In an earlier post on SSH I described my experiences of deploying Elliptic Curve Cryptography (ECC) in OpenSSH 5.7. Over on the LOPSA tech mailing-list, Tom Perrine asked for people's opinions on ECC. I wrote a reply, which I then realised belongs here, since it clarifies why I would do something, whereas my previous post merely covered the mechanics of how I did it.
I believe in algorithm agility and not being critically dependent upon any one system. Crypto strength is mostly about what we don't know how to do, not what we can prove. As Bruce Schneier is fond of saying, attacks against a crypto-system only ever get better.
Thus I deploy both RSA and DSA keys, both host and client, so that in the event of a calamity I can turn one off and still have the other to use. A calamity might be a crypto break-through, or it might be the discovery of a bug like the one which bit Debian systems a few years back and seriously weakened keys.
It's not that I have any reason to fear that RSA or DSA might be weak, but that I have no reason to believe that either is too weak, so running both in parallel does not hurt security and does improve my ability to respond to a changing environment, which at some point in time will critically improve my security.
Likewise, ECC and the ECDSA support: it's a different system, built on different primitives. I'm not a cryptanalyst able to judge the security of ECC; I trust what the experts say. I am a sysadmin opposed to single points of failure, and ECC is good enough that I like being able to deploy it in parallel, so that I'm not just dependent upon prime number factorisation.
It might be that the next breakthrough will take down ECC, not RSA, and I'll end up having to disable it and those who didn't deploy it will laugh. But it could be that the next breakthrough hurts RSA instead. *shrug* I prepare for the worst and cover my bases.
In closing, I'll note that when the NSA tinkered with DES there was a lot of paranoia, but when public cryptography finally caught up it turned out that the NSA had made DES stronger. The evidence to date, rather than the loud-mouthing, suggests that the NSA does its job honestly, making real crypto stronger and protecting the US government and public in this manner. With the NSA pushing NIST to push federal systems to migrate to ECC, I'm not going to go out screaming that "we must move to ECC", but I am going to heed the advice and buy myself the flexibility by deploying a third hostkey and client pubkey algorithm.
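Whether a server actually has that fallback is something you can check from its configuration. The script below is an added example, not code from the original post: it parses the `HostKey` directives of an `sshd_config`, reads the first field of each matching `.pub` file to learn the key type, groups the types by the hard problem they rest on (factorisation for `ssh-rsa`, discrete log mod p for `ssh-dss`, elliptic-curve discrete log for `ecdsa-sha2-*`), and reports whether at least two independent families are configured, so that one can be disabled without losing SSH access. The config text and public-key lines are constructed samples, not real keys; the function names and the convention that the public key lives at `<HostKey path>.pub` are my assumptions.

```python
"""Check an sshd_config for host-key algorithm diversity.

Added example, not from the original post. Given the text of an sshd_config
and the contents of the matching .pub files, report which key families are
configured and whether a second family exists as a fallback.
"""
import re

# Key type (first field of an OpenSSH .pub line) -> family / underlying hard problem.
FAMILY_OF_KEYTYPE = {
    "ssh-rsa": "RSA (integer factorisation)",
    "ssh-dss": "DSA (discrete log mod p)",
    "ecdsa-sha2-nistp256": "ECDSA (elliptic-curve discrete log)",
    "ecdsa-sha2-nistp384": "ECDSA (elliptic-curve discrete log)",
    "ecdsa-sha2-nistp521": "ECDSA (elliptic-curve discrete log)",
}

# Constructed sample config (not a real server's file).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key   # third algorithm, added with OpenSSH 5.7
#HostKey /etc/ssh/ssh_host_key        # disabled protocol-1 key
"""

# Constructed public-key lines: only the first field (the key type) matters here;
# the base64 blobs are placeholders, not real key material.
SAMPLE_PUBKEYS = {
    "/etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED root@example",
    "/etc/ssh/ssh_host_dsa_key.pub": "ssh-dss AAAAB3NzaC1kc3M_CONSTRUCTED root@example",
    "/etc/ssh/ssh_host_ecdsa_key.pub":
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY_CONSTRUCTED root@example",
}


def hostkey_paths(sshd_config):
    """Return the HostKey paths listed in an sshd_config text, in file order."""
    paths = []
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"(?i)hostkey\s+(\S+)", line)  # does not match HostKeyAlgorithms
        if m:
            paths.append(m.group(1))
    return paths


def keytype_of_pubkey(pubkey_text):
    """First whitespace-separated field of an OpenSSH public-key line, or None."""
    fields = pubkey_text.split()
    return fields[0] if fields else None


def configured_families(sshd_config, pubkeys):
    """Map each HostKey path to its family string.

    pubkeys maps '<HostKey path>.pub' to the file's text (assumed layout).
    A path with no .pub entry maps to None; an unrecognised type to 'unknown'.
    """
    result = {}
    for path in hostkey_paths(sshd_config):
        pub = pubkeys.get(path + ".pub")
        if pub is None:
            result[path] = None
            continue
        result[path] = FAMILY_OF_KEYTYPE.get(keytype_of_pubkey(pub), "unknown")
    return result


def has_fallback(sshd_config, pubkeys):
    """True when at least two distinct, recognised families are configured."""
    families = {f for f in configured_families(sshd_config, pubkeys).values()
                if f is not None and f != "unknown"}
    return len(families) >= 2


if __name__ == "__main__":
    for path, family in configured_families(SAMPLE_SSHD_CONFIG, SAMPLE_PUBKEYS).items():
        print(f"{path}: {family or 'no .pub file found'}")
    if has_fallback(SAMPLE_SSHD_CONFIG, SAMPLE_PUBKEYS):
        print("OK: more than one key family configured; one can be disabled.")
    else:
        print("WARNING: single key family; no fallback if it has to be turned off.")
```

On a real host you would read `/etc/ssh/sshd_config` and the `.pub` files from disk instead of the constructed dictionary; the check is deliberately indifferent to key sizes and curves, since the point being tested is diversity of the underlying hard problem, not the strength of any one key.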
-The Grumpy Troll