undefined | Better HN

0 pointstptacek3y ago0 comments

Yes, and every one of those major cryptosystems has been a debacle, in large part because of the negotiations imposed by ciphersuites. It is not a must-have feature; it's a feature cryptography engineering best practice is rapidly beginning to recognize as an anti-feature. See WireGuard for an example of the alternative: you version the whole protocol, and if some primitive you depend on has a break, you roll out a new version --- which, historically, you've effectively had to do anyways in legacy protocols.

0 comments

est313y ago

If you have multiple WireGuard versions, in a migration setting, you also need to do some negotiation at the start, no? Wouldn't that be potentially vulnerable to downgrade attacks as well?

tptacekOP3y ago

No: you simply don't speak the old versions.

est313y ago

So the migration looks like "upgrade the client or you won't be able to connect to the server any more"? What if you use the client to talk to multiple servers, some that use the old version, some that use the new version? Maybe via a config variable adjustable per server? Then you do out of band version negotiation, and you might get away with this in the VPN setting, where entering arcane config vars is commonplace, but not in e.g. the TLS setting.

2 more replies

Zamicol3y ago

Cryptographic agility means to support multiple cryptographic primitives and to not be overly coupled to a single primitive.

WireGuard is a great example of a product with cryptographic agility. https://www.wireguard.com/protocol

Cryptographic agility says nothing about "version the whole protocol".

tptacekOP3y ago

No, it's pretty widely recognized that WireGuard is in a sense a repudiation of "agility". You can look at, for instance, the INRIA analysis/proof paper to see how a bunch of disinterested cryptographers describe it: "many new secure channel protocols eschew standardisation in favour of a lean design that uses only modern cryptography and supports minimal cryptographic agility."

If you want to say "minimalist agility is good and you're just saying maximalist agility is bad", that's fine, we're just bickering about terms. But that's pretty obviously not what Schneier is talking about.

Zamicol3y ago

All the works I've read of Schneier have given me the impression of the above definition, "support multiple cryptographic primitives and do not be overly coupled to a single primitive."

Serendipitously, I just tweeted about this 11 days ago: https://twitter.com/CyphrMe/status/1556660870901403648

"The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required."

Do you have a link to something that in your mind represents what Schneier is talking about?

1 more reply

j / k navigate · click thread line to collapse

0 comments

est313y ago

If you have multiple WireGuard versions, in a migration setting, you also need to do some negotiation at the start, no? Wouldn't that be potentially vulnerable to downgrade attacks as well?

tptacekOP3y ago

No: you simply don't speak the old versions.

est313y ago

2 more replies

Zamicol3y ago

Cryptographic agility means to support multiple cryptographic primitives and to not be overly coupled to a single primitive.

WireGuard is a great example of a product with cryptographic agility. https://www.wireguard.com/protocol

Cryptographic agility says nothing about "version the whole protocol".

tptacekOP3y ago

Zamicol3y ago

All the works I've read of Schneier have given me the impression of the above definition, "support multiple cryptographic primitives and do not be overly coupled to a single primitive."

Serendipitously, I just tweeted about this 11 days ago: https://twitter.com/CyphrMe/status/1556660870901403648

"The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required."

Do you have a link to something that in your mind represents what Schneier is talking about?

1 more reply

j / k navigate · click thread line to collapse