

Rogan Dawes

The thing about complex security protocols is that they can be reused across multiple systems, which in turn makes it feasible for them to be thoroughly reviewed without the cost of the review overwhelming the benefit of the security protocol in the first place.

Yes, DES/AES/RC4/etc. are all complex systems. But nobody writes their own any more; they use well-reviewed (shared) implementations that have already withstood significant scrutiny.

And this applies to many of the security protocols in use today.

I'm not denying that complexity is the enemy of security. But implying that complex systems MUST be insecure is naive.
