salusasecondus / cryptogotchas Goto Github PK

There are multiple meanings of "robust" (https://eprint.iacr.org/2008/440 and https://eprint.iacr.org/2014/793) and AES-GCM meets neither definition.

Additionally, there is the concept of "committing" (see work on eprint by Grubbs and Woodage).

We should expand this point to define what we mean a bit more fully and provide reference links.

People keep messing up domain separation, so we need to talk about it. Things to include are:

• Using explicitly different keys for different domains
• Deriving different keys for different domains
• AAD
• Having some universally parsable portion of the ciphertext which indicates the domain (this is a bad solution, but works)

Separate from keyed functions:

• Different algorithms
• Different prefixes
• Different salts
• etc.

If an adversary can get you to use an arbitrary algorithm, then they can select and insecure or completely broken one.

Create a list of papers/articles/blogs which are good introductions to various topics.

(Note to miscellaneous people. If you have good resources for this list, please link them here.)

• Short summary of different methods (KEM/KEX/???)
• Key Confirmation Impersonation (with link to blog post and possibly link to eprint)
• Unknown key-share attack

Hi, nice collection of gotchas. Here's another suggestion:

An Australian government org created a cryptosystem called PLAID that tried to treat RSA public keys like secret IDs. RSA doesn't guarantee secrecy of public keys, and figuring out the public key from messages is an example of the German Tank Problem: https://eprint.iacr.org/2014/728.pdf (That whole doc is a good read for analysis of real-world cryptosystems.)

Just a neat example of "Only rely on what your primitives explicitly promise."

Actually, you could do a whole section on misuses of RSA :/

People cannot assume that values derived from secrets can be made public unless guaranteed by the specification. For example, the hash of a secret key might reveal overly sensitive information about the key.

Reading list is missing things. Use discussed reading list as a starting point for here.

From #23 and side-discussions, it is clear that the signatures section needs to be fundamentally reorganized.

There was a similar earlier issue which resulted in the "how to read" page, but we still need an easily searchable glossary.

I need a way to easily find short definitions/descriptions of every cryptographic concept I keep bumping into along with links to references (wiki or articles) to help me learn more.

This should be a raw list (rather than narrative) and easily searchable.

We need to pull discussion of keys out to their own section. We should definitely touch upon that a key isn't just the literal bytes but also all of the parameters/etc. needed to use it. (Tink takes this philosophy also). We should also talk about types/permissions/etc. as expressed in PKCS#11 and/or the JDK.

https://loup-vaillant.fr/tutorials/cofactor and many more references.