undefined | Better HN

0 pointstptacek13y ago0 comments

Do you understand why I said a developer who wrote their own block cipher core and plugged it into Keyczar would be more secure than a developer who used AES directly?

If you don't understand, why do you "stand behind your point"? Why don't you instead try asking questions?

Similarly: you wrote none of that stuff about "whitelisting" (whatever it is you mean by that) in your "pledge". You just told developers, "use parameterized queries so you don't have to escape them". And now, when it's pointed out that that's not great advice, you find a way to argue with it?

0 comments

6 comments · 1 top-level

ircmaxell13y ago· 5 in thread

Ok, I'll bite. Why would it be more secure?

Would the following block cipher be more secure than AES?

    function encrypt(block, key) {
        return block XOR key;
    }

tptacekOP13y ago

That block cipher would not in practice be much worse than the cryptosystems developers end up with when they use OpenSSL, its bindings in Python or Ruby, or "javax.crypto" to get AES.

AES in its default block cipher mode can usually be byte-at-a-time decrypted. AES in its "conservative" mode can almost always be byte-at-a-time decrypted when not augmented with another crypto building block that developers invariably forget. When developers don't forget that building block, they often manage to implement it in such a way that it too can by byte-at-a-time broken. AES in its most "modern" mode ends up being exactly as secure as naive XOR when developers use it without understanding its parameters.

On the other hand, if you read the Wikipedia page on Feistel networks and wrote your own --- or if you just used reduced-round FEAL-4 --- but used Keyczar to actually deploy it against real data, all those mistakes I alluded to above would be avoided, and your attackers would have to do real cryptanalysis to attempt to break your application; nobody does that.

Knowing this, you can now see why I'd take issue with the idea that your "Secure Progammer's Pledge" urges people to use "vetted algorithms" to protect data. AES is about as "vetted" as algorithms ever get, and its use in production code by generalist developers is almost always comically insecure.

So: no, that one example turns out not to be more secure than AES, even in Keyczar. The problem is, by itself, it usually turns out not to be less secure either.

blazingice13y ago

As a security researcher (but not necessarily a crypto one), I do not understand this comment.

> AES in its default block cipher mode can usually be byte-at-a-time decrypted.

1. Block ciphers don't have default modes. Implementations might. Does OpenSSL really use ECB as the default mode? (I agree wholeheartedly with you that sensible defaults are extremely important, and so ECB-as-default seems hard to believe.)

2. What does "byte-at-a-time" decrypted mean? You haven't specified the threat or attacker models.

Are you saying that given several million ciphertexts, you can recover the key from AES-ECB? AES-CTR? Does the attacker need side channel acccess? How about given one ciphertext? Or is this a chosen-plaintext or chosen-ciphertext attack?

In short, could you please detail the attack you have in mind?

> AES in its most "modern" mode ends up being exactly as secure as naive XOR when developers use it without understanding its parameters.

As far as I can tell, this is entirely predicated on your later statement that "nobody does [real cryptanalysis]". What is AES's 'most "modern" mode'? Which parameters are you referring to here (key size, mode, any others?)

My guess is that XOR will fall in some small number of hours against someone who cares; AES-128-ECB (as bad as it is) may require many more resources for key retrieval.

For fun, which definition of security are you using to compare cryptosystems?

1 more reply

X-Istence13y ago

How would this change for example if instead of using just plain AES you use AES with a block cipher mode (CTR-BE/CBC/or others just no CBE)?

1 more reply

brohee13y ago

Actually, depending on the mode of operation it may be about as secure as AES in ECB... That's it, not secure at all.

Using a well known algorithm is such a small part of the overall security of a cryptosystem that it makes the call to use only well known algorithms useless by itself. Hence tptacek recommending using proven high level libraries (e.g. OpenSSL's EVP_* family of functions).

tptacekOP13y ago

Whoah. Hold on. OpenSSL EVPxxx claims to be a "high-level interface", but isn't one. Here's some acid tests for high-level libraries:

* Does the library expose block cipher mode choices to callers? It's not high-level.

* Does the library expose IVs to callers? It's not high-level.

* Does the library separate "encryption" from "authentication", offering the choice of doing one without the other? It's not high level.

* Does the library by default allow users to pass in raw buffers as keys? It's not high level.

Don't use OpenSSL directly to do crypto in applications.

2 more replies

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

ircmaxell13y ago· 5 in thread

Ok, I'll bite. Why would it be more secure?

Would the following block cipher be more secure than AES?

    function encrypt(block, key) {
        return block XOR key;
    }

tptacekOP13y ago

That block cipher would not in practice be much worse than the cryptosystems developers end up with when they use OpenSSL, its bindings in Python or Ruby, or "javax.crypto" to get AES.

So: no, that one example turns out not to be more secure than AES, even in Keyczar. The problem is, by itself, it usually turns out not to be less secure either.

blazingice13y ago

As a security researcher (but not necessarily a crypto one), I do not understand this comment.

> AES in its default block cipher mode can usually be byte-at-a-time decrypted.

2. What does "byte-at-a-time" decrypted mean? You haven't specified the threat or attacker models.

In short, could you please detail the attack you have in mind?

> AES in its most "modern" mode ends up being exactly as secure as naive XOR when developers use it without understanding its parameters.

My guess is that XOR will fall in some small number of hours against someone who cares; AES-128-ECB (as bad as it is) may require many more resources for key retrieval.

For fun, which definition of security are you using to compare cryptosystems?

1 more reply

X-Istence13y ago

How would this change for example if instead of using just plain AES you use AES with a block cipher mode (CTR-BE/CBC/or others just no CBE)?

1 more reply

brohee13y ago

Actually, depending on the mode of operation it may be about as secure as AES in ECB... That's it, not secure at all.

tptacekOP13y ago

Whoah. Hold on. OpenSSL EVPxxx claims to be a "high-level interface", but isn't one. Here's some acid tests for high-level libraries:

* Does the library expose block cipher mode choices to callers? It's not high-level.

* Does the library expose IVs to callers? It's not high-level.

* Does the library separate "encryption" from "authentication", offering the choice of doing one without the other? It's not high level.

* Does the library by default allow users to pass in raw buffers as keys? It's not high level.

Don't use OpenSSL directly to do crypto in applications.

2 more replies

j / k navigate · click thread line to collapse