

Problems with Proposed IP Cryptography [1995] - tptacek
http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt

======
tptacek
It doesn't seem like there's a chance in hell this will get voted up (what? no
arguments about software piracy? no social bookmarking angle?), but since a
couple people follow my posts:

I found this while researching one of the recent OpenBSD crypto fixes, and it
is fan-freaking-tastic. This is Phil Rogaway, a world-famous cryptographer,
addressing weaknesses in early proposals for IPSEC. There is no better way to
learn about this stuff than to watch an expert beat the crap out of an early,
flawed system.

More importantly, it's incredibly readable! It could just as well be titled
"Nine Lessons For Designing Cryptographic Protocols". And it's written for
IETF-types, protocol designers, not cryptographers.

I think this is a gem, I'm glad I stumbled across it, and I hope you get some
value out of it.

~~~
dwc
I don't follow anyone's posts, but I've seen your name on lucid comments.
Thanks for the find!

------
dfranke
I haven't studied IPSec closely. How much of this advice actually got
implemented?

------
tedunangst
High point: Recommending encrypt then mac. Still an issue today.

Low point: Saying MD5 is too slow. We have the opposite problem today.
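As an added illustration of the encrypt-then-MAC composition the comment above refers to (example code, not from the thread or from Rogaway's draft): encrypt under one key, authenticate the nonce and ciphertext under a separate key, and verify the tag in constant time before any decryption happens. The function names (`seal`, `unseal`, `verify`) are made up for this example, and the SHA-256 counter keystream is a stdlib-only stand-in for a real cipher such as AES-CTR.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Placeholder counter-mode keystream built from SHA-256 so the example runs
    # with the standard library only; the point here is the composition order,
    # not the cipher. A real system would use AES-CTR or similar.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(master: bytes) -> tuple:
    # Separate keys for encryption and authentication, derived from one master
    # key with distinct labels so neither can be substituted for the other.
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything the receiver will act on.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify(master: bytes, message: bytes) -> bool:
    # Constant-time tag check; returns False for truncated or altered messages.
    if len(message) < NONCE_LEN + TAG_LEN:
        return False
    _, mac_key = derive_keys(master)
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def unseal(master: bytes, message: bytes) -> bytes:
    # Reject before touching the ciphertext: decryption only runs on
    # messages whose tag has already been verified.
    if not verify(master, message):
        raise ValueError("authentication failed")
    enc_key, _ = derive_keys(master)
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))
```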

~~~
tptacek
In what sense do you mean that? That MD5 is breakable or that hash functions
are generally too fast?

~~~
tedunangst
That it runs too fast now. I've not heard many complaints about hash functions
being too slow recently. It stood out as a not particularly sage comment (to
somebody with the benefit of hindsight).

~~~
tptacek
That's not a problem we have with hash functions; it's a problem we have with
naive password storage schemes.

