Is this crypto paper real or fake?

Peter Fairbrother peter at m-o-o-t.org
Wed Sep 23 02:51:02 PDT 2015


On 23/09/15 06:26, Georgi Guninski wrote:
> On Tue, Sep 22, 2015 at 09:27:43AM -0500, Brent Cook wrote:
>> Sounds like the next step is to remove curves <= 193 bits, and learn
>> from what breaks as a result.
>
> I believe this will break some CA certs trusted by major
> browsers and in particular will break some browsing.
>
>

Yes, that is a big problem with SSL and TLS.

The desire for backwards compatibility and cipher agility means that the 
little padlock in the browser doesn't actually mean very much - the 
suite in use might be so weak as to be no better than unauthenticated 
plaintext.

More, the average user doesn't usually have a clue what's going on - how 
secure is the suite in use? Does the suite in use have forward security? 
Is there any authentication? Is the authentication reliable? Is there 
any encryption? Is it actually secure in any way? - these are questions 
the average user cannot answer.

Heck, I can't answer them most of the time without digging into the 
innards of the session.


Backwards compatibility and cipher agility also permit cipher suite 
choice degradation attacks like FREAK and logjam, where weak suites are 
forced on the user.


To be secure, cipher agility absolutely requires that weak or broken 
ciphers can be effectively and definitively eliminated from use - but 
there is no real mechanism in SSL/TLS for doing that.




One solution is - in TLS3 abolish cipher agility, and have only one 
suite: call it Jim's suite.

The little padlock in the browser now says "protected by Jim". Everybody 
now knows what that means, or can find out. The meaning doesn't change 
according to things going on in the computer which the ordinary guy has 
no clue about.

After a few years, when Jim's suite is getting a little iffy, introduce 
Tom's suite in TLS4. Deprecate Jim's suite, then remove it.



People shouldn't really be rewriting libreSSL - they should be writing 
libreTLS3 instead, with no cipher suite agility.

Apart from anything else, with only one suite and one protocol, that 
should be a lot easier to do.


PS: is there an archive of libreSSL at openbsd anywhere?

-- Peter Fairbrother
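Added illustration, not part of the thread above: a small Python check, using only the standard `ssl` module, that answers the questions the post raises (forward security, authentication, encryption, known-weak components) from the negotiated cipher suite name. The classification by OpenSSL-style name tokens is a heuristic assumption of this example, the suite names in the test data are constructed, and `inspect_endpoint` is an assumed helper that connects to a host you choose.

```python
from __future__ import annotations
import socket
import ssl
from dataclasses import dataclass

# Heuristic on OpenSSL-style suite names (assumption of this example).
EPHEMERAL_KX = {"ECDHE", "DHE", "ADH", "AECDH"}   # ephemeral (EC)DH => forward secrecy
ANON_KX = {"ADH", "AECDH"}                        # anonymous DH: no server authentication
WEAK_TOKENS = {"EXP", "EXP1024", "RC4", "DES", "MD5", "NULL"}  # export, RC4, (3)DES, MD5, no cipher


@dataclass
class SuiteAssessment:
    name: str
    forward_secrecy: bool
    authenticated: bool
    encrypted: bool
    weak: bool


def assess_suite(name: str) -> SuiteAssessment:
    """Answer the post's questions from the negotiated suite name alone."""
    if name.startswith("TLS_"):
        # TLS 1.3 names carry only AEAD + hash: key exchange is always ephemeral
        # and the handshake is always authenticated by the certificate.
        return SuiteAssessment(name, True, True, True, False)
    parts = set(name.split("-"))
    encrypted = "NULL" not in parts
    authenticated = not (parts & ANON_KX)
    forward_secrecy = bool(parts & EPHEMERAL_KX)
    weak = (not encrypted) or (not authenticated) or bool(parts & WEAK_TOKENS)
    return SuiteAssessment(name, forward_secrecy, authenticated, encrypted, weak)


def inspect_endpoint(host: str, port: int = 443) -> tuple[str, SuiteAssessment]:
    """Connect with the default (certificate-verifying) context and report what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, version, _bits = tls.cipher()   # (name, protocol version, key bits)
            return version, assess_suite(suite)


if __name__ == "__main__":
    import sys
    # Hypothetical default host; pass your own as the first argument.
    version, result = inspect_endpoint(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(version, result)
```

A suite that comes back with `weak=True` or `forward_secrecy=False` is exactly the case where the padlock tells the user nothing.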