Deirdre Connolly 8 Jan
Multiple sessions over multiple servers looks similar to solving the hidden number problem, which can be attacked via the closest vector problem in a lattice.
Deirdre Connolly 8 Jan
Found these vulns in 7 out of 9 impls 🍵
Deirdre Connolly 8 Jan
Paper includes layers of recommended mitigations, but if you really have to use RSA, separate your certificates. But maybe just… please don't use RSA.
Deirdre Connolly 8 Jan
Bleichenbacher attacks in 2020
Deirdre Connolly 8 Jan
Next up! DECO: Liberating Web Data Using Decentralized Oracles for TLS
Deirdre Connolly 8 Jan
Applying DECO to smart contracts, like on blockchain thingies
Deirdre Connolly 8 Jan
Smart contracts need to be online to respond in a timely manner to things happening in the world.
Deirdre Connolly 8 Jan
✨decentralization✨ for your decentralized smart contracts thing on a blockchain
Deirdre Connolly 8 Jan
Possible solutions:
- change TLS to sign data
- trusted hardware (SGX*)
* welp
Deirdre Connolly
DECO facilitates privacy-preserving proofs about TLS data to oracles and can be used for these smart contracts
Deirdre Connolly 8 Jan
The primary goal is to prove provenance of TLS ciphertext.
Deirdre Connolly 8 Jan
(in zero knowledge)
Deirdre Connolly 8 Jan
The three-party handshake logo is cut off, my apologies
Deirdre Connolly 8 Jan
(That ⭐ operation is an elliptic curve group operation)
Deirdre Connolly 8 Jan
Results in a handshake circuit with AND complexity of ~770k, runs in ~1.40 seconds on a wired network. Plenty fast for DECO.
Deirdre Connolly 8 Jan
So, if this is a proof based on the TLS connection of the data provider, what happens when the data provider gets social engineered or forgets to patch their database backend?
Deirdre Connolly 8 Jan
Q: In the MPC it's broken into two parts, what prevents a malicious input in the second part?
A: This will be caught later on in the protocol, in the proof stage; the two parties commit to their shares beforehand.
Deirdre Connolly 8 Jan
Short break ☕
Deirdre Connolly 8 Jan
Next up is the first symmetric crypto session, starting with "Attacks Only Get Better: The Case of OCB2" by Tetsu Iwata
Deirdre Connolly 8 Jan
"Say you want to encrypt a penguin"
Deirdre Connolly 8 Jan
No authenticity, allowing the ciphertext to be manipulated.
Deirdre Connolly 8 Jan
Nonce changes for every* encryption operation
*except when it doesn't, like when you ask the user to provide a nonce
Deirdre Connolly 8 Jan
GCM, CCM are NIST-certified
IETF ones include GCM, ChaCha20-Poly1305
CAESAR includes 6 more
Some more in the ongoing NIST lightweight crypto competition
Deirdre Connolly 8 Jan
OCB includes 3 versions, nonce-based AE with AD with strong features, including proof of security
Deirdre Connolly 8 Jan
No known vulnerabilities. 'Yet'.
Deirdre Connolly 8 Jan
Result: authenticity attack on OCB2, not related to the underlying block cipher.
Deirdre Connolly 8 Jan
> SJCL affected
Free corgi pix to someone who collects metrics on real world usage of the SJCL in the wild. 🐕
Deirdre Connolly 8 Jan
If we encrypt the same message twice, the nonce will* be different and the ciphertext will be different.
* CAVEAT EMPTOR
Deirdre Connolly 8 Jan
Simplest attack is a minimal forgery (existential forgery): the adversary must know the content of the message; it might not be that important, but it's still not generated by the original sender.
Deirdre Connolly 8 Jan
On its own may not mean much, but can be leveraged into more powerful attacks.