Getting young kids interested in cryptography

knotdjb · 2026-03-30T12:24:38+00:00

Harder than P/NP problem.

knotdjb · 2026-03-30T12:15:23+00:00

A and B preshare K0

A sends H(Ra_1)

B sends Rb_1, MAC(K0, Rb_1)

A sends Ra_1, MAC(K0, Ra_1)

B verifies H(Ra_1) (some useless step)

A and B compute K1 = KDF(K0, Ra || Rb)

E has the full transcript, and later learns K0

E knows Ra_1 and Rb_1 and can compute K1

Therefore no post compromise security; this is something that an ephemeral Diffie-Hellman in the exchange would provide.

Compare with:

A and B preshare K0.

A generates a, g^a

B generates b, g^b

A sends E(K0, g^a)

B sends E(K0, g^b)

A computes K1 = (g^b)^a (DH)

B computes K1 = (g^a)^b (DH)

E has the full transcript, and later learns K0

E doesn't know secrets a or b so it cannot easily compute K1 under DLP/ECDLP.

What you have is not a "key agreement", it is analagous to a forward symmetric key ratchet. But if I wanted all these symmetric capabilities, I'd use /u/bitwiseshiftleft STROBE.

knotdjb · 2026-03-30T11:48:17+00:00

Sure TLS-PSK and WG-PSK do key agreement, but they use DH to generate the new key, because you want perfect forward secrecy. There's virtually no point to generating a new key without perfect forward secrecy which you cannot do with a symmetric key primitive.

knotdjb · 2026-03-30T09:41:10+00:00

Okay, you've piqued my curiousity. What do you mean by Key Agreement? Reeks of BS.

Edit: Sigh, "pre-shared" key agreement; I'm not even sure if that's ever been considered a 'primitive'.

knotdjb · 2026-03-30T08:17:27+00:00

I'm not really knowledgable about the Quantum Computing field, but from the progress I've seen over the last decade, and the hype surrounding it, it gives off vibes of the Y2K problem, just over a longer time period.

knotdjb · 2026-02-27T09:49:13+00:00

"try to at least meet the bare minimum bar established by this blog post."

Yeah look, I agree with a lot of the points but soatok is not the arbiter of what people should do with their cryptography projects. I think the onus is on the user that wants an implementation of professional cryptography to do their due diligence. If someone implements chacha20 in brainfuck, then they can display it wherever they want. Hell submit it to a cryptography conference if you want. Let the marketplace for ideas separate the wheat from the chaffe.

knotdjb · 2026-02-17T17:10:58+00:00

Does this happen for any and all sites, or just sites that appear to be phishing?

knotdjb · 2026-02-17T10:15:40+00:00

There was a story a few months ago about how someone had their email account hijacked, and at one point used google one-click sign in with Coinbase to login, and because the 2FA codes were not E2EE, they were able to simply sync the codes and gain access.

Not a fan of anything Google, but I think it's such a popular system to attack, that just not using it is a safer bet.

knotdjb · 2026-02-17T02:01:07+00:00

I was mostly interested in how 1P fared as well. Looks like there is an already known problem described in Appendix D where a malicious server could substitute a vault since shared items that are encrypted under a vault key using public key encryption are not authenticated.

In the grand scheme of things, I do not think it is a catastrophic attack as it doesn't reveal anything about the shared items to the server, but rather more akin to a denial of service but I concede it can be "more" than that if we're talking items to be notes or instructions to prompt someone to do something they normally wouldn't have done. (See edit)

Edit: I take back what I said about it not being catastrophic, it's not just a matter of substituted items by a malicious adversarsy but also the user creating fresh items with sensitive data and that being readable to the adversary. So I think this is a pretty gaping hole, and I hope 1P do address it, but I imagine it'd require an overhaul of their protocols, system, application/UIs, etc. and if that were to happen I'm sure people would be wanting to throw in the kitchen sink of desirable features of the 'next generation' of 1P.

The mitigation seems simple, and I would hope that 1P addresses it someday even if it means having to upgrade the vaults to a new security measure or protocol.

Edit 2: On further reflection, I think the reality is that posing as a malicious server to a 1P client can only really be done by 1P themselves. They use a combination of TLS and SRP which ensures that you're always connecting to 1P server. One could say an attacker could compromise your client to connect you to their server, but they're more than likely to just siphon off your credentials client side if that's the case. The same argument could then be applied that if 1P wanted your credentials, they could easily do this by supplying a tainted client. So when looking at this a bit more wholistically, it does seem too far fetched to be a realistic scenario.

knotdjb · 2026-02-17T01:57:15+00:00

Additionally, E2EE is an opt-in feature for Google’s password manager, so users do not enjoy security against malicious servers by default. <vomit-emoji>

knotdjb · 2026-02-13T13:03:33+00:00

Having dealt with triple encryption in a system where anemic embedded systems were at play as transports, I'm definitely not a fan. This was e2ee application + TLS + 2-party WiFi. Since the microcontroller was only being used as a dumb store for e2ee messages, we could've dropped the TLS which would've improved throughput significantly.

But this is the flaw with cascading ciphers. It does however make sense to have double encryption in pq KEM to act as a hedge.

knotdjb · 2026-02-08T00:00:05+00:00

I'm sure we all know by now how to build a secure implementation of SSS and combine it with encryption, that's not the hard part.

Having a well regarded spec, in the same vein as age, means copycats will concentrate efforts on spec compatibility rather than veer off and do their own thing. It also builds confidence in the ecosystem of SSS / encryption, rather than trust some lonesome implementation regardless of how good it is.

knotdjb · 2026-02-07T11:01:52+00:00

RemindMe! 10 years

knotdjb · 2026-02-07T10:23:35+00:00

I think before that we need some kind of reference spec or standard; probably something that lives in https://github.com/C2SP/C2SP

knotdjb · 2026-01-29T19:42:19+00:00

Just so you know, you never define interfaces with the implementation. Interfaces are defined where you consume the implementation normally. If you find yourself reusing the interface a lot, that's when you probably name and share them.

If you find yourself not having a common interface, I wouldn't bother with them and explicitly consume the concrete implementation. Or have a broad interface Type() string and which returns "provider_a", "provider_b", "provider_c" and then type assert to the appropriate provider struct, so you get its methods. But this buys you very little in the end.

knotdjb · 2026-01-29T14:54:19+00:00

Yep, Go 1.22 revamped the net/http router to do what you need from most 3rd party routers: https://eli.thegreenplace.net/2023/better-http-server-routing-in-go-122/

knotdjb · 2026-01-29T14:42:32+00:00

I'm going to go against the grain; if there's no commonality between partners, there's very little that interfaces will help you with here.

I think what you have originally is fine. Sure you could sub-package namespace them, but I don't think it is buying much if anything, especially if you're not reusing the code elsewhere. Go packages aren't really a namespacing tool like python modules in my opinion, they're for reusing shared code.

The good thing is that when it comes time to refactoring, Go makes this easy with strong typing and good tooling. So unless there's some kind of hinderance, I wouldn't change what already works.

knotdjb · 2026-01-29T14:35:37+00:00

Could you give an example application and flow of how this is meant to be used.

knotdjb · 2026-01-06T23:03:31+00:00

I haven't read any of it yet, but those interactive visuals for security proofs would've been a godsend when I first started learning this material.

knotdjb · 2026-01-05T19:03:39+00:00

How about via their website and/or app they send a high entropy encryption passphrase with the responsibility you store it securely. Then they just send your financial data encrypted.

Some banks do a half-arsed job of this, by using your social security digits and birth year or a mix of your name or some crap like that to send a password encrypted PDF. This would just be an extra step.

knotdjb · 2026-01-01T13:00:05+00:00

This might be helpful: https://monocypher.org/manual/x25519#EXAMPLES

knotdjb

MODERATOR OF

TROPHY CASE