[cryptography] preventing protocol failings

Sampo Syreeni decoy at iki.fi
Mon Jul 4 19:28:10 EDT 2011


(I'm not sure whether I should write anything anytime soon, because of 
Len Sassaman's untimely demise. He was an idol of sorts to me, as a guy 
who Got Things Done, while being of comparable age to me. But perhaps 
it's equally valid to carry on the ideas, as a sort of a nerd eulogy?)

Personally I've slowly come to believe that options within crypto 
protocols are a *very* bad idea. Overall. I mean, it seems that pretty 
much all of the effective, real-life security breaches over the past 
decade have come from protocol failings, if not trivial password ones. 
Not from anything that has to do with hard crypto per se.

So why don't we make our crypto protocols and encodings *very* simple, 
so as to resist protocol attacks? X.509 is a total mess already, as 
Peter Gutmann has already elaborated in the far past. Yet OpenPGP's 
packet format fares not much better; it might not have many cracks as of 
yet, but it still has a very convoluted packet structure, which makes it 
amenable to protocol attacks. Why not fix it into the simplest, 
upgradeable structure: a tag and a binary blob following it?

Not to mention those interactive protocols, which are even more 
difficult to model, analyze, attack, and then formally verify. In Len's 
and his spouse's formalistic vein, I'd very much like to simplify them 
into a level which is amenable to formal verification. Could we perhaps 
do it? I mean, that would not only lead to more easily attacked 
protocols, it would also lead to more security...and a eulogy to one of 
the new cypherpunks I most revered.
-- 
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
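As an added illustration of the "tag and a binary blob following it" structure the post argues for (this is example code written for this page, not the author's and not OpenPGP's packet format): a constructed tag/length/blob container with a strict parser that fails closed on truncated headers, truncated payloads and hostile length fields, plus the one rule that makes the structure upgradeable, namely that unknown tags are carried and skipped rather than rejected. The 1-byte tag, 4-byte big-endian length and the `MAX_LEN` cap are assumptions chosen for the example.

```python
import struct

# Constructed wire format for this example (not OpenPGP, not X.509):
#   1-byte tag | 4-byte big-endian length | payload of exactly `length` bytes
HEADER = struct.Struct(">BI")

# Hypothetical hard cap on a single blob, so an attacker-controlled length
# field cannot make the parser reserve or copy an absurd amount of memory.
MAX_LEN = 1 << 24


class PacketError(ValueError):
    """Raised for any malformed input; the parser never guesses or recovers."""


def encode(packets):
    """Serialise a list of (tag, blob) pairs. Tags are ints 0..255, blobs are bytes."""
    out = bytearray()
    for tag, blob in packets:
        if not 0 <= tag <= 255:
            raise PacketError(f"tag {tag} out of range")
        if len(blob) > MAX_LEN:
            raise PacketError("blob exceeds MAX_LEN")
        out += HEADER.pack(tag, len(blob))
        out += blob
    return bytes(out)


def decode(data):
    """Parse back into (tag, blob) pairs, rejecting anything that is not exact."""
    packets = []
    pos = 0
    while pos < len(data):
        # Every header must be completely present before it is read.
        if len(data) - pos < HEADER.size:
            raise PacketError("truncated header")
        tag, length = HEADER.unpack_from(data, pos)
        pos += HEADER.size
        # Check the cap before the remaining-bytes check so both classes of
        # bad length field are reported distinctly.
        if length > MAX_LEN:
            raise PacketError("length field exceeds MAX_LEN")
        # Compare against what remains; never compute pos + length first,
        # which is how fixed-width C parsers end up with an overflowed bound.
        if length > len(data) - pos:
            raise PacketError("truncated payload")
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets


def split_known(packets, known_tags):
    """Upgrade rule: hand back the packets this implementation understands and
    the ones it does not, instead of failing on a tag added by a newer version."""
    known = [(t, b) for t, b in packets if t in known_tags]
    unknown = [(t, b) for t, b in packets if t not in known_tags]
    return known, unknown


def rejects(data):
    """True if the strict parser refuses `data`; used to exercise the failure paths."""
    try:
        decode(data)
    except PacketError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: tag 1 = "version", tag 2 = "key material", tag 7 = from a future revision.
    msg = encode([(1, b"\x01"), (2, b"\xaa" * 16), (7, b"new")])
    known, unknown = split_known(decode(msg), {1, 2})
    print("known:", known)
    print("skipped unknown tags:", [t for t, _ in unknown])
    # A header claiming far more payload than is present is refused, not read past the end.
    print("rejects oversized length:", rejects(b"\x02\xff\xff\xff\xff"))
```

The design point is that the parser has exactly one decision per packet (is the declared length actually there?) and one upgrade mechanism (skip what you do not know), which is the kind of structure that can be checked exhaustively, by review or by a verifier, in a way a multi-form packet header cannot.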