dorkusmcgavin's comments

dorkusmcgavin | 7 years ago | on: New TLS Padding Oracles

Diabolical plot? You are insane to believe I think that.

Spreading misinformation isn't a conspiracy, everyone does it. Hell I just did it. That doesn't mean it should be left unchecked.

There's nothing embarrassing about what I posted. I also have no reputation on an anonymous account.

dorkusmcgavin | 7 years ago | on: New TLS Padding Oracles

> This is a lot of text responding to some pretty simple facts. The only value judgement I've made here is that you might want to look up who people are before you decide to tell them they're spreading false statements (that's with respect to Colm, not me; you can say whatever you'd like about me.)

You are correct that I was wrong with what my statements were, but I don't care if it's Jonathan Katz who's spreading misinformation, if I believe someone is spreading misinformation I'm going to call them out on it. I was WRONG this time (again have to admit that?), but am trying to address the original question. Half of that "large text" was new information that you've distracted the topic away from.

And you've done it yet again, changed the topic.

My offtopic sub-point here is that you are taking large quantities of information out of context for no reason other than to change the subject away from actual information search.

> But CBC+HMAC != CBC

Here's what Colm said:

> I know that I'm going to be thought a heretical fool for saying this, but overall I would consider CBC mode "more secure" than GCM.

OMG he said CBC mode (NOT CBC-HMAC!) is "more secure" than GCM! Go call him out on that one sentence taken out of context!

Obviously we are talking about CBC-HMAC because that's the topic. Colm started it on that topic, and if you look at his entire post, the context makes that clear. If you instead focused on the fact that I'm talking in the same context, you wouldn't get off on a tangent that somehow I think that Colm believes CBC mode without an HMAC is somehow more secure (he doesn't, obviously). You are creating a strawman for no reason. You are right, you aren't attacking me. You are conducting half of a strawman argument. You've created a strawman, and just left it there. It's weird. It changes the topic. It serves no purpose except to derail the conversation.

Colm is arguing that CBC with a MAC is more secure than GCM, but if you take the strict way you are interpreting my statements, you would not believe that because you are applying a double standard to me. Colm apparently is allowed to make contextual statements but I am not.

Again, back to the original topic I'm trying to figure out why the encryption experts believe the opposite, which he also says is the overwhelming majority of opinion, and why we are even conversing in the first place. I doubt I can keep this on topic anymore because you keep drifting it off for quite literally no reason.

Screw it. I'm going back to reading the book. I will not share my findings with you because you have already ignored my other findings and theories and it will just fall on deaf ears.

dorkusmcgavin | 7 years ago | on: New TLS Padding Oracles

You seem hell bent on making me look bad based on a statement I made which I've already conceded was incorrect. I have no ties to this account to my actual identity and no intention of doing so, so I have no idea why you'd care about anonymous dorkusmcgavin's reputation which will never take off by definition anyway.

This is sort of why I don't like tying my identity to any accounts on the internet and don't engage in academia. When you do, you have to dig in deep on your statements and then end up with meaningless ad-hominem attacks on identity rather than seeking truth to the discussion. This is increasingly happening all over the internet, too, so I might just drop off of it entirely and just go back to reading for my own sake.

> You did not exploit a CBC padding oracle in CTR mode, because CTR mode isn't padded.

Correct, I have never done that nor have I claimed to. I said the class focused on CBC padding oracles and I exploited CBC mode in that way. I also stated that I've used CTR mode before. These were two different statements. This is so far off-topic that I don't understand why you care.

> GCM is built on top of CTR; CTR is literally in the name. Like CTR, GCM is a stream cipher mode. There is no GCM padding.

You are literally responding to a comment where I show there is no padding and concede you are correct here.

> The output of the code you pasted should be 26, 27, and 27, not 28 (as it is on my system). "test12" and "test13" have the same length, and consume the same amount of CTR keystream.

It was supposed to be testbytes123, and I copied from an IPython window where I had typed both out. I apparently not only typed it incorrectly the first time and then corrected it, but then copied and pasted the wrong line when going back to this window.

Look, I'm trying to get to the bottom of the original debate here, I don't really care too much about my copy paste errors or stating for a ninth time that my original comment was incorrect because it's been a while since I went through these courses. I want to learn things, not have an ego fight. Let's move on.

The original topic being, why exactly is AES-GCM considered more secure than CBC by expert cryptographers?

I've been re-reading parts of Katz' book and I think I can come up with my interpretation, but I'm trying to find a section where he mentions this (because he comes very close in a few sections when discussing the classes of proofs themselves and also of his old-timey stories). I also think he could word it better and his reasoning might be different than my theory.

I think the point is that if you can choose the length of the attack, it doesn't matter if it's grouped into clusters of X-bits or not as long as the message is at least of a certain length (obviously encrypting the string "true" and "false" you'll be able to tell the difference if you know the context). If you can choose the length of the attack, then you'll most likely always be able to determine the length of various other encrypted information in the resulting ciphertext, it just becomes slightly more work.

So say I have X-bits of plaintext that I control of a plaintext that includes other text before being encrypted (HTTP as the example here). If it's padded, it might output Y-bits of ciphertext. If you then do (X+1)-bits of plaintext, you could again get Y-bits of ciphertext again. This can be perceived as an advantage, but if the attacker then pads the plaintext with zeroes at the beginning and incrementally passes it to the server, the (X+2)-bit, up until (X+Z)-bit output will eventually tick over to the next block, and then you have (Y+blocksize)-bit ciphertext. At that point, they can hang there at that specific plaintext length and then use that to perform the same length-based attack as without padding.

I'm going to keep digging because this question is really fascinating to me right now. Katz does have sections where he mentions fixed-length encryption mechanisms where the ciphertext is defined at a certain length, so I'm looking around there right now because I have a feeling he might state somewhere that any stream cipher (and he includes CBC mode as a stream cipher) is less secure by default, period. He might even have a proof somewhere on that.

The point of the padding in CBC mode is simply because it's necessary based on the way the plaintext moves into the encryption function. Padding oracles are dangerous because they exploit the type of padding, not because they exploit the length. They also do so in a way that allows you to decrypt entire blocks. IV-reuse can bump into a similar block border issue as I was describing above, too.

I will keep reading.

dorkusmcgavin | 7 years ago | on: New TLS Padding Oracles

I opened up my book of cryptography from Jonathan Katz, and found this in regards to CTR mode:

> As with OFB mode, another "stream-cipher" mode, the generated stream can be truncated to exactly the plaintext length

This is contrary to what Jonathan Katz told a class taught from the University of Maryland which I took, which is odd. I've used CTR mode before and exploited CBC padding oracles, I don't recall being able to use CTR mode this way but I rarely used it since we focused on CBC exploitation and a bit too much on CPA/CCA proofs. After looking at the diagrams shown, it's clear that since the message is XOR'd with the output of the generative random of the encryption function, CTR mode can indeed be truncated since the remaining generative output can be ignored. So I had a misunderstanding in my head on CTR mode.

Now on to GCM. Unfortunately my edition of Katz' book doesn't include GCM so I have to default to Wikipedia. The last XOR is more than likely where a truncation can occur, so I was wrong about GCM mode as well.

As for Python tests (package already installed, no need to use pip when it's in the various Linux repos):

    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    import os
    key = AESGCM.generate_key(256)
    gcmtest = AESGCM(key)
    nonce = os.urandom(16)
    # AESGCM.encrypt returns ciphertext || 16-byte tag, so each length below is
    # len(plaintext) + 16; the associated data (b"ASD") is authenticated, not encrypted
    len(gcmtest.encrypt(nonce, b"testbytes1", b"ASD"))
    len(gcmtest.encrypt(nonce, b"testbytes12", b"ASD"))
    len(gcmtest.encrypt(nonce, b"testbytes13", b"ASD"))

This outputs 26, 27, 28 respectively.

While this proves your point, I want to make clear that ignoring the reason and just trusting the output of an implementation isn't really a good way of learning things (although complimentary). I was using the Wikipedia and text references so I could understand why it allowed variable length, and at my first look the construction didn't appear like you could truncate.

Despite all of this, the CTR-mode section of the book includes a CPA-security proof and the CBC section says it is vulnerable to CPA. I'm going to try to dig through that to see why. If they are cognizant of the fact that same length attacks are something that makes you vulnerable, there must be a reason why they believe CTR/GCM are not.
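The following is an added example, not the commenter's code and not from the thread. It puts working code behind two points made in these comments: that CTR and GCM ciphertexts are the plaintext length plus a constant (nonce, and for GCM the tag), and the earlier block-boundary argument that PKCS#7 padding in CBC only costs the attacker a few more requests, because growing an attacker-controlled prefix one byte at a time until the ciphertext gains a block pins the plaintext length to an exact multiple of 16. Assumptions: an HMAC-SHA256-based keyed function stands in for the AES block function so the script runs on the standard library alone (it is not invertible, which does not matter since only lengths are examined); the HTTP-style template, the cookie value and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16       # AES block size in bytes
IV_LEN = 16      # CBC IV
NONCE_LEN = 12   # CTR/GCM-style nonce
TAG_LEN = 16     # GCM tag: a constant overhead on top of the CTR ciphertext


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (assumption: a keyed PRF truncated
    to 16 bytes). Not invertible, so this toy CBC cannot be decrypted, which is
    irrelevant here because only ciphertext lengths are examined."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def pkcs7_pad(msg: bytes) -> bytes:
    """PKCS#7 always appends 1..16 bytes, so the padded length is a multiple of 16."""
    n = BLOCK - (len(msg) % BLOCK)
    return msg + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    padded = pkcs7_pad(msg)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        prev = block_fn(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Keystream is produced one 16-byte counter block at a time and truncated
    to the message length, so nothing is padded: len(ct) == NONCE_LEN + len(msg)."""
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        keystream = block_fn(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += xor(msg[i:i + BLOCK], keystream)
    return nonce + bytes(out)


# Constructed scenario: the attacker controls the query string of a request and
# wants the length of the session cookie the client appends after it.
HEAD = b"GET /search?q="
TAIL = b" HTTP/1.1\r\nCookie: session="
SECRET = b"8f3a9c1e0b7d42a6e5f1"   # constructed 20-byte secret
FIXED = len(HEAD) + len(TAIL)      # template length, known to the attacker


def make_length_oracle(mode: str, secret: bytes = SECRET):
    """Return a function mapping attacker input -> observed ciphertext length."""
    key = os.urandom(32)

    def oracle(attacker_input: bytes) -> int:
        plaintext = HEAD + attacker_input + TAIL + secret
        if mode == "cbc":
            return len(cbc_encrypt(key, os.urandom(IV_LEN), plaintext))
        ct_len = len(ctr_encrypt(key, os.urandom(NONCE_LEN), plaintext))
        return ct_len + TAG_LEN if mode == "gcm" else ct_len
    return oracle


def secret_len_stream(oracle, overhead: int) -> int:
    """CTR/GCM: one query; subtract the constant overhead and the known template."""
    return oracle(b"") - overhead - FIXED


def secret_len_cbc(oracle) -> tuple:
    """CBC+PKCS#7: grow the prefix one byte at a time until the ciphertext gains
    a block. At that point the unpadded plaintext length is an exact multiple
    of 16 and the newest block is pure padding, so the secret length follows.
    Returns (secret_length, number_of_queries); never more than 17 queries."""
    base = oracle(b"")
    for k in range(1, BLOCK + 1):
        ct_len = oracle(b"A" * k)
        if ct_len > base:
            plaintext_len = ct_len - IV_LEN - BLOCK   # drop IV and the all-padding block
            return plaintext_len - k - FIXED, k + 1
    raise AssertionError("PKCS#7 must tick over within 16 extra bytes")


if __name__ == "__main__":
    print("CTR:", secret_len_stream(make_length_oracle("ctr"), NONCE_LEN), "bytes, 1 query")
    print("GCM:", secret_len_stream(make_length_oracle("gcm"), NONCE_LEN + TAG_LEN), "bytes, 1 query")
    n, q = secret_len_cbc(make_length_oracle("cbc"))
    print("CBC:", n, "bytes,", q, "queries")
```

With the constructed template the stream modes give the cookie length in a single observation; CBC needs the prefix to grow by three bytes before the ciphertext ticks over, so four observations. The difference is work, not protection, which is the point of the block-boundary argument; the tag only adds a constant.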

dorkusmcgavin | 7 years ago | on: New TLS Padding Oracles

AES is a block cipher that operates on 128-bit blocks exclusively. If you look at the implementation of AES-GCM, it also operates on 128-bit blocks. AES-GCM is basically just counter mode with built in correct MAC handling.

Your claim that AES-GCM is length preserving is completely false, other than the obvious multiples of the block size which is the same as CBC mode or any other mode.

Your statement isn't heretical, it's just based on a false statement. If the premise of your statement were true, your extra analysis would be correct.

I would read up on the details of the mode itself, this graph is a good place to start then move on to the mathematical section which talks about the 128-bit blocks:

https://en.wikipedia.org/wiki/Galois/Counter_Mode

dorkusmcgavin | 7 years ago | on: Microsoft acquires Github

Your intention is correct, but your details are not (as are the OP's). Microsoft shares its SSL certs with the entire planet. Microsoft protects its private keys and does not share them with the NSA.

The NSA forges Microsoft's SSL keys, they do not need to ask for them.

https://en.wikipedia.org/wiki/Flame_(malware)

Even with the mitigations provided by moving away from MD5, simple integration with a CA would be much more strategically beneficial.

dorkusmcgavin | 7 years ago | on: Memorandum on Microsoft’s strategy against Linux and Open Source software (1998)

> The same people calling for everyone to always remember what Microsoft did 20 years ago log out of HN and go work on their Facebook React app with no apparent sense of irony.

Speak for yourself, that's a lot of false assumptions and gross over-judging. I have no social media accounts (and this account on THN will likely last less than 6 months). The only thing above is that I do have an Android phone, which is using LineageOS with most of my apps coming from the F-Droid app store. The only remaining non-F-Droid app is Spotify which I'm migrating away from.

I use Linux exclusively. I do not do app development or any other FarmVille-based development, I do open-source development. My organization is very pro open-source.

My only hypocrisy comes from using Google Voice. I do not even use Google Search, Mail, etc and haven't for 5 years. If I want to use Javascript, I use Javascript (these frameworks are stupid and more complicated than plain-jane JS... every time I roll out a web application people don't understand how it's so "fast" and want to look at the code, then can't understand how I'm not using a framework... it's silly).

> even if you are willfully ignoring the same and worse behavior by many, many companies today.

Regardless of what people want to believe, the whataboutism here is ridiculous. It is 100% possible to dislike all of these corporations and their anti-competitive, anti-capitalistic mindsets.

dorkusmcgavin | 7 years ago | on: Microsoft acquires Github

I'll just dump my own here.

This is mostly anti-corporate, anti-monopolistic, anti-cloud, and anti-surveillance ideas. Windows, the development environments, etc is a monolithic platform that has very little in terms of customization due to its structure and prevents competitive integrations. Think of all of the WMs for Linux, or any other modular component in Linux. Linux provides extensive competition, and Microsoft is seemingly attempting to drag people into an all inclusive "developer" network that prevents anyone from doing anything outside the walled garden of their systems in a meaningful way. LinkedIn accounts are going to become Office365 accounts by their own admission when it was acquired. Governments, small businesses, etc are moving to Office365.

Between LinkedIn, GitHub, Skype, and Xbox, their focus on developers is increasingly looking more like a "we want to see what developers do, how they spend their time, and data-mine them so we can tailor our experience better towards them, and assimilate them into our Borg hivemind". If you're fine with data-mining for these purposes, we're going to have to agree to disagree.

WSL is mostly just a means of getting more Linux users to convert to the Big Brother Borg by providing them useful tools so they don't have to install Cygwin.

For those asking why it's bad for a company to make money, you are missing the point. You can monetize GitHub (and it is), without selling over to another company. Even if GitHub is not profitable, that's just bad business management and pricing that needs to be fixed. You can monetize software while making a competitive platform. This goes to the MBA approach of "blue ocean strategy" over a "red ocean strategy". People are afraid of competition, and want the comfort of knowing someone else has made those decisions for them. I do not, I want competition in technology otherwise we'll get to a stagnant technology development system. It's already theorized by WSJ analysts and defectors from Google, etc, that Silicon Valley is devoid of all ability to innovate, and they are investing and going elsewhere.

Microsoft went from selling a product (Windows), to selling a product (Windows 10) that serves mountains of advertisements. Xbox is guilty of this as well. Telemetry, despite people's claims of the privacy screen, has an upper bound on the amount you can opt-out of (some telemetry, even in Windows 10 Enterprise, is not opt-out).

From a security perspective, even if the data is silo'd off, this also provides many issues as individuals who are highly skilled in cybersecurity will end up needing access across services (especially incident responders), and they become targets for massive troves of data access and breaches.

Microsoft is still attacking Android device handset manufacturers with lawsuits (but not Google), for Android's uses of FAT file systems, etc. Microsoft is inherently still acting as a patent troll against open source.

There are accusations of open source plagiarism (not certain the credibility):

https://twitter.com/jamiebuilds/status/1002696931527700481

GitHub already has issues with pseudo-accounts. You can create a profile that showcases forked repositories that you have not contributed anything to and throw up a neat avatar and it looks like you are a coding god. Not to a skilled developer who understands Git, but to an HR recruiting representative who knows very little in a small business it takes about 5 minutes to create the equivalent of an Instagram fake coding lifestyle.

And I'm really getting sick of the "Google, Apple, Amazon, and Facebook are just as bad, get over it" whataboutisms. Yes they are. It's possible to oppose all of the above.

dorkusmcgavin | 7 years ago | on: Memorandum on Microsoft’s strategy against Linux and Open Source software (1998)

For Skype, the real complaints (maybe not here) are the structure and ways Skype works.

Originally, Skype was a P2P communications platform, even for calls. After Microsoft acquired it, it was pushed into a centralized model. This goes against some fundamental concepts of how the internet is supposed to work, and the main benefits are mostly for Microsoft and not necessarily for users. Data acquisition of random call monitoring (for "quality"), government snooping (PRISM), and to integrate Skype into things like Xbox.

We should be moving more in the direction of federated protocols, but instead we are moving towards more and more centralization in tech as well as in our society. This also has security implications with data consolidation, data sharing, etc.

dorkusmcgavin | 7 years ago | on: GDPR: Don't Panic

That's an interesting statute. The problem is it can be interpreted in many ways. Your interpretation is how some may see it, however there are others as well.

For instance:

> by a natural person in the course of a purely personal or household activity

First off, this isn't purely personal nor household activity. I serve others, not myself.

> and thus with no connection to a professional or commercial activity.

If the goal of the community is to help people develop professional skills (writing, for instance), couldn't that have a connection to professional activity? Also, I use this website as an example on my resume to bolster my own professional competence as a coder. That could qualify.

As always, laws are words that generally end up with the best paid lawyer's interpretations winning in court. It's a roll of the dice, that statute is not clear at all.

We're still debating the meaning of nearly all statutes in the US constitution 242 years later. Some in the legal community have declared "consensus" by case law, but even those end up getting changed and overturned all the time.

dorkusmcgavin | 7 years ago | on: GDPR: Don't Panic

I personally am not hysterical about any of this, I just am concerned for the citizens of the EU while living under this law. My main issue with the GDPR is that articles and supporters are constantly thinking in terms of "business" and not in terms of other services, and also not thinking in terms of long term impact.

For instance, I run a small community website (~30 people). I receive no income, and I know everyone involved. Everyone is in the United States. Is it open to the world? Yes, technically. What happens when an EU resident signs up? Well, I'll continue to do exactly the way things are currently set up.

How does this situation play out long term? First, I'll tell whomever contacts me that I am in compliance with US law, and I'm a US citizen. I do not have to follow their laws because it's not within my jurisdiction. Second, they will order me to block EU citizens from my site, which I will not do because it's a mandate of work on me for no reason by a foreign country.

So what happens in this situation? The only recourse for the EU is the internet version of "sanctions", to block my website from the EU.

Now they've set a really interesting precedent. How do they now enforce these blocks? Technical issues aside, are they going to do a whitelist or a blacklist? Regardless, they are setting up the equivalent of the Great Firewall for the purposes of maintaining the GDPR.

So why does this matter? It's only an isolated incident that will likely never occur, right?

Wrong. One community website like mine with one EU citizen that decides to file a GDPR complaint means that somehow this situation occurs. It can even be an intentional, "sign up, file complaint" immediately to trigger this legal situation. Think there aren't any foreign governments that wouldn't flood a system like this to censor the EU citizens in various mild ways? Think some random anarchist activist will not decide to monkey with the system by finding and reporting all the small violators?

The end product is a curation of the internet for EU citizens by EU government. Hopefully your leaders are benevolent, and nothing crazy happens in the democratic process. I remember being told during the Bush and Obama administrations that my views against government surveillance due to potential for abuse were unjustified because we could never have a horrible president and that our presidents will always be benevolent, so the policy would never change toward the worse. How did that play out? How do people think democracy functions, honestly?

Again, I really don't care too much. They can self censor if they want, but it really seems like GDPR is a win for Russian and Chinese meddling.

dorkusmcgavin | 7 years ago | on: Senate votes to reinstate net neutrality

> then went on to define net neutrality as the exact opposite of the commonly accepted meaning.

[Regarding Obama Administration]

"Then there was the 'fairness doctrine,' designed to limit opposing voices in radio and on television; 'net neutrality,' which promised to regulate the Internet so as to prevent, ultimately, individuals from frequenting Web sites that might disagree with an administration;"

- Larry Schweikart (What Would the Founders Say?)

[Endorsed by Glenn Beck and read by Tea Party supporters all over.]

I think if you just give them the correct definition of Net Neutrality and explain how it works and why, they would be for it. But people frequently leave out the "how it works and why" part of an argument so it just defaults to polarized scream matches. If people took the time to explain things to people, IE: "speak truth to stupid", we would be much better off.

To be fair, Larry Schweikart is incredibly intelligent and well read on history.

"Mr 'Buckley' - well-spoken, intelligent, curious - had heard virtually nothing of modern science. He had a natural appetite for the wonders of the Universe. He wanted to know about science. It’s just that all the science had gotten filtered out before it reached him. Our cultural motifs, our educational system, our communications media had failed this man. What society permitted to trickle through was mainly pretence and confusion. It had never taught him how to distinguish real science from the cheap imitation. He knew nothing about how science works."

- Carl Sagan (Demon Haunted World)
