DiscoverSecurity Cryptography Whatever
Security Cryptography Whatever
Claim Ownership

Security Cryptography Whatever

Author: Deirdre Connolly, Thomas Ptacek, David Adrian

Subscribed: 106Played: 1,717
Share

Description

Some cryptography & security people talk about security, cryptography, and whatever else is happening.
40 Episodes
Reverse
Apple iMessage is getting a big upgrade! Not only are they rolling out ratcheting, but they’re going post-quantum, AND they’re doing post-quantum ratcheting! Douglas Stebila joined us to talk about his security analysis of the new PQ3 protocol update and not indulge our wild Apple speculations:Transcript: https://securitycryptographywhatever.com/2024/03/03/post-quantum-imessage-with-douglas-stebila/Links:- https://security.apple.com/blog/imessage-pq3/- Security analysis of the iMessage PQ3 protocolhttps://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf- Ratcheting design: https://eprint.iacr.org/2024/220.pdf- When Messages are Keys: Is HMAC a dual-PRF?: https://eprint.iacr.org/2023/861.pdf- Real World Deniability in Messaging: https://eprint.iacr.org/2023/403.pdf- Padmé: https://www.petsymposium.org/2019/files/papers/issue4/popets-2019-0056.pdf- Max Headroom: https://www.youtube.com/watch?v=cYdpOjletnc- Extended Canetti-Krawczyk model: https://iacr.org/archive/eurocrypt2001/20450451.pdf- Douglas Stebila: https://www.douglas.stebila.ca/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We welcome Franziskus and Karthik from Cryspen to discuss their new high-assurance implementation of ML-KEM (the final form of Kyber), discussing how formal methods can both help provide correctness guarantees, security assurances, and performance wins for your crypto code!Transcript: https://securitycryptographywhatever.com/2024/01/29/high-assurance-kyber/Links:- https://cryspen.com/post/ml-kem-implementation/- https://github.com/cryspen/libcrux/- https://github.com/formosa-crypto/libjade- https://cryspen.com/post/pqxdh/- https://eprint.iacr.org/2023/1933.pdf- Franziskus Kiefer: https://franziskuskiefer.de/- Karthik Bhargavan: https://bhargavan.info/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Facebook Messenger has finally been end-to-end encrypted, a couple of years after Mark Zuckerberg announced it! Plus Instagram DMs are trialing ephemeral E2EE DMs too! We invited on Jon Millican and Timothy Buck from Meta to discuss this major cross-platform endeavor, and how David Bowie fits into their personal Labyrinth.Transcript: https://securitycryptographywhatever.com/2023/12/28/e2ee-fb-messenger/Links:- https://www.facebook.com/notes/2420600258234172- https://eprint.iacr.org/2022/1044.pdf- https://engineering.fb.com/2023/12/06/security/building-end-to-end-security-for-messenger/- https://www.theverge.com/2023/12/6/23991501/facebook-messenger-default-end-to-end-encryption-meta- https://www.threads.net/@jonmillican/post/C0kQPAyoFpr- https://engineering.fb.com/wp-content/uploads/2023/12/MessengerEnd-to-EndEncryptionOverview_12-6-2023.pdf- https://engineering.fb.com/wp-content/uploads/2023/12/TheLabyrinthEncryptedMessageStorageProtocol_12-6-2023.pdf- https://engineering.fb.com/2022/03/10/security/code-verify/- https://chrome.google.com/webstore/detail/code-verify/llohflklppcaghdpehpbklhlfebooeog"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Returning champion Martin Albrecht joins us to help explain how we measure the security of lattice-based cryptosystems like Kyber and Dilithium against attackers. QRAM, BKZ, LLL, oh my!Transcript: https://securitycryptographywhatever.com/2023/11/13/lattice-attacks/Links:- https://pq-crystals.org/kyber/index.shtml- https://pq-crystals.org/dilithium/index.shtml- https://eprint.iacr.org/2019/930.pdf- https://en.wikipedia.org/wiki/Short_integer_solution_problem- Frodo: https://eprint.iacr.org/2016/659- https://csrc.nist.gov/CSRC/media/Events/third-pqc-standardization-conference/documents/accepted-papers/ribeiro-saber-pq-key-pqc2021.pdf- https://en.wikipedia.org/wiki/Hermite_normal_form- https://en.wikipedia.org/wiki/Wagner%E2%80%93Fischer_algorithm- https://www.math.auckland.ac.nz/~sgal018/crypto-book/ch18.pdf- https://eprint.iacr.org/2019/1161- QRAM: https://arxiv.org/abs/2305.10310- https://en.wikipedia.org/wiki/Lenstra%E2%80%93Lenstra%E2%80%93Lov%C3%A1sz_lattice_basis_reduction_algorithm- MATZOV improved dual lattice attack: https://zenodo.org/records/6412487- https://eprint.iacr.org/2008/504.pdf- https://eprint.iacr.org/2023/302.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We're back! Signal rolled out a protocol change to be post-quantum resilient! Someone was caught intercepting Jabber TLS via certificate transparency! Was the same-origin policy in web browers just a dirty hack all along? Plus secure message format formalisms, and even more beating of the dead horse that is E2EE in the browser.Transcript: https://securitycryptographywhatever.com/2023/11/07/PQXDH-etcLinks:- https://zfnd.org/so-you-want-to-build-an-end-to-end-encrypted-web-app/- https://github.com/superfly/macaroon- https://cryspen.com/post/pqxdh/- https://eprint.iacr.org/2023/1390.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We explore how the NIST curve parameter seeds were generated, as best we can, with returning champion Steve Weis!“At the point where we find an intelligible English string that generates theNIST P-curve seeds, nobody serious is going to take the seed provenance concerns seriously anymore.”Transcript: https://securitycryptographywhatever.com/2023/10/12/the-nist-curvesLinks:- Steve’s post: https://saweis.net/posts/nist-curve-seed-origins.html- ANSI X9.62 ECDSA: https://safecurves.cr.yp.to/grouper.ieee.org/groups/1363/private/x9-62-09-20-98.pdf / FIPS 186-2 https://csrc.nist.gov/files/pubs/fips/186-2/final/docs/fips186-2.pdf- “A RIDDLE WRAPPED IN AN ENIGMA”: https://eprint.iacr.org/2015/1018.pdf- https://arstechnica.com/information-technology/2015/01/nsa-official-support-of-backdoored-dual_ec_drbg-was-regrettable/- https://www.muckrock.com/foi/united-states-of-america-10/origin-of-fips-186-4-elliptic-curves-over-prime-field-seed-parameters-national-institute-of-standards-and-technology-78756/- https://www.muckrock.com/foi/united-states-of-america-10/origin-of-fips-186-4-elliptic-curves-over-prime-field-seed-parameters-national-security-agency-78755/- Filippo’s bounty: https://words.filippo.io/dispatches/seeds-bounty/- Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters - NIST 800-186 with Curve25519 and friends- RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier- https://www.rfc-editor.org/rfc/rfc4492#section-6- https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/- https://en.wikipedia.org/wiki/Bullrun_(decryption_program)- https://en.wikipedia.org/wiki/BSAFE- https://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We're back from our summer vacation! We're covering a bunch of stuff we saw and did:Transcript: https://securitycryptographywhatever.com/2023/09/13/cruel-summer/Links:- Zenbleed: https://lock.cmpxchg8b.com/zenbleed.html- Downfall: https://downfall.page- Post-quantum Yubikeys: https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
What does P vs NP have to do with cryptography? Why do people love and laugh about the random oracle model? What's an oracle? What do you mean factoring and discrete log don't have proofs of hardness? How does any of this cryptography stuff work, anyway? We trapped Steve Weis into answering our many questions.Transcript: https://securitycryptographywhatever.com/2023/06/29/why-do-we-think-anything-is-secure-with-steve-weis/Links:- The Random Oracle Methodology, Revisited: https://eprint.iacr.org/1998/011.pdf- Factoring integers with CADO-NFS: https://www.ens-lyon.fr/LIP/AriC/wp-content/uploads/2015/03/JDetrey-tutorial.pdf- On One-way Functions from NP-Complete Problems: https://eprint.iacr.org/2021/513.pdf- Seny Kamara's lecture notes on provable security: https://cs.brown.edu/~seny/2950-v/2-provablesecurity.pdf- How To Simulate It – A Tutorial on the Simulation Proof Technique: https://eprint.iacr.org/2016/046.pdf- A Survey of Leakage-Resilient Cryptography: https://eprint.iacr.org/2019/302- A Decade of Lattice Cryptography: https://eprint.iacr.org/2015/939.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Are Twitter’s new encrypted DMs unreadable even if you put a gun to Elon’s head? We invited Matthew Garrett on to do a deep decompiled dive into what kind of cryptography actually shipped.Transcript: https://securitycryptographywhatever.com/2023/05/29/elons-encrypted-dms-with-matthew-garrett/Links:https://mjg59.dreamwidth.org/66791.htmlhttps://help.twitter.com/en/using-twitter/encrypted-direct-messageshttps://www.techdirt.com/2023/05/11/twitter-launches-not-actually-encrypted-encrypted-dms/BrokenKDF2BytesGenerator: https://github.com/bcgit/bc-java/blob/master/prov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java#L70Analysis from sweis: https://twitter.com/sweis/status/1657082478727933954?s=20https://signal.org/docs/specifications/x3dh/https://signal.org/docs/specifications/doubleratchet/https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-MessagesTrail of Bits has not audited nor signed a contract yet, per Platformer: https://www.platformer.news/p/why-you-cant-trust-twitters-encrypted"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
WhatsApp has announced they’re rolling out key transparency! Doing this at WhatsApp-scale (aka billions and biiillions of keys) is a significant task, so we talked to Jasleen Malvai and Kevin Lewi about how it works.Transcript: https://securitycryptographywhatever.com/2023/05/06/whatsapp-key-transparencyLinks: https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/https://github.com/facebook/akdParkeet: https://eprint.iacr.org/2023/081.pdfCONIKS: https://eprint.iacr.org/2014/1004.pdfSEEMless: https://eprint.iacr.org/2018/607.pdfWhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdfKeybase key transparency: https://book.keybase.io/docs/server"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Messaging Layer Security (MLS) 1.0 is (basically) here! We invited RaphaelRobert, coauthor of the MLS specification to explain it to us and answer our annoying questions (read: why does this exist?)Transcript:https://securitycryptographywhatever.com/2023/04/22/mls/Links:- https://messaginglayersecurity.rocks/- https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html- https://messaginglayersecurity.rocks/mls-architecture/draft-ietf-mls-architecture.html- https://github.com/openmls/openmls- https://eprint.iacr.org/2022/1533.pdf- https://eprint.iacr.org/2020/1327.pdf- https://eprint.iacr.org/2022/559.pdf- https://signal.org/docs/- https://en.wikipedia.org/wiki/Key_encapsulation_mechanism- https://twitter.com/beurdouche/status/1220617962182389760- https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#mls-ciphersuites- https://www.ietf.org/archive/id/draft-ietf-mls-federation-02.html- https://datatracker.ietf.org/wg/mimi/documents/- https://competition-policy.ec.europa.eu/dma/dma-workshops/interoperability-workshop_en- Yes in the protocol document this is 1.0: https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#section-6"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Real World Cryptography 2023 is happening any moment now in Tokyo. Also, some phone basebands are broken.Linkshttps://rwc.iacr.org/2023/https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.htmlTranscript: https://securitycryptographywhatever.com/2023/03/24/rwc-2023/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Another day, another ostensibly secure messenger that quails under the gaze of some intrepid cryptographers. This time, it's Threema, and the gaze belongs to Kenny Paterson, Matteo Scarlata, and Kien Tuong Truong from ETH Zurich. Get ready for some stunt cryptography, like 2 Fast 2 Furious stunts.Transcript: https://securitycryptographywhatever.com/2023/01/27/threema/Links:https://breakingthe3ma.app/https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdfhttps://threema.ch/en/blog/posts/ibex"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
There's a paper that claims one can factor a RSA-2048 modulus with the help of a 372-qubit quantum computer. Are we all gonna die?Also some musings about Bruce Schneier.Errata:Schneier's honorary PhD is from the University of Westminster, not UW.Transcript:https://securitycryptographywhatever.com/2023/01/06/has-rsa-been-destroyed-by-a-quantum-computer/Links:https://arxiv.org/pdf/2212.12372.pdfhttps://eprint.iacr.org/2021/232.pdfhttps://github.com/lducas/SchnorrGatehttps://sweis.medium.com/did-schnorr-destroy-rsa-show-me-the-factors-dcb1bb980ab0https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.htmlhttps://scottaaronson.blog/?p=6957"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
End of Year Wrap Up

End of Year Wrap Up

2023-01-0559:27

David and Deirdre gab about some stuff we didn't get to or just recently happened, like Tailscale's new Tailnet Lock, the Okta breach, what the fuck CISOs are for anyway, Rust in Android and Chrome, passkeys support, and of course, SBF.Transcript:https://securitycryptographywhatever.com/2023/01/04/end-of-year-wrap-up/Links:https://tailscale.com/blog/tailnet-lock/https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.htmlhttps://groups.google.com/a/chromium.org/g/chromium-dev/c/0z-6VJ9ZpVU"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We talk to Kevin Riggle (@kevinriggle) about complexity and safety. We also talk about the Twitter acquisition. While recording, we discovered a new failure mode where Kevin couldn't hear Thomas, but David and Deirdre could, so there's not much Thomas this episode. If you ever need to get Thomas to voluntarily stop talking, simply mute him to half the audience!https://twitter.com/kevinriggleTranscript: https://securitycryptographywhatever.com/2022/11/24/software-safety-and-twitter-with-kevin-riggle/ErrataIt was the Mars Climate Orbiter that crashed due to a units mismatchDavid confused the Dreamliner with the 737 MaxLinkshttps://free-dissociation.com/blog/posts/2018/08/why-is-it-so-hard-to-build-safe-software/https://complexsystems.group/https://how.complexsystems.fail/https://noncombatant.org/2016/06/20/get-into-security-engineering/https://blog.nelhage.com/2010/03/security-doesnt-respect-abstraction/http://sunnyday.mit.edu/safer-world.pdfhttps://www.adaptivecapacitylabs.com/john-allspaw/https://www.etsy.com/codeascraft/blameless-postmortemshttps://increment.com/security/approachable-threat-modeling/https://www.nytimes.com/2022/11/17/arts/music/taylor-swift-tickets-ticketmaster.htmlhttps://www.hillelwayne.com/post/are-we-really-engineers/https://www.hillelwayne.com/post/we-are-not-special/https://www.hillelwayne.com/post/what-we-can-learn/https://lotr.fandom.com/wiki/Denethor_IIhttps://twitter.com/sarahjeong/status/1587597972136546304"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
No not the movie: the secure group messaging protocol! Or rather all the bugs and vulns that a team of researchers found when trying to formalize said protocol. Martin Albrecht and Dan Jones joined us to walk us through "Practically-exploitable CryptographicVulnerabilities in Matrix".Transcript:https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/Links: https://nebuchadnezzar-megolm.github.io/static/paper.pdfhttps://nebuchadnezzar-megolm.github.ioSignal Private Group system: https://eprint.iacr.org/2019/1416.pdfhttps://signal.org/blog/signal-private-group-system/https://spec.matrix.org/latest/WhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdfhttps://www.usenix.org/conference/usenixsecurity21/presentation/albrecht FS, PCS etcOther clients: https://nvd.nist.gov/vuln/detail/CVE-2022-39252 https://nvd.nist.gov/vuln/detail/CVE-2022-39254 https://nvd.nist.gov/vuln/detail/CVE-2022-39264 https://dadrian.io/blog/posts/roll-your-own-crypto/https://podcasts.apple.com/us/podcast/the-great-roll-your-own-crypto-debate-feat-filippo-valsorda/id1578405214?i=1000530617719 WhatsApp End-to-End Encrypted Backups: https://blog.whatsapp.com/end-to-end-encrypted-backups-on-whatsappRoll your own and Telegram: https://mtpsym.github.io/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
SOC2 with Sarah Harvey

SOC2 with Sarah Harvey

2022-10-1601:01:37

We have Sarah Harvey (@worldwise001 on Twitter) to talk about SOC2, what it means, how to get it, and if it's important or not. The discussion centers around two blog posts written by Thomas:SOC2 Starting Seven: https://latacora.micro.blog/2020/03/12/the-soc-starting.htmlSOC2 at Fly: https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/Transcript:https://securitycryptographywhatever.com/2022/10/16/SOC2-with-Sarah-Harvey/Links:Tailscale recent post on getting SOC2’d: https://tailscale.com/blog/soc2-type2/SSO Tax: https://sso.taxDavid’s previous job: https://getnametag.comDavid's other startup: https://censys.ioThomas works at https://fly.io"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Nate Lawson II

Nate Lawson II

2022-09-2901:23:19

This episode got delayed because David got COVID. Anyway, here's Nate Lawson: The Two Towers.Steven Chu: https://en.wikipedia.org/wiki/Steven_ChuCFB: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_feedback_(CFB)CCFB: https://link.springer.com/chapter/10.1007/11502760_19XXTEA: https://en.wikipedia.org/wiki/XXTEACHERI: https://cseweb.ucsd.edu/~dstefan/cse227-spring20/papers/watson:cheri.pdfTranscript:https://securitycryptographywhatever.com/2022/09/29/nate-lawson-ii/Errata:Pedram Amini did in fact do Pai Mei"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Nate Lawson: Part 1

Nate Lawson: Part 1

2022-09-0901:20:11

We bring on Nate Lawson of Root Labs to talk about a little bit of everything, starting with cryptography in the 1990s.Transcript:https://securitycryptographywhatever.com/2022/09/09/nate-lawson-part-1/ReferencesIBM S/390: https://ieeexplore.ieee.org/document/5389176SSLv2 Spec: https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.htmlXbox 360 HMAC: https://beta.ivc.no/wiki/index.php/Xbox_360_Timing_AttackGoogle Keyczar HMAC bug (reported by Nate): https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/ErrataHMAC actually published in 1996, not 1997"That was one of the first, I think hardware applications of DPA was, was, um, satellite TV cards." Not true, they first were able to break Mondex, a MasterCard smart card"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
loading
Comments (1)

Luiz Puodzius

I liked it.🤙🥇

Jan 2nd
Reply
Download from Google Play
Download from App Store