SecureD Futures (v2.0)

Adam Wilson flyboynw at gmail.com
Wed May 30 03:37:28 UTC 2018 

On 05/29/2018 11:29 AM, Brad Roberts wrote:
> 
> On 5/29/2018 1:57 AM, Adam Wilson via Digitalmars-d wrote:
>> One of the pillars of SecureD is that ONLY safe, well-known, 
>> algorithms are presented. If reasonable we will only present one 
>> algorithm for a specific purpose. If there is a good reason to add 
>> more than one algorithm, we will.
> 
> One of the pillars of crypto is that eventually a problem will be found 
> with every algorithm, it's just a matter of time.  So, having just one 
> available means that eventually the library will be horribly broken. The 
> corollary here is that having a fallback is pretty essential.

Sure. For example, TLS 1.3 supports AES, Camellia, ARIA, and 
ChaCha20-Poly1305 for symmetric ciphers. However, when you look at the 
best-practice recommendations, AES is the clear winner. And when you 
look at what actually gets used, it's AES. AES is the Gold Standard and 
it would take a fundamental breakthrough in cryptanalysis for that to 
change.

But what happens to TLS1.3 if there is a fundamental breakthrough?
- ARIA uses an AES derived substitution-permutation network.
- Camellia uses the same S-box that AES does. (It was an AES contender)
- Poly1305 for ChaCha20 directly uses AES in it's PRF.
Which algorithm do you switch to? Anything that breaks AES can also be 
used against these other algorithms. In this case, ChaCha20 is probably 
the best answer, but only if you apply a different MAC to it.

It's a good thing that a fundamental breakthrough in cryptanalysis is 
unlikely in the foreseeable future. Of course, that's what we told 
ourselves before 3DES and Differential Cryptanalysis.

I don't disagree with you. But the overwhelming cacophony of choice 
presents it's own issues. (See: The Paradox of Choice) SecureD v2 could 
easily support these ciphers, and I don't really have a problem adding 
them for the purposes of compatibility. But the default is going to be 
AES for the forseeable future. The design premise of SecureD is to make 
the the safe defaults easy and everything else hard.

In cases where there are known weaknesses SecureD does intend to support 
multiple algorithms, but usually only two, for example SHA2 potentially 
suffers from the same weaknesses as SHA1, and as a result SecureD v2 
will be getting SHA3 support whenever OpenSSL 1.1.1 drops. But it's not 
going to add things like Whirlpool or Skein.

Or RSA versus ECC. I am considering adding Curve25519 support to v2, but 
with NSA/NIST deprecating ECC altogether (as it is less resistant to 
quantum computing than RSA, see: 
https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks) 
it may be better to wait-and-see what comes of the work being done on 
quantum-resistant public-key cryptography. The new Supersingular Isogeny 
Diffie-Hellman (SIDH) looks like a strong contender, but nothing 
implements it, and it's way too new to put any trust in it yet.

-- 
Adam Wilson
IRC: LightBender
import quiet.dlang.dev;

More information about the Digitalmars-d mailing list