[messaging] Crypto standards in modern-day consumer apps
Mike Hearn
mike at plan99.net
Sat Jun 20 09:29:52 PDT 2020
Well, let's not mix up human-designed cryptography with natural laws like
physics.
No cryptographic system has ever been proven impossible to break. We make
assumptions like "ECDLP is hard" because lots of smart people (how many?
who?) have tried to break it (how hard did they try?) and failed (are we
sure all of them did?). At the root of all cryptographic schemes there are
social assumptions, like the assumption that if someone had found a
solution, they'd definitely have published a paper on it and not e.g. sold
it to the NSA.
For some problems we think those social assumptions are true because the
Snowden leaks seemed to suggest even the NSA can't solve them, if we ignore
cases where actually they could, like Logjam. And we assume the NSA is
filled with really smart people (is it?) who spend lots of time
cryptanalysing common algorithms (do they?) … and on we go.
Physics doesn't rely on assumptions like that. Anyone can do an experiment
to prove its laws are true.
Now, I'm not arguing cryptography is useless or doesn't work. Clearly in
the real world it does work. It solves lots of real problems, all the time.
But "work" sometimes has a rather technical definition that doesn't match
what regular people understand by the term. Do people differentiate between
"cryptography" and "encrypted messaging" for example? To the layman
cryptography *is* encrypting messages, that's what it's all about. But on
this list we know that encrypted messengers rely for security on a lot of
things being true, only a small number of which are cryptographic
assumptions. To reason about security we have to analyse the whole system
end to end. We can't just say, well, nobody knows how to break this
particular algorithm right here, so the system is secure.
Occasionally I worry that one day the credibility of end-to-end encryption
will be harmed, because it will turn out that one of the big players has
built in back doors or is changing public keys for targeted intercept. And
then we (the 'experts') will say, ah ha! In fact, we never claimed these
systems were secure against such attacks. And all the general public will
hear is, "you said tech firms couldn't read our messages and you were
wrong".
The restrictions WhatsApp put on forwarding messages might be an early sign
of what's to come.
https://slate.com/technology/2020/04/whatsapp-message-forwarding-disinformation-coronavirus.html
Cryptographically, the double ratchet/AES/Noise/etc. are all designed to
stop a MITM detecting if the same message is being sent twice. This is a
core algorithmic property that cryptographers stress over. In the real
world, when Facebook decided they had a moral obligation to fight "rumours"
they just modified the software to stop people forwarding messages. When
the MITM controls the endpoints it's unclear what meaning cryptography
actually has, beyond time limited legal arguments.
On Sat, Jun 20, 2020 at 17:30:54, Mikalai Birukou <mb at 3nsoft.com> wrote:
> It won't surprise me if at some point EncroPhone gets silently taken over
> by the Dutch police and used in a sting operation
>
>
> Well, that didn't take long:
>
> https://www.irishnews.com/news/northernirelandnews/2020/06/20/news/wave-of-arrests-after-breach-of-encrypted-communication-network-1980136/
>
> In the end, cryptography still boils down to trusting people (the
> implementors).
>
> Since we have Mike from the guardian, a wordsmith, if I may, let's
> carefully note use of words and say that " *security of a thing* still
> boils down to trusting people (the implementors)".
> Wordsmiths, please, don't perpetuate nihilism-leaning memes by loose use
> of words that somehow hint that cryptography is not reliable. If there were
> problems with cryptography, police would not need, quote, "sophisticated
> attack and the malware code". And when was the last time you heard the
> phrase "physics still boils down to trusting GM car brakes"?
>
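The on-wire property Mike describes (a passive observer cannot tell that the same message was sent twice) placed beside an endpoint-side forwarding limit, as an added example that is not part of the original post and not the code of any messenger. The cipher is a toy counter-mode construction using HMAC-SHA256 as a PRF, standing in for the double ratchet/AES/Noise; it is unauthenticated and only illustrates randomised encryption. The key, message text, forward limit and the ForwardLimitingClient class are all constructed for the demo.

```python
"""Toy demo: repeated messages are unlinkable on the wire, yet the endpoint
that holds the plaintext can still count and block forwards.

Added example, not from the original post or any messenger. Stream cipher
in counter mode with HMAC-SHA256 as the PRF (assumption: HMAC-SHA256 is a
PRF). Unauthenticated; a stand-in for double ratchet / AES / Noise only.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

KEY = os.urandom(32)  # shared session key, constructed for the demo
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(key, nonce || counter) blocks concatenated to the needed length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Randomised encryption: a fresh nonce per message unless one is reused."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def mitm_sees_repeat(ct_a: bytes, ct_b: bytes) -> bool:
    """All a network observer can do: compare ciphertexts byte for byte."""
    return ct_a == ct_b


def wire_demo(key: bytes) -> dict:
    msg = b"rumour: constructed sample message"
    ct1 = encrypt(key, msg)
    ct2 = encrypt(key, msg)
    reused = encrypt(key, msg, nonce=ct1[:NONCE_LEN])  # the classic mistake
    return {
        "fresh_nonces_look_same": mitm_sees_repeat(ct1, ct2),     # False
        "reused_nonce_looks_same": mitm_sees_repeat(ct1, reused),  # True
        "roundtrip_ok": decrypt(key, ct1) == msg and decrypt(key, ct2) == msg,
    }


class ForwardLimitingClient:
    """Hypothetical app endpoint. It holds the plaintext, so it can count
    forwards of the same content regardless of what the wire reveals."""

    def __init__(self, key: bytes, max_forwards: int = 5):
        self.key = key
        self.max_forwards = max_forwards
        self.forward_counts: Counter = Counter()

    def receive(self, ciphertext: bytes) -> bytes:
        return decrypt(self.key, ciphertext)

    def forward(self, plaintext: bytes) -> Optional[bytes]:
        fingerprint = hashlib.sha256(plaintext).hexdigest()
        if self.forward_counts[fingerprint] >= self.max_forwards:
            return None  # policy block in software, nothing cryptographic
        self.forward_counts[fingerprint] += 1
        return encrypt(self.key, plaintext)


def endpoint_demo(key: bytes, attempts: int = 7, max_forwards: int = 5) -> dict:
    client = ForwardLimitingClient(key, max_forwards)
    msg = client.receive(encrypt(key, b"rumour: constructed sample message"))
    sent = [client.forward(msg) for _ in range(attempts)]
    delivered = [c for c in sent if c is not None]
    linkable = any(
        mitm_sees_repeat(a, b)
        for i, a in enumerate(delivered)
        for b in delivered[i + 1:]
    )
    return {
        "forwards_sent": len(delivered),
        "forwards_blocked": attempts - len(delivered),
        "mitm_can_link_them": linkable,
    }


if __name__ == "__main__":
    print(wire_demo(KEY))
    print(endpoint_demo(KEY))
```

The two halves make the point separately: with fresh nonces the five delivered forwards are pairwise distinct ciphertexts, so the wire reveals nothing, while the sixth and seventh forwards are refused by the client before anything is encrypted. The reused-nonce case is the caveat: the same keystream applied to the same plaintext gives identical ciphertexts, which is exactly the leak the nonce exists to prevent.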