Hasty Briefsbeta

All tags

#cryptography

130 stories total

Bilingual

GNU: A Heuristic for Bad Cryptography
4 months ago
- GNU projects intersecting with cryptography are often poorly designed.
- GNU Name System (GNS) uses unconventional ECDSA over Curve25519 instead of Ed25519, raising security concerns.
- GNS employs AES and TwoFish in a cipher cascade with CFB mode, ignoring IND-CCA2 security.
- GnuPG and GnuTLS have a history of vulnerabilities and poor design choices.
- Recommended alternatives include age and minisign for GPG, and s2n, OpenSSL, or Libsodium for TLS/crypto needs.
A Vulnerability in Libsodium
4 months ago
- Libsodium is now 13 years old, created to simplify cryptography for users.
- The project focuses on high-level APIs, avoiding breaking changes, and maintaining stability.
- Originally based on NaCl API, libsodium has evolved but maintains backward compatibility.
- Despite documentation warnings, users started utilizing low-level functions directly.
- A bug was found in `crypto_core_ed25519_is_valid_point()`, allowing invalid points in certain subgroups.
- The bug was fixed by adding a missing check for Y = Z in point validation.
- Most users are unaffected as high-level APIs like `crypto_sign_*` don't use the flawed function.
- Recommendation: Use Ristretto255 for custom cryptographic schemes to avoid cofactor-related issues.
- Fixed packages are available, and the maintainer encourages sponsorships to support the project.
WebAssembly as a Python Extension Platform
4 months ago
- Software above a certain complexity level often includes an extension language, with Lua and JavaScript being common examples.
- WebAssembly (Wasm) allows any programming language targeting it to extend a Wasm-hosting application, offering more development tools than typical extension languages.
- Python can now be extended with Wasm, enabling architecture-independent Wasm blobs within Python libraries without requiring a native toolchain.
- Wasm is useful for speeding up Python functions, offering around a 10x speed-up for computational hotspots when re-implemented in C and run as Wasm.
- The wasmtime-py package is recommended for embedding Wasm in Python, as it includes pre-built binaries and doesn't require a native toolchain, though it has a large size and frequent API changes.
- Common pitfalls when working with Wasm in Python include handling pointers correctly to avoid negative indices and ensuring proper memory management.
- Monocypher, a cryptography library, can be compiled to Wasm and used within Python to provide secure cryptographic operations like AEAD encryption and decryption.
- Using Wasm for embedded capabilities in Python, such as cryptography, allows for secure and efficient operations without direct external access.
The PGP Problem (2019)
4 months ago
- PGP is outdated and has numerous deficiencies, making it unsuitable for modern cryptographic needs.
- PGP's design is overly complex, with a packet-based structure and multiple encoding methods that complicate implementation and use.
- PGP lacks modern cryptographic features like forward secrecy and uses outdated primitives, making it vulnerable to attacks.
- The user experience with PGP is poor, with difficult setup processes and cumbersome key management.
- PGP's key distribution mechanisms, such as the web of trust and key signing parties, are ineffective and impractical.
- PGP leaks metadata and lacks forward secrecy, compromising privacy and security.
- Alternatives to PGP are recommended for different use cases, such as Signal for messaging, Magic Wormhole for file transfers, and Signify/Minisign for package signing.
- Modern cryptographic tools like libsodium and age offer better security and usability than PGP.
Ed25519-CLI – command-line interface for the Ed25519 signature system
4 months ago
- ed25519-cli is a command-line interface for the lib25519 implementation of the Ed25519 signature system.
- Key generation is done via `ed25519-keypair`, which outputs public and secret keys to specified file descriptors.
- Signature generation is performed by `ed25519-sign`, which uses a secret key to sign a message read from standard input.
- Signature verification and message recovery are handled by `ed25519-open`, which checks a signed message against a public key.
- Each tool exits with a nonzero status on failure and 0 on success, facilitating use in shell scripts.
- Exit code 100 from `ed25519-open` specifically indicates an invalid signature.
The PGP Problem (2019)
4 months ago
- PGP is outdated and has numerous security flaws, making it unsuitable for modern cryptographic needs.
- PGP's design is overly complex, with a packet-based structure and multiple encoding methods that complicate implementation and use.
- PGP lacks modern cryptographic features like forward secrecy and authenticated encryption, relying instead on outdated and insecure primitives.
- The user experience with PGP is notoriously poor, making it difficult for even technical users to set up and use correctly.
- PGP encourages the use of long-term keys, which increases the risk of key compromise and reduces security.
- PGP's key distribution mechanisms, such as the web of trust and keyservers, are ineffective and often leak metadata.
- Alternatives to PGP exist for various use cases, such as Signal for secure messaging, Magic Wormhole for file transfers, and Signify/Minisign for package signing.
- Encrypting email with PGP is discouraged due to inherent insecurities in email itself and the additional risks posed by PGP's flaws.
- Modern cryptographic tools like libsodium and age provide better security and usability than PGP for application data and file encryption.
- The GnuPG implementation of PGP has a history of vulnerabilities and is not considered a secure or reliable codebase.
Decorative Cryptography
4 months ago
- The article discusses the TCG_TPM2_HMAC feature in the Linux kernel, which aims to prevent or detect bus snooping and interposer attacks on TPM communications.
- It highlights the threat model involving adversaries who can access the TPM bus, either passively (snooping) or actively (modifying data).
- The feature uses HMAC and encrypted transactions to secure TPM communications, but it has limitations, such as not protecting against tampering with firmware or bootloader measurements.
- The article points out the high overhead of using asymmetric crypto for common operations like PCR extensions and randomness generation.
- A critical flaw is identified: the kernel trusts the Null Primary Key without proper verification, inverting the chain of trust and making it vulnerable to attacks.
- The author emphasizes that applied cryptography alone cannot solve security problems without proper key management and warns against 'decorative cryptography' that provides a false sense of security.
- Lessons include the importance of directional chains of trust, the need for explainable security features, and the necessity of integrated roots of trust like Caliptra for defending against physical interposer adversaries.
PassSeeds – hijacking Passkeys to unlock new cryptographic use cases
4 months ago
- Passkeys provide secure, cryptographic authentication for website/app logins, but their use is restricted to this purpose.
- PassSeeds is a novel approach that repurposes passkeys' properties for broader cryptographic use cases by treating the passkey’s public key as seed material.
- PassSeeds enable deterministic key generation for various cryptographic applications, including Bitcoin transactions, decentralized social media, and zero-knowledge proofs.
- The PassSeed mechanism involves generating a passkey, recovering its public key via ECDSA key recovery from two signatures, and converting it into a BIP-39 mnemonic phrase for backup.
- PassSeeds offer a user-friendly alternative to traditional cryptographic key management, leveraging the security and sync capabilities of passkeys.
- The implementation includes TypeScript methods for creating, retrieving, and converting PassSeeds, with a focus on security and usability.
- PassSeeds can serve as a polyfill for WebAuthn's PRF feature, enabling deterministic cryptographic operations across all browsers.
- A demo and NPM package are available for integrating PassSeeds into web applications.
Practical Collision Attack Against Long Key IDs in PGP
4 months ago
- A Hacker News user claimed that 64-bit PGP key fingerprints do not include collisions, based on empirical evidence.
- A proof of concept demonstrated a collision attack on 64-bit 'Long Key IDs' used by OpenPGP and GnuPG.
- The attack exploited the Birthday Bound principle, requiring about 2^32 attempts for a 50% collision probability.
- The full attack took approximately 3 days on a laptop, with key steps including generating keypairs, computing Key IDs, and sorting results.
- Colliding Key IDs could allow an attacker to substitute malicious keys, leading to potential security breaches and plausible deniability.
- The article emphasizes the importance of not making empirical claims about cryptographic security without proper understanding.
Verifiable Brute Force Strength
4 months ago
- The text provides a detailed comparison of brute force search capabilities across various projects, measuring their speed in bits per second and estimating the time to exhaust a 128-bit keyspace.
- Projects like Bitcoin Mining, RC5-72, and various GPU configurations (e.g., 448x 2080 GPUs, RTX 4090) are benchmarked, with Bitcoin Mining leading at 69.850 bits/sec.
- The time to exhaust a 128-bit keyspace varies dramatically, from 10.131 billion years for Bitcoin Mining to 3.280 sextillion years for a ThinkPad T480s.
- Performance benchmarks include hardware AES encryption, distributed.net's RC5-72 challenge, and password cracking with Hashcat on different GPU setups.
- The text also explores the evolution of Bitcoin mining hash rates from 2009 to 2026, showing exponential growth in computational power.
- Specialized hardware like macOS M3 Pro with SHA acceleration and AES-NI on Intel CPUs are also benchmarked, highlighting their efficiency in cryptographic operations.
The State of OpenSSL for pyca/cryptography
4 months ago
- The Python cryptography library (pyca/cryptography) has relied on OpenSSL for core cryptographic algorithms for 12 years.
- OpenSSL's development trajectory is described in three acts: under-maintained pre-2014, post-Heartbleed improvements, and post-2021 regressions in OpenSSL 3.
- OpenSSL 3 introduced performance regressions, complexity, and API issues, leading to frustration among maintainers.
- Performance issues include significant slowdowns in parsing and key loading, with some operations being 3x slower than OpenSSL 1.1.1.
- The pyca/cryptography library achieved better performance by migrating some functionalities to Rust, showing that improvements are possible.
- OpenSSL 3's new APIs, like OSSL_PARAM, are criticized for reducing performance, increasing complexity, and making code less readable.
- OpenSSL's testing and verification practices are insufficient, with flaky CI and gaps in test coverage leading to undetected bugs.
- Memory safety is a concern, as OpenSSL has not committed to migrating to memory-safe languages like Rust, unlike other projects.
- The pyca/cryptography team is considering reducing reliance on OpenSSL, potentially switching to forks like LibreSSL, BoringSSL, or AWS-LC.
- Future steps may include dropping OpenSSL support entirely and exploring alternatives like Graviola for cryptographic implementations.
Claude Shannon's randomness-guessing machine
4 months ago
- Game involves Man and Machine predicting 'Zero' or 'One'.
- Man aims to be random; Machine predicts or passes.
- Correct Machine predictions earn points; incorrect ones benefit Man.
- Machine often outperforms Man after several moves.
- Reset game with 'Reset' button or 'Space' key.
- Origin attributed to John von Neumann or Stanislaw Ulam.
- Game educates on the folly of generating random numbers manually for cryptography.
TPM on Embedded Systems: Pitfalls and Caveats to Watch Out For
4 months ago
- Trusted Platform Module (TPM) chips have been in use for over 20 years, with TPM 2.0 released in 2014.
- TPMs are standard in PCs and are now being adopted in embedded Linux sectors due to legal requirements like EU’s CRA.
- TPMs can be dedicated chips or firmware-based (fTPM), emulated in secure environments like UEFI or Arm TrustZone.
- Common TPM use cases include cryptographic algorithms for network protocols (TLS) and storage security (LUKS/dm-crypt, BitLocker).
- TPM keys can be sealed to PCR values, ensuring keys are only usable under specific integrity conditions.
- Embedded devices differ from PCs in boot processes, threat models, and longer lifecycles (10+ years).
- Physical attacks on embedded devices include bus snooping, MitM attacks, and TPM resets to bypass PCR checks.
- Linux Kernel 6.10 introduces mechanisms to detect TPM interposer attacks using NULL seed volatility.
- fTPMs eliminate physical bus vulnerabilities but are prone to side-channel attacks and TEE flaws.
- TPMs cannot mitigate all threats; additional measures like SELinux, AppArmor, and secure boot chains are essential.
- TPM firmware updates are critical, especially for vulnerabilities like TPM-FAIL (CVE-2019-16863).
- Cold boot attacks can leak secrets from main memory after TPM unsealing, requiring mitigations.
- TPMs are slow; offloading heavy cryptography to them is impractical, but they can secure long-term keys.
Lennart Poettering, Christian Brauner founded a new company
3 months ago
- Mission to deliver verifiable integrity to Linux workloads globally.
- Building cryptographic verification into Linux systems for trust from start to ongoing operation.
- Commitment to uncompromising integrity in system states.
Compromise of Polish codes and ciphers WWII
3 months ago
- Poland fought on the side of the Allies in WWII and was the first country occupied by Nazi Germany.
- Polish Government in Exile and military forces contributed significantly to the Allied war effort, including Polish pilots in the Battle of Britain and troops in North Africa, Italy, and Western Europe.
- Polish intelligence service operated extensively in occupied Europe, even infiltrating the German High Command, and collaborated with British, American, and Japanese intelligence agencies.
- Polish intelligence provided around 80,000 reports to the British, including critical information on German V-weapons and high command activities.
- Polish diplomatic and military ciphers were compromised by German, British, and American codebreakers during the war.
- German codebreakers solved Polish diplomatic ciphers, including 'Code 45', and military intelligence ciphers, gaining valuable intelligence.
- British and American codebreakers also decrypted Polish military intelligence communications but did not warn the Poles, risking Allied security.
- Polish resistance and intelligence networks in Switzerland (Ekspozytura S) and France (Ekspozytura F2) were compromised by German codebreakers.
- Polish cipher machines like the Lacida were found insecure, and attempts to secure communications with British Typex machines were hindered by production issues.
- The compromise of Polish communications was a significant intelligence failure, with lessons for future cryptographic security.
We have broken SHA-1 in practice
3 months ago
- SHA-1 has been practically broken, allowing for the creation of two colliding PDF files with the same digital signature.
- This vulnerability affects digital signatures, file integrity verification, and file identification across various applications, including GIT and SVN.
- Many applications still use SHA-1 despite known theoretical attacks since 2005 and its deprecation by NIST in 2011.
- Google and Mozilla have taken steps to protect users, with Chrome marking SHA-1 certificates as insecure and Firefox deprecating SHA-1.
- GIT repositories can be manipulated to have the same commit hash but different contents, posing a security risk.
- SVN has been patched against SHA-1 collisions in versions 1.9.6 and up, and 1.8.18.
- The SHAttered attack is significantly faster than brute force, requiring extensive computational resources but is now practical.
- A collaboration between CWI and Google Research led to this breakthrough, leveraging Google's infrastructure and expertise.
- An online tool is available to check files for SHA-1 collision attacks, developed by Marc Stevens and Dan Shumow.
- Counter-cryptanalysis can detect and mitigate SHA-1 collision attacks by producing different hashes for colliding files.
Don't pass on small block ciphers
3 months ago
- Small block ciphers (32-bit, 64-bit) are often perceived as antiquated and insecure, but they remain useful in specific applications.
- Larger block ciphers (e.g., Rijndael-256, Vistrutah) are more versatile and secure, but small block ciphers still have niche uses.
- Small block ciphers are problematic because their limited block size makes them vulnerable to enumeration and distinguishing attacks.
- Block ciphers are symmetric cryptographic functions that apply a key-dependent permutation to input data.
- Small block ciphers can securely encrypt counters (e.g., account IDs, packet indices) to hide sensitive information.
- UUIDs (v1, v4, v6, v7) have trade-offs: v1/v7 leak timestamps, v4 is random but larger, and v6 is legacy-optimized.
- Small block ciphers can encrypt portions of UUIDs (e.g., timestamps in UUIDv7) to prevent leakage while retaining UUID properties.
- SIMON and SPECK (NSA-designed) are well-analyzed, efficient small block ciphers with no known practical attacks.
- Small block ciphers are not universally secure but can be useful in passive-adversary scenarios or when hiding specific data.
- Key whitening (FX/Even-Mansour) can enhance small block cipher security.
Fast sorting networks, branchless by design
3 months ago
- Sorting is a critical problem in computer science, with performance being a key consideration for most applications.
- Traditional sorting algorithms like Quicksort, Mergesort, and pdqsort are vulnerable to timing side-channel attacks, which can leak sensitive data.
- Sorting networks offer a solution by providing a fixed sequence of operations, making them data-oblivious and resistant to timing attacks.
- Bubble sort is an example of a simple sorting network but is inefficient for large datasets.
- Odd-even transposition sort improves upon bubble sort by introducing parallelism, though it still has O(n²) complexity.
- Bitonic sequences and Batcher's bitonic sort provide a more efficient approach with O(n log²n) complexity, making them practical for cryptographic applications.
- djbsort, developed by Daniel J. Bernstein, implements Batcher's sorting network with optimizations for speed, constant-time execution, and formal verification.
- A Zig implementation of djbsort demonstrates significant performance improvements over traditional sorts, especially for native numeric types and SIMD optimization.
- Float sorting in djbsort uses a clever bit manipulation technique to impose a total order, maintaining performance close to integer sorting.
- Sorting networks, despite their higher theoretical complexity, can outperform traditional sorts in practice, especially for security-sensitive applications.
Cryptographic Issues in Matrix's Rust Library Vodozemac
3 months ago
- Matrix's Olm library had multiple side-channel vulnerabilities, which were not fixed despite disclosure.
- Matrix.org's security team failed to notify alternative clients about vulnerabilities and mishandled the disclosure process.
- Vodozemac, Matrix's Rust library, contains cryptographic vulnerabilities, including accepting the identity element in Diffie-Hellman, leading to zero security.
- Downgrade attacks from V2 to V1 in Vodozemac reduce security by truncating HMAC outputs to 64 bits.
- Miscellaneous issues in Vodozemac include weak ECIES CheckCode, silent dropping of message keys, deterministic IV in pickle format, and disabled security checks under fuzzing.
- Matrix's cryptography lacks expertise, with repeated vulnerabilities found in both libolm and Vodozemac.
- Matrix's leadership has not shown humility or willingness to learn from past security issues.
- Audits of Matrix's cryptography have not led to sufficient improvements, with known issues remaining unaddressed.
- Matrix's security flaws make it a risky choice for secure communication, comparable to other poorly secured platforms like Twitter's X Chat.
Carelessness versus Craftsmanship in Cryptography
3 months ago
- Two AES libraries, aes-js and pyaes, provide a default IV in their AES-CTR API, leading to key/IV reuse bugs affecting thousands of projects.
- Reusing key/IV pairs in AES-CTR or GCM mode can lead to serious security issues, including plaintext recovery and brittle encryption.
- aes-js and pyaes lack modern cipher modes like AES-GCM and AES-GCM-SIV, making them vulnerable to attacks.
- Both libraries are vulnerable to side-channel attacks and have not been updated since 2017-2018.
- The maintainer of aes-js dismissed a serious security concern with a casual response, highlighting carelessness.
- strongSwan's strongMan VPN Manager was found to be vulnerable due to pyaes's default IV, but the maintainer responded with a model security fix.
- The fix for strongMan included replacing pyaes with a modern library, using GCM-SIV, and adding per-entry key derivation.
- The difference between carelessness and craftsmanship lies in how developers respond to mistakes, with strongMan exemplifying the latter.

first prev5next

About|Login

#cryptography

GNU: A Heuristic for Bad Cryptography

A Vulnerability in Libsodium

WebAssembly as a Python Extension Platform

The PGP Problem (2019)

Ed25519-CLI – command-line interface for the Ed25519 signature system

The PGP Problem (2019)

Decorative Cryptography

PassSeeds – hijacking Passkeys to unlock new cryptographic use cases

Practical Collision Attack Against Long Key IDs in PGP

Verifiable Brute Force Strength

The State of OpenSSL for pyca/cryptography

Claude Shannon's randomness-guessing machine

TPM on Embedded Systems: Pitfalls and Caveats to Watch Out For

Lennart Poettering, Christian Brauner founded a new company

Compromise of Polish codes and ciphers WWII

We have broken SHA-1 in practice

Don't pass on small block ciphers

Fast sorting networks, branchless by design

Cryptographic Issues in Matrix's Rust Library Vodozemac

Carelessness versus Craftsmanship in Cryptography