[cryptography] cryptographic agility (was: Re: the spell is broken)

Nico Williams nico at cryptonector.com
Sat Oct 5 04:08:42 EDT 2013

On Fri, Oct 4, 2013 at 11:48 PM, Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
> On 2013-10-04, at 10:46 PM, Patrick Pelletier <code at funwithsoftware.org> wrote:
>> On 10/4/13 3:19 PM, Nico Williams wrote:
>>> b) algorithm agility is useless if you don't have algorithms to choose
>>> from, or if the ones you have are all in the same "family".
>> Yes, I think that's where TLS failed.  TLS supports four block ciphers with a 128-bit block size (AES, Camellia, SEED, and ARIA) without (as far as I'm aware) any clear tradeoff between them.

Well, maybe I was too emphatic.  I didn't mean that a protocol like,
say, TLS, should be born with a large number of ciphersuites.  It
needs to be born with *two* (of each negotiable cryptographic
primitive): to prove algorithm agility works.  Also, none of this
one-integer-to-name-combinations-of-all-algorithms -- key exchange,
authentication, and KDF, should all be negotiated separately from
session ciphers (but cipher modes, OTOH, should not be negotiated
separately from ciphers).  The rationale is that a Cartesian product
of algorithms in a manual registry (and with small integers!) is not
really manageable.  Some cipher modes can be separated from ciphers,
but there are relatively few combinations of ciphers and cipher modes,
so no need to separate them.

> The AES “failure” in TLS is a CBC padding failure. Any block cipher would have “failed” in exactly the same way.

Indeed.  3DES and AES both "failed" because of CBC IV chaining without
randomization in SSHv2.  Any block cipher would have failed in the
same situation because the failure was the *mode*'s.
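The negotiation model argued for above (key exchange, authentication and KDF negotiated independently, cipher and mode as one unit, at least two candidates per primitive), as an added example that is not part of the original mail or of any real protocol: a toy Python negotiator with a constructed registry of algorithm names (no real codepoints), plus a count of how many registry entries the per-primitive scheme and the single-integer-per-combination scheme each need, and how many entries retiring one algorithm touches under each.

```python
"""Toy model of per-primitive algorithm negotiation versus one integer per
combination.  Constructed illustration only; not TLS and not any protocol's code."""

# Hypothetical negotiable primitives.  Cipher and mode are one unit, as the
# post argues; kx, auth and kdf are negotiated independently of each other.
CATEGORIES = ("kx", "auth", "kdf", "cipher")

# Constructed registry: names only, chosen so every category has >= 2 entries.
REGISTRY = {
    "kx":     ["ecdhe-x25519", "ecdhe-p256", "dhe-ffdhe2048"],
    "auth":   ["ed25519", "ecdsa-p256", "rsa-pss"],
    "kdf":    ["hkdf-sha256", "hkdf-sha384"],
    "cipher": ["aes-128-gcm", "chacha20-poly1305", "aes-256-gcm"],
}


def is_agile(registry):
    """The post's minimum for proving agility works: two options per primitive."""
    return all(len(registry[cat]) >= 2 for cat in CATEGORIES)


def negotiate(client_offer, server_prefs):
    """Per category, pick the first server-preferred algorithm the client offers.

    Each primitive is resolved on its own, so a cipher choice never constrains
    the key-exchange choice.  Raises ValueError if any category has no overlap."""
    chosen = {}
    for cat in CATEGORIES:
        offered = set(client_offer.get(cat, ()))
        for alg in server_prefs.get(cat, ()):
            if alg in offered:
                chosen[cat] = alg
                break
        else:
            raise ValueError(f"no common {cat} algorithm")
    return chosen


def codepoints_separate(registry):
    """Registry entries needed when each primitive is negotiated on its own."""
    return sum(len(registry[cat]) for cat in CATEGORIES)


def codepoints_cartesian(registry):
    """Registry entries needed when one integer names a full combination."""
    n = 1
    for cat in CATEGORIES:
        n *= len(registry[cat])
    return n


def entries_touched_by_retiring(registry, cat):
    """How many registry entries mention one algorithm of category `cat`.

    Separate negotiation: exactly one.  Cartesian product: one per combination
    of the other categories, i.e. the product of their sizes."""
    cartesian = 1
    for other in CATEGORIES:
        if other != cat:
            cartesian *= len(registry[other])
    return {"separate": 1, "cartesian": cartesian}


# Constructed offer/preference lists for a demonstration run.
CLIENT_OFFER = {
    "kx":     ["dhe-ffdhe2048", "ecdhe-x25519"],
    "auth":   ["rsa-pss"],
    "kdf":    ["hkdf-sha256", "hkdf-sha384"],
    "cipher": ["aes-128-gcm", "chacha20-poly1305"],
}
SERVER_PREFS = {
    "kx":     ["ecdhe-x25519", "ecdhe-p256"],          # server refuses finite-field DH
    "auth":   ["ed25519", "rsa-pss"],
    "kdf":    ["hkdf-sha384", "hkdf-sha256"],
    "cipher": ["chacha20-poly1305", "aes-256-gcm", "aes-128-gcm"],
}


def demo():
    """Run the model end to end and return the negotiated choice."""
    choice = negotiate(CLIENT_OFFER, SERVER_PREFS)
    print("agile registry:", is_agile(REGISTRY))
    print("negotiated:", choice)
    print("registry size, separate:", codepoints_separate(REGISTRY))
    print("registry size, cartesian:", codepoints_cartesian(REGISTRY))
    print("retire one cipher touches:", entries_touched_by_retiring(REGISTRY, "cipher"))
    return choice


if __name__ == "__main__":
    demo()
```

With the constructed registry the per-primitive scheme needs 11 entries and the single-integer scheme 54; retiring one cipher touches 1 entry versus 18. The gap grows multiplicatively with every algorithm added, which is the manageability problem the post points at.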
