[Cryptography] On the Impending Crypto Monoculture

Florian Weimer fw at deneb.enyo.de
Sun Apr 3 05:12:11 EDT 2016


* Peter Gutmann:

> Then there's CCM, which is two-pass and therefore an instant fail
> for streaming implementations, which is all of the protocols
> mentioned earlier (since CCM was designed for use in 802.11 which
> has fixed maximum-size packets this isn't a failure of the mode
> itself, but does severely limit its applicability).

Authenticated encryption is always two-pass in the recipient because
you cannot start processing the data before you have authenticated it,
which requires the entire (sub)message.  Not everyone bothers to wait
with data processing until the authentication happens, of course.
(And the problem isn't specific to encrypting modes.)

I don't think it's a huge burden to have buffering on the sending side
as well.

(Regarding OCB, doesn't it need periodic rekeying at intervals that are
practically relevant?)

> current misguided attempts by politicians to limit mostly
> non-existent use of crypto by terrorists

I think you mean “strong crypto” or “algorithmic crypto”.  They use
codewords, which are a form of cryptography.

> What implementers are looking for is what Bernstein has termed
> boring crypto, "crypto that simply works, solidly resists attacks,
> never needs any upgrades" ("Boring crypto", Dan Bernstein).
> Bernstein and colleagues offer a silver bullet, something that
> appears better than anything else that's out there at the moment.

One problem to keep in mind is that it is still difficult to build actual
protocols from those primitives.  For example, if you ditch TLS in
favor of one of those minimal cryptographic libraries, it is likely
that your code which attempts to implement an encrypted byte stream on
top of them will be subject to replay attacks.
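The replay problem in the last paragraph, as an added example that is not part of the thread: a minimal Go record layer in which each AES-GCM record's nonce and associated data are derived from a per-direction sequence number the receiver tracks itself rather than reads off the wire, so a replayed, dropped or reordered record fails to authenticate, and plaintext is released only after the tag has verified (the buffering point made earlier in the reply). The type and function names (Endpoint, NewEndpoint, nonceFor, Seal, Open) and the all-zero test key are choices made here, not from any protocol or library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Endpoint is one direction of a record stream. Records are sealed with
// AES-GCM under a nonce derived from a 64-bit sequence number that is never
// sent on the wire: the receiver keeps its own counter, so a replayed, dropped
// or reordered record fails authentication instead of being accepted.
type Endpoint struct {
	aead cipher.AEAD
	seq  uint64
}

// NewEndpoint wraps an AES key (constructed example; use one key per direction).
func NewEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Endpoint{aead: aead}, err
}

// nonceFor fills GCM's 96-bit nonce with four zero bytes and the big-endian
// counter, so a nonce never repeats under one key.
func nonceFor(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts the next record; the nonce doubles as associated data, so the
// record's position in the stream is covered by the tag.
func (e *Endpoint) Seal(plaintext []byte) []byte {
	n := nonceFor(e.seq)
	e.seq++
	return e.aead.Seal(nil, n, plaintext, n)
}

// Open releases plaintext only after the tag verifies under the expected
// sequence number; on failure the counter stays put and the stream should be
// torn down rather than resynchronised.
func (e *Endpoint) Open(record []byte) ([]byte, error) {
	n := nonceFor(e.seq)
	pt, err := e.aead.Open(nil, n, record, n)
	if err != nil {
		return nil, errors.New("record rejected: bad tag, replay or reorder")
	}
	e.seq++
	return pt, nil
}
```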
