[Cryptography] open questions in secure protocol design?

Phillip Hallam-Baker phill at hallambaker.com
Sun May 31 10:00:19 EDT 2015


On Fri, May 29, 2015 at 10:23 AM, ianG <iang at iang.org> wrote:

> On 28/05/2015 00:58 am, Ray Dillinger wrote:
>
>> Yup.  On the one hand, 1TCS forces you to have a way of upgrading.
>
> The only difference then is that Algorithm Agility allows you to assume it
> away, whereas 1TCS forces you to consider it, by removing the crutch.


I think the original question was badly worded. The choices offered were
one child and 19 and counting. There are obvious problems with both. Which
is why most people look for an heir and a spare.

One of the problems with algorithm agility is that the mere ability to have
a hundred algorithms does not provide any agility in practice because the
tendency has always been to implement the current algorithm and a half
dozen legacy algorithms.

Microsoft .NET gives you lovely algorithm choices. If SHA-2-256 doesn't
meet your needs you can use MD5, SHA-1 or RIPEMD.

The reason it took so long to deprecate SHA-1 is the long tail of machines
from the era when regular O/S upgrades were expected. Even now there are
all those companies whose IT departments show their uncompromising
commitment to security by continuing to run Windows XP.

Which is why I think that for future protocols we have to have TWO
mandatory to implement algorithms, at least for not severely constrained
devices.
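The "heir and a spare" point above can be made concrete with a small negotiation model. The following is an added example, not code from the post or from any real protocol: the registry, the strength ranks, the endpoint names and the status labels are all constructed for illustration. It shows that a long list of supported algorithms is not agility when the list is mostly broken legacy ones, and that a protocol with a single mandatory-to-implement (MTI) algorithm hits a flag day the moment that algorithm is withdrawn, whereas two MTI algorithms leave a working overlap with peers that never updated.

```python
"""Hypothetical algorithm-agility model: one MTI algorithm versus two.

Everything here (registry, ranks, statuses, endpoint names) is constructed
for the example and does not describe any real protocol."""
import hashlib
from dataclasses import dataclass

# Constructed registry: strength rank (higher is preferred) and status.
REGISTRY = {
    "md5":      {"rank": 0, "status": "broken"},
    "sha1":     {"rank": 1, "status": "broken"},
    "sha256":   {"rank": 2, "status": "current"},
    "sha3_256": {"rank": 3, "status": "current"},
}


@dataclass
class Endpoint:
    name: str
    supported: list  # algorithms this implementation ships


def negotiate(client, server, registry=REGISTRY):
    """Pick the strongest algorithm both sides implement that is not marked
    broken.  Returns None when there is no acceptable overlap, i.e. the two
    peers cannot talk at all (a flag day)."""
    candidates = [a for a in client.supported
                  if a in server.supported
                  and registry[a]["status"] != "broken"]
    if not candidates:
        return None
    return max(candidates, key=lambda a: registry[a]["rank"])


def deprecate(registry, alg):
    """Return a copy of the registry with `alg` marked broken, e.g. after a
    practical attack is published.  The original registry is left intact."""
    updated = {name: dict(entry) for name, entry in registry.items()}
    updated[alg]["status"] = "broken"
    return updated


def transcript_hash(alg, data):
    """Hash a protocol transcript with the negotiated algorithm name, so the
    negotiated string is actually used rather than merely chosen."""
    return hashlib.new(alg, data).hexdigest()


def survives_deprecation(mti, deprecated_alg, registry=REGISTRY):
    """Can a fully updated peer still interoperate with a legacy peer that
    implements only the MTI set, once `deprecated_alg` has been withdrawn?

    mti: the protocol's mandatory-to-implement set (e.g. {"sha256"} or
         {"sha256", "sha3_256"})."""
    reg = deprecate(registry, deprecated_alg)
    legacy = Endpoint("legacy", list(mti))
    updated = Endpoint("updated",
                       [a for a in reg if reg[a]["status"] != "broken"])
    return negotiate(updated, legacy, reg) is not None


if __name__ == "__main__":
    # A peer shipping "the current algorithm and a half dozen legacy
    # algorithms" still negotiates the current one with an updated peer...
    legacy_heavy = Endpoint("legacy-heavy", ["sha256", "sha1", "md5"])
    modern = Endpoint("modern", ["sha3_256", "sha256"])
    print("legacy-heavy <-> modern:", negotiate(legacy_heavy, modern))
    # ...but a list made only of broken algorithms gives no agility at all.
    print("md5/sha1 only <-> modern:",
          negotiate(Endpoint("old", ["md5", "sha1"]), modern))
    # One MTI: withdrawing it is a flag day.  Two MTI: the spare carries.
    print("single MTI survives:", survives_deprecation({"sha256"}, "sha256"))
    print("two MTI survive:",
          survives_deprecation({"sha256", "sha3_256"}, "sha256"))
```

`negotiate` refuses anything marked broken even when both sides offer it, which is the check that turns a menu of algorithms into actual agility; `survives_deprecation` is the test a protocol designer would run against a proposed MTI set before publishing it.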