[cryptography] Google's QUIC

Eugen Leitl eugen at leitl.org
Wed Jul 3 10:27:00 UTC 2013


----- Forwarded message from ianG <iang at iang.org> -----

Date: Wed, 03 Jul 2013 13:24:54 +0300
From: ianG <iang at iang.org>
To: cryptography at randombit.net
Subject: Re: [cryptography] Google's QUIC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6

On 3/07/13 12:37 PM, Eugen Leitl wrote:
> ----- Forwarded message from Saku Ytti <saku at ytti.fi> -----
> 
> Date: Tue, 2 Jul 2013 21:35:58 +0300
> From: Saku Ytti <saku at ytti.fi>
> To: nanog at nanog.org
> Subject: Re: Google's QUIC
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> On (2013-06-29 23:36 +0100), Tony Finch wrote:
> 
>> Reminds me of MinimaLT: http://cr.yp.to/tcpip/minimalt-20130522.pdf
> 
> Now that I read separate 'QUIC Crypto' page. It sounds bit of a deja vu.
> 
> QUIC also uses Curve25519 pubkey and Salsa20 cipher, which is hard to
> attribute as chance, considering both are DJB's work, both are used by his
> NaCl library and by extension by MinimaLT. Neither is particularly common
> algorithm.

It's not the choice of algorithm that is "by chance" it is the choice
of suite as a design decision that matters.

I also would like to use the same ciphersuite, but the reason is that
DJB has already done the work to define the entire suite, saving me
from doing it.  This is quite a saving for me, and hasn't hitherto
existed as an external service.  Last time it took over a month of
hard research and learning to settle on
RSA/AES128/CBC/SHA1/HMAC/Encrypt-then-mac.

As an added bonus, DJB came up with a shorter, catchier name:

curve25519xsalsa20poly1305

In the past, things like TLS, PGP, IPSec and others encouraged you to
slice and dice the various algorithms as a sort of alphabet soup mix.
Disaster.  What we got for that favour was code bloat, insecurity at
the edges, continual arguments as to what is good & bad, focus on
numbers & acronyms, distraction from user security, entire projects
that rate your skills in cryptoscrabble, committeeitus, upgrade
nightmares, pontification ...

Cryptoplumbing shouldn't be like eating spagetti soup with a toothpick.

There should be One Cipher Suite and that should do for everyone,
everytime.  There should be no way for users to stuff things up by
tweaking a dial they read about in some slashdot tweakabit article
while on the train to work.


> I'm not implying QUIC plagiarizes MinimaLT, there are differences in the
> protocol, just choice of the algorithm implies QUIC authors are aware of
> MinimaLT.



Picking curve25519xsalsa20poly1305 is good enough for that One True
CipherSuite motive alone, and doesn't imply any other sort of copying
one might have seen.  It's an innovation!  Adopt it.



iang
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the NANOG mailing list