[Cryptography] [FORGED] The Energy Budget for Wireless Security shows cryptography is cheap

[dj at deadhat.com]

> Ryan Carboni <ryacko at gmail.com> writes:
>
>>This is a recurrent problem. Focusing on individual cipher costs while
>>ignoring protocol costs wastes time towards pointless optimizations which
>>could prove insecure and vulnerable (needless reductions in security
>>margins). ChaCha's speed likely does not add any true benefit when
>> asymmetric
>>cryptography is factored in.
>
> That's something that really needs saying.  The number of times I've had
> people come to me agonising about which algorithm(s) they can pare down to
> in
> embedded devices to save code space and CPU, when what they're using them
> with
> is massively complex and heavyweight security stacks like TLS or SSH (and
> then
> loading XML config files over their embedded web server).  For some reason
> everyone seems to focus on the crypto algorithm and forget about the fact
> that
> the crypto can run entirely in the RAM that their XML parser leaks every
> time
> it loads a file.
>
> Peter.
>

When we are designing protocols people actually use in products, we are
very much aware of the cost of the individual parts in compute time,
memory, storage, silicon area and user experience. It's good to have the
implementers involved.

A good goal is to minimize the number of underlaying algorithms, so the
pain of implementing them in hardware is reduced. E.G. Try and use AES for
ciphers, MACs, KDFs etc. Try and use one curve for the signing and key
agreement. Try and align the cryptographic strength so you are
implementing O(2^512) strength key agreement against an O(2^128) link
cipher.

If XML, ASN.1 or X.509 is involved, then that's outside any spec I'm
willing to write these days.