INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: 1 [2]   Go Down

Author Topic: IMPORTANT -- OpenSSL Security Flaw -- This could affect you  (Read 18490 times)

Hendrik

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10923
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #50 on: April 22, 2014, 02:29:56 pm »

ECC is only insecure if the curves it uses are flawed.

ECC itself is a really great encryption system, because it encrypts much stronger than classic algorithms at a much higher speed/throughput, which means you get much better encryption at no loss of CPU time.
There are a lot of variants of ECC, and you just gotta pick one that is considered secure.

Here is some information on secure curves:
http://safecurves.cr.yp.to/

I usually visit the C3 congress in december (since it moved to my city at the very least), which typically has at least a couple of talks about encryption security, where these issues were brought up last year.
Logged
~ nevcairiel
~ Author of LAV Filters

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13813
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #51 on: April 22, 2014, 03:13:56 pm »

ECC is only insecure if the curves it uses are flawed.

ECC itself is a really great encryption system, because it encrypts much stronger than classic algorithms at a much higher speed/throughput, which means you get much better encryption at no loss of CPU time.
There are a lot of variants of ECC, and you just gotta pick one that is considered secure.

Here is some information on secure curves:
http://safecurves.cr.yp.to/

I usually visit the C3 congress in december (since it moved to my city at the very least), which typically has at least a couple of talks about encryption security, where these issues were brought up last year.
Watched the Jacob Appelbaum talk, it was cool!
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #52 on: April 22, 2014, 03:33:02 pm »

ECC is only insecure if the curves it uses are flawed.

Well... P256 is one of those:



But in any case, Bruce Schneier said regarding them:

Quote
I strongly believe that the NSA has a significant advantage in breaking ECC. This doesn't mean it's bad, but I think we need to 1) make sure we know where our curves come from, and 2) build in a hefty security margin.

He's also said that he basically doesn't trust any of the curves in current use .
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #53 on: April 22, 2014, 04:35:01 pm »

ECC itself is a really great encryption system, because it encrypts much stronger than classic algorithms at a much higher speed/throughput, which means you get much better encryption at no loss of CPU time.

Incidentally, one of the other (previous to the more recent revelations) criticisms of NIST P-256 was also that it was unusually slow.  Far slower than traditional log-style system with similar security levels, in fact.  I'm too busy to look up quotes on that right now, but...

I'm overall somewhat dubious about ECC itself right now.  I wouldn't say the whole system is flawed, but I'd basically echo what Bruce said above... Hidden curves aren't good, as you can unravel the whole stack.  And, they're extremely susceptible to problems with pseudo-random number generators, so... Caution is warranted.

I mostly just found it interesting that iOS in general and the iPhone 5S in particular has such an exquisitely designed security system (just one example, every single file on the NAND is encrypted with a separate and distinct key)... But then over here is this brand-new cloud system and it is using NIST P-256?  Really?  Now?

If it was last year, I'd say... Okay.  But to launch it now?

Just odd.  It could certainly be, however, because hardware/OS guys are on one side, and Apple keeps their server-side guys in a basement on the side and doesn't let them play with the cool people (which explains their aptitude with online services generally as well).  But... It is a bit odd, to say the least.  And I would NOT use iCloud Keychain.

I usually visit the C3 congress in december (since it moved to my city at the very least), which typically has at least a couple of talks about encryption security, where these issues were brought up last year.

I'd love to go sometime.  Jealous.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

6233638

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 5353
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #54 on: April 22, 2014, 07:03:40 pm »

If they were going after you, it would be much easier to attack YOU

http://xkcd.com/538/
Logged

pcstockton

  • Citizen of the Universe
  • *****
  • Posts: 1261
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #55 on: April 22, 2014, 07:16:58 pm »

They don't have my passwords, which is why I don't have any threat on this from them.

They have an AES 256-bit encrypted blob for which I have the only key.

You would be well served to learn about how it works before you make assumptions on things you didn't research.

Glynor,

What is your take on Dashlane?  I have been using it for a while now and love it.  It apparently only keeps your master key on the local computer, not sent to them.  If that matters.  But I would use something else when my year premium subscription runs out, if you think there are safe options.

Thanks!
Patrick
Logged
HTPC (ASRock Mini PC 252B: i5 2520M Sandy Bridge/HD3000 - 2.5 GHz - 8GB RAM - 256GB Intel SSD - Win7 Home) > MF V-Link 192 > Wireworld Ultraviolet > Naim DAC > Naim NAC 102/NAPSC/HiCap (PSU) > Naim NAP 180 Amp > Naim NACA-5 Speaker Cables > Naim Ariva

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72367
  • Where did I put my teeth?
Logged

pcstockton

  • Citizen of the Universe
  • *****
  • Posts: 1261
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #57 on: April 26, 2014, 02:07:47 am »

Glynor,

What is your take on Dashlane?  I have been using it for a while now and love it.  It apparently only keeps your master key on the local computer, not sent to them.  If that matters.  But I would use something else when my year premium subscription runs out, if you think there are safe options.

Thanks!
Patrick
Logged
HTPC (ASRock Mini PC 252B: i5 2520M Sandy Bridge/HD3000 - 2.5 GHz - 8GB RAM - 256GB Intel SSD - Win7 Home) > MF V-Link 192 > Wireworld Ultraviolet > Naim DAC > Naim NAC 102/NAPSC/HiCap (PSU) > Naim NAP 180 Amp > Naim NACA-5 Speaker Cables > Naim Ariva

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #58 on: April 26, 2014, 08:57:48 am »

I don't know much about it, and haven't read any detailed reviews from trusted experts.  Sorry, can't say.
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

pcstockton

  • Citizen of the Universe
  • *****
  • Posts: 1261
Re: IMPORTANT -- OpenSSL Security Flaw -- This could affect you
« Reply #59 on: April 26, 2014, 02:23:13 pm »

thanks bud!
Logged
HTPC (ASRock Mini PC 252B: i5 2520M Sandy Bridge/HD3000 - 2.5 GHz - 8GB RAM - 256GB Intel SSD - Win7 Home) > MF V-Link 192 > Wireworld Ultraviolet > Naim DAC > Naim NAC 102/NAPSC/HiCap (PSU) > Naim NAP 180 Amp > Naim NACA-5 Speaker Cables > Naim Ariva
Pages: 1 [2]   Go Up