#qi-hardware IRC log for Monday, 2016-04-18

whitequarkTIL gerber and gcode are both RS27411:37
kyaki have two files both encrypted with the same key (AES-256). I also have a plain-text version of one of the files. Does it help me recover another file?12:30
wpwrak_as long as the encrypted version of the 3rd file is identical to the encrypted version of the file for which you have the unencrypted version, too, then yes, it helps a lot12:37
wpwrak_in all other cases, probably not in any way you'd consider significant. see also: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks12:40
whitequarkkyak: yes it does13:01
whitequarkknowing ciphertext and plaintext generally speaking gives you some sort of key13:01
whitequarkwhat AES mode is it?13:01
DocScrutinizer05hmm, is it salted?13:20
whitequarkyes. and also what is the KDF.13:22
wpwrakhoping for an incompetent implementation ? :) well, it may be worth a try ...13:34
DocScrutinizer05hmm?13:50
DocScrutinizer05aah, well. Too tired to really wrap my head around asym crypt13:51
DocScrutinizer05if AES is even asym13:51
whitequarkDocScrutinizer05: what13:53
whitequarkAES is symmetric13:53
DocScrutinizer05thought as much13:53
whitequarkwpwrak: if KDF is sha256(password), which is surprisingly common, then recovery is trivial13:53
DocScrutinizer05so you try first byte with all 2^256 possible keys13:54
whitequarkbecause for every file, the actual encryption key is the same13:54
whitequarkno, just xor plaintext and ciphertext13:54
whitequarkthis gives you the key for the first block13:54
DocScrutinizer05hehe13:54
whitequarkif it's AES-ECB, then you just xor all other ciphertext blocks13:54
whitequarkif it's AES-CTR, then you need to do some manipulation to spin a counter in the key13:54
whitequarkif it's AES-CBC, you need to unmix the IV and then mix the another one back13:55
whitequarksimilar for CFB and OFB13:55
whitequarkso really the key here is the KDF13:56
whitequarkif they used a KDF with a large stretch factor *and* a salt unique for each file, then you are screwed13:57
DocScrutinizer05yup, that's what I thought13:58
DocScrutinizer05salt would make seemingly similar text be different in encrypted form13:58
whitequark"fortunately", most people writing crypto suck really badly at it13:58
whitequarkyou still see ECB mode used in the wild13:58
larscand we all know ECB is bad because you can see the penguin14:04
wpwrakor the girl. grmbl, no where is the original from this one ? i think i saw it first in some ccc presentation. http://www.turbocrypt.com/vpics/9a8f098c615a425eab6d17c804dd67ae/allpics/original_and_encrypted_image.jpg14:20
DocScrutinizer05,oO(???)15:13
wpwrakthis image was also used to show the xor problem of ECB15:20
kyakwhitequark: thanks! that's way beyond my comprehension, but at least i have something to think about now :)15:37
kyakthat question is quite practical. I'd like to store encrypted files in cloud, which is owned by not me15:38
kyakso i was thinking about how to encrypt individual files15:39
kyakhaving a separate encrypted image or "volume" seems like too much of a hassle15:39
kyakbut being able to recover key by simply xor'ing.. that's scary15:41
larscsalt it15:42
whitequarkyeah15:42
whitequarkand don't use anything with AES15:42
whitequarkgenerally speaking, bare AES is too hard to get right to easily ascertain whether a particular implementation contains glaring holes15:42
kyakif not AES, then what?15:45
whitequarkxsalsa20poly130515:45
kyakwait, what? that's my password!15:46
whitequarkAES-GCM also works if implemented correctly (but there were some high-profile failures, IIRC)15:46
wpwrakwhitequark: btw, you wouldn't happen to know of a stream version of crypto_box ? i.e., instead of working on the whole message, be able to extract N bytes at a time ? (plus validation, i.e., after a read to position X, have an optional read plus decrypting and hashing to the end, to ensure that the chunk just delivered is correct)15:52
wpwrak(though that could also be implemented on top of a simpler read N + check at EOF implementation)15:52
whitequarkhttps://nacl.cr.yp.to/stream.html15:55
whitequarkliterally crypto_stream15:55
whitequarknote that 'validation', by which you mean 'authentication', has to be done separately15:56
whitequarkyou can calculate a checksum using any strong hash in any way you would like, and then use crypto_auth15:56
wpwrak(link) oh wow. doesn't get any more obvious, does it ? :) thanks !15:58
wpwrakhmm, but no, that isn't actually what i was looking for16:00
whitequarkhow so?16:00
wpwrakfirst, i want to be compatible with crypto_box. alas, the usual implementations don't export some of the building blocks. so it would be nice to be able to redoing that.16:01
whitequarkno, you cannot be compatible with crypto_box.16:02
wpwraksecond, these functions just give me the encryption/decryption part of crypto_box but don't let me start at arbitrary positions16:02
wpwrakwhy not ?16:03
whitequarkcrypto_box is an authenticated encryption primitive16:03
whitequarkas for arbitrary positions, sure you can16:03
whitequarkuse the _xorstream version, then junk X bytes to start at position X16:03
wpwrakbut then i still have to store these X bytes16:04
whitequarkno16:04
whitequarkthey're generated on the fly16:04
whitequark_xorstream is basically a wrapper around a CSPRNG16:04
wpwrakhmm, where is _xorstream ? all i see is _stream_xor16:05
wpwrakand that one doesn't expose the "on the fly" part16:05
whitequarkyeah, _stream_xor16:05
wpwrakof course, inside it exists16:05
whitequarkah16:05
whitequarkwhy can't you use crypto_box, anyway?16:06
whitequarkderive the nonce from the stream position16:06
whitequarkdone16:06
wpwraki don't want to have to keep everything in memory16:06
wpwrakand the box format is nice in half my use cases, so i don't want to tweak that16:07
wpwrakso if i'm on a pc, i just use crypto_box. on anelok, i use the streaming variant16:07
whitequarkwell, one thing you shouldn't do is make your own primitives16:07
wpwrakthat's why i'm looking for an existing implementation :)16:08
whitequarkso again16:08
whitequarkwhy can't you use crypto_box?16:08
whitequarkmake many small messages (<<memory size)16:08
wpwrakmessy. and i the ideal read size may be very small16:09
wpwrak(plus, the ideal read size may vary)16:10
whitequarkwell, if you want random authenticated reads, that's what you get16:10
whitequarkopening the box of _stream_xor and saving/restoring state should be fine16:11
whitequarkso if you can use that and a separate authentication step, it should be doable16:11
wpwrakyes, i basically need, at the "bottom": open(), read(), dup() (to copy the current generator and hash state), check_hash_at_eof()16:12
wpwrakread() would be an unauthenticated read16:12
wpwrakthe authenticated read is then read(state), state2 = dup(state), while (read(state2)); check_hash_at_eof(state2);16:13
wpwrakthe idea is to let anelok store small blobs in addition to passwords. for example, private keys. they're small enough that encryption/etc. is fast, but easily big enough that it hurts on the memory size.16:16
kyakwhitequark: it says here https://en.wikipedia.org/wiki/Known-plaintext_attack that "Modern ciphers such as Advanced Encryption Standard are not currently known to be susceptible to known-plaintext attacks.". So it not as simple as just xor'ing?17:13
wpwrakkyak: this refers to AES as a building block. AES itself isn't vulnerable. however, if you use the AES building block improperly, then you may create a vulnerability.17:22
wpwrakso the real question seems to be "which cloud-compatible encryption tools use AES (or better) correctly"17:23
wpwrakand that would imply the question "what sort of cloud interface are we talking about ?" :)17:24
kyakbut it's me who will be encrypting :)17:27
kyaki will encrypt files and put them on e.g. dropbox17:27
wpwrakokay, so all you need is a standalone encryption tool that takes a file and a key, and produces a properly encrypted file, or vice versa ?17:30
kyakregarding salt.. i understood that both gpg and openssl salt automatically. This somehow adds with my key (a password). But where is the salt being saved? In the encrypted file? I should probably go and read about how symmetric encryption works17:30
kyakyeah, that's basically what i need. I read that gpg does the job, but i now want to know details :)17:31
wpwrakyes, the salt / IV should be attached to your file. else, you'd have to rememember it "offline", too. hardly convenient.17:37
larsca salt IV can safe lives17:52
wpwrakyeah, and expert use NaCl :)18:28
wpwrakhmm. server still down :( how hard can it be to set up a new box to distribution defaults and copy over the old disk ?18:29
wpwraki guess soon at least i won't have to worry anymore about losing mails when is bring up a dodgy configuration ...18:30
--- Tue Apr 19 201600:00

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!