[cryptography] preventing protocol failings

Ian G iang at iang.org
Mon Jul 4 20:01:20 EDT 2011


On 5/07/11 9:28 AM, Sampo Syreeni wrote:
> (I'm not sure whether I should write anything anytime soon, because of
> Len Sassaman's untimely demise. He was an idol of sorts to me, as a guy
> who Got Things Done, while being of comparable age to me. But perhaps
> it's equally valid to carry on the ideas, as a sort of a nerd eulogy?)

I don't think I ever met Len, but his words were wise.

> Personally I've slowly come to believe that options within crypto
> protocols are a *very* bad idea.


I think this is an idea who's time may be coming.  You might enjoy my 
thoughts here:

http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html

Especially H1 and H3.

> Overall. I mean, it seems that pretty
> much all of the effective, real-life security breaches over the past
> decade have come from protocol failings, if not trivial password ones.
> Not from anything that has to do with hard crypto per se.
>
> So why don't we make our crypto protocols and encodings *very* simple,
> so as to resist protocol attacks? X.509 is a total mess already, as
> Peter Gutmann has already elaborated in the far past. Yet OpenPGP's
> packet format fares not much better; it might not have many cracks as of
> yet, but it still has a very convoluted packet structure, which makes it
> amenable to protocol attacks. Why not fix it into the simplest,
> upgradeable structure: a tag and a binary blob following it?

Yeah.  Plus compatibility issues.

> Not to mention those interactive protocols, which are even more
> difficult to model, analyze, attack, and then formally verify. In Len's
> and his spouse's formalistic vein, I'd very much like to simplify them
> into a level which is amenable to formal verification. Could we perhaps
> do it? I mean, that would not only lead to more easily attacked
> protocols, it would also lead to more security...and a eulogy to one of
> the new cypherpunks I most revered.

(I for one am not thrilled about formal verification, but if our goals 
meet, we can be be flexible on the motives.)



iang



More information about the cryptography mailing list