
ITT: Your favorite 2hu and when you realized you were gay

2 Name: Anonymous 2018-10-01 20:49
In general, I think security/cryptography/etc is so incredibly complicated and difficult

Nah. Crypto is actually pretty easy at the high level to understand. And the low level details are also quite simple, mixing, XORing, shifting, multiplying or exponentiation modulo a bit-length, solving the equation of an elliptic curve, etc. Once you have a basic understanding you can quickly string together cryptographic primitives and design new ciphers fairly simply.

What's complicated is testing to ensure that the resultant algorithm doesn't create bit dependencies which can be exploited by cryptanalysis. However, we have automated tests for that now. Side channel attacks are also a PITA to avoid, but there are guidelines which help nail them down. Really, what's crazy is running your system on a shared hosting platform then calling it secure when you've already lost any guarantee that your data isn't visible to 3rd parties. If you're worried about "side channel attacks" on code you've entrusted "The Cloud" to run for you... that's crazy. If you're running on your own hardware, and there's malicious stuff crawling around in there, you've also got bigger problems than passive side channel attacks.

What's insane is using an algorithm (like SHA3) that NSA tweaked parameters to. It's silly to assume they didn't introduce bit dependencies to make a back door... Like the backdoored Dual Elliptic Curve Pseudo Random Number Generator NSA submitted, which is now also a NIST recommended algorithm.

What's insane is NOT learning enough crypto to roll your own system, and instead trusting that some crypto library like OpenSSL isn't maintained by morons (it was), and hasn't just become a giant single point of failure for state actors to attack. Protip: The patch that introduced the 'Heart Bleed' bug was accepted on New Year's Eve, when everyone else was too drunk to notice.

Sorry, the "common wisdom" of the crypto community is exactly the problem.

Before you downvote, go and look in your browser's trusted roots.

FF > [Preferences | Options] > Advanced > Certificates > View Certificates > Authorities.

Chrome > Options > Under the Hood > Manage Certificates > Trusted Root Certificates

If you have CNNIC (China's Root Cert) or the damn "Hong Kong Post Office" listed as a TRUSTED ROOT, then you're not qualified to say jack shit about security... seriously.
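
Added example, not part of the post above: a scripted version of the trusted-root check it describes, run against the OpenSSL trust store that Python uses (or a PEM bundle passed as an argument) rather than a browser's own store. The watchlist substrings and the sample entries are assumptions constructed for illustration.

```python
import ssl
import sys

# Substrings built from the two CA names the post mentions (assumption:
# case-insensitive match on the subject's organizationName and commonName).
WATCHLIST = ("cnnic", "hongkong post", "hong kong post")

def subject_fields(cert):
    """Flatten the nested RDN tuples returned by get_ca_certs() into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields

def flag_roots(certs, watchlist=WATCHLIST):
    """Return (organizationName, commonName, notAfter) for each watched root."""
    hits = []
    for cert in certs:
        fields = subject_fields(cert)
        org = fields.get("organizationName", "")
        cn = fields.get("commonName", "")
        if any(w in f"{org} {cn}".lower() for w in watchlist):
            hits.append((org, cn, cert.get("notAfter", "")))
    return hits

def load_roots(cafile=None):
    """Load the default OpenSSL trust store, or a PEM bundle if a path is given.
    Roots that live only in a capath directory are not listed until used."""
    return ssl.create_default_context(cafile=cafile).get_ca_certs()

# Constructed sample in the dict shape get_ca_certs() returns (dates invented).
SAMPLE = [
    {"subject": ((("countryName", "CN"),), (("organizationName", "CNNIC"),),
                 (("commonName", "CNNIC ROOT"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "HK"),), (("organizationName", "Hongkong Post"),),
                 (("commonName", "Hongkong Post Root CA 1"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "US"),), (("organizationName", "Example Trust"),),
                 (("commonName", "Example Root CA"),)),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

if __name__ == "__main__":
    roots = load_roots(sys.argv[1] if len(sys.argv) > 1 else None)
    for org, cn, not_after in flag_roots(roots):
        print(f"watched root trusted: O={org} CN={cn} notAfter={not_after}")
```

Firefox keeps its own NSS root store, so export its authorities to a PEM bundle and pass that path to audit the browser itself.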
