GNU social JP
GNU social JP is a Japanese GNU social server.
    Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:23 JST

    My job involves auditing and developing cryptographic software.

    Most developers don't understand cryptography.

    Most developers shouldn't ever need to understand cryptography.

    Most users understand it less than developers do!

    A large unwritten part of my job responsibility involves talking developers down from the ledge when they think cryptography is easy.

    Once in a blue moon, I have a conversation that looks like this:

    Dev: "I don't get why more people don't add end-to-end encryption! It was really easy: I broke the plaintext into 256-byte blocks and encrypted them independently with their recipient's RSA 2048-bit public key. I wrote it using BigInts in my computer science class, and it just works."

    Me: "Hey that's horrifying and all but before we get into the details, how do you know which public key to use?"

    Dev: "Oh, I store it in MySQL! The encryption is done in JavaScript, so I never see plaintext."

    Me: [crying inside]

      Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:20 JST, in reply to the above

      At the end of 2022, I was like:

      "DMs are plaintext? I should fix that."

      And I still haven't even gotten to the actual part where messages would be encrypted or not, because I want to correctly tackle the hard problems around key management.

      I've been rewriting drafts for a blog post since July 2023 about key management, and it's still deeply unsatisfying to me. I may never publish it at this rate.

      Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:21 JST, in reply to the above

      It doesn't even matter to me whether a protocol is exploitable or not; the second it fails to manage keys this way, I will never recommend it.

      Do not pass go.

      Do not collect $200.

      Soatok Dreamseeker (soatok@furry.engineer)'s status on Thursday, 30-Jan-2025 22:17:22 JST, in reply to the above

      This contrived dialogue may have tripped alarms in your mind, even if you're not a nightmare magic math specialist.

      If so, this is the same kind of "oh noooooo" I feel whenever a protocol decides which algorithm to use based entirely on potentially attacker-controlled data.

      Grabbing the algorithm from a message signature? Bozo bit flipped!

      Grabbing the public key from the message signature? I'm over the moon. (Session does this, even though there's an external bit of logic binding it to the user's long-term birationally equivalent X25519 public key.)

      The only acceptable way to do this is:

      1. Have a randomly generated Key ID that points to a specific keypair.
      2. Include this Key ID in the data being authenticated.
      3. To figure out the algorithm to use for a given key, consult the key (not the signature or message).
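The three steps above, as an added example that is not part of Soatok's post or of any project: a small Python key store where every randomly generated key ID maps to a key record that carries its own algorithm. The key ID is bound into the bytes being authenticated, and the verifier takes the algorithm from the key record, ignoring any algorithm field that arrives with the message. HMAC stands in for the signature scheme so the example runs on the standard library alone; the key-store layout, the function names and the key-ID length prefix are my assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Algorithms the key store is allowed to reference. Nothing outside this
# table can ever be selected, and nothing in a message can select from it.
SUPPORTED = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


@dataclass(frozen=True)
class KeyRecord:
    algorithm: str   # the key, not the message, says how it is used
    secret: bytes


# Constructed in-memory key store: key_id -> KeyRecord (assumed layout).
KEY_STORE: dict[str, KeyRecord] = {}


def generate_key(algorithm: str) -> str:
    """Step 1: create a keypair (here a secret) behind a random, opaque key ID."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    key_id = secrets.token_hex(16)  # random; derived from nothing the sender supplies
    KEY_STORE[key_id] = KeyRecord(algorithm, secrets.token_bytes(32))
    return key_id


def _authenticated_bytes(key_id: str, payload: bytes) -> bytes:
    """Step 2: the key ID is part of the authenticated data.

    A 2-byte length prefix (assumed encoding) keeps the key ID and payload
    from being re-split at a different boundary.
    """
    kid = key_id.encode("ascii")
    return len(kid).to_bytes(2, "big") + kid + payload


def sign(key_id: str, payload: bytes) -> dict:
    """Produce a message whose tag covers both the key ID and the payload."""
    record = KEY_STORE[key_id]
    digest = SUPPORTED[record.algorithm]
    tag = hmac.new(record.secret, _authenticated_bytes(key_id, payload), digest)
    # Note: no "alg" field is emitted; the receiver must not need one.
    return {"key_id": key_id, "payload": payload.hex(), "tag": tag.hexdigest()}


def verify(message: dict) -> bool:
    """Step 3: look the key up by ID and take the algorithm from the key record.

    Any extra field in the message (for example an attacker-added "alg") is
    never consulted, so it cannot steer algorithm selection.
    """
    record = KEY_STORE.get(message.get("key_id"))
    if record is None:
        return False  # unknown key ID: reject, do not fall back to anything
    digest = SUPPORTED[record.algorithm]
    try:
        payload = bytes.fromhex(message["payload"])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(
        record.secret, _authenticated_bytes(message["key_id"], payload), digest
    ).hexdigest()
    # Constant-time comparison; a tag of the wrong length simply fails.
    return hmac.compare_digest(expected, str(message.get("tag", "")))


if __name__ == "__main__":
    kid = generate_key("hmac-sha256")
    msg = sign(kid, b"hello")
    print("valid:", verify(msg))
    print("alg field ignored:", verify(dict(msg, alg="none")))
    print("key id swapped:", verify(dict(msg, key_id=generate_key("hmac-sha512"))))
```

Swapping the key ID on an existing message fails because the ID was inside the authenticated bytes, and an "alg" field added to the message changes nothing because the verifier never reads it; those two outcomes are exactly what steps 2 and 3 buy you.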
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.