crypto101 / book

Crypto 101, the introductory book on cryptography.
https://www.crypto101.io/

Add table indicating quality of Ciphers and Cipher suites #239

Closed Thorsten-Sick closed 9 years ago

Thorsten-Sick commented 9 years ago

A simple table indicating broken/weak/good ciphers/cipher suites/hash functions/... would help a lot to prevent the most common mistakes (trusting weak crypto). Maybe even add some comments as a footnote (like "keys with < Foo bits are considered weak"), but keep it as simple as possible.

lvh commented 9 years ago

I've gone back and forth on this.

This information is in the book, but spread out. I'm not sure that's a bad thing. I don't want to say that AES, SHA-256... are unambiguously good without the context that the book already provides, because it is trivially easy to implement totally broken systems with them; alas, usually easier than implementing correct systems with them.

If there's a takeaway, it should be "don't select ciphers, hash functions..." not "these ciphers, hash functions... are good/bad" -- the latter means you're probably asking the wrong question.

Thorsten-Sick commented 9 years ago

Coders can write bad code using good hash functions/ciphers. Agreed. But they cannot write good things using broken hash/ciphers. So the takeaway of a table like this would be not to use the broken algorithms at all and, if already using weak ones, move to good ones. Still needs proper implementation.

I agree, all that information is already in the book. I just read it :-) (good book already, by the way). But mistakes of the type "did choose wrong algorithm" would be reduced by the table. Especially if the table is not used for programming but for administration (TLS in browser/http server, SSH, ...)

lvh commented 9 years ago

I think we might have different audiences in mind.

I am amenable to giving advice along the lines of "use TLS for protecting data in motion", but not "use AES, not Bass-O-Matic". Even TLS configuration advice is a good idea, but that's another ticket, and probably shouldn't really live in Crypto 101 (although a reference to a well-maintained source, like Qualys' SSL Labs, should).

To rephrase it in terms of your original ask: trusting weak crypto is a problem, but only if you mean "cryptosystems". And, once you mean cryptosystems, the problem is typically not "used DES", but all-zero IVs, IV=key, nonce reuse, oh lord the many ways you can screw up RSA signatures, et cetera. Even the rare cases where it does end up being the primitive, you're typically not as screwed as you are with a broken composition (consider, for example, the gradual RC4 breaks).

Anyone starting with a bad primitive shouldn't be anywhere near protocol design; giving them a better primitive will not lead to better cryptosystems. Crypto 101 is about satisfying curiosities, not about minting cryptographers.

The reason I'm so opposed to such a table is that it gives the impression that maybe, just maybe, picking AES (or whatever) is a reasonable thing for someone who learned crypto through Crypto 101 to do, and that just is patently not true.
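
The composition failure named in the comment above (all-zero IVs, nonce reuse), as an added example that is not part of the thread or the book: a sound primitive used with a fixed nonce leaks the XOR of the plaintexts, and a simple audit over (nonce, ciphertext) pairs catches it. The toy stream cipher built from HMAC-SHA256, the key and the messages are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (assumption): HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """Return (nonce, ciphertext); the nonce travels in the clear."""
    return nonce, xor(plaintext, keystream(key, nonce, len(plaintext)))


def leaks_plaintext_xor(msg_a, msg_b, pt_a: bytes, pt_b: bytes) -> bool:
    """True if XORing the two ciphertexts cancels the keystream entirely."""
    return xor(msg_a[1], msg_b[1]) == xor(pt_a, pt_b)


def reused_nonces(messages):
    """Audit check: nonces that appear on more than one message under one key."""
    counts = Counter(nonce for nonce, _ in messages)
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed sample data.
KEY = bytes(range(32))
PT_A = b"transfer 0100 to alice"
PT_B = b"transfer 9999 to carol"
ZERO_NONCE = bytes(12)

# Broken composition: strong primitive, fixed all-zero nonce.
BROKEN = [encrypt(KEY, ZERO_NONCE, PT_A), encrypt(KEY, ZERO_NONCE, PT_B)]
# Corrected composition: a fresh random nonce per message.
FIXED = [encrypt(KEY, os.urandom(12), PT_A), encrypt(KEY, os.urandom(12), PT_B)]

if __name__ == "__main__":
    print("broken leaks XOR:", leaks_plaintext_xor(*BROKEN, PT_A, PT_B))
    print("fixed leaks XOR: ", leaks_plaintext_xor(*FIXED, PT_A, PT_B))
    print("reused nonces:   ", [n.hex() for n in reused_nonces(BROKEN)])
```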

Thorsten-Sick commented 9 years ago

I think you are right. Maybe a better project to drop that idea is bettercrypto.org. It is more admin oriented. Thanks again for the effort writing the book!