Re: [Cfrg] Re: [saag] Algorithm upgrades

["David A. McGrew" <mcgrew at cisco.com>]

Alex,

On Oct 29, 2004, at 6:23 AM, Alex Alten wrote:

> All,
>
> Let me point out as an example that the automated teller machines 
> (ATMs) security
> protocol has been using the same algorithm with DES since about 1982.  
> Making
> protocols algorithm independent (with extra handshakes and upgrade 
> mechanisms)
> has the side effect of making them very complex and thus harder to 
> certify for
> interoperability, optimize for performance, etc.

I respectfully disagree.  Modern systems and protocols need to have the 
ability to utilize different crypto algorithms.  Otherwise, how can a 
deficient algorithm be replaced?  Consider the complexity of taking a 
legacy system in which the algorithms have been hard-wired and then 
trying to remove a deficient algorithm and replace it with a better 
one.

OTOH, I do think that we could do a better job of making the crypto 
easy to upgrade.  If there were a well defined, clean and simple 
interface to the crypto functions, and crypto functions were defined to 
match that interface, adoption would be easier.  One research paper 
that goes in this direction (but does not formally define an interface) 
is: Mihir Bellare and Tadayoshi Kohno and Chanathip Namprempre, 
Breaking and Provably Repairing the SSH Authenticated Encryption 
Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm, To 
appear in ACM Transactions on Information and System Security, ACM, 
2004. An extended abstract of this paper appeared in Ninth ACM 
Conference on Computer and Communications Security, ACM, 2002. 
http://eprint.iacr.org/2002/078/

David

> - Alex
>
> At 02:22 PM 10/28/2004 -0700, Jeff Williams wrote:
> > Steve and all,
> >
> >   Again we disagree in your conclusion here Steve.  Of course we
> > have been over this ground before.  Changing or introducing new
> > crypto algorithm's in no way should impede or prevent interoerability
> > and interface facilities now available can and do address this issue.
> >
> > Steve Crocker wrote:
> >
> > > No matter what algorithms we choose today, it's likely that changes 
> > will
> > > be required in the future.  Let me strengthen Ran's suggestion.  In
> > > addition to building algorithm-independent protocols, the protocols
> > > should also include an upgrade mechanism for changing algorithms in 
> > an
> > > orderly way.  It's not good enough to say protocol FOO is 
> > independent of
> > > algorithm if all of the initial deployment depends on crypto 
> > algorithm
> > > SNARF and there's no way to introduce new crypto algorithm FARNS 
> > without
> > > breaking interoperability.
> > >
> > > Steve
> > >
> > > > -----Original Message-----
> > > > From: saag-bounces at mit.edu [mailto:saag-bounces at mit.edu] On
> > > > Behalf Of RJ Atkinson
> > > > Sent: Thursday, October 28, 2004 8:49 AM
> > > > To: David A. McGrew
> > > > Cc: cfrg at ietf.org; saag at mit.edu
> > > > Subject: [saag] Re: universal MACs
> > > >
> > > >
> > > > David,
> > > >
> > > > My protocol preference in an IETF context is for
> > > > algorithm-independent
> > > > protocols,
> > > > so that one does not need to change the protocol to add support 
> > for
> > > > additional
> > > > algorithms in future.  This property holds for at least OSPFv2
> > > > authentication and
> > > > RIPv2 authentication (and yes, I am working on documentation
> > > > updates to
> > > > each
> > > > of those specifications to document how SHA-1 and its relatives 
> > are
> > > > implemented).
> > > >
> > > > My algorithm preference in an IETF context is for algorithms that 
> > are
> > > > acceptable
> > > > to the largest number of end users.  Right now, many
> > > > governments (from
> > > > multiple
> > > > governments, including several in Europe and several in Asia,
> > > > NOT just
> > > > the US)
> > > > and many non-governmental customers are insisting upon the same
> > > > algorithm set,
> > > > which is the set of currently NIST-approved algorithms and
> > > > modes.  This
> > > > set of
> > > > algorithms appears to be the preferred set of algorithms and modes
> > > > right now --
> > > > by a VERY wide margin.
> > > >
> > > > In practice, that means there is a strong buyer preference from 
> > many
> > > > countries
> > > > for SHA-1 (and its NIST-documented relatives) and for AES (in
> > > > NIST-acceptable
> > > > modes).  Several countries, including several in Europe and
> > > > several in
> > > > Asia, are
> > > > also insisting that cryptographic products they buy have NIST FIPS
> > > > 140-2 approvals.
> > > > This also tends to reinforce the selection of algorithms and modes
> > > > since only the
> > > > NIST-approved algorithms and modes can get a FIPS 140-2 approval.
> > > >
> > > > I would even suggest that for the moment, any new security 
> > protocols
> > > > developed
> > > > in an IETF context ought to include documentation on how
> > > > NIST-approved
> > > > algorithms
> > > > and modes are used with those protocols -- even if the IETF were 
> > to
> > > > decide that
> > > > it preferred some non-NIST algorithm or mode for a particular
> > > > security
> > > > protocol
> > > > as the "default" algorithm/mode choice.
> > > >
> > > > Yours,
> > > >
> > > > Ran Atkinson
> > > > rja at extremenetworks.com
> > > >
> > > > PS:  Nitpickers should please note well that all of my comments 
> > above
> > > > are about
> > > > the end-user/marketplace desires, and there is no comment above 
> > about
> > > > the quality
> > > > of any particular algorithm or mode.
> > > >
> > > >
> > > > On Oct 28, 2004, at 07:51, David A. McGrew wrote:
> > > > >     I suspect that the group preference would be towards hash
> > > > > functions that are portable (e.g. fast on a wide variety of
> > > > CPUs) and
> > > > > that require minimal per-key state.  There may be other points 
> > of
> > > > > view; others please chime in if you have other priorities.
> > > > >
> > > > > David
> > > >
> > > > _______________________________________________
> > > > saag mailing list
> > > > saag at mit.edu
> > > > https://jis.mit.edu/mailman/listinfo/saag
> > > >
> > >
> > > _______________________________________________
> > > saag mailing list
> > > saag at mit.edu
> > > https://jis.mit.edu/mailman/listinfo/saag
> >
> > Regards,
> >
> > --
> > Jeffrey A. Williams
> > Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
> > "Be precise in the use of words and expect precision from others" -
> >     Pierre Abelard
> >
> > "If the probability be called P; the injury, L; and the burden, B;
> > liability depends upon whether B is less than L multiplied by
> > P: i.e., whether B is less than PL."
> > United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
> > ===============================================================
> > Updated 1/26/04
> > CSO/DIR. Internet Network Eng. SR. Eng. Network data security
> > IDNS. div. of Information Network Eng.  INEG. INC.
> > E-Mail jwkckid1 at ix.netcom.com
> >  Registered Email addr with the USPS
> > Contact Number: 214-244-4827
> >
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg at ietf.org
> > https://www1.ietf.org/mailman/listinfo/cfrg
>
> --
>
> Alex Alten
> alten at EscalonNetworks.com
> (925) 425-9600
>
> _______________________________________________
> saag mailing list
> saag at mit.edu
> https://jis.mit.edu/mailman/listinfo/saag


_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg