Is this crypto paper real or fake?
Peter Fairbrother
peter at m-o-o-t.org
Wed Sep 23 02:51:02 PDT 2015
On 23/09/15 06:26, Georgi Guninski wrote:
> On Tue, Sep 22, 2015 at 09:27:43AM -0500, Brent Cook wrote:
>> Sounds like the next step is to remove curves <= 193 bits, and learn
>> from what breaks as a result.
>
> I believe this will break some CA certs trusted by major
> browsers and in particular will break some browsing.
>
>
Yes, that is a big problem with SSL and TLS.
The desire for backwards compatibility and cipher agility means that the
little padlock in the browser doesn't actually mean very much - the
suite in use might be so weak as to be no better than unauthenticated
plaintext.
More, the average user doesn't usually have a clue what's going on - How
secure is the suite in use? Does the suite in use have forward security?
Is there any authentication? Is the authentication reliable? Is there
any encryption? Is it actually secure in any way? - these are questions
the average user cannot answer.
Heck, I can't answer them most of the time without digging into the
innards of the session.
Backwards compatibility and cipher agility also permit cipher suite
choice degradation attacks like FREAK and logjam, where weak suites are
forced on the user.
To be secure, cipher agility absolutely requires that weak or broken
ciphers can be effectively and definitively eliminated from use - but
there is no real mechanism in SSL/TLS for doing that.
One solution is - in TLS3 abolish cipher agility, and have only one
suite: call it Jim's suite.
The little padlock in the browser now says "protected by Jim". Everybody
now knows what that means, or can find out. The meaning doesn't change
according to things going on in the computer which the ordinary guy has
no clue about.
After a few years, when Jim's suite is getting a little iffy, introduce
Tom's suite in TLS4. Deprecate Jim's suite, then remove it.
People shouldn't really be rewriting libreSSL - they should be writing
libreTLS3 instead, with no cipher suite agility.
Apart from anything else, with only one suite and one protocol, that
should be a lot easier to do.
PS: is there an archive of libreSSL at openbsd anywhere?
-- Peter Fairbrother
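As an added illustration of the questions the post raises (authentication, encryption, forward secrecy, weak or export-grade primitives), here is a small Python checker that answers them from an OpenSSL-style cipher suite name and from the `(name, protocol, bits)` tuple that `ssl.SSLSocket.cipher()` returns. This is example code written for this page, not code from the thread or from LibreSSL; the weak-primitive sets and thresholds are my own assumptions, not values from the discussion.

```python
import re

# Constructed policy, my assumption rather than anything stated in the thread:
# symmetric primitives and protocol versions treated as weak, and a key floor.
WEAK_SYMMETRIC = {"RC4", "RC2", "DES", "CBC3", "3DES", "IDEA", "SEED", "NULL"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_SYMMETRIC_BITS = 128

def assess_suite(name):
    """Answer the post's questions from an OpenSSL-style suite name: is the
    peer authenticated, is anything encrypted, is there forward secrecy,
    and does the suite use known-weak or export-grade primitives?"""
    t = re.split(r"[-_]", name.upper())
    if t[0] == "TLS":  # TLS 1.3 names (TLS_AES_128_GCM_SHA256): always AEAD + (EC)DHE
        return {"authenticated": True, "encrypted": True,
                "forward_secrecy": True, "weak": False}
    anonymous = t[0] in {"ADH", "AECDH"} or "ANON" in t   # no certificate at all
    export = any(tok.startswith("EXP") for tok in t)       # EXP / EXP1024 prefixes
    return {
        "authenticated": not anonymous,
        "encrypted": "NULL" not in t,                      # NULL suites only MAC
        "forward_secrecy": t[0] in {"ECDHE", "DHE", "EDH", "AECDH", "ADH"},
        "weak": anonymous or export or "MD5" in t
                or any(tok in WEAK_SYMMETRIC for tok in t),
    }

def assess_connection(cipher_info):
    """cipher_info is the (name, protocol, secret_bits) tuple returned by
    ssl.SSLSocket.cipher(); adds protocol-version and key-length checks."""
    name, proto, bits = cipher_info
    r = assess_suite(name)
    r["weak"] = r["weak"] or proto in WEAK_PROTOCOLS or (bits or 0) < MIN_SYMMETRIC_BITS
    r["protocol"] = proto
    return r

def verdict(r):
    """One line a user could read instead of a padlock icon."""
    if not r["encrypted"] or not r["authenticated"]:
        return "NO BETTER THAN PLAINTEXT"
    if r["weak"]:
        return "WEAK"
    return "OK" + (" (forward secrecy)" if r["forward_secrecy"] else " (no forward secrecy)")

if __name__ == "__main__":
    # Constructed samples in the shape ssl.SSLSocket.cipher() produces.
    for sample in [("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
                   ("EXP-RC4-MD5", "SSLv3", 40),
                   ("AES256-SHA", "TLSv1.2", 256),
                   ("ADH-AES128-SHA", "TLSv1.2", 128)]:
        print(sample[0], "->", verdict(assess_connection(sample)))
```

On a live socket, `verdict(assess_connection(sock.cipher()))` gives the same one-line answer for the suite actually negotiated.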