----- Forwarded message from ianG <iang@iang.org> ----- Date: Wed, 03 Jul 2013 13:24:54 +0300 From: ianG <iang@iang.org> To: cryptography@randombit.net Subject: Re: [cryptography] Google's QUIC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 On 3/07/13 12:37 PM, Eugen Leitl wrote:
----- Forwarded message from Saku Ytti <saku@ytti.fi> -----
Date: Tue, 2 Jul 2013 21:35:58 +0300 From: Saku Ytti <saku@ytti.fi> To: nanog@nanog.org Subject: Re: Google's QUIC User-Agent: Mutt/1.5.21 (2010-09-15)
On (2013-06-29 23:36 +0100), Tony Finch wrote:
Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf
Now that I read separate 'QUIC Crypto' page. It sounds bit of a deja vu.
QUIC also uses Curve25519 pubkey and Salsa20 cipher, which is hard to attribute as chance, considering both are DJB's work, both are used by his NaCl library and by extension by MinimaLT. Neither is particularly common algorithm.
It's not the choice of algorithm that is "by chance" it is the choice of suite as a design decision that matters. I also would like to use the same ciphersuite, but the reason is that DJB has already done the work to define the entire suite, saving me from doing it. This is quite a saving for me, and hasn't hitherto existed as an external service. Last time it took over a month of hard research and learning to settle on RSA/AES128/CBC/SHA1/HMAC/Encrypt-then-mac. As an added bonus, DJB came up with a shorter, catchier name: curve25519xsalsa20poly1305 In the past, things like TLS, PGP, IPSec and others encouraged you to slice and dice the various algorithms as a sort of alphabet soup mix. Disaster. What we got for that favour was code bloat, insecurity at the edges, continual arguments as to what is good & bad, focus on numbers & acronyms, distraction from user security, entire projects that rate your skills in cryptoscrabble, committeeitus, upgrade nightmares, pontification ... Cryptoplumbing shouldn't be like eating spagetti soup with a toothpick. There should be One Cipher Suite and that should do for everyone, everytime. There should be no way for users to stuff things up by tweaking a dial they read about in some slashdot tweakabit article while on the train to work.
I'm not implying QUIC plagiarizes MinimaLT, there are differences in the protocol, just choice of the algorithm implies QUIC authors are aware of MinimaLT.
Picking curve25519xsalsa20poly1305 is good enough for that One True CipherSuite motive alone, and doesn't imply any other sort of copying one might have seen. It's an innovation! Adopt it. iang _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5