Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency), before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.
The funny one is this realistically proportional figure where the areas of the different circles are representing the number of lines-of-code of each libraries.
The C library is currently awful, so I won't link to it until I get it to a prettier place, but as a proof of concept it shows that this can be achieve in a mere 1,000 lines-of-code. That while supporting the same functionalities of a TLS library and even more. The following diagram is the dependency graph or "trust graph" of an implementation of Disco:
As one can see, Disco relies on Strobe (which further relies on keccak-f) for the symmetric cryptography, and X25519 for the asymmetric cryptography. The next diagram shows the trust graph of a biased TLS 1.3 implementation for comparison:
This was done mostly for fun, so I might be missing some things, but you can see that it's starting to get more involved. Finally, I made a final diagram on what most installations actually depend on:
In this one I included other versions of TLS, but not all. I also did not include their own trust graph. Thus, this diagram is actually less complex that it could be in reality, especially knowning that some companies continue to support SSL 3.0 and TLS 1.0.
I've also included non-cryptographic things like x509 certificates and their parsers, because it is a major dependency which was dubbed the most dangerous code in the world by M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov.
I love Real World Crypto. It's just the best applied crypto conference and a must if you work in the industry and do cryptography. I've tried to cover it many times; here is RWC 2018, RWC 2017 and here is my coverage of RWC 2016. I will be at RWC 2019 because I just won't miss it. It's in San Jose this year. You should go too.
Encrypting a file is hard. I often need to do it to protect confidential data before sending it to someone. Besides PGP (yerk) there doesn't seem to be any light tools to do that easily. The next best option is often to have a common messaging app like Signal. So I made my own. It's called Eureka and it's available in binaries or if you have Golang installed on your device, directly by doing this:
$ go get github.com/mimoo/eureka
It's also 100 LOC. It's just doing a simple job that seems to be missing from most default tooling.
Disco is a specification that once implemented allows you to encrypt sessions (like TLS) and encrypt, authenticate, hash, generate random numbers, derive keys, etc. (like a cryptographic library). All of that usually only needs less than a thousand lines of code.
Here's how you can do it:
1. Strobe. The first step is to find a Strobe implementation (Disco uses Strobe for all the symmetric crypto). Reference implementations of Strobe exist in C and Python, unofficial ones exist in Golang (from yours truly) and in Rust (from Michael Rosenberg). but if you're dealing with another language, you'll have to implement the Strobe specification first!
2. Noise. Read the "How to Read This Document and Implement Disco" section of the Disco specification. What it tells you is to implement the Noise specification but to ignore its SymmetricState and CipherState sections. (You can also ignore any symmetric crypto in there.) You can find Noise libraries in any languages, but implementing it yourself is usually pretty straight forward (here you only really have to implement the HandshakeState).
3. Disco. Once you have that (which should take 500 LOC top), implement the SymmetricState specified by Disco.
I will be at Tamuro tonight. It's a security/crypto meetup where we mostly drink beers and chat.
To know the location you need to solve one of the challenges there summarized here as well:
EASY: Decrypt the cipertext (single byte XOR) to find the GPS coordinates of the next Tamuro London meetup:
6d69766d686f69747568766861686e (hex string)
MEDIUM: Solve the easy challenge without a brute-force method.
I'll personally introduce sponge constructions, Strobe and Disco:
Today, SSL/TLS is the de-facto standard for encrypting communication. While its last version (1.3) is soon to be released, new actors in the field are introducing more modern and better designed protocols. This talk is about the past, the present and the future of session encryption. We will see how TLS led the way, how the Noise protocol framework allowed the standardization of more modern and targeted protocols and how the duplex construction helped change the status quo.
Facebook has released their TLS 1.3 library Fizz in open source. In their post they mention early data (0-RTT):
Using early data in TLS 1.3 has several caveats, however. An attacker can easily replay the data, causing it to be processed twice by the server. To mitigate this risk, we send only specific whitelisted requests as early data, and we’ve deployed a replay cache alongside our load balancers to detect and reject replayed data. Fizz provides simple APIs to be able to determine when transports are replay safe and can be used to send non-replay safe data.
My guess is that either all GET requests are considered safe, or only GET requests on the / route are considered safe.
I'm wondering why they use a replay cache on the other side as this overhead could nullify the benefits of 0-RTT.
They also mention every state transitions being stored in one place, this is true:
I think this is a great idea, which more TLS libraries should emulate. I had started a whitelist of transitions for TLS 1.3 draft 18 here but it's probably outdated.
