[cryptography] the spell is broken
jeffrey at goldmark.org
Thu Oct 3 15:35:55 EDT 2013
On 2013-10-03, at 1:28 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2013-10-04 00:13, Jeffrey Goldberg wrote:
>> So unless you and Silent Circle have information that the rest of us don’t about AES and SHA-2, I’m actually pissed off at this action. It puts more pressure on us to follow suit, even though such a move would be pure security theater.
> You have to get off the NIST curves. If getting of the NIST curves, might as well get off AES and SHA-2 as well.
Fair point. As we aren’t doing any public key stuff, we don’t need to hunt down new curves or go back to DH or anything like that. And as you say, if you are changing something, it isn’t too hard to chance other things at the same time.
But (and given that my previous message got MIME-mangled, I’ll repeat some points) the thought that Jon and Silent Circle are putting into curve replacement looks much more serious than the thought going into AES and SHA-2 replacement, which reek of security theater.
I’ll grant that a priori any SHA-3 finalist will be an improvement on SHA-2, so really it’s the just AES move that reeks of security theater. If you are going to drop in a replacement for AES (same blocksize, same key sizes) then you should look at this as an opportunity to find the best replacement possible. Maybe AES with increased rounds and improved key schedule. That would have the advantage of taking advantage of a lot of existing hardware. Or maybe there are better alternatives. But picking Twofish out of a hat just seems like security isn’t the issue, but perception.
> If you are not using the NIST curves, the need to change is less urgent.
Agreed, but for me the “less urgent” is “next to nil”. (Beyond the existing reasons for moving away from SHA-2.). But fine, I acknowledge your point, and perhaps I’m just whining because I’m lazy and this would be a difficult change to implement.
More information about the cryptography