This, as they say, is “a take”.
I don’t even know what to say.
Yes. Yessss. More.
So like, it’s maybe worth picking apart what’s going on in this thread as opposed to just having cryptography hipsters dunk on it.
I “learned” cryptography back in the 1990s from Schneier’s Applied Cryptography, and what I remember most — all I remember really — from the cipher modes chapter was “some cipher modes give you error recovery and resynchronize after errors”.
Sounds like a good thing! Like, you don’t want a single bit error in your ciphertext to totally blow up your message?

Turns out, though, no, that’s exactly what you want.
The property we’re looking for, that any error — 1 bit, 10 bits, 1000 bits — blows up decryption, is “authenticated encryption”. The original bits you produced from encryption _and only those bits_ can be decrypted with the right key.
There’s a bunch of theatrical examples of why this is the case. The best known is Vaudenay’s CBC Padding Oracle, where attackers could, by inducing errors in AES-encrypted blocks, decrypt whole messages under repeated trial decryption. Broke _TONS_ of real-world systems.
More recently, and in the context of PGP, similar attacks on PGP’s CFB-mode encryption allowed remote attackers to EXFILTRATE PLAINTEXT from PGP-encrypted email (never encrypt email).
There are generalizations of these attacks (“format oracles”) and generalizations of the generalizations and the general credo among cryptography engineers seems to be “authentication and confidentiality: pick 2 or 0”.
This was explained to me 15 years ago as the difference between “cryptography 1.0” (pre-authenticated 1990s cryptography) and “cryptography 2.0” (AEAD cryptography), by a researcher at Cryptography Research.
Since my biggest complaint with PGP is that it’s built out of jealously protected 1990s cryptography by Unix gnomes who constitutionally fear change, it’s rich to see PGP defended using Schneier’s error-recovery logic from Applied Cryptography. More:

sockpuppet.org/blog/2013/07/2…
The most popular reference for “authentication or confidentiality, pick 2 or 0” is Moxie Marlinspike’s “Cryptographic Doom Principle” post: moxie.org/2011/12/13/the…
Moxie’s post is great, but if you’re looking to win a message board slapfight, the best closer is probably Rogaway (this paper is great, and extremely approachable): cs.ucdavis.edu/~rogaway/paper…
And then, if you’re looking to put cryptography hipsters in their place, the deep cut cite is Bellare and Namprempre; you don’t even really have to understand it (I mostly don’t). cseweb.ucsd.edu/~mihir/papers/…
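As an added, runnable illustration of the thread's CBC padding-oracle point (example code written for this page; it is not Ptacek's and not taken from any of the linked papers): a Go program that encrypts with AES-CBC plus PKCS#7 padding, exposes a decrypt-and-report-padding-validity function standing in for the vulnerable server, and recovers the whole plaintext through that single bit of feedback without ever holding the key. The same program then seals the message with AES-GCM and tries every single-bit flip over ciphertext and tag; Open rejects all of them, which is the "any error blows up decryption" property the thread is after. The key, the sample message and the oracle's interface are constructed here, and the attack goes slightly beyond the textbook sketch by handling the classic last-byte false positive (a decryption that happens to end in 0x02 0x02) with a confirming query.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptCBC returns iv || AES-CBC(PKCS#7(pt)): confidentiality only, no authentication.
func encryptCBC(key, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	cipher.NewCBCEncrypter(blk, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// paddingOracle stands in for the vulnerable server: decrypt a block under the given IV
// and reveal one bit, whether the PKCS#7 padding was valid. Nothing else leaks.
func paddingOracle(key []byte) func(iv, block []byte) bool {
	blk, _ := aes.NewCipher(key)
	return func(iv, block []byte) bool {
		pt := make([]byte, len(block))
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, block)
		n := int(pt[len(pt)-1])
		return n > 0 && n <= aes.BlockSize && bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) == n
	}
}

// recoverBlock recovers plaintext block i from (C_{i-1}, C_i) by forging the previous
// block so the decryption ends in valid padding, last byte first (Vaudenay's attack).
func recoverBlock(prev, cur []byte, oracle func(iv, block []byte) bool) []byte {
	inter := make([]byte, aes.BlockSize)  // AES^-1(cur), i.e. the block before the CBC xor
	forged := make([]byte, aes.BlockSize) // attacker-controlled "previous block"
	for j := aes.BlockSize - 1; j >= 0; j-- {
		v := byte(aes.BlockSize - j) // padding value the decryption should end with
		for k := j + 1; k < aes.BlockSize; k++ {
			forged[k] = inter[k] ^ v // steer already-recovered bytes to v
		}
		for g := 0; g < 256; g++ {
			forged[j] = byte(g)
			if !oracle(forged, cur) {
				continue
			}
			if j == aes.BlockSize-1 { // rule out an accidental 0x02 0x02 (or longer) padding
				forged[j-1] ^= 0xff
				ok := oracle(forged, cur)
				forged[j-1] ^= 0xff
				if !ok {
					continue
				}
			}
			inter[j] = byte(g) ^ v
			break
		}
	}
	for i := range prev {
		inter[i] ^= prev[i] // CBC decryption: P_i = AES^-1(C_i) xor C_{i-1}
	}
	return inter
}

// decryptViaOracle recovers the whole message from iv || ciphertext without the key.
func decryptViaOracle(ct []byte, oracle func(iv, block []byte) bool) []byte {
	var out []byte
	for i := aes.BlockSize; i < len(ct); i += aes.BlockSize {
		out = append(out, recoverBlock(ct[i-aes.BlockSize:i], ct[i:i+aes.BlockSize], oracle)...)
	}
	return out[:len(out)-int(out[len(out)-1])] // strip the genuine padding
}

// countAcceptedFlips is the AEAD side: seal pt with AES-GCM, flip every single bit of
// ciphertext and tag in turn, and count how many tampered messages Open accepted (0).
func countAcceptedFlips(key, pt []byte) int {
	blk, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(blk)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	sealed, accepted := aead.Seal(nil, nonce, pt, nil), 0
	for i := range sealed {
		for bit := 0; bit < 8; bit++ {
			tampered := append([]byte{}, sealed...)
			tampered[i] ^= 1 << bit
			if _, err := aead.Open(nil, nonce, tampered, nil); err == nil {
				accepted++
			}
		}
	}
	return accepted
}

func main() {
	key := []byte("0123456789abcdef")                                     // constructed demo key
	msg := []byte("Attack at dawn; padding oracles are why you want AEAD.") // constructed sample
	fmt.Printf("CBC padding oracle recovered: %q\n", decryptViaOracle(encryptCBC(key, msg), paddingOracle(key)))
	fmt.Printf("AES-GCM accepted %d tampered ciphertexts\n", countAcceptedFlips(key, msg))
}
```

Run it with go run and it prints the recovered message. Each plaintext byte costs at most 256 oracle queries (about 128 on average), so a 64-byte message falls in a few thousand "invalid padding" responses, which is the whole attack: the server's error behaviour, not a cryptanalytic weakness in AES, is what leaks the plaintext. With the AEAD there is no error behaviour to exploit, because a tampered ciphertext yields no decryption at all, only a rejection.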

Thread by Thomas H. Ptacek (@tqbf), unrolled via Thread Reader.

More from @tqbf

19 Jan
Today is the deadline for questions to be added to the 2021 Oak Park village ballot and one of our anti-defund trustees just slipped a resolution to add “Should Oak Park defund its police department” to the ballot.
If that question hits the ballot it will almost certainly fail _dramatically_, so the pro-defund trustees basically have to vote against it. It’s probably too late for them to introduce a competing resolution with friendlier wording, too.
I don’t like the trustee that did this but I have to concede this was well played: defund supporters are going to end up voting against a measure to put the question to the voters in plain language, thus effectively conceding the unpopularity of the slogan.
18 Jan
Why does the Go standard library think an rcode of REFUSED is a temporary error of “server misbehaving”? I just REFUSED you.
(The Go stdlib appears to reconnect a _bunch_ of times on REFUSED, is why we noticed; switching REFUSED to NXDOMAIN fixes that problem.)
Another weird thing is that the Go stdlib flips out if there’s no Question record in an error response — it claims not to be able to unmarshal the message, doesn’t show the rcode, and reconnects.
14 Jan
This is extremely cool. The basic idea: WireGuard is just a network protocol, like any other, and you can drive it from unprivileged userland code… which means you can drive all of TCP/IP from unprivileged userland code, through WireGuard.
Why would you ever want to do that? Well, we expose services on Fly.io over WireGuard (and, for security, over no other interfaces) but not all of our users are going to install OS WireGuard.
But: all of our users have our (Golang) `flyctl` installed, and flyctl can do WireGuard via wireguard-go, and then userland TCP/IP, to be a client of a network service exposed over WireGuard, without installing WireGuard itself.
9 Jan
This is super smart, and it took me less than 4 minutes to do the same thing for Oak Park, the suburb in which I live.
Illinois makes it super easy to send FOIA requests to any municipality (just look up their FOIA officer’s email); it’s free, and they get just 5 days to respond (10 with a written extension) before you can sue and have them pay your legal costs if you win.
What I’m saying is, not a crazy project to just come up with every police officer in all of Chicagoland who took PTO during the riots in DC.
26 Dec 20
This paper is very cool: behavior oracles in interactive systems that reveal successful decryption can, with a bunch of different AEADs incl. GCM and Chapoly, discern which specific key was used in something resembling log k queries. eprint.iacr.org/2020/1491.pdf
It’s based in part on the idea of “non-committing AEADs”, which are, roughly, AEADs where the specific key used to encrypt isn’t encoded into the output. For something like GCM, this means it’s straightforward to generate K_1, K_2, and C which decrypts under K_1 and K_2.
I found Shay Gueron’s writeup on key committing AEADs to be pretty accessible (I’m just reading casually), with worked examples. eprint.iacr.org/2020/1153.pdf
16 Nov 20
Mudge is the new head of security at Twitter, which got me talking about cDc, hacking groups, cliques, and the distinctions between them. I mentioned 8lgm and TESO as examples of hacking groups best understood as hacking groups, unlike cDc.

Someone said: “never heard of them”.
This creates an opportunity for me to talk again about my favorite exploit of all time, unquestionably a part of the canon of our field.
The year is 1995 and BSD Unix runs the Internet. The most important hacking target is SunOS 4.1.3; every network you want to get on is running it somewhere, and often everywhere.

The most important SunOS security research group: 8lgm.