
Re: Crypto agility in SCRAM + draft-josefsson-password-auth?



On Tue, Mar 18, 2008 at 06:38:45PM +0100, Simon Josefsson wrote:
> One argument in favor of SHA-1 could be that SHA-1's total life-time in
> service (1995-2010?) appears likely to be longer than what SHA-256's total
> life-time in service will be (2002-?).  I assume that once the SHA-3
> competition is finished, SHA-2 will be deprecated.
> 
> The total life-time in service corresponds to the amount of security
> critical purposes the hash is used for.  Which consequently corresponds
> to the amount of time researchers spend on trying to attack it.  That is
> the best measure on a cryptographic algorithm's quality that we can use
> in the IETF, I think.

Whereas I think that consensus is the best "measure of a cryptographic
algorithm's quality that we can use in the IETF."

Look, if a paper comes out tomorrow that shows a reduction in strength
of SHA-1 to the point that it's worthless, then all those "years in
service" will no longer be a useful measure of SHA-1's strength.

IETF consensus on these issues will have to be informed by cryptographer
consensus, and by what non-cryptographers can understand the state of
the art and the trends to be.  That's much too subjective, yes, but
"years in service" is only deceptively objective.

> On the other hand, this assumes that one year of cryptographic research
> time in 1995 is worth as much as one year of cryptographic research time
> in 2008, which isn't true.

Exactly!

> I don't think we should specify both, it will cause interop problems.

None that we didn't already know we'd have as a result of having hash
agility in the first place.

> I would be fine with HMAC-SHA-256.  It will take at least one year until
> this RFC is published (if we are optimistic) and then it is even more
> likely that all relevant platforms will have SHA-256.

I can agree with that.  I don't think Chriss will like that answer
though.