Hacker News new | ask | show | jobs
by ultramancool 3848 days ago
Chacha20 is nice, but I think the key exchange is a bigger problem right now. What's the situation with Curve25519 in here?

Weak DH and ECDHE using NIST curves concerns me far more than AES-GCM which is readily available for example. Configuring DH properly requires extra effort for administrators and ECDHE relies on NIST curves which are prone to implementation error and some have even called into question the NSA-NIST relationship behind the "random" curves.
2 comments
tptacek 3848 days ago
Curve25519 is what's going to happen. The IETF/IRTF process is a clusterfuck of monumental proportions, and has slowed adoption down, but Chrome and Firefox will support Curve25519.

The NIST P- curves in TLS ECDHE have sound implementations in Chromium and Firefox. Nobody should be using conventional DH in preference to ECDHE; if you can't trust a browser's P-curves, you can't trust their GCM either.

link
ultramancool 3848 days ago
> if you can't trust a browser's P-curves, you can't trust their GCM either.

Is that true though? I mean, from what I've read GCM seems much easier to implement than a full ECDH. I mean, have a look at some of the things published by Bernstein and Lange, https://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

They do certainly have a horse in the race, but it's still interesting. They and others have also raised concerns about potential backdoors in the NIST curves, which is, while still unproven another reason why one might avoid them. They failed to do things as basic in the cryptographic community as using "nothing up my sleeve" numbers, it just seems sketchy at best to me. The random curves at least. The others are probably still just fine but the random ones are the most popular in TLS.

link
tptacek 3848 days ago
GCM is extremely tricky to implement safely.

ECDH itself is very easy to implement; it's just DH (which is probably the simplest algorithm in cryptography), but in a different group.

ECC (the group) is hard to implement safely. The NIST P-curves are tricky to implement relative to Curve25519.

But there's also a lot more study of how to safely implement the NIST P- curves than there is for how to make a constant-time GCM.

I don't know. They seem like comparably difficult tasks.

link
wolf550e 3848 days ago
No cryptographers believe the NIST curves are backdoored. OpenSSL's and NSS's implementations of P-256 have been reviewed and are considered secure. My conclusion is that if your CSPRNG is good, P-256 ECDHE with openssl should be fine.

Better ECDHE is ready to be rolled out though: https://tools.ietf.org/html/draft-irtf-cfrg-curves-11

Too bad how long CFRG take to get EdDSA ready.

link
ultramancool 3848 days ago
> No cryptographers believe the NIST curves are backdoored.

That's not true. For an example, see Schneier's comment here:

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_br...

Or Bernstein and Lange's comments here:

https://www.hyperelliptic.org/tanja/vortraege/20130531.pdf

(specifically the: Jerry Solinas at NSA used this to generate the NIST curves (or so he says))

I believe Matthew Green may have also made a similar statement, though I can't find it, so perhaps I'm not recalling correctly. In any case, I don't think you can outright say "No cryptographers believe the NIST curves are backdoored". You can at best say "No cryptographers have proven the NIST curves are backdoored", which is true.

However, those cryptographers have also raised concerns (including concerns about backdoors) and I just hope we move to safer alternatives quicker.

link
tptacek 3848 days ago
Schneier's comment is misinformed, and Schneier has had a bias against ECC going back over a decade, which has, I think, kept him from learning as much about it as he's picked up about RSA. Schneier has published no research about ECC, and details of curve crypto are absent from his books.

It's worth keeping in mind that Schneier is also not an academic cryptographer, or really a serious practicing cryptography researcher of any sort. He's a great popularizer and he works with some very credible other researchers, but "Schneier said so" is never going to win a debate among cryptographers.

Bernstein makes the same kinds of comments about the Brainpool curves (the whole point of BADA55 was that the Brainpool curves aren't that much more trustworthy than the Solinas curves), and nobody, including Bernstein, will with a straight face say that the Brainpool curves are backdoored.

It's a valid process critique that has been interpreted by laypeople as an accusation, which is something Bernstein has taken flak for.

link
tedunangst 3848 days ago
Curious that Schneier recommends discrete log crypto in response to a report that the NSA was breaking most crypto. In hindsight, there's a very good chance that the NSA attack in question was the logjam attack against discrete log DH. But, sure, stick with plain DH if it makes you feel safer.
link
tptacek 3848 days ago
Yes, I think that recommendation was pretty irresponsible, and not just because of Logjam. You are probably safer using NIST P-curve crypto than you are with RSA, and not just because virtually all RSA applications use insecure RSA constructions, but also because RSA includes the huge footgun of having a direct and easy to (unsafely) use Encrypt/Decrypt primitive.
link
ultramancool 3848 days ago
I assume he meant long 2048+ bit DH with user generated primes, which would arguably be safer, just due to sheer simplicity if nothing else.
link