Hanno Böck
55 followers|8,417 views

Hanno Böck

Shared publicly  - 
Peer review is often described as one of the cornerstones of good science. The idea is simple: Before a scientific work is published it is reviewed by at least two people from the same field and they decide if it is worth publishing. Peer review is widely seen as the thing that distinguishes ...

Hanno Böck

Shared publicly  - 
 
I tested LibreSSL on Gentoo https://blog.hboeck.de/archives/851-LibreSSL-on-Gentoo.html

Portage overlay is available: https://svn.hboeck.de/libressl-overlay/

Test webpage https://tlsfun.de/ now runs with LibreSSL and supports ChaCha20-Poly1305 ciphers.

Hanno Böck

Shared publicly  - 
 
I did some tests with TLS and nonsense parameters for Diffie Hellman key exchanges.

Here are the online tests for browsers (WARNING: can crash Chrome/Chromium):
https://dh.tlsfun.de/

Blog entry:
http://blog.hboeck.de/archives/841-Diffie-Hellman-and-TLS-with-nonsense-parameters.html
tl;dr A very short key exchange crashes Chromium/Chrome. Other browsers accept parameters for a Diffie Hellman key exchange that are completely nonsense. In combination with recently found TLS problems this could be a security risk. People who tried to access the webpage https://demo.cmrg.net/ ...
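As an added example (not code from the post or the linked blog), the kind of sanity check a TLS client can apply to the server's Diffie-Hellman parameters before using them; the minimum prime size and the Miller-Rabin round count are assumptions chosen here:

```python
# Added example, not from the post or the linked blog: sanity checks a TLS
# client could run on the Diffie-Hellman parameters (p, g, Ys) a server sends
# in ServerKeyExchange before using them. The minimum size and the number of
# Miller-Rabin rounds are assumptions chosen here, not values from the post.
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; False for composites, True for probable primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(p, g, ys, min_bits=1024):
    """Return the reasons to reject the server's parameters (empty = accept)."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("p too short: %d bits" % p.bit_length())
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not 1 < g < p - 1:
        problems.append("g out of range")
    if not 1 < ys < p - 1:
        problems.append("Ys out of range")
    return problems
```

A client that rejects on any non-empty result never feeds a tiny or composite modulus to its modular exponentiation code.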

Hanno Böck

Shared publicly  - 
 
thanks for the praise :-)
 
Crypto is hard - let's check your implementation

TL;DR: Implementing cryptography securely is hard. To judge whether a service built on a cryptosystem is secure, it is not enough to believe the vendor's promises. Secure services have disclosed their implementation and had it reviewed by third parties.

Paradoxically, secure cryptography only works with a great deal of transparency, because the security does not come from keeping the implementation secret (quite the opposite!), but from keeping the keys secret.

An excellent article by +Hanno Böck, freelance journalist, on Golem.
A host of encrypted messenger services such as Threema are currently courting users who are looking for alternatives after Facebook's acquisition of WhatsApp. Scepticism is warranted.

Hanno Böck

Shared publicly  - 
 
Wrote a long blog post explaining the latest problems with SSL/TLS and what I think we need to do next:
Dancing protocols, POODLEs and other tales from TLS
https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html

Hanno Böck

Shared publicly  - 
 
I think a fast and secure stream cipher for TLS is desperately needed and Salsa20 seems a natural choice.

However, if I read your definition right you intend to do mac-then-encrypt in your proposal. That's most likely a terrible idea. All the trouble the CBC modes in TLS had (padding oracle, BEAST attack etc.) was due to the wrong use of mac-then-encrypt. You get all kinds of possible timing problems and even if you try to avoid them, I'd bet someone will come up with an implementation that will bring us back some variant of these attacks.

One option is to use mac-then-encrypt, however the general conclusion from most cryptographers seems to be that protocol designers shouldn't bother mixing mac and encryption at all, instead they should use well established authenticated encryption standards. However, right now I don't know if there's any AEAD-standard that can be used in conjunction with a stream cipher like salsa20.

Letting the experts speak, Matthew Green proposes to use salsa20 with a construction called poly1305:
http://blog.cryptographyengineering.com/2012/10/so-you-want-to-use-alternative-cipher.html
I'm not familiar with that one, but certainly these questions should be answered before having a TLS standard.

Having a mac-then-encrypt-construction would be almost certainly a mistake and repeating the mistakes of the 90s that gave us so much trouble lately with TLS.
3 comments

Nikos Mavrogiannopoulos:
+Hanno Böck For your first question, you may want to check Krawczyk's paper at http://www.iacr.org/archive/crypto2001/21390309.pdf and more specifically his Theorem 4, where he proves this construction correct. As it is now, only the TLS' CBC construction has issues with mac-then-encrypt method.

As I work as a security researcher in http://www.esat.kuleuven.be/scd/?view=cosic I had the opportunity to discuss the draft with colleagues that are considered experts in the field. Of course no document or proposal is perfect and we don't expect anyone to trust us blindly. We present a proposal and argumentation and we make it public so we can receive comments and criticism.

UMAC was selected for being an older and more studied construction, but poly1305 could have been an option too (in fact this is one of the main comments received so far).
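The two compositions argued over in the post and the reply, side by side, as an added example that is not code from either participant: it shows the structural difference that matters, namely whether the receiver verifies the tag before or after it decrypts. The keystream is an HMAC-SHA256 counter construction standing in for Salsa20 (assumed here because Salsa20 is not in the Python standard library), and the keys, nonce and message are constructed values.

```python
# Added example, not from the thread: MAC-then-encrypt and encrypt-then-MAC
# over a stream cipher. The keystream is an HMAC-SHA256 counter construction
# standing in for Salsa20 (assumption); keys, nonce and messages are constructed.
import hmac, hashlib

TAG_LEN = 32  # HMAC-SHA256 output length

def keystream(key, nonce, length):
    """Stand-in stream cipher: concatenated HMAC-SHA256(key, nonce||counter)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

# MAC-then-encrypt: the tag covers the plaintext, then plaintext||tag is encrypted.
def mte_seal(ek, mk, nonce, msg):
    body = msg + mac(mk, nonce + msg)
    return xor(body, keystream(ek, nonce, len(body)))

def mte_open(ek, mk, nonce, ct):
    # The receiver must decrypt before it can verify anything.
    body = xor(ct, keystream(ek, nonce, len(ct)))
    msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(mac(mk, nonce + msg), tag):
        return None
    return msg

# Encrypt-then-MAC: the tag covers the ciphertext, so a forged record is
# rejected before the decryption code touches any attacker-controlled bytes.
def etm_seal(ek, mk, nonce, msg):
    ct = xor(msg, keystream(ek, nonce, len(msg)))
    return ct + mac(mk, nonce + ct)

def etm_open(ek, mk, nonce, ct):
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(mac(mk, nonce + body), tag):
        return None
    return xor(body, keystream(ek, nonce, len(body)))

def flip_bit(data, index):
    """Corrupt one bit, as a tampering test input."""
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]
```

With a stream cipher both variants reject a tampered record outright, which is the situation Krawczyk's result covers; the padding and timing trouble the post mentions comes from combining MAC-then-encrypt with a block mode that needs padding.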
Introduction
See blog at
http://www.hboeck.de/