[Cryptography] USB 3.0 authentication

Ray Dillinger bear at sonic.net
Sun Apr 17 13:50:19 EDT 2016



On 04/14/2016 03:06 AM, Jerry Leichter wrote:


> But then you get to the use of
> "128-bit security for all cryptography", which is already sounding
> like a bit of overkill...

Y'know, I don't think I believe in the idea of cryptographic overkill as
such.  Not, at any rate, where there is a real need for that level of
crypto *in any application.*  For two reasons.

The first thing that makes me doubtful about "overkill" arguments is
that experience shows that the number of security flaws is proportional
to the number of choices among different moving parts in crypto
implementations.  And implementations of different security levels mean
different moving parts.

Somebody who needs 128-bit security, if they build it in an environment
that has a lot of these "wrong" parts lying around for the supposed need
to build lower-security products, is likely to end up with the classic
"vault door on a straw hut" situation. 128-bit encryption algorithm with
keys protected by passwords stored with 40-bit salt. Or 128-bit
encryption in a protocol that relies on 64-bit hash collision
resistance. Or, even worse, 128-bit encryption with a choice for one end
of the protocol to unilaterally opt down to 64-bit encryption. Or
whatever.  Why should all those wrong choices be available in the first
place given that even an ARM microcontroller is fast enough to do
full-strength real encryption at full USB3.0 speeds?

Second, the crypto somebody thought was overkill for a mere USB device
takes on a whole new set of requirements when someone uses a USB device
to secure high-grade secrets.  The people who really do need to rely on
this stuff sometimes don't have the practical ability to switch to
something that's not universally available or compatible with everything
else out there.  Overkill isn't overkill when we don't know the most
sensitive thing it will ever be used for.

And taking the recent noise about Quantum attacks seriously (jury's
still out, but security means being a pessimist) means 128-bit
encryption isn't such horrifying overkill as we used to think. In fact
if we really take the Quantum stuff seriously I'd be gritting my teeth
and setting 160-bit as the lowest acceptable bar.

				Bear






