undefined | Better HN

0 pointsemn133y ago0 comments

Why do you think he's wrong? He's essentially saying IT systems need to be designed with the expectation that cryptographic algorithms will be attacked and may need to be replaced, as I understand it.

0 comments

tptacek3y ago

If by "crypto agility" one means "we should research diverse cryptographic primitives and constructions so that we can be ready if something we rely upon breaks", nobody disagrees with that. But that's not what Schneier means.

What he says instead is that "it’s vital that our systems be able to easily swap in new algorithms when required". That approach has a virtually unbroken track record of failure. It demands negotiation, which introduces bugs, and even after you get past that, it doesn't work: you literally always end up with downgrade attacks (see, for instance, the DNSSEC work at Black Hat this year). Sometimes those downgrade attacks introduce vulnerabilities for parties that would never have even attempted to use the legacy crypto.

michaelt3y ago

Doesn't every major cryptosystem have multiple ciphersuites, though?

There's things like SSL, SSH and GPG, truecrypt, bitlocker, /etc/passwd, ntpsec - even git is trying to upgrade their hashes from SHA1 to something longer. There are only a handful of exceptions, like TOTP.

Isn't it a must-have feature? Or has the feature become less important than it was 25 years ago when those protocols were being designed?

tptacek3y ago

Yes, and every one of those major cryptosystems has been a debacle, in large part because of the negotiations imposed by ciphersuites. It is not a must-have feature; it's a feature cryptography engineering best practice is rapidly beginning to recognize as an anti-feature. See WireGuard for an example of the alternative: you version the whole protocol, and if some primitive you depend on has a break, you roll out a new version --- which, historically, you've effectively had to do anyways in legacy protocols.

2 more replies

Spooky233y ago

Look at TLS/SSL. TLS 1.2 was out for years until public vulnerabilities forced deprecation of SSL 3 and TLS 1.0.

emn13OP3y ago

I see what you mean. I'm not seeing that in this particular article, but without getting sidetracked by whether he's said that before - I think there are two flavors of agility here.

You're arguing against runtime agility. That makes sense; in fact, the more runtime agility you have, the less design-time agility you have, because all that dynamic negotiation is quite the constraint - and as you point out, a source of flaws.

Even negotiation has flavors. Classic TLS tried to make supporting old ciphers "secure", but even negotiation in which you assume the attacker _can_ control the cipher can be useful - the point then being not to do so long-term, but merely as a technique to allow non-instantaneous roll-out world wide. There's a difference between trying to support but never use legacy stuff and also refusing to specify the current gold standard, and merely having a protocol that supports multiple ciphers only to the extent necessary to occasionally replace a single old configuration with a single new one.

I'm not sure whether there's a huge difference between merely supporting research diversity, and having non-runtime but design-time agility. Perhaps those are the same thing. I guess it gets interesting where encryption primitives aren't just ephemeral communication tools, but a more intrinsic part of the software (such as in signing, and especially in stuff like blockchains) - is there a way to have at least the option of swapping primitives without weakening the guarantees today?

In any case; thanks for the clarification!

layer83y ago

To me, it just means that the formats shouldn’t be hardcoded to a single algorithm (e.g. like Git is to SHA-1), but should allow for different (including future) algorithms, like e.g. X.509 certificates do. I do work in the electronic signature space, where this is important, and there are no negotiation scenarios there.

hnhuhn3y ago

I don't think that being able to easily swap to new algorithms means negotiation. Signal e.g. can easily switch to other encryption schemes, just as Whatsapp shipped e2ee in a few weeks. After some time, you are forced to upgrade the app in order to be able to use it.

bawolff3y ago

Well i agree generally, if we are talking about these new, basically experimental, post quantum algorithms, i feel like the balance shifts a bit since they are still so new (on the other hand maybe using them is just premature at this point)

tptacek3y ago

The universal answer to this concern is to run a conventional key exchange alongside the PQC key exchange.

fortenforge3y ago

Further reading on this subject: https://www.imperialviolet.org/2016/05/16/agility.html

j / k navigate · click thread line to collapse

0 comments

tptacek3y ago

michaelt3y ago

Doesn't every major cryptosystem have multiple ciphersuites, though?

Isn't it a must-have feature? Or has the feature become less important than it was 25 years ago when those protocols were being designed?

tptacek3y ago

2 more replies

Spooky233y ago

Look at TLS/SSL. TLS 1.2 was out for years until public vulnerabilities forced deprecation of SSL 3 and TLS 1.0.

emn13OP3y ago

I see what you mean. I'm not seeing that in this particular article, but without getting sidetracked by whether he's said that before - I think there are two flavors of agility here.

In any case; thanks for the clarification!

layer83y ago

hnhuhn3y ago

bawolff3y ago

tptacek3y ago

The universal answer to this concern is to run a conventional key exchange alongside the PQC key exchange.

fortenforge3y ago

Further reading on this subject: https://www.imperialviolet.org/2016/05/16/agility.html

j / k navigate · click thread line to collapse