[cryptography] cryptographic agility

Patrick Pelletier code at funwithsoftware.org
Sat Oct 5 03:22:04 EDT 2013


On 10/4/13 9:48 PM, Jeffrey Goldberg wrote:

> The AES “failure” in TLS is a CBC padding failure. Any block cipher would have “failed” in exactly the same way.

Yes, I know.  My second point, about needing a stream cipher other than 
RC4, is what's applicable to the current "BEAST vs RC4" dilemma.  My 
point with block ciphers was more hypothetical.  As far as we know, AES 
is good, but some day it might turn out not to be, and even now, there 
is the concern that the AES-256 key schedule is not as good as it could 
be.  My point was just that if you are going to have multiple block 
ciphers, you should have some diversity, and be able to explain the 
rationale for why you picked each one.  (i.e., "This one was for speed, 
that one was for security margin.")  But TLS seems to have opted for the 
logic that "if one 128-bit block cipher is good, four 128-bit block 
ciphers are better."  Perhaps Camellia is a good back-up to AES; I don't 
know.  But I'm not aware of it having been presented as "has a higher 
security margin" or something like that, the way Serpent could have been 
presented.  It was just "here's another one."  And then we got SEED and 
ARIA piling on after that.  (Or maybe SEED was before Camellia; I don't 
remember, and it doesn't really matter.)

Yes, CBC mode has been an issue in a lot of the recent attacks against 
TLS.  So, block cipher modes are another axis for diversity.  A lot of 
folks seem to be putting a lot of eggs in the GCM basket lately.  Maybe 
that's okay, but I know some concerns have been raised about the 
complexity of implementing GCM, and the potential for side-channel 
attacks.  Maybe we need EAX as a backup in case GCM doesn't turn out to 
be as great as it was supposed to be.  Again, I'm not *specifically* 
saying we need a Serpent-EAX cipher suite or something like that.  I'm 
just saying that, in general, this is the kind of thinking that should 
be going on: how can we add cipher suites that add diversity, rather 
than just "me too?"

--Patrick
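The "diversity, not me too" argument above is easiest to see as code. The following is an added example, not part of the mailing-list post and not any project's code: a minimal agile message format in which a one-byte suite identifier selects the algorithm from a registry, each registry entry records its design family and the rationale for including it, and the verifier applies an acceptance policy so that a suite can be retired (the "BEAST vs RC4" situation) without changing the wire format. Because the Python standard library has no block cipher, the example uses HMAC over three hash families (SHA-2, Keccak/SHA-3, BLAKE2) as a stand-in for the cipher-suite case; the suite ids, key, messages and rationale strings are all constructed for the example.

```python
"""Cryptographic-agility sketch (added example): tagged messages whose
algorithm is chosen by a suite id from a registry built for diversity."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class Suite:
    name: str
    digest: Callable          # hashlib constructor used as the HMAC hash
    family: str               # underlying design family
    rationale: str            # why this suite earns a place in the registry


# Constructed registry; the ids and rationale strings are assumptions.
# Each entry is from a different design family, so a break in one
# construction does not take the backups down with it.
REGISTRY: Dict[int, Suite] = {
    0x01: Suite("HMAC-SHA256", hashlib.sha256, "SHA-2 (Merkle-Damgard)",
                "baseline: fast and universally implemented"),
    0x02: Suite("HMAC-SHA3-256", hashlib.sha3_256, "Keccak (sponge)",
                "backup: unrelated construction, survives a SHA-2 break"),
    0x03: Suite("HMAC-BLAKE2b", hashlib.blake2b, "ChaCha-derived ARX",
                "backup: third family, fast in software"),
}


def distinct_families(registry: Dict[int, Suite] = REGISTRY) -> int:
    """Diversity measure: a registry of 'me too' entries would score 1."""
    return len({s.family for s in registry.values()})


def protect(suite_id: int, key: bytes, msg: bytes) -> bytes:
    """Return header || msg || tag. The header is authenticated too, so the
    suite id cannot be swapped to a weaker entry in transit."""
    suite = REGISTRY[suite_id]
    header = bytes([suite_id])
    tag = hmac.new(key, header + msg, suite.digest).digest()
    return header + msg + tag


def verify(key: bytes, blob: bytes, accept: FrozenSet[int]) -> bytes:
    """Check a message against the acceptance policy and return its body.
    Raises ValueError on unknown, retired, truncated or forged input."""
    if not blob:
        raise ValueError("empty message")
    suite_id = blob[0]
    if suite_id not in accept or suite_id not in REGISTRY:
        raise ValueError(f"suite 0x{suite_id:02x} not accepted by policy")
    suite = REGISTRY[suite_id]
    tag_len = suite.digest().digest_size
    if len(blob) < 1 + tag_len:
        raise ValueError("truncated message")
    body, tag = blob[1:-tag_len], blob[-tag_len:]
    expected = hmac.new(key, blob[:1] + body, suite.digest).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return body


def rejects(key: bytes, blob: bytes, accept: FrozenSet[int]) -> bool:
    """True if verify() refuses the message under the given policy."""
    try:
        verify(key, blob, accept)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed example key"           # constructed
    everything = frozenset(REGISTRY)
    # Day 1: suite 0x01 is the baseline and is accepted.
    msg = protect(0x01, key, b"hello")
    print(verify(key, msg, everything))
    # Day 2: suite 0x01 is retired by policy; old traffic is refused,
    # the format is untouched and the other families keep working.
    retired = frozenset({0x02, 0x03})
    print(rejects(key, msg, retired), verify(key, protect(0x03, key, b"hello"), retired))
    print("families:", distinct_families())
```

The point of the `family` and `rationale` fields is the one Patrick makes: when a suite is added, the registry should be able to say what it is for, and `distinct_families()` is the cheapest possible check that the backups are not just more of the same construction.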
