-------- Original message --------
From: Jerry Leichter <leich...@lrw.com> 
Date: 10/06/2013  15:35  (GMT-08:00) 
To: John Kelsey <crypto....@gmail.com> 
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>, Christoph Anton Mitterer <cales...@scientia.net>, james hughes <hugh...@mac.com>, Dirk-Willem van Gulik <di...@webweaving.org> 
Subject: Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3? 
 
On Oct 5, 2013, at 9:29 PM, John Kelsey wrote:
> Really, you are talking more about the ability to *remove* algorithms.  We 
> still have stuff using MD5 and RC4 (and we'll probably have stuff using dual ec 
> drbg years from now) because while our standards have lots of options and it's 
> usually easy to add new ones, it's very hard to take any away.

Can we do anything about that? If the protocol allows correction (particularly 
remote or automated correction) of an entity using a weak crypto primitive, 
that opens up a whole new set of attacks on strong primitives.

We'd like the answer to be that people will decline to communicate with you if 
you use a weak system, but honestly when was the last time you had that degree 
of choice in from whom you get exactly the content and services you need?

Can we even make renegotiating the cipher suite inconveniently long or heavy so 
defaulting weak becomes progressively more costly as more people default 
strong? That opens up denial of service attacks, and besides it makes it 
painful to be the first to default strong.

Can a check for a revoked signature for the cipher's security help? That makes 
the CA into a point of control.

Anybody got a practical idea?

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography