crypto101 / book Goto Github PK

Perhaps move/edit "There is an obvious flaw with it" to the end of the paragraph: "But this scheme actually presents a huge security flaw."

It didn't appear to be an obvious flaw until after I read the Visual Inspection section and saw the image examples.

We should explain Tahoe-LAFS as a complete cryptosystem. It has lots of cool tidbits including being distributed and being an object-capability system; as a consequence, it puts it to people that key pairs can be a lot more than a (human or human-constructed) identity.

Right now, we assume key derivation just means "the thing you use when someone gives you a password and you want to store it securely". It can also mean "that thing you use when you want to turn a DH secret into an encryption + MAC key", or "that thing you use to do key cycling but you don't have any new secret bits".

These should probably go in the signatures section, near the end.

The GCM mode thing appears to end in a stub:

*** <<<GCM mode>>>

GCM mode is an \gls{AEAD mode} with an unfortunate case of RAS
syndrome (redundant acronym syndrome): GCM itself stands for "Galois
Counter Mode". It is formalized in a NIST Special
Publication\cite{gcm} and roughly boils down to a combination of
classical CTR mode with a \gls{Carter-Wegman MAC}. That MAC can be
used by itself as well, which is called \gls{GMAC}.

**** Authentication

GCM mode (and by extension GMAC)

Paper: http://eprint.iacr.org/2009/241

The current version of the book cites RSA Labs which talks about relative required key sizes for the RSA problem (solved with GNFS) versus an elliptic curve variant (solved using some unnamed sqrt(n) algorithm). We're using this for DH, even though it's obviously not about DH. There's a footnote clarifying that EC vs classic DH has a similar work factor, but it'd be cool if we had a real citation for this instead of just a handwave.

Candidates:

• HMAC
• UMAC

Replace "ofr" with "for":

"it will probably continue to be used ofr many years to come"

"it will probably continue to be used for many years to come"

Instead of: "Decryption, is, obviously, the inverse construction."

Consider: "Decryption is the inverse of construction."

Right now external links like URLs are just links. That's great when the output format is a PDF, but sucks when the output format (eventually) is dead tree.

Basically, illustrate the obvious meet-in-the-middle attack on 2DES. Right now we just pretend that it's because 3DES gives an obvious way to have the same hardware be compatible with old single DES (k1=k2=k3), but that's not really the main reason.

For slight increase in readability / flow:

Instead of:
"That's a huge number, consisting of 39 digits, a number large enough that trying all combinations is considered impossible. This attack allows them to do it in at most"

Consider:
"That's a huge number—consisting of 39 digits. It's so large that trying all combinations is considered impossible. This attack, however, allows them to do it in at most"

Perhaps spell out what the acronym "BEAST" stands for.

I'm not sure I understood what was being communicated through the conclusion...

Maybe the items listed below can be clarified?
"none of these issues apply"--what issues was this referring to?
"We can discover many things about the data"--wasn't sure if this was a good or bad thing.
"Real world block ciphers obviously have many more limitations."--compared to which other limitations?

We should explain HMAC.

Consider moving (b) to the end of the image series. Does it make more sense to progress from non idealized to idealized?

http://www.ecrypt.eu.org/documents/D.SPA.20.pdf chapter 7 gives a nice table to equate human-recognizable entities to security levels.

In the part about BEAST it suggests that IVs should be truly random. That's not true. They have to be unpredictable. The fact that IVs should be unpredictable should be in the paragraph where we first introduce IVs, as well.

"but the fundamental problem still remains"

Can you reiterate the fundamental problem? At this point in the reading, I'm unclear as to what it is...

Instead of: "As you can see, the situation gets slightly "better" with"

Consider:
"As you can see, the original plaintext image is slightly better encrypted with"

Instead of: "Initialization vectors come back in many other algorithms."

Did you mean: "Initialization vectors appear in many other algorithms."

IV = Initialization Vector

They are in the acronym list, and the HMAC section expects you to know what those words mean in order to understand the security proof.

Consider:
"If the properties of the block cipher hold, then solely within this stream, an attacker still wouldn't be able..."

5.2, 8th paragraph: "Using ECB mode with a plaintext consisting of an attacker-controlled part followed by some secret data, allows the attacker to decrypt a block's worth of that secret data"

I found myself having a bit of trouble comprehending the above paragraph.

Would it thus be helpful to remove this paragraph and instead place tail end of it after the formula?
i.e.
"C=ECB(Ek, A || S)
This allows the attacker to decrypt a block's worth of secret data"

Would it be more helpful to define the acronym ECB here as opposed to section 5.3?

Right now the PGP section is pretty much just the web of trust.

We should explain why e.g. SHA2(prefix + something) isn't a secure MAC.

We could also add that it can be a secure MAC under most SHA3-era hashes, but I feel bad suggesting it over HMAC.

"Only the first block size is realistic"

Perhaps consider calling out the first block size, i.e. "Only the first block size (c)" is realistic."

I was unsure of which image the 'first block size' referred to.

Instead of: "We then visually inspect"

Consider: "We'll then visually inspect..."

It seems to conform with the style used in the prior sentence.

Would it be helpful if this paragraph were removed? Wasn't sure what it added to the conceptual understanding that wasn't already stated or that couldn't be quickly grokked by the image example.

If not, consider:

Instead of: "Because identical blocks of pixels in the input map to"

Perhaps consider: ""Because identical blocks of pixels in the input will map to"

I got confused thinking this was one concept--an "input map".

This should be in the RSA pitfalls section.

"But AES is the workhorse of modern block ciphers:"

Consider replacing ":" with "—"

"But AES is the workhorse of modern block ciphers—it can't be at fault, certainly not because"

They are described here: https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html

Consider defining "ECB" in the beginning of section 5.2

Examples: