[cryptography] the spell is broken
feralchimp at gmail.com
Thu Oct 3 12:03:08 EDT 2013
On Oct 2, 2013, at 6:23 PM, Jon Callas <jon at callas.org> wrote:
[snipped quoted text]
> I'm not implying at all that AES or SHA-2 are broken. If P-384 is broken, I believe the root cause is more that it's old than it was backdoored.
> But it doesn't matter what I think. This is a trust issue.
First, thanks for providing more insight into the decision here.
I guess my point was that it's a confluence of trust issues: user trust, business stakeholder trust, and technical/cryptographic trust. And in part because it does matter what you think, relatively informed people have drawn strong and variable conclusions from the news that "Silent Circle ditched AES and SHA-2 in favor of Twofish and Skein."
[snipped interesting doctor analogy; Jeffrey's response to it was solid.]
> I see this as a way out of the madness. Yes, it's "marketing" if by marketing you mean non-technical. By pushing this out, we're letting people who believe there's a problem have a reasonable alternative.
> If we, the crypto community, decide that the P-384+AES+SHA2 cipher suite is just fine, we can walk the decision back. It's just a software change.
I didn't mean marketing as a pejorative or as 'non-technical', but as a blend of brand signaling and (highly technical, in this case) product management in response to user demand.
To that, and on positioning Twofish/Skein as an "alternative":
- Did users of Silent Circle threaten to leave if you stuck with AES and SHA-2?
- Can users of Silent Circle choose to continue using AES and SHA-2?
While it may be easy to roll back this software change in the future, wouldn't switching back be even more problematic (signaling-wise) than switching away?
One of the biggest issues we're wrestling with, I think, is that the crypto community already decided that AES and SHA-2 are just fine. From where implementors are sitting, it decided good and hard. So what now?
a) Maybe some new process will re-validate AES and SHA-2. The peer review will somehow get peer-ier or review-ier, and the "NSA has magic math" meme will suffer.
- AND/OR -
b) Celebrity cryptographers will make pronouncements that will enjoy uptake among implementors and their trusted advisors.
The Silent Circle decision encourages "NSA has magic" thinking, and unintentionally promotes [b].
And maybe NSA does have anti-AES magic. But if they do, we've seen zero evidence that they're using it. Are they just rooting boxes, forcing people to give up private keys, and sabotaging RNGs as a smoke screen or performance optimization?
> Let me also add that I wouldn't fault anyone for deciding differently. We, the crypto community, need to work together with security and respecting each other's decisions even if we make different decisions and do different things. I respect the alternate decision, to stay the course.
Interesting times. Thanks again-