Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.


# Is there any particular reason to use Diffie-Hellman over RSA for key exchange? posted December 2014

I was wondering why RSA was used in the SSL handshake, and why Diffie-Hellman was used instead in a Perfect Forward Secrecy scheme.

http://security.stackexchange.com/questions/35471/is-there-any-particular-reason-to-use-diffie-hellman-over-rsa-for-key-exchange

There is, however, an advantage of DH over RSA for generating ephemeral keys: producing a new DH key pair is extremely fast (provided that some "DH parameters", i.e. the group into which DH is computed, are reused, which does not entail extra risks, as far as we know). This is not a really strong issue for big servers, because a very busy SSL server could generate a new "ephemeral" RSA key pair every ten seconds for a very small fraction of his computing power, and keep it in RAM only, and for only ten seconds, which would be PFSish enough.


# Transform your messages into spam! posted December 2014

When you encrypt your mail through PGP or GPG it's great. But people can tell you're sending an important email. What if you could encrypt your message to something innocent? This is what spammimic does. It transforms your message into a spam message so no one can guess it's a legit message! This idea is so neat.

There is tons of spam flying around the Internet. Most people can't delete it fast enough. It's virtually invisible. This site gives you access to a program that will encrypt a short message into spam. Basically, the sentences it outputs vary depending on the message you are encoding. Real spam is so stupidly written it's sometimes hard to tell the machine written spam from the genuine article.

The encrypted messages look like this:

Dear Friend ; Thank-you for your interest in our publication
. If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1626 ; Title
3 , Section 308 . THIS IS NOT MULTI-LEVEL MARKETING
. Why work for somebody else when you can become rich
as few as 10 WEEKS ! Have you ever noticed more people
than ever are surfing the web plus nearly every commercial
on television has a .com on in it ! Well, now is your
your orders within seconds and deliver goods right
to the customer's doorstep ! You are guaranteed to
succeed because we take all the risk . But don't believe
us ! Prof Simpson who resides in Illinois tried us
and says "Now I'm rich, Rich, RICH" . This offer is
100% legal ! We BESEECH you - act now . Sign up a friend
and you'll get a discount of 20% . God Bless ! Dear
Friend , Especially for you - this amazing news ! We
will comply with all removal requests . This mail is
being sent in compliance with Senate bill 1618 ; Title
2 , Section 301 . This is not multi-level marketing
! Why work for somebody else when you can become rich
in 58 weeks ! Have you ever noticed people will do
almost anything to avoid mailing their bills plus most
everyone has a cellphone ! Well, now is your chance
and increase customer response by 170% ! You are guaranteed
to succeed because we take all the risk . But don't
believe us . Mr Jones of Georgia tried us and says
"Now I'm rich many more things are possible" ! This
offer is 100% legal ! So make yourself rich now by
get a discount of 60% . Best regards !

# Real Life side-channel attacks posted December 2014

Some funny slides from Vitaly Shmatikov on side-channel attacks: http://www.cs.utexas.edu/~shmat/courses/cs361s/sidechannels.pdf

So you can tell what someone is typing just by analyzing the sound of the fingers on the keyboard, from a certain distance.

If you observe someone typing at his computer from an outside window, you can analyze the reflections in many objects (glass teapots, plastic bottles, spoons!!! and even eyes).

Like we weren't worried enough.


# Network/Software Security posted December 2014

I was trying to find some info about the heap and malloc (for level 14 of Microcorruption) when I ran into some very good videos from the Infosec Institute. I cannot find the name of the speaker, but damn he's so good I just lost 2 hours of my life watching his videos about nmap, pentesting, Metasploit, and so on...

Here is his video on Heap Overflow:

And his talks are on several different YouTube channels. I don't know how legit this is, and if someone can find the name of that guy I would love to know more about him. More from him: Advanced Recon, Advanced Exploitation, and so on...


# Pandoc: Markdown -> LaTeX posted December 2014

I just turned in my cryptanalysis project: A Linear Cryptanalysis of A5/2 with Sage. I had to write a report in LaTeX.

Now I have to finish the challenges over at Microcorruption and produce a write up in LaTeX as well.

Well, LaTeX is awful as a writing syntax. I'd rather focus on writing with John Gruber's excellent Markdown syntax and then later convert it to LaTeX. And Pandoc does just that! It's magic. Now that I have all my .md files, I concatenate them with a quick Python script:

```python
# Concatenate 1.md ... 14.md into rapport.md, separating the chapters with a blank line.
output = ""
for ii in range(1, 15):
    with open(str(ii) + ".md", "r") as markdown:
        output += markdown.read()  # append this chapter's text
    output += "\n\n"

with open("rapport.md", "w") as output_file:
    output_file.write(output)
```

A bit of Pandoc magic and voilà! I have a beautiful .tex file.

Now let's finish Microcorruption (or at least try :D it's getting pretty hard).

PS: I use Markdown for everything. This blog is written in Markdown and then converted to HTML. I'm also writing a book in Markdown. Well Markdown is awesome.


# Format String, Heap Overflow posted December 2014

In my Software Security class, which looks like a continuous game in assembly, we're now learning format string and heap overflow attacks through Protostar, a set of challenges on those attacks. It's a nice addition to crackmes and Microcorruption.


# Forward Secrecy posted December 2014

I was asked during an interview how to build a system where Alice could send encrypted messages to Bob. And I was asked to think out loud.

So I imagined a system where both Alice and Bob would have a set of (public key, private key). I thought of RSA, as they all use RSA, but ECIES (Elliptic Curve Integrated Encryption Scheme) would be more secure for smaller keys. Although here ECIES is not a "pure" asymmetric encryption scheme, and ElGamal with ECs might be better.

Once one wants to communicate, he could send a "hello" request and a handshake protocol could take place (to generate a symmetric encryption key, called a session key in this case).

I imagined that two session keys would be generated by each end, a different set of keys depending on the direction: one for encrypting the messages and one for making the MAC (which would then be appended to the encrypted message, so we EtM (Encrypt-then-MAC)).

Then those keys would be encrypted with the public signature of the other one and sent over the wire like this. And let's add a signature so we can get authentication and they also won't get tampered with. Let's use ECDSA (Elliptic Curve Digital Signature Algorithm) for that.

Although I'm wondering if having two symmetric keys for encrypting messages according to the direction is really useful.

I was then asked to think about renewal of keys. Well, the public keys of Alice and Bob are long-term keys, so I didn't bother with that. What about the symmetric keys? What about their TTL (Time To Live)?

My interviewer was nice enough to give me some clues: "It depends on the quantity of messages you encrypt in that time also."

So I thought: why not use AES in CTR mode, so that after a certain number of iterations we would just regenerate the symmetric keys?
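To make the design above concrete, here is an added example (my code, not part of the original post) of the session layer it describes: a separate (encryption key, MAC key) pair per direction, Encrypt-then-MAC on every message, and a key "epoch" that rolls over after a fixed number of messages so the symmetric keys get regenerated. It uses only the Python standard library, so a few things are stand-ins: the CTR-mode cipher is HMAC-SHA256 run in counter mode in place of AES-CTR (the stdlib has no AES), the shared secret is a constructed constant in place of the handshake output, and `REKEY_AFTER`, the direction labels and the salt are constructed values chosen to keep the epoch change visible.

```python
"""Encrypt-then-MAC session with per-direction keys and counter-based rekeying.

Constructed example, not code from the original post. Standard library only:
the keystream is HMAC-SHA256 in counter mode, standing in for AES-CTR; the
shared secret stands in for the handshake output; REKEY_AFTER is deliberately
tiny so that the rekey happens within a handful of messages.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
TAG_LEN = 32
REKEY_AFTER = 4                                      # messages per key epoch (constructed)
SHARED_SECRET = b"constructed-handshake-output-32B"  # constructed stand-in for the handshake result

A2B, B2A = b"alice->bob", b"bob->alice"              # direction labels bound into keys and MACs


def hkdf(secret, salt, info, length):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, secret, HASH).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def direction_keys(shared_secret, direction, epoch):
    """(enc_key, mac_key) for one direction and one key epoch.

    Binding the direction into `info` gives each side its own pair; bumping the
    epoch yields unrelated keys, i.e. the symmetric keys are regenerated after
    a fixed number of messages.
    """
    info = b"session-keys|" + direction + b"|" + struct.pack(">Q", epoch)
    material = hkdf(shared_secret, b"constructed-salt", info, 64)
    return material[:32], material[32:]


def keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (AES-CTR stand-in)."""
    out, block_no = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block_no), HASH).digest()
        block_no += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(shared_secret, direction, seq, plaintext):
    """Encrypt-then-MAC one message: seq(8) || ciphertext || tag(32).

    `seq` is the per-direction message counter. It doubles as the CTR nonce
    (unique within an epoch) and selects the epoch via seq // REKEY_AFTER.
    """
    enc_key, mac_key = direction_keys(shared_secret, direction, seq // REKEY_AFTER)
    header = struct.pack(">Q", seq)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, header, len(plaintext)))
    tag = hmac.new(mac_key, direction + header + ciphertext, HASH).digest()
    return header + ciphertext + tag


def open_message(shared_secret, direction, expected_seq, msg):
    """Check the sequence number and the MAC before touching the ciphertext."""
    if len(msg) < 8 + TAG_LEN:
        raise ValueError("message too short")
    header, ciphertext, tag = msg[:8], msg[8:-TAG_LEN], msg[-TAG_LEN:]
    (seq,) = struct.unpack(">Q", header)
    if seq != expected_seq:
        raise ValueError("unexpected sequence number (replayed or reordered message)")
    enc_key, mac_key = direction_keys(shared_secret, direction, seq // REKEY_AFTER)
    expected_tag = hmac.new(mac_key, direction + header + ciphertext, HASH).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("MAC check failed")
    return xor_bytes(ciphertext, keystream(enc_key, header, len(ciphertext)))


def rejects(shared_secret, direction, expected_seq, msg):
    """True if `msg` is refused; used to show that tampering and replay are caught."""
    try:
        open_message(shared_secret, direction, expected_seq, msg)
    except ValueError:
        return True
    return False


def demo():
    """Alice sends six messages; Bob decrypts them, and the keys roll over at seq 4."""
    plaintexts = [b"msg %d" % i for i in range(6)]
    received = [open_message(SHARED_SECRET, A2B, i, seal(SHARED_SECRET, A2B, i, p))
                for i, p in enumerate(plaintexts)]
    epoch_changed = (direction_keys(SHARED_SECRET, A2B, 3 // REKEY_AFTER)
                     != direction_keys(SHARED_SECRET, A2B, 4 // REKEY_AFTER))
    return received == plaintexts, epoch_changed


if __name__ == "__main__":
    print(demo())  # → (True, True)
```

Two details go slightly beyond the post's sketch: the MAC covers the direction label and the sequence number as well as the ciphertext, and the receiver insists on the sequence number it expects, so a message replayed, reordered or reflected into the other direction is rejected before any decryption happens. Since the sequence number also selects the key epoch, both ends rotate keys at the same point without exchanging anything extra.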