[Cryptography] open questions in secure protocol design?
Jerry Leichter
leichter at lrw.com
Sun May 31 10:50:25 EDT 2015
>> But what if the current algorithm fails suddenly?
>
> Oh not this old saw again. How many times has this happened with any
> properly-designed algorithm (DES, RC2, RC4, IDEA, RC5, AES, MD5, SHA-1,
> RIPEMD, SHA-2, RSA, DH, DSA, Elgamal, ECDSA, and so on)?
>
> Actually, it's never happened. Ever.
Well-studied modern *encryption algorithms* have never failed. But they are tiny pieces of cryptographic *systems*, which have failed fairly suddenly.
With respect to the inner core encryption algorithms, any mechanism to provide on-the-fly substitution will almost certainly *increase* the overall vulnerability of the system in which the encryption algorithm is embedded.
(BTW, I'm not sure MD5 really belongs comfortably on your list. Yes, people were worrying about it - but Wang and Yu's paper was still considered a significant breakthrough. And their techniques broke a number of other systems that weren't in use but that "the day before" might have looked like possible alternatives to MD5.)
> OTOH any mechanism deployed to deal with this is going to be something that
> can't easily be tested beforehand but that has to work perfectly, and
> perfectly securely, the first time it's used. Sort of like SDI, but not as
> simple and straightforward.
Indeed. This is another aspect of the problem - and, again, something that needs to be considered in an analysis of the *overall system*, including its fail-over modes. (One advantage of the "flip a coin to determine which cipher to use" is that it guarantees that both paths are regularly exercised. Not a reason to choose that approach, but something to consider in analyzing the entire design.)
-- Jerry
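The "flip a coin to determine which cipher to use" design mentioned above, as an added illustration that is not part of the original post: two independent MAC algorithms from the Python standard library (HMAC-SHA256 and HMAC-SHA3-256) stand in for the two ciphers, the sender picks one at random per message and sends its identifier in the clear with the tag computed over identifier plus message, and a counter records how often each path ran. The one-byte identifiers, the framing, the demo key and the function names are assumptions made for this example, not any deployed protocol.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed example: two MAC algorithms play the role of the two ciphers.
# Identifiers and framing are assumptions for this illustration only.
ALGORITHMS = {
    b"\x01": "sha256",    # path A
    b"\x02": "sha3_256",  # path B (independent design from SHA-2)
}

KEY = bytes(range(32))  # constructed demo key, never use a fixed key in practice

# Records how many times each path has been exercised by the sender.
path_counter = Counter()


def protect(key, message):
    """Coin-flip between the registered algorithms, then frame the message.

    The algorithm id is prefixed in the clear but is also covered by the tag,
    so a receiver can only verify with the algorithm the sender actually used.
    """
    alg_id = secrets.choice(sorted(ALGORITHMS))
    tag = hmac.new(key, alg_id + message, ALGORITHMS[alg_id]).digest()
    path_counter[alg_id] += 1
    return alg_id + message + tag


def verify(key, blob):
    """Recover and authenticate a message produced by protect().

    Raises ValueError on an unknown algorithm id or a failed tag check.
    """
    alg_id, rest = blob[:1], blob[1:]
    name = ALGORITHMS.get(alg_id)
    if name is None:
        raise ValueError("unknown algorithm id")
    tag_len = hashlib.new(name).digest_size
    if len(rest) < tag_len:
        raise ValueError("truncated frame")
    message, tag = rest[:-tag_len], rest[-tag_len:]
    expected = hmac.new(key, alg_id + message, name).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return message


def rejects(key, blob):
    """True if verify() refuses the frame; used to check the failure paths."""
    try:
        verify(key, blob)
    except ValueError:
        return True
    return False


def exercise(key, n=200):
    """Send n constructed messages through a round trip and report, per
    algorithm name, how many times each path was taken. With a fair coin the
    chance that either path is never exercised in 200 messages is 2**-199."""
    for i in range(n):
        msg = b"message %d" % i
        if verify(key, protect(key, msg)) != msg:
            raise AssertionError("round trip failed")
    return {ALGORITHMS[k]: v for k, v in path_counter.items()}


if __name__ == "__main__":
    print(exercise(KEY))
```

The counter is the operational point of the coin-flip design: both the sender's and the receiver's code for each algorithm run continuously, so a regression in the "other" path shows up in normal traffic rather than on the day it is first needed. The same counter also makes the cost visible, since an attacker now gets to choose which of the two paths to attack on any given message.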