| > Think about the flip side of your question... what were the alternatives 12 years ago, or 5 years ago? SHA-2 and RIPEMD. > And why would someone write code for alternatives that aren't expected to be used and maybe don't exist? That's the problem: the software industry is still suffering from MD5 getting cracked [0]! Cryptographic agility is a baseline requirement for security primitives. > In my experience, generalizing ahead of need more often than not causes problems I agree and Linus has valid complaints about security recommendations during the 25-year history of Linux: most of the security recommendations kill performance and are only partial fixes, so why bother? But Linus is also engaging in premature optimization: computers are ~30 billion times faster than when he first starting programming Linux. Yes, SHA-2 is relatively slow, they could have at least not hardcoded SHA-1 into the codebase and protocol. > I've watched over-engineering result in far more effort to fix when the need it was anticipating does arrive than just waiting until the need is there. You clearly haven't done any safety related engineering. That's the thing about cryptography: millions of dollars and human lives are at stake. Despite the smartest people in the world working on these problems, cryptographic primitives/protocols are regularly broken. Due to Quantum computing, every common cryptographic primitive we use today will need to be replaced or upgraded at some point. Thankfully, you don't need to worry about the engineering of a given cryptographic primitive as long as you can swap it out with a new one. But when you hardcode a specific hash function and length into your protocol/codebase you are now assuming the role of a cryptographer. [0]: https://en.wikipedia.org/wiki/Flame_%28malware%29 |