Rene, thanks for clarifying my thoughts on this. You're right, in one sense, piling on on the bandwagon is often counterproductive. I'm reminded of Dijkstra's article "goto statement considered harmful", in 1968, which was cogent and important, but inspired any number of "XXX considered harmful" statements that weren't ...
But, if you're writing in C (which I think we mostly shouldn't be any more, but that's a different question), there's no practical alternative to using goto! Check this, then check that, then check the other thing... You can't maintain code that has this as one big "if" statement, and you won't get it right if there are 18 layers of nested "if" statements either.

But back to the original question: In my job I had to continually face the objection that "security [any form] was too expensive to implement". My personal breakthrough was understanding the legal concept of "burden of proof". Was it my job to prove that the security wasn't too expensive? Or was it the (non-security) people's job, in the face of the requirement for security (agreed by management), to prove that it WAS too expensive? I could at least argue that measuring the answer was cheaper than either (a) continuing to argue, or (b) implementing it. Guess what the answer was?

I believe that there's a place for 64-bit block ciphers, still. But I believe that there's a corresponding requirement that the analysis be done, and that provision for re-keying must be engineered in, before they can be used. The alternative, just go to 128-bit blocks, is sometimes cheaper, and sometimes easier, and sometimes both. But no handwaving is required... do the analysis!

Greg.

> On Aug 29, 2016, at 18:31, Rene Struik <rstruik....@gmail.com> wrote:
>
> My argument was aimed at focusing on the real topic at hand, not at mixing
> this with "religious" beliefs as ditching ciphers without clear justification
> (no matter how ancient 3-DES may be [I was in elementary school then]).
>
> I think it is unwise thinking too lightly about writing IETF drafts with
> "die-die-die" in the title, just because one feels like it, in an almost
> context-free manner. Or, is the idea to launch an entire series of
> die-die-die drafts, because one finds some excuse to do so? I cannot deny I
> also like shiny new things and we may all suffer from not-invented-here
> syndromes, but acknowledging this playing in the background of our
> perceptions should also give us some reason to pause and have some restraint
> here.
>
> Rene
>
> On 8/29/2016 5:48 PM, Jon Callas wrote:
>>> On Aug 29, 2016, at 6:26 AM, Rene Struik <rstruik....@gmail.com> wrote:
>>>
>>> I think it is a mistake to think that simply using block ciphers with a
>>> larger block size is enough to counter attacks, as the literature on
>>> successful side channel attacks on such block cipher demonstrates. The real
>>> message is that one should not reuse keys ad infinitum, which unfortunately
>>> seems hard to sink in.
>>>
>>> Singling out 3-DES in this respect does not seem to tackle the real issue
>>> (which is a system security issue often only paid lip service to in
>>> practice).
>> Yes, we should just stop using 64-bit block ciphers and deal with the issues
>> you mention within the context of larger blocks.
>>
>> Jon
>>
>
>
> --
> email: rstruik....@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

Phone: +1 619 890 8236
GPG/PGP: 1081A37C  232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
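One way to carry out the analysis and re-keying provision discussed in this thread, as an added example that is not part of any of the messages above. It goes beyond the thread by using the standard birthday bound on ciphertext-block collisions; the collision target of 2^-32 and the names `max_blocks_per_key` and `RekeyBudget` are assumptions chosen for illustration.

```python
import math

def max_blocks_per_key(block_bits: int, log2_inv_p: int) -> int:
    """Blocks one key may process while the chance of any two ciphertext
    blocks colliding stays below 2**-log2_inv_p.

    Assumption: ciphertext blocks are modelled as uniformly random, so the
    birthday union bound P < q**2 / 2**(block_bits + 1) applies. Solving for
    q with integer arithmetic gives a conservative (slightly low) limit.
    """
    exponent = block_bits + 1 - log2_inv_p
    if exponent < 0:
        raise ValueError("target probability is unreachable for this block size")
    return math.isqrt(2 ** exponent)

class RekeyBudget:
    """Counts blocks processed under the current key and forces a rekey
    before the per-key limit would be exceeded (hypothetical helper)."""

    def __init__(self, block_bits: int, log2_inv_p: int):
        self.block_bytes = block_bits // 8
        self.limit = max_blocks_per_key(block_bits, log2_inv_p)
        self.used = 0      # blocks processed under the current key
        self.rekeys = 0    # number of rekeys forced so far

    def consume(self, nbytes: int) -> bool:
        """Account for nbytes of traffic; return True if a rekey was
        required before this data could be processed."""
        blocks = -(-nbytes // self.block_bytes)  # ceiling division
        if blocks > self.limit:
            raise ValueError("single message exceeds the per-key budget")
        rekeyed = self.used + blocks > self.limit
        if rekeyed:
            self.used = 0
            self.rekeys += 1
        self.used += blocks
        return rekeyed

if __name__ == "__main__":
    # Compare per-key data limits at the same collision target (2**-32).
    for bits in (64, 128):
        blocks = max_blocks_per_key(bits, 32)
        print(f"{bits}-bit block: {blocks} blocks, {blocks * bits // 8} bytes per key")
```

At the same collision target, the 64-bit limit is under a mebibyte per key while the 128-bit limit is in the petabyte range, which is the cost comparison between engineering in re-keying and moving to a larger block.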