Hacker News new | past | comments | ask | show | jobs | submit login
An Overview of Cryptography (garykessler.net)
332 points by miles 8 days ago | hide | past | web | favorite | 32 comments

"This scheme also provides nonrepudiation since it proves that Alice sent the message; if the hash value recovered by Bob using Alice's public key proves that the message has not been altered, then only Alice could have created the digital signature."

This is a common misconception.

Just because a signature verifies under Alice's public key, it does not necessarily imply Alice generated the signature. For many common signature schemes, if Bob makes a signature using their public/private key, Alice can produce a different private/public key such that Bob's signature will verify under Alice's key.

Paper (we) wrote on the impacts of this: https://eprint.iacr.org/2019/779

LetsEncrypt was vulnerable to this exact attack - it let people issue valid TLS certificates for domains they didn't control:


We discuss this exact attack (and blog post) in Section 5.1 of the paper :).

IIRC: it was missed by both an academic analysis of LE and a 3rd party audit of their crypto design. Thankfully Andrew spotted it a few weeks before they went live in major browsers!

In particular, see also this 2005 paper by Thomas Pornin: http://www.bolet.org/~pornin/2005-acns-pornin+stern.pdf

EDIT: Looks like this paper is also already included in the list of citations for the 2019 paper :)

This is also a Cryptopals exercise in Set 8:


The first time I heard of this bug was through the Another Look series where it was called DSKS.

> In the process, we find new attacks on DRKey and SOAP's WS-Security, both protocols which were previously proven secure in traditional symbolic models.

Does that mean the previous proofs were wrong? or that they proved a narrower version of "secure" that didn't include those particular attacks?

The latter. The tools in question (Tamarin and ProVerif) use a model of signatures that goes back to 2000/2001 which is around when these key substitution properties were discovered. Consequently, they were missed from the models and because the properties themselves aren't that well known, it took a while before it was noticed.

Btw you don’t mention repudiation in there, but would you say it makes sense to say that most signature scheme actually don’t provide non-repudiation?

It depends what you consider to be non-repudiation!

With key substitution, you have a signature that can verify under multiple public keys. However, each key was either honestly generated and used to sign the message, or was maliciously generated and intended to appear to have signed the message.

In this sense, the party associated with each public is indisputably associated with the corresponding signature.

However, this gets a bit more confusing with message key substitution (two public keys, two messages, one signature) or colliding signature (one public key, any number of messages, one signature). For example, a malicious party might produce a signature which is valid for any message. Does the fact that they've "signed everything" mean they can repudiate having signed anything? (The connection between intent to sign and the signature has arguably been lost).

We do discuss these other properties in the paper, but we don't really delve into non-repudiation in the informal sense.

It’s also worth pointing out that non-repudiation requires stronger properties than cryptography alone can guarantee. If I surreptitiously leak my private key onto the internet I can later plausible deny that I signed messages. (The Signal protocol deliberately leaks old MAC keys for this reason).

If you really want non-repudiation then you have to have hardware, legal, and procedural controls in place.

I may be misunderstanding the author's use of terms here, but this seems wrong (section 3.1):

> A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher.

A block cipher will turn the same plaintext into the same ciphertext only if you're using it with the ECB mode; otherwise, the same plaintext in different places with the same key will encrypt into different ciphertext.

If he means "key" in the sense of "final thing that gets XORed to make the ciphertext", then that's true, but then it's equally true of stream ciphers as well.

I took this to mean "in the simple case" (which would be ECB), but the wording could be improved here to make that clearer.

Right, especially since a few paragraphs down, he introduces all the different modes, including ECB.

To me at least, it makes sense to introduce a complex topic gradually, in stages. But regardless, I still agree that the wording in the paragraph you called out could be improved for better clarity.

Sorry to keep hammering on this, but ...

I don't know in what context it would be reasonable even as a simplification to say that block ciphers are semantically insecure like that. Anyone who listed that as a disadvantage to block ciphers should be regarded as confused, not speaking from a big picture perspective.

Furthermore, even if you're going to explain it that way as a result of building up the complexity gradually, you need to explicitly "unring" that bell, e.g. "Earlier I said X, but actually Y...". This author didn't.

Cryptography was both my favorite topic in school and the one that cemented my realization in that I wasn't good enough to do math for a living.

Shameless plug: I’ve been writing my own introduction for students/developers/consultants/... and you can read it online for free it seems (or at least some chapters): https://www.manning.com/books/real-world-cryptography

The Bleeding Edge section has much on the current status of post-quantum attempts?

Side note: Diffie-Hellman predates RSA. I attended a talk by Rivest once, where he vividly described how that paper triggered them into exploring whether public key crypto was really possible or not. They ended up constructing RSA from those sessions.

"In many of the descriptions below, two communicating parties will be referred to as Alice and Bob; this is the common nomenclature in the crypto field and literature to make it easier to identify the communicating parties. If there is a third and fourth party to the communication, they will be referred to as Carol and Dave, respectively. A malicious party is referred to as Mallory, an eavesdropper as Eve, and a trusted third party as Trent."

I really love this naming system.

Holy smokes - I 'ran' into this website a few weeks ago whilst cleaning up an old computer.... and chuckled (my copy that I had saved on this computer is/was old - lets just say that).

And then I chance upon it being talked about on HN. Small world and maybe the universe is telling me something ;-)

For those who want a conceptual, visual, cartoon explainer, check out our 1min animated series: https://gun.eco/docs/Cartoon-Cryptography

I strongly recommend “The Code Book” by Simon Singh. Really readable and very informative!

It's a great read if you're not too in depth on the topic and want an overview, but it is badly in need of a modern revision that removes some of the more speculative parts of the last chapter and replaces it with what actually happened in the last 20 years.

Great paper! Given the write-ups of old and broken crypto, perhaps a better title would be History of Cryptography?

It does say at the top "originally written in 1998" and it was basically amended over time, but regardless I still love learning about "historical" views.

Example: A textbook from '95 had a pretty large section on "the future" of ECC and "current" trends in research. It was interesting seeing what came true, or what was still being worked on.

Indeed. Interesting mix of theory ("here's how RSA works and why") and practice (list of specs and RFCs), but very old-school.

Today, I'd expect less focus on RSA and PGP, and instead a mention of elliptic curves, the Signal protocol (double ratchet), etc.

Very interesting paper indeed.

Could be more appealing if the vanilla html was properly styled though.

I find it fairly decent, far better than the usual academic pdf anyway if that's the standard most accept.

How would you improve the page?

My personal tweaks:

body { font-size: 19px; width: 72ch; font-family: Charter; margin: 0 auto; line-height: 1.4; }

and then remove the size= option on the <font> element.

This is such an awesome paper, thanks for posting it!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact