Cryptography thread

This thread is for questions and discussions concerning cryptography.

Friendly reminder that AES128 (the cipher that most sites use) is broken blog.cr.yp.to/20151120-batchattacks.html

What do you think about golem and decentralized computing?

What's the best place to securely store private keys?

Whats the best method of ridding the world of anime fags? Would this be an acceptle form of genocide?

Smartcards? In an encrypted form always, with Chacha20 or some other modern algorithm.
And make sure to use an EdDSA-based curve (like curve/ed25519) to avoid most side-channel attacks that occur in algorithms like RSA.

>Friendly reminder that AES128 (the cipher that most sites use) is broken

So were those rumors about the NSA having broken it 5ish years ago true?

AES128 was broken by design, along with every 128-bit cipher.

>gpg still doesn't support chacha20

How hard are the Cryptopals (Matasano) challenges?

Is there any reason to do them? I feel like this stuff is cool but I'll never get paid to do anything related to this unless I'm a low key genius and just haven't realized it yet.

They are pretty difficult and take some time to figure out. I think they're probably about equal to mid-level Project Euler problems, but it gets harder as you go. I don't think it's worth it unless you want to work with crypto; if you have the free time to do it, then go for it.

Anybody interested in learning modern cryptography: I slapped this together for you, functionalcs.github.io/curriculum/#org1aa358c. Check out the PQ crypto summer school talks from this year.

GnuPG (libgcrypt) has had both a side-channel attack and a random number generator problem for 20 years: eprint.iacr.org/2017/627.pdf
You can use LibreSSL for performing symmetric encryption w/ChaCha20, and could sign the msg with Signify if you personally knew the other end and exchanged keys (or use GnuPG signatures).

Anybody else interested: djb once reinvented TCP (curvecp.org/index.html) to protect against this bug that happened a few months ago in HTTP/2: ringroadbug.com/

Apply for a job at NCC group as a junior security consultant, they will train you if you can figure out at least a few of the crypto challenges, and shit like microcorruption CTF. There's nothing genius about crypto engineering. It's very, very hard to get correct but it's not genius level programming by any means.

>Friendly reminder that AES128 (the cipher that most sites use) is broken
Can I change what I use then?

>GnuPG (libgcrypt) has both a side-channel attack
This was for RSA though, and to my knowledge it would not be applicable to RSA-4kib. GPG however has had tons of really mindblowing bugs, such as the one where when receiving keys from a keyserver it did not check if their fingerprint was valid.

>You can use LibreSSL for performing symmetric encryption w/ChaCha20
Sadly, neither LibreSSL nor OpenSSL supports ChaCha20 encryption from the command line, to my knowledge. You would have to use the library, but in that case you would probably be better off using NaCl.

>Anybody else interested, djb once reinvented tcp curvecp.org/index.html
There is always IPSec. That being said, IKE sucks dicks and nobody seems to care about alternative key exchange protocols.

>to protect against this bug that happened a few months ago ringroadbug.com/ in HTTP/2
Wasn't aware that they dropped TLS from HTTP/2, or am I misunderstanding anything?

How did they do this?

You can disable it manually, but then you would be a better target for tracking. It would be better to beg mozilla to do it instead.
Or at least beg webservers not to override your preferred cipher and select one that is lower in the list that your browser offers. In fact, telling the server what ciphers you support was a stupid choice from the start.

So I can force a different one? How do I do this in Firefox?

Go to about:config and play with security.ssl3.*

?

Yes, this.

It's not broken, it's weak and hence should be avoided; use AES256.

Just turn off the 128 ones?

Yes, and DES.

Hey, it worked. Why isn't this done by default?

Because Mozilla does not give a shit about security - the same reason why they do not kill the NIST curves and replace them with x25519. Same probably goes for Google however.

>AES
>Recommending something developed by the NSA
Spotted the CIA nigger.

I keep reading it, and it looks like he's recommending NOT using AES.

Read my post again please, I talked against using AES128.

>developed by the NSA
Actually this part is false, Rijndael was developed by two Belgian cryptographers and it was one of the many NIST candidates for the AES title.

-enc chacha works w/LibreSSL on OpenBSD, not sure of portable version.

Wireguard is taking a run at IPSec with their formally verified protocol and lack of complexity VS insane amount of IPSec complexity.

>dropped TLS
That was the clowns at Google's QUIC protocol team who replaced TLS with their own UDP encryption quietly in Chrome and apps like Gmail without telling their users. djb did this the correct way years ago, they cut+paste some of the implementation and fucked up the rest.

They (google) also got in trouble for cut+pasting old grsecurity patches for the new Kernel Self-Protection Project introducing a whole new fleet of bugs.

FTP over TLS or SFTP?

I would suggest SFTP because:
1: it is more popular
2: chances are that you are already running an ssh server
3: ssh in general is better than tls
4: uses a single port

It seems that you are correct, with just "help" it won't print chacha but with enc -help it will include it. That being said it does not say anything about including poly1305.

>Wireguard is taking a run at IPSec with their formally verified protocol
I have heard about it but I haven't taken a look at their paper yet. I will check it one of these days.

>complexity VS insane amount of IPSec complexity.
Most of the IPSec complexity comes from IKE, the separation of AH/ESP and dumb implementations. IPSec by itself is literally just a packet on top of IP.

>That was the clowns at Google's QUIC protocol team who replaced TLS with their own UDP encryption quietly in Chrome and apps like Gmail without telling their users
I would expect them to wait a bit more before shoving such an immature protocol into production.

>djb did this the correct way years ago
To be frank I was aware of DNSCurve but I hadn't heard of CurveCP. I guess I will also be taking a look at this.
Based on what I have read so far it seems that is also based on UDP, just like the google one (and thus it seems that djb avoided creating his own packet type on top of IP, unlike IPSec)

what's keeping you from scp?

Whenever I look into crypto it always looks like people just using brute-force ciphers and guesswork to crack stuff. Seems more like gambling than actual science to me.

Could you explain crypto to a layman?

Nobody can teach you how one symmetric cipher is safe. The only proof they've got is that nobody could find a mathematical vulnerability to reduce the work factor.

Same goes for the public key encryption algorithms we have. Nobody knows how to efficiently factor an integer or solve the elliptic curve discrete logarithm.

Software/hardware implementation is where most of the fuckfest begins. Most of the conventional wisdom you learned must be discarded, as premature optimizations are doomed to leak metadata about your encryption process. Just go search for CVEs of OpenSSL and GPG.

That's an interesting way of looking at it.
Most tutorials I've seen explain a few ciphers, then give you some random string and tell you to decode it.

Suggesting that crypto is all about memorization and randomly applying ciphers until something works.

>Just go search for CVEs of openssl and gpg.
I have no idea what I'm looking at.

But generally, if you want to crack something, what is the mindset you have going in?
We have the 7-layer OSI model for troubleshooting computer problems; do you have something similar, is what I'm trying to ask.

Anime website

Breaking crypto these days is all about attacking implementations of it, which are generally shitty. There's also a whole fleet of new bugs in VMs/containers because now we have emulated hardware, yet many of those old ciphers were designed for actual hardware. So once you escape the confines of disk geometry or CPU cache you can do all sorts of timing and power analysis you couldn't do before. Even if the VM is just passing via a pipe to the main OS kernel/CPU, that's still yet another thing outside of actual hardware that can be analyzed for problems.

For example a classic attack on XTS happens when it's uploaded to online storage somewhere. Often people will take snapshots, encrypt them, and then store them somewhere for use later. Well you can flip bits and shit to create a blind shell, then later when the target downloads their snapshot and uses it you have a backdoor.

As computers become more abstracted from hardware and more emulated piles of abstractions, we have more opportunity to break things. Well, not really us, but research universities and shady gov agencies.

What's a good book to learn how to implement cryptography into projects? I want to make a secure chat system for when shit like whatsapp is finally ruined everywhere.

Wow I never even thought about emulation being a factor in this but you are absolutely right. This is really interesting.

How hard is it to get into crypto? (job wise)
I've been following the security scene ever since Java had all those massive 0-days years ago, but I don't have any degrees or anything. (can't do certs to save my life)
I'm working tech support right now and it's ass.

>How hard is it to get into crypto? (job wise)
By getting a phd.
Being a security "expert" is a lot easier.

>AES128 is broken
No it's not

Read the link. It was broken by design.

The link does not show that AES128 is broken. You don't know what you're talking about

It seems that you haven't bothered to read the link. Again, please read the link.

Dam.

I read the link already. It doesn't show that AES128 is broken. Again, you don't know what you're talking about

You can trivially recover a few keys given enough ciphertexts (2^40 or so) with a generic brute-force attack. If a cipher can't withstand this much then it is broken by design.

>given enough ciphertexts (2^40 or so)
You realize that's over a quadrillion right?

>quadrillion
*trillion

>You realize that's over a quadrillion right?
And? I am pretty sure that a state actor can trivially gather 2^40 ciphertexts encrypted with different keys just by saving some of the internet communication for a few days.

Generally involves getting a PhD. Moxie Marlinspike went to CMU for a BSc and taught himself crypto engineering after; Jacob Appelbaum dropped out of college and taught himself, and somehow convinced professors to let him into grad school, where he is now. There are a few researchers at Matasano (now NCC Group) that had no formal degrees but test/break engineering and implementations, though for things like, say, the SHA-3 competition, that was all PhDs auditing each other's ciphers with specially made crypto test benches.

This is an excellent, up-to-date book on modern applied crypto: crypto.stanford.edu/~dabo/cryptobook/ (or Bruce Schneier's and Ferguson's book), but you need a math background of at least a typical undergrad, which means linear algebra, calculus, writing proofs etc. This isn't hard to do, prob take a year or so of work.

Wait I should clarify, the bulk of Signal's (used to be called Redphone/Textsecure) crypto engineering was written by a PhD student Stuart Anderson who is a grad student at CMU. So Moxie was essentially mentored by that guy but also taught himself too.

the only way to get rid of anime is to nuke japan again, but this time to wipe them out, good news is that everyone else sucks at making anime.

>gather
And what? Do you think they just gather the ciphertexts and then wave their hands and break every secret key? They still have to actually use those stored ciphertexts to perform the attack itself, which is tens of orders of magnitude harder

AES128 is still quite strong, the weak link is always implementation.

math is precise and often 'perfect', you can design the best structure but your 'implementation' = the actual building may not be as precise, same thing with software.

Thank you very much, user.

How many of you are hiding CP?

Should I buy bitcoin?

Wait until the prices fall for bitcoin.org/en/alert/2017-07-12-potential-split and buy after it has been merged again.

AES-128 is used for connecting to Sup Forums and many other HTTPS websites.

I thought you guys would get a laugh out of this, the brainlets on /biz/ are trying to hack bitcoin wallets by bruteforcing ECDSA private keys

Quality thread, kekked.

>tfw i share a website with these people

hilarious

Which cipher is more secure elliptic curve meme chacha20-ietf-poly1305 or good old nsa approved aes-256-gcm (aes256-cbc + gmac)?

Neither of them are elliptic curves. They are not even asymmetric encryption algorithms.

Anyone here encrypt their shit to RSA 4096?

Also a reminder to web devs: Storing your database passwords in MD5 or SHA1 without a strong and random salt is asking for trouble.

And Trevor Perrin.

What you said didn't make any sense: correct.

If you mean, which cipher should you use in TLS, then ideally:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 {CCA9}
or
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {C02C}

The first is more robust.

The curve that you should use for key exchange is X25519 (RFC7748), and also Ed25519 ideally for signatures but that is not rolled out yet.

If you meant which AEAD should you use, then right now ChaCha20-Poly1305 is your best choice (IETF version preferred as it is equally secure but more efficient).

I wouldn't really recommend GCM in new things as a composition at this stage: quantum period finding could fuck it (and maybe OCB) up.

I wonder what will come first, the end of the CAESAR competition, Dan Boneh's Crypto II, practical cryptanalytically-useful quantum computers or the heat death of the universe.


Eh, they *might* strike paydirt if they encounter some shitty software that uses insufficiently-seeded RNGs, but probably not even that without finding that software and identifying the issue first. They're just salty they didn't find the Ethereum scope issue.

So what's the best choice for a mobile messaging app? Conversations with OpenKeychain? Are there any particular XMPP servers I should use or does it not matter?

Using passwords for authentication in general is asking for trouble.

>Anyone here encrypt their shit to RSA 4096?
You usually use it only for key exchange, not for encrypting all your data.
But not me, I prefer curve25519.

>If you mean, which cipher should you use in TLS, then ideally:
>TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 {CCA9}
>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 {C02C}
Also the RSA variants, most sites do not have an ECDSA cert.

>and also Ed25519 ideally for signatures but that is not rolled out yet.
Ed25519 for tls certs? Because it is popular out of tls.

>IETF version preferred as it is equally secure but more efficient
Isn't the only difference that the IETF version has a retarded nonce and counter size?

>I wonder what will come first, the end of hte CAESAR competition
Won't it finish in like 6 months or so?
W-Which is your favourite CAESAR cipher senpai? I am cheering for NORX and Keyak.

github.com/pyllyukko/user.js