[Cryptography] open questions in secure protocol design?

Jerry Leichter leichter at lrw.com
Sun May 31 10:50:25 EDT 2015


>> But what if the current algorithm fails suddenly? 
> 
> Oh not this old saw again.  How many times has this happened with any
> properly-designed algorithm (DES, RC2, RC4, IDEA, RC5, AES, MD5, SHA-1,
> RIPEMD, SHA-2, RSA, DH, DSA, Elgamal, ECDSA, and so on)?
> 
> Actually, it's never happened.  Ever.
Well-studied modern *encryption algorithms* have never failed.  But they are tiny pieces of cryptographic *systems*, which have failed fairly suddenly.

With respect to the inner core encryption algorithms, any mechanism to provide on-the-fly substitution will almost certainly *increase* the overall vulnerability of the system in which the encryption algorithm is embedded.

(BTW, I'm not sure MD5 really belongs comfortably on your list.  Yes, people were worrying about it - but Wang and Yu's paper was still considered a significant breakthrough.  And their techniques broke a number of other systems that weren't in use but that "the day before" might have looked like possible alternatives to MD5.)

> OTOH any mechanism deployed to deal with this is going to be something that
> can't easily be tested beforehand but that has to work perfectly, and
> perfectly securely, the first time it's used.  Sort of like SDI, but not as
> simple and straightforward.
Indeed.  This is another aspect of the problem - and, again, something that needs to be considered in an analysis of the *overall system*, including its fail-over modes.  (One advantage of the "flip a coin to determine which cipher to use" is that it guarantees that both paths are regularly exercised.  Not a reason to choose that approach, but something to consider in analyzing the entire design.)
                                                        -- Jerry
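The "flip a coin to determine which cipher to use" arrangement discussed above, as an added Python sketch that is not part of Jerry's post or the list thread. It uses two HMAC suites from the standard library as stand-ins for two ciphers; the sender flips a coin per message, the receiver's allowlist is the only thing that changes when one suite is withdrawn, and the suite identifier is bound into the tag so a packet cannot be re-labelled. The suite identifiers, wire layout and key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, FrozenSet, Optional

# Two independent MAC suites standing in for two ciphers (constructed for this example).
# Both produce 32-byte tags, which keeps the wire layout fixed.
SUITES: Dict[bytes, Callable[[bytes, bytes], bytes]] = {
    b"S256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    b"K256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

SUITE_ID_LEN = 4
TAG_LEN = 32


def protect(key: bytes, msg: bytes, choose=None) -> bytes:
    """Sender side: pick a suite by coin flip and tag the message under it.

    `choose` defaults to a CSPRNG choice; a deterministic callable can be passed
    for testing. Wire format (constructed): suite_id || tag || msg.
    """
    suite_id = (choose or secrets.choice)(sorted(SUITES))
    # Binding the suite id into the MAC input means swapping the id on the wire
    # invalidates the tag instead of steering the receiver to the other path.
    tag = SUITES[suite_id](key, suite_id + msg)
    return suite_id + tag + msg


def verify(key: bytes, packet: bytes,
           allowed: FrozenSet[bytes] = frozenset(SUITES)) -> Optional[bytes]:
    """Receiver side: accept only suites on the allowlist, never fall back.

    Returns the message on success, None on any failure.
    """
    suite_id = packet[:SUITE_ID_LEN]
    tag = packet[SUITE_ID_LEN:SUITE_ID_LEN + TAG_LEN]
    msg = packet[SUITE_ID_LEN + TAG_LEN:]
    if suite_id not in allowed or suite_id not in SUITES:
        return None  # withdrawn or unknown suite: reject outright
    expected = SUITES[suite_id](key, suite_id + msg)
    if not hmac.compare_digest(tag, expected):
        return None
    return msg


def exercise(key: bytes, n: int = 200) -> Dict[bytes, int]:
    """Send n messages over the coin-flip path and count which suite each used.

    The point of the scheme: both paths get traffic in normal operation, so a
    latent defect in either path surfaces before an emergency forces a switch.
    """
    counts = {sid: 0 for sid in SUITES}
    for i in range(n):
        pkt = protect(key, b"message %d" % i)
        counts[pkt[:SUITE_ID_LEN]] += 1
        if verify(key, pkt) is None:
            raise RuntimeError("self-check failed on suite %r" % pkt[:SUITE_ID_LEN])
    return counts


def withdraw(key: bytes, packets, withdrawn: bytes):
    """Fail-over: drop one suite from the receiver allowlist and re-verify.

    Packets tagged under the withdrawn suite are rejected; nothing else changes.
    """
    allowed = frozenset(SUITES) - {withdrawn}
    return [verify(key, p, allowed) for p in packets]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("suite usage over 200 messages:", exercise(key))
    pkts = [protect(key, b"m%d" % i) for i in range(6)]
    print("after withdrawing K256:", withdraw(key, pkts, b"K256"))
```

The receiver has no "try the other suite" branch on purpose: the failure mode of a withdrawn algorithm is rejection, which is what the allowlist implements. Whether that rejection is the right fail-over behaviour for a real system is exactly the whole-system question raised in the post.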