So says NIST...
10 years ago I annoyed the entire crypto-supply industry:
Hypothesis #1 -- The One True Cipher Suite
In cryptoplumbing, the gravest choices are apparently on the nature of the cipher suite. To include the latest fad algo or not? Instead, I offer you a simple solution. Don't.
There is one cipher suite, and it is numbered Number 1.
Cipher suite #1 is always negotiated as Number 1 in the very first message. It is your choice, your ultimate choice, and your destiny. Pick well.
The One True Cipher Suite was born of watching projects and groups wallow in the mire of complexity, as doubt caused teams to add multiple algorithms, a complexity that easily doubled the cost of the protocol with consequent knock-on effects & costs & divorces & breaches & wars.
The One True Cipher Suite, as an aphorism, was widely ridiculed in crypto and standards circles. Developers and standards groups like the IETF just could not let go of crypto agility, the term coined to champion the alternative. This sacred cow led the TLS group to field something like 200 standard suites in SSL, then radically reduce them to 30 or 40 over time.
Now, NIST has announced that AES, as a single standard algorithm, is worth $250 billion in economic benefit over the 20 years of its project lifetime, from 1998 to now.
h/t to Bruce Schneier, who also said:
"I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I do like the pretty block diagram of AES on the report's cover."
One good suite based on AES allows agility within the protocol to be dropped. Entirely. Instead, upgrade the entire protocol to an entirely new suite, every 7 years. That is what I said, if anyone was asking. No good algorithm lasts less than 7 years.
Crypto-agility was a sacred cow that should have been slaughtered years ago, but maybe it took this report from NIST to lay it down: $250 billion of benefit.
In another footnote, we of the Cryptix team supported the AES project because we knew it was the way forward. Raif built the Java test suite and others in our team wrote and deployed contender algorithms.
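As an added illustration of the design choice argued above (this is example code written for this page, not the post's or the Cryptix team's), here is a toy model of the two handshake designs: the agile one, where the first message is an ordered list of suites and the server picks, and the One True Cipher Suite one, where the first message names a single protocol version. The suite names and version numbers are assumed for illustration.

```python
# Added example (not from the post): a toy model of the two designs the post
# contrasts. Suite names and version numbers are constructed for illustration.

# Constructed table: protocol version -> the single suite that version speaks.
# Moving to a new suite means shipping a new version, not adding a list entry.
ONE_TRUE_SUITE = {1: "AES-128-GCM", 2: "AES-256-GCM"}


def agile_negotiate(client_offer, server_supported):
    """Agile design: the first message is an ordered list of suites and the
    server takes the first one it also supports. Whatever list actually
    reaches the server decides the outcome."""
    for suite in client_offer:
        if suite in server_supported:
            return suite
    raise ValueError("no common suite")


def agile_outcomes(client_offer, server_supported):
    """Risk view of the agile design: every suite the handshake can end in if
    the server sees some sub-list of the offer (a client bug, a middlebox
    that filters entries, or tampering all shorten it). Every common suite is
    reachable, so each weak entry kept 'for compatibility' stays reachable."""
    return {suite for suite in client_offer if suite in server_supported}


def fixed_handshake(client_version, server_version):
    """One True Cipher Suite design: the first message carries only a version
    number. Either both ends speak it, or the handshake fails and the peer
    learns which version to upgrade to. There is no list to shorten or
    reorder, so the outcome space is exactly one suite."""
    if client_version not in ONE_TRUE_SUITE:
        return ("reject", "unknown version")
    if client_version != server_version:
        return ("reject", f"upgrade to version {server_version}")
    return ("accept", ONE_TRUE_SUITE[client_version])


if __name__ == "__main__":
    offer = ["AES-256-GCM", "AES-128-GCM", "LEGACY-CBC"]
    server = {"AES-128-GCM", "LEGACY-CBC"}
    print("agile, full offer:    ", agile_negotiate(offer, server))
    print("agile, cut-down offer:", agile_negotiate(["LEGACY-CBC"], server))
    print("agile outcome space:  ", sorted(agile_outcomes(offer, server)))
    print("fixed, v1 <-> v1:     ", fixed_handshake(1, 1))
    print("fixed, v1 <-> v2:     ", fixed_handshake(1, 2))
```

The agile outcome space grows with every suite both ends keep around, while the fixed design's only run-time decision is accept or upgrade.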
AES, like SHA-x, has been designed as a backdoor - and that's what this report acknowledges: the value of a long-lasting backdoor.
It lasted long, not much because it's so solid but rather because the "trusted" crypto community, like academia, is controlled via DoD contracts and grants.
Yet, these good times are over because many State-nations have realized how much their blind trust in the US has been costing them.
In 2015, Admiral Rogers explained that "shady backdoors" should be replaced by a (necessarily unbreakable*) "frontdoor" to restore trust in an international framework.
(*) something well-documented by decade-old public sources that Bruce nevertheless persists in calling "Snake Oil" in a conference where the Head of NSA and US CyberCommand feels the need to say that "we lie when we claim it's impossible to make a frontdoor".
As the US "free and open markets" decided otherwise, the window of opportunity has been lost by the US NIST and its private-sector partners.
It was not meant to be that bad. The involved people are entirely responsible for this "Cyber market failure" (an expression coined by The Economist) and their lack of the most basic honesty towards their own Nation is the only thing to blame.
Posted by: Peter Pan at December 1, 2018 04:13 AM
The "one true cipher suite" fait accompli was in a certain sense a suspect goal of the AES challenge, and while I am a firm believer in choices and alternatives rather than one and only one "my way or the highway," a lot of good alternative ciphers did come out of the AES process, which were not otherwise forthcoming to the public domain.
The other four finalists in the AES competition, Twofish, MARS, Serpent, and RC6 (other than the winner, Rijndael), are all excellent choices, well documented and publicly peer reviewed.
There are settings on, say, web browser or server software (or other SSL or TLS enabled applications) to enable or prefer certain ciphers other than AES, or even refuse service to AES-only clients depending on the situation. If you don't "like" AES.
Posted by: La Abeja at December 15, 2018 01:08 PM