Permanently Deleted

  • gammison [none/use name]
    ·
    edit-2
    4 years ago

    So I do cryptography research (I basically have two hats on this site, cs person, and history of socialism and science person), and the the mathematical constructions for secure group messaging like signal are sound. They work. If you use a signal client that has implemented them properly, your communication will not be intercepted and decrypted all other things equal. It is computationally infeasible. Now this does not mean if someone an adversary infiltrates the group you are good, an infiltrator has access to messages until they are removed and all the keys are refreshed. Nor does it mean your signal client is actually doing what it says its doing. Nor does it mean if your device is compromised you are safe. Nor does it mean metadata is not leaked. Nor, for signal, does it mean the server is actually running signal.

    For TOR, afaik, it has concrete attacks for triangulating users if one party controls a significant portion of TOR nodes. Does one party have that, idk, but it's not cheap to do this even with a single person. The only TOR compromises I'm aware of have been people leaking their own info on the network. It's also open to general attacks if AES is not secure obviously (but that'd be a much bigger problem lol).

    The US govt funding signal and TOR do not mean they are not secure. It's a catch 22 of making mathematically secure communication protocols, if the protocol is out and known, you can't stop someone else from using it. This has actually been a problem in the past because US intelligence game theorists want other nations to know things are secure otherwise their game theory is less accurate. Remember these tools are designed for use in countries that have considerable mathematicians and computer scientists of their own, they're designed to withstand that.

    • eduardog3000 [he/him]
      ·
      4 years ago

      It’s also open to general attacks if AES is not secure.

      We'd have much bigger problems if that was the case.

      • gammison [none/use name]
        ·
        edit-2
        4 years ago

        I have done research on AES cryptanalysis, and let me tell you, it's possibly open to some sort distinguishability attack (telling it apart from the ideal cipher, which doesn't matter much in practice), but we didn't make any progress on actually reversing it or recovering data.

    • NeoAnabaptist [any]
      ·
      4 years ago

      Could you weigh in on the Signal vs. Telegram catfight from a security perspective?

      • gammison [none/use name]
        ·
        edit-2
        4 years ago

        Signal is better than telegram. Telegram makes some odd choices (using proprietery encryption, not end to end encrypting everything by default etc), and signal at least got a formal analysis of all the parts of its protocol and how they interact, and signal chose very normal parameters. Unfortunately the formal analysis showed it was vulnerable to an Unknown Key-Share attack, whereby B can trick A into sending message M to C, such that A believes it has actually sent M to B. Dunno if that got fixed but it most likely did years ago as it's an easy thing to remedy.

        I do know that everyone doing group messaging with end to end encryption is trying to switch to a new standard called MLS, which is still in the finalization phase but offers some neat new security features. Actually, I think MLS is finalized at this point but still in some sort of discussion phase. Once that's done, everyone needs to switch to it that's doing secure group messaging. I've done some work in tangential group messaging stuff, trying to show lower bounds on how much communication is required to restore a corrupted group in particular models.

        Here's the original MLS draft: https://tools.ietf.org/id/draft-barnes-mls-protocol-00.html

        Also, here is a good answer regarding signal and telegram. I don't know how outdated this is though, I don't really work with either that much.

        • Civility [none/use name]
          ·
          edit-2
          4 years ago

          I'm struggling to understand what new vulnerabilities the Unknown Key-Share attack introduces. Like, if B wanted to/was coerced into just letting C read and write their messages to and from A, or hand their keys over to C and forget them themself that was always already an option for B.

          Would you mind elaborating?

          • gammison [none/use name]
            ·
            edit-2
            4 years ago

            It's a bit esoteric, the point is that A can be tricked into thinking it sent a message to someone, but in actuality it was sent to someone else without C needing to coerce anything to B. Like there's a series of mathematically precise steps done, without violating the protocol (well it's a violation but not a noticeable one). The attacker here is presumed to be computationally bounded. We're not modeling a scenario where C can go and break Bs legs for the keys. C is not even the attacker here, B is. B does not actually even get the key in this attack, they trick A into sending it to C without needing any private information from C. The important part is that from As perspective, without violating the protocol, they don't know they shared keys with the wrong person. Also note I'm like 90 percent sure this got fixed years ago.

            From the paper: Suppose Bart (Pb) wants to trick his friend Milhouse (Pa). Bart knows that Milhouse will invite him to his birthday party using TEXTSECURE (e.g., because Lisa already told him). He starts the UKS attack by replacing his own public key with Nelsons (Pe) public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered, as that requires less effort than restoring an encrypted backup of the existing key material. Now, as explained in more detail below, if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse (Pa) believes that he invited Bart (Pb) to his birthday party, where in fact, he invited Nelson (Pe).

            • Civility [none/use name]
              ·
              4 years ago

              Thanks!

              I think I get it now.

              So the problem is B is essentially forging A's private key by redirecting A's messages to whoever they want to while A thinks they're sending them to B and C thinks the messages are directly from A and has no idea about Bs involvement?

              • gammison [none/use name]
                ·
                4 years ago

                It's not forging the key, they can't make their own messages, or even read the messages A sent them that they're redirecting. Everything else, yeah that's pretty much right.

    • AliceBToklas [she/her]
      ·
      4 years ago

      With TOR I thought there was a thing where it was kinda assumed that US intelligence was running enough of the TOR endpoints that the whole network had a false sense of security; has that ever been addressed?

      • gammison [none/use name]
        ·
        edit-2
        4 years ago

        So with the number of hops (i.e layers of the onion), I would say it's unlikely you go over a route where every single entry and exit is controlled by the US govt. If they don't have the whole route, they can't unwrap every layer of encryption, as even a single AES encrypted layer is considered unfeasible right now. From the perspective of a user on the network, there's no way to tell who owns what nodes though. The ability for say the NSA to do a tracing attack is debated among the field but it's possible theoretically.

        AFAIK no one has ever been identified by unraveling their whole route. Rather it's always been leaking personal info while on TOR, like using TOR to do something very close to where you are, and well there's not many TOR connections coming from any single area so that narrows it down a lot. I have heard of cases with the FBI at least of them complaining in court and email released via FOIA requests that if someone had not leaked info that way they would never found the person, you can choose to believe that or not.

        • AliceBToklas [she/her]
          ·
          4 years ago

          IIRC it was an attack based around deductive assumptions from controlling a preponderance of the endpoints, definitely not actually stripping encryption or going through all the anonymizing hops. I was looking for anything that might help me remember what it was but all I can find is an attack from this year with 25% of endpoints stripping SSL to rewrite bitcoin transfer addresses lol

    • the_minority_retort [he/him, any]
      arrow-down
      1
      ·
      4 years ago

      With quantum getting more feasible, I’d imagine it’s almost without question that some parts of the government can use that to break AES. To me the question is really one of throughput — if they can only break, say, one a day, they won’t bother doing that for a small potatoes Signal convo between people planning a protest, or something.

      If it’s more like 100 million a day, though, It’s definitely time to start getting more worried...

      • gammison [none/use name]
        ·
        edit-2
        4 years ago

        Well AES is actually believed to be quantum resistant for any reasonable attack (however we have no proof). RSA and other factoring based key exchanges are not secure, however we already have quantum resistant lattice algorithms ready to go. IMO breaking a single in use Diffie Helman key exchange algorithm with a quantum computer is still at least 6-10+ years away.