Hacker News new | ask | show | jobs
by dmurdoch 2541 days ago
From my understanding and maybe I'm wrong here, he means that they tend to not roll their own ECC implementations.

From the video, one of his major complaints is that people learn RSA in their first year of university, understand the math, then roll their own. How hard can it be, its modulo and exponents. People don't tend to do this with ECC. They just pick a library.

You are right in saying that the same roll your own problems that occur with RSA would occur with ECC.
1 comments
djsumdog 2541 days ago
This article doesn't mention openssl or ssh-keygen. Are the standard commands we see in most articles for creating keys via these two popular tools compromised in any way?

I never roll my own encryption, and most developers don't (unless they're just playing with stuff and learning how to understand it; and not use it in production). I stick to standard tools and libraries like Legion of the Bouncy Castle and pypi RSA.

I wish this article covered the way most developers interact with RSA libraries and showing us those specific problems.

link
lvh 2541 days ago
Some keygen is busted, but openssl RSA (as well as ssh-keygen) are probably fine. Part of the problem there is "probably": turns out RSA keygen is a lot harder than ECC keygen. (Since ROCA broke a bunch of RSA keygen, our confidence in e.g. openssl's keygen is increased.)

Using standard tools like PyPI RSA, however, does not necessarily save you. Not only will openssl's RSA happily generate a bad key for you if you ask it nicely, Because it's pure Python, there's a good chance it's vulnerable to side channel attacks. Also, it uses PKCSv15 padding for encryption, and is therefore definitely vulnerable to the Bleichenbacher attack mentioned in the article, for example.

Just use libsodium's box.

link
tabletopneedle 2541 days ago
If you're on Python and you for some weird reason absolutely have to use RSA, make sure to use RSA-OAEP and the pyca/cryptography library: https://cryptography.io/en/latest/hazmat/primitives/asymmetr...

sybrenstuvel/python-rsa/ is PKCSv1.5 which like lvh said, is not secure.

RSA is fundamentally less secure than Diffie-Hellman as it lacks forward secrecy. So even a perfect implementation is still less secure.

link