Security Cryptography Whatever

Another day, another ostensibly secure messenger that quails under the gaze of some intrepid cryptographers. This time, it's Threema, and the gaze belongs to Kenny Paterson, Matteo Scarlata, and Kien Tuong Truong from ETH Zurich. Get ready for some stunt cryptography, like 2 Fast 2 Furious stunts.Transcript: https://securitycryptographywhatever.com/2023/01/27/threema/Links:https://breakingthe3ma.app/https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdfhttps://threema.ch/en/blog/posts/ibex"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

There's a paper that claims one can factor a RSA-2048 modulus with the help of a 372-qubit quantum computer. Are we all gonna die?Also some musings about Bruce Schneier.Errata:Schneier's honorary PhD is from the University of Westminster, not UW.Transcript:https://securitycryptographywhatever.com/2023/01/06/has-rsa-been-destroyed-by-a-quantum-computer/Links:https://arxiv.org/pdf/2212.12372.pdfhttps://eprint.iacr.org/2021/232.pdfhttps://github.com/lducas/SchnorrGatehttps://sweis.medium.com/did-schnorr-destroy-rsa-show-me-the-factors-dcb1bb980ab0https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.htmlhttps://scottaaronson.blog/?p=6957"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

David and Deirdre gab about some stuff we didn't get to or just recently happened, like Tailscale's new Tailnet Lock, the Okta breach, what the fuck CISOs are for anyway, Rust in Android and Chrome, passkeys support, and of course, SBF.Transcript:https://securitycryptographywhatever.com/2023/01/04/end-of-year-wrap-up/Links:https://tailscale.com/blog/tailnet-lock/https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.htmlhttps://groups.google.com/a/chromium.org/g/chromium-dev/c/0z-6VJ9ZpVU"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We talk to Kevin Riggle (@kevinriggle) about complexity and safety. We also talk about the Twitter acquisition. While recording, we discovered a new failure mode where Kevin couldn't hear Thomas, but David and Deirdre could, so there's not much Thomas this episode. If you ever need to get Thomas to voluntarily stop talking, simply mute him to half the audience!https://twitter.com/kevinriggleTranscript: https://securitycryptographywhatever.com/2022/11/24/software-safety-and-twitter-with-kevin-riggle/ErrataIt was the Mars Climate Orbiter that crashed due to a units mismatchDavid confused the Dreamliner with the 737 MaxLinkshttps://free-dissociation.com/blog/posts/2018/08/why-is-it-so-hard-to-build-safe-software/https://complexsystems.group/https://how.complexsystems.fail/https://noncombatant.org/2016/06/20/get-into-security-engineering/https://blog.nelhage.com/2010/03/security-doesnt-respect-abstraction/http://sunnyday.mit.edu/safer-world.pdfhttps://www.adaptivecapacitylabs.com/john-allspaw/https://www.etsy.com/codeascraft/blameless-postmortemshttps://increment.com/security/approachable-threat-modeling/https://www.nytimes.com/2022/11/17/arts/music/taylor-swift-tickets-ticketmaster.htmlhttps://www.hillelwayne.com/post/are-we-really-engineers/https://www.hillelwayne.com/post/we-are-not-special/https://www.hillelwayne.com/post/what-we-can-learn/https://lotr.fandom.com/wiki/Denethor_IIhttps://twitter.com/sarahjeong/status/1587597972136546304"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

No not the movie: the secure group messaging protocol! Or rather all the bugs and vulns that a team of researchers found when trying to formalize said protocol. Martin Albrecht and Dan Jones joined us to walk us through "Practically-exploitable CryptographicVulnerabilities in Matrix".Transcript:https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/Links: https://nebuchadnezzar-megolm.github.io/static/paper.pdfhttps://nebuchadnezzar-megolm.github.ioSignal Private Group system: https://eprint.iacr.org/2019/1416.pdfhttps://signal.org/blog/signal-private-group-system/https://spec.matrix.org/latest/WhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdfhttps://www.usenix.org/conference/usenixsecurity21/presentation/albrecht FS, PCS etcOther clients: https://nvd.nist.gov/vuln/detail/CVE-2022-39252 https://nvd.nist.gov/vuln/detail/CVE-2022-39254 https://nvd.nist.gov/vuln/detail/CVE-2022-39264 https://dadrian.io/blog/posts/roll-your-own-crypto/https://podcasts.apple.com/us/podcast/the-great-roll-your-own-crypto-debate-feat-filippo-valsorda/id1578405214?i=1000530617719 WhatsApp End-to-End Encrypted Backups: https://blog.whatsapp.com/end-to-end-encrypted-backups-on-whatsappRoll your own and Telegram: https://mtpsym.github.io/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We have Sarah Harvey (@worldwise001 on Twitter) to talk about SOC2, what it means, how to get it, and if it's important or not. The discussion centers around two blog posts written by Thomas:SOC2 Starting Seven: https://latacora.micro.blog/2020/03/12/the-soc-starting.htmlSOC2 at Fly: https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/Transcript:https://securitycryptographywhatever.com/2022/10/16/SOC2-with-Sarah-Harvey/Links:Tailscale recent post on getting SOC2’d: https://tailscale.com/blog/soc2-type2/SSO Tax: https://sso.taxDavid’s previous job: https://getnametag.comDavid's other startup: https://censys.ioThomas works at https://fly.io"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

This episode got delayed because David got COVID. Anyway, here's Nate Lawson: The Two Towers.Steven Chu: https://en.wikipedia.org/wiki/Steven_ChuCFB: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_feedback_(CFB)CCFB: https://link.springer.com/chapter/10.1007/11502760_19XXTEA: https://en.wikipedia.org/wiki/XXTEACHERI: https://cseweb.ucsd.edu/~dstefan/cse227-spring20/papers/watson:cheri.pdfTranscript:https://securitycryptographywhatever.com/2022/09/29/nate-lawson-ii/Errata:Pedram Amini did in fact do Pai Mei"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We bring on Nate Lawson of Root Labs to talk about a little bit of everything, starting with cryptography in the 1990s.Transcript:https://securitycryptographywhatever.com/2022/09/09/nate-lawson-part-1/ReferencesIBM S/390: https://ieeexplore.ieee.org/document/5389176SSLv2 Spec: https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.htmlXbox 360 HMAC: https://beta.ivc.no/wiki/index.php/Xbox_360_Timing_AttackGoogle Keyczar HMAC bug (reported by Nate): https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/ErrataHMAC actually published in 1996, not 1997"That was one of the first, I think hardware applications of DPA was, was, um, satellite TV cards." Not true, they first were able to break Mondex, a MasterCard smart card"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Are the isogenies kaput?! There's a new attack that breaks all the known parameter sets for SIDH/SIKE, so Steven Galbraith helps explain where the hell this came from, and where isogeny crypto goes from here.Transcript: https://securitycryptographywhatever.com/2022/08/11/hot-cryptanalytic-summer-with-steven-galbraith/Merch: https://merch.scwpodcast.comLinks:https://eprint.iacr.org/2022/975.pdfhttps://eprint.iacr.org/2022/1026.pdfhttps://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/GPST active adaptive attack against SIDH: https://eprint.iacr.org/2016/859.pdfFailing to hash into supersingular isogeny graphs: https://eprint.iacr.org/2022/518.pdfhttps://research.nccgroup.com/2022/08/08/implementing-the-castryck-decru-sidh-key-recovery-attack-in-sagemath/Kuperberg attack via Peikert: https://eprint.iacr.org/2019/725.pdfSQISign: https://eprint.iacr.org/2020/1240.pdf(Post recording)  Breaking SIDH in polynomial time:https://eprint.iacr.org/2022/1038.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Adam Langley (Google) comes on the podcast to talk about the evolution of WebAuthN and Passkeys!David's audio was a little finicky in this one. Believe us, it sounded worse before we edited it. Also, we occasionally accidentally refer to U2F as UTF. That's because we just really love strings.Transcript: https://securitycryptographywhatever.com/2022/08/11/passkeys-with-adam-langley/Links:GoogleIO PresentationWWDC PresentationW3C WebAuthNAdam's blog on passkeys and CABLECable / Hybrid PRCTAP spec from FIDONoise NKPSKDERPDon't forget about merch! https://merch.securitycryptographywhatever.com/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)