[cryptography] cryptographic agility (was: Re: the spell is broken)

Patrick Pelletier code at funwithsoftware.org
Fri Oct 4 23:46:51 EDT 2013

On 10/4/13 3:19 PM, Nico Williams wrote:

> b) algorithm agility is useless if you don't have algorithms to choose
> from, or if the ones you have are all in the same "family".

Yes, I think that's where TLS failed.  TLS supports four block ciphers 
with a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as 
far as I'm aware) any clear tradeoff between them.  As opposed to, say, 
if Serpent had been provided as the alternative to AES, where there 
would be a fairly clear trade-off.  (Since Serpent was generally 
recognized as being more conservative, albeit slower, than AES, it would 
make a nice back-up cipher.)  Or, today, the 1024-bit block size version 
of ThreeFish would add interesting diversity, since it has a radically 
different blocksize.

And, of course, the big problem was that RC4 was the only stream cipher 
supported by TLS.  There's now work to remedy that with a Salsa20 or 
ChaCha cipher suite, but that should have been done long ago, since 
everyone knew RC4 was getting old and broken-ish.

So, my point is that you should pick certain axes such as stream versus 
block, or security versus speed, and then choose a small number of 
ciphersuites which are radically different on those axes.  There's no 
point in defining many cipher suites that cover areas that are already 
well-covered.  And, conversely, if a particular area is only covered by 
cipher suites that are getting long in the tooth, it's time to 
proactively cover that area with something new.


More information about the cryptography mailing list