ietf-smime

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

2008-12-30 18:10:30

On Tue, Dec 30, 2008 at 05:01:12PM -0500, Jeffrey Hutzelman wrote:
> Incidentally, the recently reported problems with CBC mode ciphers in SSH
> have gotten me to thinking that in some situations, a single REQUIRED
> algorithm isn't enough, because if something goes wrong and you have to
> abandon that algorithm in a hurry, operators may be in a position of having
> to choose between seriously compromising either security or
> interoperability.

+1

But note that in the case of the SSH CBC mode ciphers the vulnerable
ciphers had only the cipher mode in common.  The SSH vulnerability, in
any case, doesn't stem from the use of CBC, but is more general, and
well could have been worse, but let's ignore that for this argument.

So in the SSH case one would have liked to have seen two or more
REQUIRED to implement ciphers with very distinct properties.  Say
3DES in CBC mode, AES in counter mode, and arcfour.

Applying a principle of redundancy in RTI algorithms to symmetric key
protocols is fairly simple.  Applying such a principle to PKI seems
rather more difficult -- it's not just hash algorithms, but pk
algorithms too.  Your example was to require not just the implementation
of multiple hash (but not pk) algorithms, but to require the *use* of
those.  That makes sense to me, but it's not quite the same principle
being applied to PKI as to SSH.

Nico
--