[cryptography] Commiittee disease
James A. Donald
jamesd at echeque.com
Sat Sep 11 06:20:05 EDT 2010
On 2010-09-10 12:39 PM, Ian G wrote:
> Also, algorithm agility can in theory replace the algorithms when
> broken. However this is a double-edged sword. It involves a lot of
> complexity (hence work and insecurity), and often doesn't work nearly as
> well as you'd hope. An example of this is the re-negotiation break in
> SSL. We are now in the presence of a roll-over of a broken protocol, and
> we're at 1 year and counting. SSL renegotiation is instructive because
> people really care. We can see the same game going on with "get rid of
> SSL v2" which is around 5 years and counting .. but there most people
> don't care.
> In contrast, non-committee-based systems like Skype can probably roll
> over in weeks or months.
A committee is required to establish consensus. You need consensus so
that clients and servers agree on what the bits mean - but with
sufficiently flexible protocol negotiation, you should need less agreement.
If a standard is successful, more and more people want to be in the
committee, many of whom represent business profit centers and government
special interests, and who really do not understand much about the
technology, except that any change might be adverse to the very
important people who sent them there.
As the committee gets larger, it gets more unworkable, and as it
represents more and more special interests, it gets more unworkable.
When an old protocol is broken, clients and servers that have not
upgraded to a new improved protocol will remain forever, so the old
defective protocol has to be supported forever - without, however,
allowing an attacker a downgrade attack.
Often, it is impossible to support the old clients, because protocol
negotiation was never adequately designed in, or because it was designed
in but was designed vulnerable to a downgrade attack.
But let us suppose the protocol negotiation was well designed: The
committee has to assign a code. And of course, they will only assign
this code to a protocol that they agree is right - and nothing gets done.
One solution is to have quite large protocol identifiers, or arbitrarily
large variable length protocol identifiers, so that anyone can whip up a
protocol and assign it an identifier, and hack a client and server to
use it, without having to walk it past three dozen members of the committee.
But then, of course, we would probably wind up with a lot of protocols.
This could potentially lead to a lot of protocol negotiation round trips
Do you speak protocol A
Do you speak protocol B
Do you speak protocol C
One solution to this problem is to have complete lists of protocols,
call it a protocol dictionary, which dictionary maps the long
probabilistically globally unique protocol names to short local protocol
names, and gives an order of preference. If the client names a
dictionary that it supports, and/or the server names a dictionary that
it supports, then the can usually come to immediate agreement.
More information about the cryptography