[cryptography] Google's QUIC
iang at iang.org
Wed Jul 3 06:24:54 EDT 2013
On 3/07/13 12:37 PM, Eugen Leitl wrote:
> ----- Forwarded message from Saku Ytti <saku at ytti.fi> -----
> Date: Tue, 2 Jul 2013 21:35:58 +0300
> From: Saku Ytti <saku at ytti.fi>
> To: nanog at nanog.org
> Subject: Re: Google's QUIC
> User-Agent: Mutt/1.5.21 (2010-09-15)
> On (2013-06-29 23:36 +0100), Tony Finch wrote:
>> Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf
> Now that I have read the separate 'QUIC Crypto' page, it sounds a bit of a déjà vu.
> QUIC also uses Curve25519 pubkey and Salsa20 cipher, which is hard to
> attribute as chance, considering both are DJB's work, both are used by his
> NaCl library and by extension by MinimaLT. Neither is particularly common
It's not the choice of algorithm that is "by chance"; it is the choice of
suite as a design decision that matters.
I also would like to use the same ciphersuite, but the reason is that
DJB has already done the work to define the entire suite, saving me from
doing it. This is quite a saving for me, and hasn't hitherto existed as
an external service. Last time it took over a month of hard research
and learning to settle on RSA/AES128/CBC/SHA1/HMAC/Encrypt-then-mac.
As an added bonus, DJB came up with a shorter, catchier name:
In the past, things like TLS, PGP, IPSec and others encouraged you to
slice and dice the various algorithms as a sort of alphabet soup mix.
Disaster. What we got for that favour was code bloat, insecurity at the
edges, continual arguments as to what is good & bad, focus on numbers &
acronyms, distraction from user security, entire projects that rate your
skills in cryptoscrabble, committeeitus, upgrade nightmares,
Cryptoplumbing shouldn't be like eating spaghetti soup with a toothpick.
There should be One Cipher Suite and that should do for everyone,
every time. There should be no way for users to stuff things up by
tweaking a dial they read about in some slashdot tweakabit article while
on the train to work.
> I'm not implying QUIC plagiarizes MinimaLT, there are differences in the
> protocol, just choice of the algorithm implies QUIC authors are aware of
Picking curve25519xsalsa20poly1305 is good enough for that One True
CipherSuite motive alone, and doesn't imply any other sort of copying
one might have seen. It's an innovation! Adopt it.
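To make the "One True CipherSuite" concrete, here is an added pure-Python sketch of curve25519xsalsa20poly1305 as NaCl's crypto_box defines it; it is an illustration written for this thread, not QUIC's, NaCl's or the poster's code. It shows the whole fixed suite in one place: Curve25519 agreement, HSalsa20 key derivation, XSalsa20 keystream, and a Poly1305 tag that is checked before a single byte is decrypted (the encrypt-then-MAC discipline mentioned above). There is no negotiation and no parameter for a user to tweak; the only caller-supplied inputs are keys, a 24-byte nonce and the message. The components are checked against the RFC 7748 X25519 and RFC 7539 Poly1305 test vectors; the output layout tag||ciphertext follows libsodium's crypto_box_easy. Unlike NaCl, this code is not constant-time, so treat it as reading material.

```python
"""Pure-Python sketch of NaCl's single public-key suite, curve25519xsalsa20poly1305
(crypto_box). Added to this thread as an illustration; not QUIC's, NaCl's or the
poster's code, and not constant-time, so it is for reading rather than deployment."""
import hmac
import struct

P = 2**255 - 19                     # Curve25519 field prime
M = 0xFFFFFFFF                      # 32-bit mask for Salsa20 word arithmetic
SIGMA = b"expand 32-byte k"         # Salsa20 constant
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Curve25519 scalar multiplication: Montgomery ladder as in RFC 7748."""
    k = int.from_bytes(scalar, "little") & ~7 & ((1 << 254) - 1) | (1 << 254)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                   # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def quarterround(y0, y1, y2, y3):
    """Salsa20 quarter-round on four 32-bit words."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    y1 ^= rotl((y0 + y3) & M, 7)
    y2 ^= rotl((y1 + y0) & M, 9)
    y3 ^= rotl((y2 + y1) & M, 13)
    y0 ^= rotl((y3 + y2) & M, 18)
    return y0, y1, y2, y3

def salsa_rounds(key: bytes, inp: bytes):
    """Lay out the 4x4 Salsa20 state from key and 16-byte input, run 20 rounds."""
    k, n, s = struct.unpack("<8I", key), struct.unpack("<4I", inp), struct.unpack("<4I", SIGMA)
    st = [s[0], *k[:4], s[1], *n, s[2], *k[4:], s[3]]
    x = list(st)
    for _ in range(10):                 # 10 double-rounds (column then row) = 20 rounds
        x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = quarterround(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = quarterround(x[15], x[12], x[13], x[14])
    return st, x

def hsalsa20(key: bytes, inp: bytes) -> bytes:
    """HSalsa20: 32-byte key and 16-byte input to a 32-byte subkey (no feed-forward)."""
    _, x = salsa_rounds(key, inp)
    return struct.pack("<8I", *(x[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)))

def xsalsa20(key: bytes, nonce: bytes, length: int) -> bytes:
    """XSalsa20 keystream: HSalsa20 eats nonce[:16]; Salsa20 runs on nonce[16:24] + counter."""
    subkey, out, counter = hsalsa20(key, nonce[:16]), bytearray(), 0
    while len(out) < length:
        st, x = salsa_rounds(subkey, nonce[16:24] + counter.to_bytes(8, "little"))
        out += struct.pack("<16I", *((a + b) & M for a, b in zip(x, st)))
        counter += 1
    return bytes(out[:length])

def poly1305(key: bytes, msg: bytes) -> bytes:
    """Poly1305 one-time authenticator; key is r(16 bytes) || s(16 bytes)."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s, acc, p = int.from_bytes(key[16:], "little"), 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def box_beforenm(sk: bytes, pk: bytes) -> bytes:
    """Shared key: Curve25519 agreement, then HSalsa20 with an all-zero input."""
    return hsalsa20(x25519(sk, pk), bytes(16))

def box(sk: bytes, pk: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Seal: first 32 keystream bytes key Poly1305, the rest encrypt. Output tag||ct."""
    if len(nonce) != 24:
        raise ValueError("XSalsa20 nonce must be 24 bytes")
    stream = xsalsa20(box_beforenm(sk, pk), nonce, 32 + len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, stream[32:]))
    return poly1305(stream[:32], ct) + ct

def box_open(sk: bytes, pk: bytes, nonce: bytes, boxed: bytes) -> bytes:
    """Open: recompute the tag and compare in constant time before decrypting anything."""
    tag, ct = boxed[:16], boxed[16:]
    stream = xsalsa20(box_beforenm(sk, pk), nonce, 32 + len(ct))
    if not hmac.compare_digest(tag, poly1305(stream[:32], ct)):
        raise ValueError("forged or corrupted box")
    return bytes(a ^ b for a, b in zip(ct, stream[32:]))
```

A keypair is just 32 random bytes and `x25519(sk, BASEPOINT)`; a sender calls `box(my_sk, their_pk, nonce, msg)` and the receiver `box_open(my_sk, their_pk, nonce, sealed)`. The nonce must never repeat for the same pair of keys, and a box whose tag fails returns nothing at all rather than a partially decrypted message; those two rules are the entire operational surface of the suite, which is the point the post is making.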