciphers that should no longer be supported.
Huh? What is this? Blame the victim? I am pretty sure the author of
gpg isn't blaming me because he can't get rid of DSA/Elgamal ;)
> Proprietary protocol. No comment. (I dislike proprietary protocols and
> they're harder to have opinions on since their internals are obscured)
Well. That isn't to deny that it worked, and it worked well, and it
walloped the competition, and and and. In some part, Skype's success
was due to the fact that the engineering of the protocol was not weighed
down by costly practices.
> My understanding is they abandoned end-to-end encryption, FWIW.
Post 2009, possibly. I'm assuming that the audit report from about 2006
is indicative until about 2009. Those crazy Americans. It wasn't the
engineers that decided to do that, for the beautification of the protocol.
> Strongly disagree. I have a long-form comment on this as part of this
> blog post (see "A Bitcoin Crypto Meltdown")
Except, you changed the topic. Coming back to the topic ... do you
disagree that Bitcoin uses one alg for each function? Oh wait, your
post is about how you agree that it's only using one alg.
Your real disagreement is that you don't like that it is using one
alg, and predict it will therefore melt-down :)
So, we're now dividing along the lines of FUD. If what you fear comes
true, you're right, but there's always a version change. If what you
fear doesn't come true, I'm right, but there's always tomorrow.
"How can Bitcoin avoid these sorts of attacks in perpetuity?"
Actually, I suspect regardless of our views, Bitcoin is locked into the
1TCS for now. Because if they add another algorithm, it is totally
worthless until every client has got it. Which to paraphrase Peter
"will make them think." And we will benefit from the experience.
> Silent Circle 
> Proprietary protocol. No comment.
So, just on that proprietary "no comment" it may be that we end up
deciding that where algorithm agility has to be used, and 1TCS can't be
used is ... protocols written jointly in WGs.
But that's not the same as protocols approved in WGs, protocols written
by a leader in a WG, protocols written by a corp then published, and etc