LIVE FROM COLUMBIA, IT'S DAY 2 OF #REALWORLDCRYPTO
I'm starting another thread because there were multiple branches in the previous one 🤦♀️
Q: Linkable if not rotating at the same time?
A: They are rotating at the same time.
Reliable time is handy like that.
#realworldcrypto
A: They are rotating at the same time.
Reliable time is handy like that.
#realworldcrypto
Q: Do all Apple devices participate as finders?
A: Not all, there are some requirements
#realworldcrypto
A: Not all, there are some requirements
#realworldcrypto
Q: What about a malicious finder?
A: Those reports are considered outliers and are filtered out (?)
#realworldcrypto
A: Those reports are considered outliers and are filtered out (?)
#realworldcrypto
Next up, "Detecting Money Laundering Activities via Secure Multi-PartyComputation for Structural Similarities in Flow Networks"
#realworldcrypto
#realworldcrypto
This is "One out of billion within one second: ZK-friendly hash functions for Merkle tree proofs"
#realworldcrypto
#realworldcrypto
Traditional hash functions like SHA256 aren't great inside circuits because they are complex and slow over SNARK/STARK-friendly fields
#realworldcrypto
#realworldcrypto
Pedersen hash with curve points has problems including homomorphism, length-extension attacks, and low preimage security 😬
#realworldcrypto
#realworldcrypto
"We are not very good at estimating their complexity." Therefore they lean towards a pessimistic estimate (8 outer rounds have s-boxes everywhere)
#realworldcrypto
#realworldcrypto
Support a large number of modes, impls in various languages, support for Merkle trees, AE
#realworldcrypto
#realworldcrypto
Our hash functions will be ~10x faster than pedersen hashes in merkle trees inside SNARKs
#realworldcrypto
#realworldcrypto
Q: What Pederson hash did you benchmark?
A: Didn't benchmark, got it from the Zcash spec 🦓
#realworldcrypto
A: Didn't benchmark, got it from the Zcash spec 🦓
#realworldcrypto
Coffee break!
You can read negative results in multiple ways (different takeaways), it's about risk assessment.
#realworldcrypto
#realworldcrypto
@alexstamos "Attacks will always get better*"
* maybe not in speed but in cost, space, etc
#realworldcrypto
* maybe not in speed but in cost, space, etc
#realworldcrypto
Want more scientific and rational approach to choosing round numbers, tolerance for corrections.
More consistent security margins across primitives.
Better nomenclature for better understanding.
#realworldcrypto
More consistent security margins across primitives.
Better nomenclature for better understanding.
#realworldcrypto
Q: Limit round parameter input, choose a secure 'fast' version and less fast higher round version.
A: Agreed. Also I'm not responsible for any damage as a result of this talk. 😆
#realworldcrypto
A: Agreed. Also I'm not responsible for any damage as a result of this talk. 😆
#realworldcrypto
SHA-1 is still used in many places in the real world, X.509 certificates, PGP (stop using PGP, use age), TLS, SSH, HMAC-SHA-1, and
GIT GIT GIT
#realworldcrypto
GIT GIT GIT
#realworldcrypto
Why still used? Collision attacks are hard to run in practice, and you might end up with garbage that's not very useful.
#realworldcrypto
#realworldcrypto
Totally within the cost budget of academics, so nation states can definitely afford it
#realworldcrypto
#realworldcrypto
When the Bitcoin price crashed in 2018, there was suddenly a glut of cheap GPUs! Nice for researchers :)
#realworldcrypto
#realworldcrypto
If you achieve a collision, you can snipe an existing signature over that hash and 'verify' the wrong binary/cert/etc
#realworldcrypto
#realworldcrypto
Q: Does not apply to HMAC-SHA-1, right?
A: Correct no known attacks on HMAC, but why keep using SHA-1 there or anywhere else? I wouldn't recommend using HMAC-MD5 either.
// @SchmiegSophie
#realworldcrypto
A: Correct no known attacks on HMAC, but why keep using SHA-1 there or anywhere else? I wouldn't recommend using HMAC-MD5 either.
// @SchmiegSophie
#realworldcrypto
Application: Sunder, multi-ownership of docs so it makes less sense to kill or jail a single journalist that has access to them.
github.com/freedomofpress…
sunder.readthedocs.io/en/latest/
#realworldcrypto
github.com/freedomofpress…
sunder.readthedocs.io/en/latest/
#realworldcrypto
Lots of mismatches between the way we have formalized classical secret sharing and how it gets applied.
#realworldcrypto
#realworldcrypto
Robust computational secret sharing comes with lots of caveats, such as requiring an honest majority.
#realworldcrypto
#realworldcrypto
Underlying syntax needs to understand which shares are bad and which are good (who's player #1 vs #2?)
#realworldcrypto
#realworldcrypto
"For some reason, all the lessons we've learned about authenticated encryption did not get translated to secret sharing."
#realworldcrypto
#realworldcrypto
Tagging a secret share to a specific session so we don't try to combine incompatible shares ("associated data").
#realworldcrypto
#realworldcrypto
Patent on ECC endomorphisms for speedups will expire in the US at the end of this year 🏎️
#realworldcrypto
#realworldcrypto
Microsoft Research on QUIC, has its own encryption protocol that diverged from TLS, it needs analysis pls, workshop at NDSS on the security of QUIC
#realworldcrypto
#realworldcrypto
Facebook RFC for applied cryptography proposals for privacy preserving tech in advertising 😶
#realworldcrypto
#realworldcrypto
@veorq says BLAKE2 is too slow so now BLAKE3! 4.5X faster. 20X faster than SHA?. It's a merkle tree on the inside! One function. ❤️
github.com/BLAKE3-team/BL…
#realworldcrypto
github.com/BLAKE3-team/BL…
#realworldcrypto
@str4d on age/rage to encrypt stuff! No config, small keys, minimal well-oiled joints, boring crypto under the hood.
github.com/str4d/rage
github.com/FiloSottile/age
#realworldcrypto
github.com/str4d/rage
github.com/FiloSottile/age
#realworldcrypto
Lunch!
Next up is the privacy preserving primitives session, starting with "Privacy-preserving telemetry in Firefox" by Henry Corrigan-Gibbs
#realworldcrypto
#realworldcrypto
Say you want to know, how many Firefox users blocked cookies on fb.com? How can we do this privately?
#realworldcrypto
#realworldcrypto
computers are revolting
Goals include protection against malicious clients, correctness, differential privacy, efficiency (scale)
#realworldcrypto
#realworldcrypto
There have been other differential privacy schemes but depending on the application may blow away the signal you are actually looking for.
#realworldcrypto
#realworldcrypto
Unfortunately one malicious client can corrupt the output here, which is not acceptable
#realworldcrypto
#realworldcrypto
MPC is very powerful but sometimes too much, traditional ZKPs also powerful but kinda complex and slow…
#realworldcrypto
#realworldcrypto
"Just run a secure MPC t o check that the validity of the shares hold", with the client helping out, since it knows ~all
#realworldcrypto
#realworldcrypto
Servers check that heir transcripts are valid and consistent; checking a transcript is much easier than generating one.
#realworldcrypto
#realworldcrypto
Also means a much smaller codebase/attack surface (still written in C: you're mozilla people, why not Rust???), Mozilla runs all the servers for now.
#realworldcrypto
#realworldcrypto
Prio requires 2+ non-colluding servers, Mozilla is looking for partner orgs in 2020
#realworldcrypto
#realworldcrypto
Q: How is server identity established so that clients know to trust it?
A: Server keys in the browser on the client.
#realworldcrypto
A: Server keys in the browser on the client.
#realworldcrypto
Q: local differential privacy?
A: The variance grows with the square root of the number or reporters, and the noise will wash out the signal in the data
#realworldcrypto
A: The variance grows with the square root of the number or reporters, and the noise will wash out the signal in the data
#realworldcrypto
Q: Prevent a malicious client sybil attacks?
A: Mozilla already has a system for the regular telemetry reporting to protect against sybil attacks. 👍
#realworldcrypto
A: Mozilla already has a system for the regular telemetry reporting to protect against sybil attacks. 👍
#realworldcrypto
Properties that needed to be maintained: low latency, clone detection, anti-passback, works without battery, anonymous and untraceable, stand-alone.
#realworldcrypto
#realworldcrypto
wait, i'm interpreting "pre-DAA" wrong
Q: Does this work with auth with transit that auths on entry and exit?
A: If we change the timestamp range we can do that, the current scheme has kept it to 15 minutes.
#realworldcrypto
A: If we change the timestamp range we can do that, the current scheme has kept it to 15 minutes.
#realworldcrypto
Next up is the side channels session, starting with "Pseudorandom Black Swans: Cache Attacks on CTR DRBG"
#realworldcrypto
#realworldcrypto
Of the other standardized RBG's, CTR-DRBG is the most popular in FIPS certified impls
#realworldcrypto
#realworldcrypto
Problems: key not rotated enough, lack of entropy. So are these impls vulnerable to side-channel attacks?
#realworldcrypto
#realworldcrypto
These DRBGs use AES under the hood, so, use AES-NI and you're good, right? Except many of these _don't_ use AES-NI.
#realworldcrypto
#realworldcrypto
Where can we find extended output, say in TLS? Maybe PKCS#1 1.5 in RSA key exchange?
#realworldcrypto
#realworldcrypto
There are _so many side channels_. Why even bother trying to mitigate them all? Hard to exploit, there are plenty of others bugs to exploit, and you know, phishing still works.
#realworldcrypto
#realworldcrypto
Well if you use a side-channel attack, you have plausible deniability, no tracks left behind. 😶
#realworldcrypto
#realworldcrypto
Exposing hardware telemetry via apis can expose hardware side channels as _software observable_ side channels. Eek.
#realworldcrypto
#realworldcrypto
"None of the software guarantees that you expected hold. Invisible bugs, that you can't see, everywhere." 😭
#realworldcrypto
#realworldcrypto
"Many forms of Spectre don't directly impact crypto code." You have to fix them at the hardware and OS level so, 'nothing to worry about'. 😅
#realworldcrypto
#realworldcrypto
However, Spectre v1 will not be fixed, for decades. CPU vendors _do not know_ how to fix it. We have to plan on it being around for a long time.
#realworldcrypto
#realworldcrypto
"It's scary how few of the Spectre v1 mitigations are actually applied or applied correctly."
#realworldcrypto
#realworldcrypto
"These gadgets can look like almost anything, and the attacker can read anything from the process address space."
#realworldcrypto
#realworldcrypto
"We know there's a side channel right on the other side of this action, where you will access the private key."
#realworldcrypto
#realworldcrypto
"The side channel is that you branch to a series of instructions that reduces the speed of the processor. " 😓
#realworldcrypto
#realworldcrypto
This is the big case that really needs to care about these attacks: distributed keys for things like TLS termination
#realworldcrypto
#realworldcrypto
These gadgets do exist, but they are rare, and it's currently tricky to find them via static analysis.
#realworldcrypto
#realworldcrypto
So, SLH (speculative load hardening), have caveats, really expensive (40% in latency and QPS), but automatic via a compiler flag
#realworldcrypto
#realworldcrypto
So, what you should you actually do _today_:
- patch everything
- TEST YOUR PATCHES
- did you actually test them???
#realworldcrypto
- patch everything
- TEST YOUR PATCHES
- did you actually test them???
#realworldcrypto
- use agent in separate process for long-lived keys
- isolate your agent to a single _physical_ core on Intel CPUs
- harden your agents with SLH if you can afford it
#realworldcrypto
- isolate your agent to a single _physical_ core on Intel CPUs
- harden your agents with SLH if you can afford it
#realworldcrypto
Short break.
vs OCSP staple, and in TLS, OCSP-muststaple, which fails closed. Not widely deployed yet.
#realworldcrypto
#realworldcrypto
CRLite makes use of CRLs but adds bloom filters to shrink, and supports queries for un-expired certs
#realworldcrypto
#realworldcrypto
Oh in Firefox, they don't use OCSPs, just the CRLs. Distributed 4X per day. Already had the infra for signing and pushing down to clients.
#realworldcrypto
#realworldcrypto
Aww the paper version used javascript crypto, Firefox uses native code (C++ and Rust) and a little but of js (?)
0.04ms to check a cert, <8ms to check a whole chain
#realworldcrypto
0.04ms to check a cert, <8ms to check a whole chain
#realworldcrypto
Set generation takes about 30 minutes, generating the filter files takes about 20 minutes
#realworldcrypto
#realworldcrypto
Q: Why cascading bloom filters?
A: The paper we were implementing suggested them, but it did mention other options like hashing
#realworldcrypto
A: The paper we were implementing suggested them, but it did mention other options like hashing
#realworldcrypto
Q: Does this replace OCSP-must-staple or is it an intermediate step?
A: OCSP-must staple is an idea that's been around for a while without much adoption, we think CRLite is a replacement.
#realworldcrypto
A: OCSP-must staple is an idea that's been around for a while without much adoption, we think CRLite is a replacement.
#realworldcrypto
No two certs should have the same thumbprint, and a thumbprint should uniquely ID a cert. Right? (Spoiler: nope.)
#realworldcrypto
#realworldcrypto
Tricky to mount a collision attack as the hash is over the whole cert and the signature on the cert
#realworldcrypto
#realworldcrypto
@str4d X.509 specifies that the signatureAlgorithm must match the signature field of the tbs Certificate. It doesn't always (cough windows cough).
#realworldcrypto
#realworldcrypto
During scanning, discovered a Cisco CVE due to insufficient entropy in the DRBG (RELEVANT) that resulted in the same ECDSA blinding value.
#realworldcrypto
#realworldcrypto
- Please migrate to SHA256 or stronger
- If that's too long, truncate the stronger hash instead
- PKI like CT should scan for MD5 and SHA-1 thumbprints w/ collision detection
- be wary
#realworldcrypto
- If that's too long, truncate the stronger hash instead
- PKI like CT should scan for MD5 and SHA-1 thumbprints w/ collision detection
- be wary
#realworldcrypto
Q: How do you check for collisions?
A: While computing an mD5 or SHA-1 hash, check for diffs in input blocks while hashing (i'm a little confused by this)
#realworldcrypto
A: While computing an mD5 or SHA-1 hash, check for diffs in input blocks while hashing (i'm a little confused by this)
#realworldcrypto
A: re the cisco vuln of low entropy, new vendors keep introducing the same vuln over and over so, it's never going away
#realworldcrypto
#realworldcrypto
- very long
- very painful
- expensive
- "know where all your crypto is" oooof for some orgs this is _not_ feasible
#realworldcrypto
- very painful
- expensive
- "know where all your crypto is" oooof for some orgs this is _not_ feasible
#realworldcrypto
"I like post-quantum cryptography", me too! Came up as a way to head off emergency deprecation when large quantum computers come online.
#realworldcrypto
#realworldcrypto
"I hear a lot of talk about crypto agility at the moment..." who? I feel like we've been moving away from 'agility' because look at TLS, that's what agility results in.
#realworldcrypto
#realworldcrypto
Success story: fraud detection using MPC to exchange flagging with other banks. 'ok fine'
#realworldcrypto
#realworldcrypto
Q: What steps are you taking to prepare for PQ crypto
A: Need inventory of all your current usage, waiting for asymmetric standards (NIST), can double symmetric keys sizes today.
#realworldcrypto
A: Need inventory of all your current usage, waiting for asymmetric standards (NIST), can double symmetric keys sizes today.
#realworldcrypto
Last talk of the day, "Rolling the DiSE: Taking Threshold Encryption to Enterprise"
#realworldcrypto
#realworldcrypto
My next level of live tweeting will be screen recording slide animations 📹
Cheaper and more scalable than HSMs (more secure too? 🤞)
No need to recombine as in secret sharing
Better performance than MPC
#realworldcrypto
No need to recombine as in secret sharing
Better performance than MPC
#realworldcrypto
Deployment of DiCE in North america and in europe, same data, need to import/export master keys, have key backup, data migration in and out, and built on top of hardware root of trust for PCI compliance.
#realworldcrypto
#realworldcrypto
Need authentication and authorization controls for use of different master keys, committing to policies…
#realworldcrypto
#realworldcrypto
API and Connection Management:
- minimal API
- connection broker
Avoiding single points of failure and mitigating attack surface
#realworldcrypto
- minimal API
- connection broker
Avoiding single points of failure and mitigating attack surface
#realworldcrypto
Many different DiCE nodes. An attacker needs to break a threshold number of nodes, so they are varied (linux, windows, etc) to make the burden on attackers higher (but also admins?)
Security people, what do you think about this strategy?
#realworldcrypto
Security people, what do you think about this strategy?
#realworldcrypto
Q: Any risk analysis on the diversity of platforms?
A: Not yet, we would not necessarily do this for every project
#realworldcrypto
A: Not yet, we would not necessarily do this for every project
#realworldcrypto
