Matthew Green Profile picture
Jul 6, 2021 13 tweets 3 min read Twitter logo Read on Twitter
I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. In the sense that I’ve never seen so many broken things in one simple piece of code.…
Like seriously, WTF is even happening here. Why are they sampling *floats*? Why are they multiplying them together? Is this witchcraft? Image
And here, Kaspersky decided that instead of picking a random password, they should bias the password to be non-random and thus “less likely to be on a cracker list”. 🤦🏻‍♂️ ImageImage
Then they used a non-cryptographic PRNG (Mersenne Twister). Amusingly, this is probably the *least* bad thing Kaspersky did, even though it’s terribly bad. Image
And in case you thought that after doing everything else wrong, they were going to do the next part right: nope. They then proceed to seed the whole damn thing with time(0). Image
I have to admire the combination of needless complexity combined with absolutely breathtaking incompetence.
Anyway, before anyone kills me for being mean to developers doing the best they can… The real takeaway here is that (obviously) nobody with even modest cryptographic knowledge ever audited, thought about, or came near this product.
And in case you’re of the opinion that bad implementations are unique to Kaspersky: it’s entirely possible to make some other mainstream password managers “hang forever” by setting the password chatset constraints too high, indicating that they haven’t figured this out either.
Some actual constructive lessons:

* Always use a real RNG to generate unpredictable seeds, never time(0)
* Always use a cryptographic RNG
* Never ever use floats in cryptography (I suspect some Javascript nonsense here)
* To convert from bits to an alphabet of symbols… 1/
(Rewriting this because now I’m afraid people will take advice from tweets)

You should use rejection sampling, with you can find articles about online. Be careful that your rejection loop doesn’t run forever.
And please, get someone to look at your code. Especially if it’s going to be in a mainstream product. You cannot ever ship anything bespoke like this without having an expert glance it over. Even an hour would have flagged all this stuff.
Oh gosh. Image
Anyway I recently had a discussion with a group of expert cryptographers/cryptographic engineers about whether “don’t roll your own crypto” is a helpful rule, or if it’s non-inclusive.

I don’t know the answer, but stuff like this is why the phrase was invented.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Matthew Green

Matthew Green Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @matthew_d_green

Nov 12
I’m a sucker for crypto papers that do insane things like build ciphertexts out of garbled circuits, and then use the garbled circuit to do stuff that only shows up in the security reduction. Eg:
So what’s fun about this paper is that it’s trying to do something weirdly hard: build cryptosystems that allow you to encrypt (functions of) secret keys. This can be encrypting your own secret key, or eg I can encrypt your secret key and you can encrypt mine to form a “cycle”.
The reason this is hard is that our standard definitions of security (eg semantic security) say that encryption must be safe for any possible messages an adversary can come up with. But adversaries don’t know my secret key, so the definition says nothing about that.
Read 12 tweets
Oct 29
So Apple deployed an entire key transparency thing for iMessage and it literally seems to be documented in a blog post. What the heck is the point of key transparency if you don’t document things, and (critically) provide open source ID verification tools?
Key transparency is about deterring attacks. But it doesn’t deter them if you keep it all secret, Apple! Image
Here’s the blog post. TLDR every device shares (?) an ECDSA signing key synced by iCloud key vault, all public keys go into CONIKS, encryption keys are authenticated by signing keys. So many little details unknown.…
Read 4 tweets
Oct 13
Oh god: “Mathematician warns US spies may be weakening next-gen encryption.” 🙄…
For the record, whatever issues have come up in the PQC competition, this is absolutely not the right way to address them.
I have read the HN discussion, and that is all I want to say on that topic.
Read 10 tweets
Sep 29
If anyone thought that the EU legislation on content scanning would be limited, you can forget about that. Europol has demanded unfiltered access to all data produced by these systems.…
To be clear what this means: these scanning systems may produce huge numbers of false positives. That means your private, encrypted messages get decrypted and handed over to the police *even if you haven’t sent anything illegal.*
A lot of people have justified the deployment of these systems (which will scan images, text and maybe audio) by claiming there are “safeguards.” This usually means employees check to see if there’s a crime before they report you to the cops. This would remove those checks.
Read 8 tweets
Sep 23
I wonder who exactly is paying for the ads and what their specific business interests are.
Like if I was in the adtech or data brokerage industry, I’d sure love these ads. Encryption is bad! Apple is too private. Let’s pass some laws to “protect the children.”
If there’s one thing that makes me deeply suspicious, it’s scrappy child-safety organizations suddenly having huge piles of money to spend on hyper-specific tech focused political pressure campaigns as opposed to, say, children.
Read 9 tweets
Sep 19
New leak from the Snowden documents. Image
To give some context, here are the contents of an initial Snowden leak from September 2013. Cavium was a leading manufacturer of cryptographic co-processors for VPN devices at that time.…
Just to give a sense of how important these chips are to VPN security (and without making any specific claims about this hardware) here’s the FIPS security policy for Cisco’s ASA crypto module, showing how much crypto the Cavium Nitrox chip implements.…
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!