[codysc]

>Perhaps surprisingly, implementing cryptographic primitives & protocols requires little cryptographic knowledge.

That's a dangerous statement on it's own. Making proper use of primitives is not at all a simple concept. Developers can absolutely undermine their systems with poor choices/mistakes.

Self promotion: I wrote a blog up on a very high level screw up with type conversions to show just the very surface of how to screw up using solid crypto primitives. Time allowing I want to do more entries on topics within the crypto realm itself. IV reuse, etc.

https://pritact.com/blog/posts/crypto-mistakes-part-1.html

[loup-vaillant]

> That's a dangerous statement on it's own.

I'm not sure how best to say it.

Implementing primitives & protocols requires little cryptographic knowledge. It does however require significant knowledge about program correctness: testing methods, proofs, and if side channels are important, the characteristics of your platform, and an accurate enough idea how your compiler or interpreter works.

Likewise, to implement an energy constant implementation of Chacah20 in silicon, you don't need a cryptographer, you need a hardware designer. The only thing you need a cryptographer for, is telling the hardware designer to make it constant energy — or convincing the higher ups why the extra cost is justified.

The blog post you link (which I love by the way) seems to confirm my view: many problems are ones of correctness. I believe most such bugs would be caught by corrupting the inputs, as I alluded to. Here, corrupting the password would fail to abort, and you'd catch the bug.

[codysc]

I don't think I exactly understand your points.

Using an example of IV reuse in AES-GCM:

The weaknesses resulting from this wouldn't be discoverable with a test like corrupting the password from the first example. If the developer wasn't aware that IV reuse introduced that weakness then they would be using strong primitives but in a way that dramatically undermines the actual encryption.

Not to put words in your mouth, but I assume your answer would be to say that this would be a matter of correctness. If yes, then where I'm coming from is that the majority of devs don't have the skillset to be correct and sometimes wouldn't dive deep enough to discover these kinds of pitfalls.

[loup-vaillant]

> Using an example of IV reuse in AES-GCM:

Yes, that one wouldn't be caught by corrupting inputs. You need to make sure you don't reuse the IV in the first place. And that's indeed a cryptography related bug.

> I assume your answer would be to say this would be a matter of correctness

It would be.

> where I'm coming from is that the majority of devs don't have the skillset to be correct

Unfortunately, I can believe that. Correctness is hard. Or expensive. Let's try with this example.

If you're designing an AEAD yourself, you can notice the error by trying (and failing) to prove IND-CCA2. If you're implementing or using AEAD, code review should the problem… unless this is a bug like you've shown before. Tough one to spot.

One way to avoid the IV bug with a reasonable degree of certainty would be to use a counter or a ratchet. Don't send the IV over the network, let it be implicit. Then write two implementations in two very different languages. It is very unlikely that both happen to repeat the same hard coded IV.

If we still want to use random IVs, we probably need to mitigate replay attacks: have the receiver store the last few IVs of the messages it received this session, and have it compare any new IVs with this set. Won't stop all replay attacks (the attacker could wait until old IVs are forgotten), but it will at least catch the accidental reuse.

[na85]

Is that really a crypto-specific problem, though? It seems like it's just yet another reason not to use JavaScript for anything serious.

Wouldn't a more strongly-typed language have prevented that bug at compile time?

[codysc]

Yes, the goal was/is to start with a very high level example then get more into crypto specific concerns.

The audience is for devs without any real experience/knowledge of using crypto that might go into it too casually.