Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 02:20:42PM +, Alfonso De Gregorio wrote:
> Until more browsers start supporting PBKDF2 with HMAC-SHA-256, you might be better off reverting to a JavaScript library, to be plugged into your scrypt implementation. I never took the chance to look at it, but I heard that asmcrypto.js provides the fastest PBKDF2-HMAC-SHA-256 implementation in town [2].

The uses of PBKDF2-HMAC-SHA-256 in scrypt are not performance-critical. When scrypt is invoked with sane settings, most of the processing time is spent in scrypt's SMix, not in PBKDF2.

This might be the most suitable implementation of scrypt in JavaScript: https://github.com/dchest/scrypt-async-js

Its performance test: http://dchest.github.io/scrypt-async-js/demo.html

Alexander

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> at GlobaLeaks we're undergoing implementation of client-side encryption

Okay. I'm going to elide the fine points of madness here and just refer you to: http://matasano.com/articles/javascript-cryptography/
Re: [cryptography] NSA Apple DPA Cryptanalysis
On a related topic, I love the fact that they not only have a Trusted Computing Jamboree, a celebration of subverting TCG technology, but that this is the seventh annual one...

Peter.
Re: [cryptography] NSA Apple DPA Cryptanalysis
On 11/03/2015 05:25 am, Peter Gutmann wrote:
> ianG i...@iang.org writes:
>> "We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem (CRT) implementation of RSA that will yield private key information in a single trace."
>> An actual cryptography breach! Outstanding if true...
>
> No, just a DPA attack, you've only quoted the last part of the full paragraph, which is about DPA attacks. (Before I read the full report my reaction was "they specifically mentioned RSA CRT, it's either a fault attack or DPA", because if the attack description includes RSA CRT then it's a sure sign that it'll be one of those two).

Oh I see. Right, that makes sense: they say "implementation", so there is something fishy about the code. OK, something to put on the list of things to do the constant-time makeover on, or at least the "don't leak bits" pass over. Maybe a summer internship for a student?

/me musing on the likely context of attacking the CRT ... suggests they have already breached the inner perimeter to do measurements, know when the key is being made, and can run their evil listener.

iang

ps: Note their pride in expressing the "entirely new unpublished attack" ... for those who are questioning where the NSA is wrt the open source world, such snippets tell us we're not that far away.
[cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
Hi all,

at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP private keys. Obviously the hashing to be used for storing such PGP private keys has to be strong enough, with a valuable key-stretching approach.

We're now considering using scrypt with some finely tuned parameters, but we have concerns regarding its performance in the browser as a JS implementation.

PBKDF2 is available from the WebCrypto API and, as far as I read and understand (but I'm not that much of a low-level crypto expert), is used internally by scrypt.

Does anyone know of any scrypt implementation that tries to leverage the WebCrypto API?

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
[cryptography] PPTP Security
Hello,

I was wondering about the security of PPTP. I know that MSCHAPv2 is vulnerable and it is not recommended to use MSCHAPv2 alone [0][1]. The recommended solution seems to be MSCHAPv2+PEAP according to Microsoft, but I'm not sure how secure it is as I don't know the state of MSCHAPv2+PEAP. Does anyone know about the MSCHAPv2+PEAP implementation and its security?

I am thinking of migrating to OpenVPN but it takes a little bit of time configuring the routers. The reason why PPTP was selected in the first place was the ease of configuration.

[0] https://technet.microsoft.com/en-us/library/security/2743314.aspx
[1] http://www.net-security.org/secworld.php?id=13342

Regards,

--
Eren Türkay, System Administrator
https://skyatlas.com/ | +90 212 483 7555
Yildiz Teknik Universitesi Davutpasa Kampusu Teknopark Bolgesi, D2 Blok No:107 Esenler, Istanbul Pk.34220
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On 3/11/15 1:10 PM, stef wrote:
>> GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.
> serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.

The reality is that each scenario has its own peculiarities; really, it would be a very long and complex discussion that would require a few hours to analyze each scenario's details.

PubLeaks in the Netherlands has been deployed with Tails as "Leaktops" for the journalists for end-point security, with GlobaLeaks being hosted by a well-known third party within the activist community (GreenHost), with servers deployed in a geo-politically smart way, and with a service contract with the PubLeaks Foundation (a legal entity created on purpose) to be resilient against certain kinds of legal threats.

OCCRPLeaks instead requires, in Bosnia and the Balkan area, leveraging plausible deniability by embedding GlobaLeaks within an existing HTTPS site (https://occrp.org), because plausible deniability has been considered, after threat-modelling with the stakeholders, more relevant than just saying "Hey, use Tor to access this .onion site".

In Africa for AfriLeaks we're considering that, in certain countries, it's better to avoid using any Tails or Tor stuff, and better to implement deception strategies.

When you work supporting the many initiatives you'll just realize that many times the cryptographic/technical implementation side of a Whistleblowing initiative's security is a minor part and shall be considered in a broader Security threat model.

Given that the picture is complex and variegated enough, we are providing such a differentiated set of security levels, from a technical and procedural point of view.

Consider that in most situations, when you consider significant threats, only opsec procedures and stakeholder organization can provide some degree of protection (or at least detection), with technology playing a little role. The way you work in a place where the rule of law is effective is very different from working in a place where having an encrypted USB stick with you can lead to torture.

Hope to have provided a broader view on how complex and complicated our threat model can be, so that we must make individual security choices that enable us to provide a graduated/configurable level of security (that could go up, being very strong, or go down, being more flexible).

Btw, that's not the goal of this thread, but I loved articulating an answer! :)

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.

i didn't get the memo, that js in browsers is now the way to best mitigate against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On 3/11/15 12:42 PM, stef wrote:
> On Wed, Mar 11, 2015 at 11:53:35AM +0100, Fabio Pietrosanti (naif) - lists wrote:
>> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys.
> i didn't get the memo, that js in browsers is now the way to best mitigate against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?

No, GlobaLeaks doesn't consider an NSA-like actor in its threat model.

GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.

Some deployment scenarios are "Safe Enough", some others are "Super Paranoid", but we're bound to the reality of real-world uses, which are as differentiated as the risk scenarios are.

Check the Threat Model link in the footer of https://globaleaks.org to get a better insight.

This email thread is specifically addressing the issue of using strong client-side password hashing methods, such as scrypt (or maybe the upcoming winner of https://password-hashing.net/report1.html), in a way that could exploit the WebCrypto API primitives.

Today with the WebCrypto API you can only do hashing with PBKDF2 with tons of iterations, but I haven't found/seen a scrypt that leverages the WebCrypto API or something similar to enable key-stretching client-side with a decent time-waiting/key-stretching-crypto-improvement ratio.

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 01:02:14PM +0100, Fabio Pietrosanti (naif) - lists wrote:
>> against state level actors. i mean globaleaks clearly has state-level actors in their threat-model, right?
> No, GlobaLeaks doesn't consider in its threat model an NSA-like actor.

there's other state level actors.

> GlobaLeaks is designed to be a Whistleblowing framework that can be used in very different contexts, from WildLife Crime Activism up to Anticorruption in Serbia up to PubLeaks-like Journalism in the Netherlands, keeping the maximum level of security achievable for a specific context of use.

serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 01:28:27PM +0100, Fabio Pietrosanti (naif) - lists wrote:
>> serbia sounds like a state level actor, and i heard that the publeaks people also get attention from the local services.
> The reality is that each scenario has its own peculiarities; really, it would be a very long and complex discussion that would require a few hours to analyze each scenario's details.

let's stick with the webcrypto aspect, and the fact that both governments control their own CA in the browsers. the dutch CA being even historically shared with some other parties.

> PubLeaks in the Netherlands has been deployed with Tails as "Leaktops" for the journalists for end-point security, with GlobaLeaks being hosted by a well-known third party within the activist community (GreenHost), with servers deployed in a geo-politically smart way, and with a service contract with the PubLeaks Foundation (a legal entity created on purpose) to be resilient against certain kinds of legal threats.

how does that protect against active covert attacks? luckily parallel constructions will save your conscience from feeling responsible.

> OCCRPLeaks instead requires, in Bosnia and the Balkan area, leveraging plausible deniability by embedding GlobaLeaks within an existing HTTPS site (https://occrp.org), because plausible deniability has been considered, after threat-modelling with the stakeholders, more relevant than just saying "Hey, use Tor to access this .onion site".

how is using stuff over ssl in the country where the adversary controls a local CA plausible deniability?

> When you work supporting the many initiatives you'll just realize that many times the cryptographic/technical implementation side of a Whistleblowing initiative's security is a minor part and shall be considered in a broader Security threat model.

absolutely.

> Given that the picture is complex and variegated enough, we are providing such a differentiated set of security levels, from a technical and procedural point of view.

so you allow your clients to shoot themselves in the foot.

> The way you work in a place where the rule of law is effective, it's

that's a quite bold assumption even in europe today :/

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
Re: [cryptography] Javascript Password Hashing: Scrypt with WebCrypto API?
On Wed, Mar 11, 2015 at 10:53 AM, Fabio Pietrosanti (naif) - lists li...@infosecurity.ch wrote:
> Hi all,
> at GlobaLeaks we're undergoing implementation of client-side encryption with server-side storage of PGP Private keys. Obviously the hashing to be used for storing such PGP private keys has to be strong enough, with a valuable key-stretching approach. We're now considering using Scrypt with some finely tuned parameters, but we have concerns regarding its performance in the browser as a JS implementation.
> PBKDF2 is available from the WebCrypto API and, as far as I read and understand (but I'm not that much of a low-level crypto expert), is used internally by scrypt.

Sure, scrypt uses PBKDF2 with HMAC-SHA-256 as its PRF of choice in the state expansion and compression steps [1].

> Does anyone know of any scrypt implementation that tries to leverage the WebCrypto API?

AFAICT, there is no such implementation yet. While PBKDF2 is included in the WebCrypto API specifications, to date its support is pretty limited. PBKDF2 works with Chrome Canary (Windows and OSX) and Opera Developer (Windows); it also works with Firefox, but only with SHA-1 --- as such, it is not relevant for scrypt applications.

Until more browsers start supporting PBKDF2 with HMAC-SHA-256, you might be better off reverting to a JavaScript library, to be plugged into your scrypt implementation. I never took the chance to look at it, but I heard that asmcrypto.js provides the fastest PBKDF2-HMAC-SHA-256 implementation in town [2].

Good luck.

[1] http://tools.ietf.org/id/draft-josefsson-scrypt-kdf-02.txt
[2] https://github.com/vibornoff/asmcrypto.js

--
Alfonso
tweets @secYOUre