[Cryptography] On the Impending Crypto Monoculture

Bill Frantz frantz at pwpconsult.com
Sun Mar 27 13:59:01 EDT 2016


On 3/27/16 at 3:23 AM, leichter at lrw.com (Jerry Leichter) wrote:

>If there's an AES monoculture, and AES is broken, every message 
>ever encrypted is broken, and until an alternative can be 
>established and fielded, every new message is also broken.  
>Extremely low probability event, immensely high cost.

The result depends on the break, but let's assume worst case. 
New messages are broken until a new protocol can be deployed.


>If there's an AES monoculture and a fallback, and AES is 
>broken, every existing message is broken, but future messages 
>are safe once you can get everything switched to the 
>alternative (which we'll assume is fairly quickly).

I think this assumption is quite weak. We need to get new code 
(even if it is just a configuration file) deployed. Our history 
of actually achieving this goal isn't particularly good, 
although with powerful devices (phones, laptops etc.) and 
Internet based operations, automatic update is improving the situation.

We still have a slow process in older devices which are no 
longer receiving first class support from their distributors. 
Android phones are a good example, but the older Macintosh which 
runs our living room projector hasn't seen an update from Apple in 
quite a few months. There's no compelling reason to replace it. 
It still works fine, and newer devices don't offer any 
compelling advantages. (Support for Bluray might be compelling.)

Until we can speed up switching to new standards or algorithms 
in old standards, we have a problem.


>If we choose k equally standard algorithms, and use different 
>algorithms in different situations, and any one of them is 
>broken, 1/k of previous messages ever encrypted is broken.  
>Once you can effectively blacklist the broken algorithm, future 
>messages are secure.  Since attackers now have k algorithms to 
>attack, perhaps their chances of breaking one are better - but 
>it's still an extremely low probability event, though costs 
>are now considerably lower.

In this case we also have the problem of bugs in the algorithm 
selection protocol and its implementations. We have a long 
history of these kinds of bugs in widely deployed protocols.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506      | it.                          | 16345 Englewood Ave
www.pwpconsult.com |              - Scott McNealy | Los Gatos, CA 95032