nanog mailing list archives

Re: [cryptography] Google's QUIC


From: Eugen Leitl <eugen () leitl org>
Date: Wed, 3 Jul 2013 12:27:00 +0200

----- Forwarded message from ianG <iang () iang org> -----

Date: Wed, 03 Jul 2013 13:24:54 +0300
From: ianG <iang () iang org>
To: cryptography () randombit net
Subject: Re: [cryptography] Google's QUIC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6

On 3/07/13 12:37 PM, Eugen Leitl wrote:
----- Forwarded message from Saku Ytti <saku () ytti fi> -----

Date: Tue, 2 Jul 2013 21:35:58 +0300
From: Saku Ytti <saku () ytti fi>
To: nanog () nanog org
Subject: Re: Google's QUIC
User-Agent: Mutt/1.5.21 (2010-09-15)

On (2013-06-29 23:36 +0100), Tony Finch wrote:

Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf

Now that I've read the separate 'QUIC Crypto' page, it sounds a bit like déjà vu.

QUIC also uses the Curve25519 pubkey and the Salsa20 cipher, which is hard to
attribute to chance, considering both are DJB's work; both are used by his
NaCl library and, by extension, by MinimaLT. Neither is a particularly common
algorithm.

It's not the choice of algorithm that is "by chance"; it is the choice
of suite as a design decision that matters.

I also would like to use the same ciphersuite, but the reason is that
DJB has already done the work to define the entire suite, saving me
from doing it.  This is quite a saving for me, and hasn't hitherto
existed as an external service.  Last time it took over a month of
hard research and learning to settle on
RSA/AES128/CBC/SHA1/HMAC/Encrypt-then-mac.

As an added bonus, DJB came up with a shorter, catchier name:

curve25519xsalsa20poly1305

In the past, things like TLS, PGP, IPSec and others encouraged you to
slice and dice the various algorithms as a sort of alphabet soup mix.
Disaster.  What we got for that favour was code bloat, insecurity at
the edges, continual arguments as to what is good & bad, focus on
numbers & acronyms, distraction from user security, entire projects
that rate your skills in cryptoscrabble, committee-itis, upgrade
nightmares, pontification ...

Cryptoplumbing shouldn't be like eating spaghetti soup with a toothpick.

There should be One Cipher Suite and that should do for everyone,
every time.  There should be no way for users to stuff things up by
tweaking a dial they read about in some slashdot tweakabit article
while on the train to work.


I'm not implying QUIC plagiarizes MinimaLT; there are differences in the
protocol. Just the choice of algorithms implies the QUIC authors are aware of
MinimaLT.



Picking curve25519xsalsa20poly1305 is good enough for that One True
CipherSuite motive alone, and doesn't imply any other sort of copying
one might have seen.  It's an innovation!  Adopt it.



iang
_______________________________________________
cryptography mailing list
cryptography () randombit net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
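Added example, not code from the thread, from NaCl or from MinimaLT: a pure-Python reference model of the suite iang names, curve25519xsalsa20poly1305, composed the way NaCl's crypto_box composes it (X25519 shared point, HSalsa20 to derive the box key, XSalsa20 keystream, Poly1305 one-time tag over the ciphertext, tag checked before anything is decrypted). Function names mirror NaCl's API but the code is mine; it is not constant-time and is for reading, not deployment. What it shows is the point being argued above: the caller's interface is a message, a nonce and two keys, with no algorithm, mode or MAC left to choose.

```python
"""Reference model of NaCl's one fixed suite, curve25519xsalsa20poly1305 (crypto_box).
Added illustration, not code from the thread or from NaCl/TweetNaCl. Pure Python,
not constant-time, not for production: the point is that there is exactly one composition."""
import hmac

P = 2**255 - 19
SIGMA = b"expand 32-byte k"           # Salsa20 constant for 32-byte keys
MASK32 = 0xFFFFFFFF
BASEPOINT = bytes([9]) + bytes(31)    # Curve25519 generator, u = 9

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Curve25519 scalar multiplication, Montgomery ladder as in RFC 7748."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ~(1 << 255)) | (1 << 254)        # clamp: clear low 3 bits and bit 255, set bit 254
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32

def _salsa20_rounds(x: list) -> None:
    """20 Salsa20 rounds (10 column/row double-rounds) on 16 words, in place."""
    def qr(a, b, c, d):
        x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
        x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
        x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
        x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)
    for _ in range(10):
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)   # column round
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)   # row round

def _words(b: bytes) -> list:
    return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]

def _state(key: bytes, inp: bytes) -> list:
    """Salsa20 input block: constants on the diagonal, key in two halves, 16-byte input."""
    k, n, c = _words(key), _words(inp), _words(SIGMA)
    return [c[0], *k[:4], c[1], *n, c[2], *k[4:], c[3]]

def hsalsa20(key: bytes, inp: bytes) -> bytes:
    """HSalsa20: the rounds without feed-forward; output the diagonal and input words."""
    x = _state(key, inp)
    _salsa20_rounds(x)
    return b"".join(x[i].to_bytes(4, "little") for i in (0, 5, 10, 15, 6, 7, 8, 9))

def xsalsa20_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """XSalsa20: HSalsa20 subkey from nonce[:16], then Salsa20 with nonce[16:] and a 64-bit counter."""
    subkey, out = hsalsa20(key, nonce[:16]), bytearray()
    for counter in range((length + 63) // 64):
        x = _state(subkey, nonce[16:] + counter.to_bytes(8, "little"))
        y = list(x)
        _salsa20_rounds(y)
        out += b"".join(((y[i] + x[i]) & MASK32).to_bytes(4, "little") for i in range(16))
    return bytes(out[:length])

def poly1305(key: bytes, msg: bytes) -> bytes:
    """One-time authenticator: clamped r, 16-byte blocks with a trailing 0x01 byte, mod 2^130-5."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    acc, p = 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def box_beforenm(pk: bytes, sk: bytes) -> bytes:
    """Shared box key: HSalsa20 of the raw X25519 point with an all-zero 16-byte input."""
    return hsalsa20(x25519(sk, pk), bytes(16))

def crypto_box(msg: bytes, nonce: bytes, pk: bytes, sk: bytes) -> bytes:
    """16-byte Poly1305 tag || ciphertext; keystream bytes 0..31 are the one-time MAC key."""
    stream = xsalsa20_stream(box_beforenm(pk, sk), nonce, 32 + len(msg))
    ct = bytes(m ^ s for m, s in zip(msg, stream[32:]))
    return poly1305(stream[:32], ct) + ct

def crypto_box_open(boxed: bytes, nonce: bytes, pk: bytes, sk: bytes) -> bytes:
    """Verify the tag first; a modified box is rejected, never partially decrypted."""
    stream = xsalsa20_stream(box_beforenm(pk, sk), nonce, 16 + len(boxed))
    tag, ct = boxed[:16], boxed[16:]
    if not hmac.compare_digest(tag, poly1305(stream[:32], ct)):
        raise ValueError("crypto_box_open: authentication failed")
    return bytes(c ^ s for c, s in zip(ct, stream[32:]))
```

Checking a model like this against the public RFC 7748 X25519 vectors and the crypto_box vector shipped in NaCl's own test suite (Alice's and Bob's keys, a 24-byte nonce and a 131-byte message) is the sensible first step; a composition that only round-trips with itself proves nothing about interoperability. Note also that there is nothing to configure: every choice the alphabet-soup protocols leave to the deployer is fixed inside the functions.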

