salusasecondus / cryptogotchas
A collection of common (interesting) cryptographic mistakes and learning resources.
License: Other
There are multiple meanings of "robust" (https://eprint.iacr.org/2008/440 and https://eprint.iacr.org/2014/793) and AES-GCM meets neither definition.
Additionally, there is the concept of "committing" (see work on eprint by Grubbs and Woodage).
We should expand this point to define what we mean a bit more fully and provide reference links.
People keep messing up domain separation, so we need to talk about it. Things to include are:
Separate from keyed functions:
If an adversary can get you to use an arbitrary algorithm, then they can select an insecure or completely broken one.
Create a list of papers/articles/blogs which are good introductions to various topics.
(Note to miscellaneous people. If you have good resources for this list, please link them here.)
Hi, nice collection of gotchas. Here's another suggestion:
An Australian government org created a cryptosystem called PLAID that tried to treat RSA public keys like secret IDs. RSA doesn't guarantee secrecy of public keys, and figuring out the public key from messages is an example of the German Tank Problem: https://eprint.iacr.org/2014/728.pdf (That whole doc is a good read for analysis of real-world cryptosystems.)
Just a neat example of "Only rely on what your primitives explicitly promise."
Actually, you could do a whole section on misuses of RSA :/
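As an added illustration of the PLAID point above (example code written for this page, not part of the cryptogotchas repository or the linked paper): values uniform in [0, N) pin down N from their maximum alone, which is why ciphertexts under a "secret" RSA key leak the modulus. The modulus size, sample count, RNG seed and the use of uniform random values as a stand-in for ciphertexts are constructed assumptions.

```python
"""Added example, not code from the cryptogotchas repository: why an RSA
modulus cannot double as a secret. RSA ciphertexts of random messages are
effectively uniform in [0, N), so a handful of them estimate N via the
German Tank Problem. Modulus size, sample count and seed are constructed."""
import random


def german_tank_estimate(samples):
    """Minimum-variance unbiased estimate of N for k values drawn uniformly
    from 0..N-1: N_hat = m + m/k - 1, where m is the largest value counted
    1-based (so max(samples) + 1) and k the number of observations."""
    k = len(samples)
    m = max(samples) + 1
    return m + m // k - 1


def relative_error(estimate, true_n):
    """|N_hat - N| / N, to judge how tightly the samples pin down N."""
    return abs(estimate - true_n) / true_n


def simulate_modulus_leak(modulus_bits=2048, k=100, seed=7):
    """Stand-in for a protocol that encrypts random values under a supposedly
    secret RSA key: draw a constructed 'modulus' n and k uniform values below
    it (a proxy for ciphertexts), then recover n from those values alone."""
    rng = random.Random(seed)
    n = rng.getrandbits(modulus_bits) | (1 << (modulus_bits - 1))
    observed = [rng.randrange(n) for _ in range(k)]
    estimate = german_tank_estimate(observed)
    return n, estimate


if __name__ == "__main__":
    n, est = simulate_modulus_leak()
    print(f"true n has {n.bit_length()} bits; estimate is off by "
          f"{relative_error(est, n):.3%} after 100 observations")
```

The classic four-observation case (1-based serials 19, 40, 42, 60) gives the textbook estimate 74; with 100 observations the constructed 2048-bit modulus is recovered to within a few percent, far tighter than any notion of secrecy.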
People cannot assume that values derived from secrets can be made public unless guaranteed by the specification. For example, the hash of a secret key might reveal overly sensitive information about the key.
The reading list is missing things. Use the previously discussed reading list as a starting point here.
From #23 and side-discussions, it is clear that the signatures section needs to be fundamentally reorganized.
There was a similar earlier issue which resulted in the "how to read" page, but we still need an easily searchable glossary.
I need a way to easily find short definitions/descriptions of every cryptographic concept I keep bumping into along with links to references (wiki or articles) to help me learn more.
This should be a raw list (rather than narrative) and easily searchable.
We need to pull discussion of keys out to their own section. We should definitely touch upon that a key isn't just the literal bytes but also all of the parameters/etc. needed to use it. (Tink takes this philosophy also). We should also talk about types/permissions/etc. as expressed in PKCS#11 and/or the JDK.
https://loup-vaillant.fr/tutorials/cofactor and many more references.