IETF-SSH archive


Re: updated transport & userauth drafts



On Fri, Mar 01, 2002 at 05:28:08PM -0500, Bill Sommerfeld wrote:
> I think it's too soon to make a document change because of this --
> most importantly, I don't think that enough Real Cryptographers(tm)
> have looked at either the problem or the proposed fix to conclude that
> a change along the lines of your suggested fix is better than leaving
> the document alone.

I agree, there needs to be more review of the problem and the proposed
solution. Cryptography researchers may think the problem is too trivial
and uninteresting to look at on their own initiative, so I suggest that
everyone who has a stake in this ask their favorite cryptographers to
take a look.

> The use of ciphers in counter mode is also very new, and, as with all
> stream ciphers, there are some definite subtleties to their use; who's
> to say that crypto researchers won't find a problem with counter modes
> which are just as bad as the CBC problem (i.e., a purely theoretical
> vulnerability except in a few corner cases).

I think the cryptographic research community now understands cipher modes
and their security properties much better than they used to. The CBC mode
problem has been known for quite a while in the research community (but
apparently the knowledge has not been passed widely outside of it). CTR
mode is perhaps the best understood mode because of its simplicity, and I
believe it does not have any known problems when used in the way I
suggest.

I would say that a vulnerability is theoretical if there is no possibility
that it can be exploited in the real world. That is clearly not the case
here.

> new ciphers can follow later once there's clear consensus on a
> solution.

I don't understand why we would want to standardize on a weak protocol. If
there is no consensus on a solution, wouldn't it be better to wait until
there is one?
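The following is an added illustration, not code from this thread or from any SSH implementation. It sketches the counter-mode transport the reply argues for (one running block counter per direction, nothing chained from the previous ciphertext) and, for the "stream cipher subtleties" the quoted message raises, the invariant that makes or breaks it: a counter value must never be used twice under one key. Assumptions not in the message: a 16-byte block, a counter starting at 0 (the real proposal derives the initial counter from the key exchange), HMAC-SHA256 truncated to one block standing in for the negotiated block cipher, and constructed sample packets.

```python
"""CTR-mode transport sketch: per-direction running counter, no IV chaining.
Added illustration only; the block cipher is replaced by an HMAC-SHA256 PRF stand-in."""
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumption: a 128-bit block cipher)


def keystream_block(key: bytes, counter: int) -> bytes:
    """Stand-in for E_k(counter). CTR mode only needs a pseudorandom function of the
    counter, which is why its security argument is so simple. Real SSH would use the
    negotiated block cipher here; HMAC-SHA256 truncated to one block is an assumption."""
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


class CtrDirection:
    """One direction of an SSH-style transport: a key and a block counter that keeps
    advancing across packets. Nothing from the previous ciphertext feeds into the next
    packet, unlike CBC with chained IVs."""

    def __init__(self, key: bytes, counter: int = 0):
        # Assumption: counter starts at 0. The real design derives the initial
        # counter from the key exchange instead; the invariant below is the same.
        self.key = key
        self.counter = counter

    def crypt(self, packet: bytes) -> bytes:
        """Encrypt or decrypt (same XOR). Packets are block-aligned, as SSH pads them."""
        if len(packet) % BLOCK:
            raise ValueError("packet length must be a multiple of the block size")
        out = bytearray()
        for off in range(0, len(packet), BLOCK):
            ks = keystream_block(self.key, self.counter)
            self.counter = (self.counter + 1) % (1 << (8 * BLOCK))  # fixed-width wrap
            out += bytes(p ^ k for p, k in zip(packet[off:off + BLOCK], ks))
        return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def roundtrip(key: bytes, packets: list) -> list:
    """Sender and receiver each keep their own counter; they stay in lockstep per block."""
    sender, receiver = CtrDirection(key), CtrDirection(key)
    return [receiver.crypt(sender.crypt(p)) for p in packets]


def same_plaintext_twice(key: bytes, packet: bytes) -> tuple:
    """Correct use: the counter advanced, so a repeated packet encrypts differently."""
    sender = CtrDirection(key)
    return sender.crypt(packet), sender.crypt(packet)


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """The stream-cipher subtlety: if the counter is ever reset (a bug, or two directions
    sharing key and counter), both packets get the same keystream, and XORing the two
    ciphertexts cancels it, leaving p1 XOR p2 visible to anyone watching the wire.
    Returned here so a test can confirm the invariant matters."""
    c1 = CtrDirection(key, counter=0).crypt(p1)
    c2 = CtrDirection(key, counter=0).crypt(p2)  # counter reused: the mistake
    return xor(c1, c2)


# Constructed sample data (not real SSH traffic); each packet is two blocks long.
KEY = b"constructed-demo-key-not-secret!"
PACKETS = [b"SSH_MSG_CHANNEL_DATA #1 padded..", b"SSH_MSG_CHANNEL_DATA #2 padded.."]

if __name__ == "__main__":
    print("roundtrip ok:", roundtrip(KEY, PACKETS) == PACKETS)
    c1, c2 = same_plaintext_twice(KEY, PACKETS[0])
    print("repeated packet encrypts differently:", c1 != c2)
    print("counter reuse leaks p1^p2:", keystream_reuse_leak(KEY, *PACKETS) == xor(*PACKETS))
```

The design point is that the receiver needs nothing from the sender except the shared key and the agreed starting counter; every block's keystream is a function of the counter alone, so the security reduces to the block function being a good PRF and the counter never repeating. The last function is the failure mode a reviewer should look for in any counter-mode deployment: a reset or shared counter turns two ciphertexts into the XOR of their plaintexts.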


