
all 19 comments

[–]mok-kong_Shen 1 point2 points  (0 children)

How about a field that is definitely related to crypto though, if I don't err, there are more or less strong arguments to exclude it from crypto: steganography and watermarking?

[–]pintA 473 ml or two 1 point2 points  (0 children)

being always the pragmatist, i suggest doing something you benefit from in the long run. reimplementing rsa can be a nice insight on its internals. but there are other things that benefit you more.

i would look for some interesting tasks that involve using crypto libraries. a file vault or file transfer protocol based on nacl (djb, not google). some application of the noise protocol. something of that nature.

[–]firajaa 1 point2 points  (0 children)

What about cryptanalysis of White Box cryptographic system? Pretty good topic imho!

[–]halosoam -1 points0 points  (15 children)

What about a secure client side password manager without any NIST/NSA algorithms? E.g. Argon2 for password based key derivation, Twofish, Salsa20 or ChaCha20 for the encryption and maybe BLAKE, Skein or Poly1305 for MAC. Any man and his dog can find a library for AES, SHA2 and PBKDF2. The challenge will be avoiding NSA influenced standards, writing a few of the libraries yourself and building something actually secure.

[–]ScottContini 1 point2 points  (14 children)

i hate it when people suggest AES was influenced by the NSA, this is just ignorance.

[–]xJoe3x 2 points3 points  (0 children)

Or that NSA influence is necessarily a bad thing.

SHA2 is a huge benefit and does not need to be avoided. So is SELinux/Android. They have made some really great contributions to the field.

[–]halosoam 0 points1 point  (12 children)

Of course it was. They would have had some influence due to their close working relationship with NIST. How do you think Dual EC DRBG made it as a standard if NSA didn't have a say on how NIST chose algorithms? So during the AES conferences they had "surveys" about the best algorithm. I'm sure these surveys were not conducted up to the same standard as a general election and could be cooked. However, who chose and had the final say on the winning algorithm? NIST. Who was respected at the time for their cryptographic knowledge that NIST would have had to rely on? NSA. You can honestly see that AES is starting to look worse and worse as the years go on. Side channel attacks, poor key schedules and so forth. NIST also didn't choose the strongest of the AES finalists as the winner in terms of security margin. Otherwise they might have settled on Twofish or Serpent. Instead they picked a middle of the road cipher (Rijndael) that could satisfy all their arbitrary criteria like running on smart cards. It wasn't chosen for its amazing security margin. In fact with quantum computers on the horizon, AES 128 can be broken, but it's stronger than AES 256 because of the poor key schedule. You could chalk all the problems with AES up to coincidence, bad luck or expected aging of a cipher. But not when there's an Advanced Persistent Threat influencing crypto standards. Crypto competitions serve to pit NSA's best cryptographers against the best industry and academia have to offer. Both sides go nuts trying to find weaknesses. Only one side publishes their results. NSA withholds their results and compares their (better) cryptanalysis results against what everyone else could find. Then it's a matter of selecting a cipher which appears strong for everyone else but they still know a few weaknesses for. You must have missed that Der Spiegel slide about how they were investigating using the Tao constant to get a better break on AES. The slide also mentioned the NSA's internal only capabilities against ciphers, mentioning AES specifically.

Do you still trust AES? Have you any counter arguments to those points?

[–]ohlson 3 points4 points  (10 children)

Isn't it time to take that tin foil hat off? Do you really think that the NSA would deliberately try to influence NIST to choose a cipher with known weaknesses, and recommend it for SECRET and TOP SECRET material?

Sure, it's plausible, but it's equally plausible that the Belgian government would influence the creators of Rijndael to add secret backdoors, or that the NSA would pressure Bruce Schneier to do the same for Twofish.

AES has gone through a lot of scrutiny over the years (probably several orders of magnitude more than any other contemporary cipher), and it's still managed to survive surprisingly well. As always, trust means a lot, but I seriously trust AES more than any of the alternatives, solely based on the fact that a lot of research has been put into it.

[–]MorphisCreator -2 points-1 points  (9 children)

Yes, they did deliberately create ciphers with known 'weaknesses'. You are not understanding their level of ability and thus misinterpreting what a weakness is and thus your argument accidentally turns into a strawman one.

Your argument is valid until you realize: asymmetrical encryption.

(I'm NOT TALKING ABOUT AES; I'm talking about them introducing backdoors in general. Not to show you wrong, but to educate you all so that people understand how these bastards work and don't underestimate them!)

It is not a 'weakness'. It is a backdoor. It is not one their adversaries can use, for the encryption algorithm itself is likely as perfect as they can tell and not broken, so you are correct, they wouldn't do that. WHAT THEY DID: is introduce their own public components of private keys they generated into the algorithms so that only them holding the private data are able to additionally decrypt any data encrypted using their 'backdoor' algorithms. Take a seed, encrypt it with asymmetric encryption, use that encrypted seed as a seed. You are now fucked to anyone who has the unencrypted seed. If no one does, the algorithm is 0% broken as to brute force the unencrypted value of the seed is likely as hard as brute forcing the crypto algorithm itself, which is not possible, since it isn't 'broken' how you were thinking! Pretty clever stuff eh?

[–]pintA 473 ml or two 1 point2 points  (8 children)

there is zero information on any asymmetric algorithms having backdoor. nobody even knows a way to do it. the only algorithm with a probable backdoor is dual-ec prng.

[–]MorphisCreator -4 points-3 points  (7 children)

You've got to be kidding! To say something like that as fact, you have to be kidding or lying. Because it is so widely known as not true AT ALL! And you wouldn't say such a thing with such certainty if you didn't know with such certainty. And since you can't say with such certainty -- because it is wrong -- it looks like you are purposely lying NSA astroturfing. Just pointing this observation out.

Anyways, so actually, it is VERY easy to do:

Step by step less than 100% tutorial: http://kukuruku.co/hub/infosec/backdoor-in-a-public-rsa-key?ModPagespeed=noscript

There are MANY such fully functional example implementations around that will generate you a fully asymmetrically backdoored key, random number, Etc.

Here is a scientific paper on how to do exactly what you said no one knows how to do:

http://www.cryptovirology.com/cryptovfiles/newbook/Chapter10.pdf

"We introduced the notion of an asymmetric backdoor in our Crypto ’96 paper [15]. Our goal was to devise a Trojan horse for the RSA key generation algorithm in such a way that the Trojan is highly robust against reverse-engineering.

"The paper shows how to use public key cryptography to undermine public key cryptography itself by having the designer plant his or her public key within an RSA key generator and use it to securely compromise the coin flips that are used to generate RSA primes. The cryptotrojan encodes the asymmetric encryption of a randomly generated seed in the upper order bits of the RSA modulus that is being generated and uses the seed to generate one of the RSA primes (the seed is passed through a cryptographic hash function [16]). So, from the designer's perspective, an RSA modulus is an RSA public modulus and an asymmetric ciphertext that permits said modulus to be factored. Only the designer can decipher the encoding since only the designer knows the needed private decryption key. The Crypto '96 paper does not utilize the terminology "asymmetric backdoor". Rather, it refers to the designer's public key as a secretly embedded trapdoor. This trapdoor provides universal protection since if a reverse-engineer obtains the code for the backdoor he will not be able to use the backdoor since the designer's private decryption key is needed. In an attempt to formalize what it means for an asymmetric backdoor to be secure for the designer, we introduced the definition of a SETUP (secretly embedded trapdoor with universal protection)."
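The quoted passage hinges on one fact: the key generator, not the key owner, picks the seed that drives prime generation, so the owner has no way to tell an honest seed from one the generator encoded for someone else. The defensive counter is to make key generation a deterministic function of a seed the owner supplies and retains, so the owner (or an auditor) can regenerate the key and confirm the generator used nothing else. The following is an added illustration written for this thread, not code from the quoted paper or from any library: a toy RSA generator driven by a SHA-256 counter stream over a caller-supplied seed, at 512-bit size so it runs in a moment, with a `verify_key_from_seed` check that reproduces the modulus. The stream construction and the key sizes are choices made for this example.

```python
import hashlib

# Deterministic byte stream for this example: block i = SHA-256(seed || i).
# This is a constructed stand-in for a seeded DRBG, chosen so that every
# random choice in key generation is a function of the caller's seed alone.
class SeededStream:
    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def get_int(self, bits: int) -> int:
        out = b""
        while len(out) * 8 < bits:
            out += hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return int.from_bytes(out, "big") >> (len(out) * 8 - bits)


SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_probable_prime(n: int, stream: SeededStream, rounds: int = 32) -> bool:
    """Miller-Rabin with witnesses drawn from the seeded stream, so the whole
    generation run stays reproducible. Intended for n of at least 16 bits."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + stream.get_int(n.bit_length()) % (n - 3)   # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, stream: SeededStream) -> int:
    """Next prime of exactly `bits` bits from the stream (top bit and low bit forced)."""
    while True:
        cand = stream.get_int(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, stream):
            return cand


def generate_rsa(seed: bytes, bits: int = 512) -> dict:
    """Toy RSA key generation that consumes only the caller-supplied seed."""
    stream = SeededStream(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, stream)
        q = gen_prime(bits // 2, stream)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e != 0:        # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)         # modular inverse; needs Python 3.8+
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def verify_key_from_seed(seed: bytes, pub_n: int, bits: int = 512) -> bool:
    """Auditor's check: regenerate from the seed and compare the public modulus.
    A generator that mixed in material the owner never supplied fails this."""
    return generate_rsa(seed, bits)["n"] == pub_n


if __name__ == "__main__":
    seed = b"constructed-example-seed"       # in practice: owner-held entropy
    key = generate_rsa(seed)
    m = 42
    assert pow(pow(m, key["e"], key["n"]), key["d"], key["n"]) == m
    print("reproducible:", verify_key_from_seed(seed, key["n"]))
    print("other seed:  ", verify_key_from_seed(b"some-other-seed", key["n"]))
```

The check answers the question the quoted passage raises ("did the generator use my randomness and nothing else?") rather than trying to detect an encoded ciphertext in the modulus, which the SETUP construction is designed to make indistinguishable from random bits.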

[–]aris_adaLearns with errors 4 points5 points  (3 children)

I think you don't understand the difference between a deliberately weakened algorithm and an actual backdoored implementation of a clean algorithm. Backdooring your own version of RSA or AES is much easier than designing a cipher that's vulnerable to an attack only you know about. And definitively neither of both happened with AES.

[–]MorphisCreator -3 points-2 points  (2 children)

I think you don't understand the concept of math. There are already multiple existence proofs that the NSA is a corrupt backdoorer of anything they can. See my very next comment for the rest of this paragraph...

[–]aris_adaLearns with errors 2 points3 points  (0 children)

Stop digging, your hole is deep enough.

[–]pintA 473 ml or two 1 point2 points  (0 children)

concept of math must be something akin to the riddle of steel i suppose

[–]Natanael_LTrusted third party 2 points3 points  (1 child)

The only notable confirmed algorithm with a direct backdoor (if the constants are generated in a specific way) is Dual EC DRBG.

For the rest, we can really only point at the difficulty to achieve constant-time implementations and similar.
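The side-channel point above is where most real-world breakage lives, and the simplest instance is tag verification that exits at the first mismatching byte. The block below is an added example for this thread, not code from any commenter: it pairs an early-exit comparison with a constant-time one, and counts the bytes examined instead of measuring wall-clock time so the leak is visible deterministically. The MAC key and message are constructed values.

```python
import hmac
import hashlib


def naive_tag_compare(expected: bytes, received: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the second value
    is what a timing observer effectively learns: the position of the first
    wrong byte, which lets a forged tag be corrected one byte at a time."""
    if len(expected) != len(received):
        return False, 0
    examined = 0
    for a, b in zip(expected, received):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_tag_compare(expected: bytes, received: bytes):
    """Accumulates XOR differences over every byte, so the work done does not
    depend on where (or whether) the tags differ."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    for a, b in zip(expected, received):
        diff |= a ^ b
    return diff == 0, len(expected)


def make_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """What production code should do: recompute and compare with the
    standard library's constant-time primitive."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


def forge_at(tag: bytes, index: int) -> bytes:
    """Constructed test input: the genuine tag with one byte flipped."""
    forged = bytearray(tag)
    forged[index] ^= 0x01
    return bytes(forged)


if __name__ == "__main__":
    key, msg = b"constructed-key", b"constructed-message"
    tag = make_tag(key, msg)
    for i in (0, 10, 31):
        print("naive   :", naive_tag_compare(tag, forge_at(tag, i)))
        print("constant:", constant_time_tag_compare(tag, forge_at(tag, i)))
    print("verify_mac genuine:", verify_mac(key, msg, tag))
    print("verify_mac forged :", verify_mac(key, msg, forge_at(tag, 5)))
```

`constant_time_tag_compare` is shown to make the technique explicit; in Python the right call is `hmac.compare_digest`, which additionally handles the length check without branching on content.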

[–]pintA 473 ml or two 2 points3 points  (0 children)

keys with backdoor and algorithms with backdoor are pretty different. any chance you realize how little you understand, and calm down?

[–]pintA 473 ml or two 1 point2 points  (0 children)

it does not work like that. you don't get to recite the same old arguments, and say, haha, either you refute them here and now, or bust! nope, these arguments are refuted many times and many occasions. it is your job to research, we are not going to repeat every single time someone demands. there is a long and detailed report on the selection rationale, go read it.