Two more links on this topic, that I should add to my article:
- Ian Grigg's "The One True Cipher Suite"
https://iang.org/ssl/h1_the_one_true_cipher_suite.html circa ~2008:
KEYQUOTE: "In cryptoplumbing, the gravest choices are apparently on the
nature of the cipher suite. To include latest fad algo or not? Instead, I
offer you a simple solution. Don't. *There is one cipher suite, and it is
numbered Number 1.*"
- Ian Grigg's "Pareto Secure" https://iang.org/papers/pareto-secure.html
circa 2005
KEYQUOTES: "terms Pareto-secure and Pareto-secure improvement to refer to
security metrics resulting from allocations of competing choices in an
overall design. A change is a Pareto-secure improvement if a measurable and
useful improvement in security results, at no commensurate loss of security
elsewhere."
"we cannot suggest that either of TLS+TTP, or SSH+user-confirm are
Pareto-secure. Substitution of either key exchange regime results in
benefits but more importantly, costs."
My frustration last month was that Wikipedia still offers no qualifiers or
criticism of cryptographically agile architectures, but as you can see from
Ian Grigg's quotes above, criticism goes back quite a while.
My frustration this week was that someone knowledgeable and influential in
IETF asked us to add crypto-agility to a protocol that has exactly one
cryptographic choice — SHA256 for a hash algorithm. 🤷🏻♂️
-- Christopher Allen