Security Cryptography Whatever-logo

Security Cryptography Whatever

Technology Podcasts

Some cryptography & security people talk about security, cryptography, and whatever else is happening.

Location:

United States

Description:

Some cryptography & security people talk about security, cryptography, and whatever else is happening.

Language:

English


Episodes

Cruel Summer: hybrid signatures, Downfall, Zenbleed, 2G downgrades

9/13/2023
We're back from our summer vacation! We're covering a bunch of stuff we saw and did: Transcript: https://securitycryptographywhatever.com/2023/09/13/cruel-summer/ Links: - Zenbleed: https://lock.cmpxchg8b.com/zenbleed.html - Downfall: https://downfall.page - Post-quantum Yubikeys: https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:58:35

Why do we think anything is secure, with Steve Weis

6/29/2023
What does P vs NP have to do with cryptography? Why do people love and laugh about the random oracle model? What's an oracle? What do you mean factoring and discrete log don't have proofs of hardness? How does any of this cryptography stuff work, anyway? We trapped Steve Weis into answering our many questions. Transcript: https://securitycryptographywhatever.com/2023/06/29/why-do-we-think-anything-is-secure-with-steve-weis/ Links: - The Random Oracle Methodology, Revisited: https://eprint.iacr.org/1998/011.pdf - Factoring integers with CADO-NFS: https://www.ens-lyon.fr/LIP/AriC/wp-content/uploads/2015/03/JDetrey-tutorial.pdf - On One-way Functions from NP-Complete Problems: https://eprint.iacr.org/2021/513.pdf - Seny Kamara's lecture notes on provable security: https://cs.brown.edu/~seny/2950-v/2-provablesecurity.pdf - How To Simulate It – A Tutorial on the Simulation Proof Technique: https://eprint.iacr.org/2016/046.pdf - A Survey of Leakage-Resilient Cryptography: https://eprint.iacr.org/2019/302 - A Decade of Lattice Cryptography: https://eprint.iacr.org/2015/939.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:46:17

Elon's Encrypted DMs with Matthew Garrett

5/29/2023
Are Twitter’s new encrypted DMs unreadable even if you put a gun to Elon’s head? We invited Matthew Garrett on to do a deep decompiled dive into what kind of cryptography actually shipped. Transcript: https://securitycryptographywhatever.com/2023/05/29/elons-encrypted-dms-with-matthew-garrett/ Links: https://mjg59.dreamwidth.org/66791.html https://help.twitter.com/en/using-twitter/encrypted-direct-messages https://www.techdirt.com/2023/05/11/twitter-launches-not-actually-encrypted-encrypted-dms/ BrokenKDF2BytesGenerator: https://github.com/bcgit/bc-java/blob/master/prov/src/main/java/org/bouncycastle/jce/provider/BrokenKDF2BytesGenerator.java#L70 Analysis from sweis: https://twitter.com/sweis/status/1657082478727933954?s=20 https://signal.org/docs/specifications/x3dh/ https://signal.org/docs/specifications/doubleratchet/ https://support.signal.org/hc/en-us/articles/360007059752-Backup-and-Restore-Messages Trail of Bits has not audited nor signed a contract yet, per Platformer: https://www.platformer.news/p/why-you-cant-trust-twitters-encrypted "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:52:28

WhatsApp Key Transparency with Jasleen Malvai and Kevin Lewi

5/6/2023
WhatsApp has announced they’re rolling out key transparency! Doing this at WhatsApp-scale (aka billions and biiillions of keys) is a significant task, so we talked to Jasleen Malvai and Kevin Lewi about how it works. Transcript: https://securitycryptographywhatever.com/2023/05/06/whatsapp-key-transparency Links: https://engineering.fb.com/2023/04/13/security/whatsapp-key-transparency/ https://github.com/facebook/akd Parkeet: https://eprint.iacr.org/2023/081.pdf CONIKS: https://eprint.iacr.org/2014/1004.pdf SEEMless: https://eprint.iacr.org/2018/607.pdf WhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf Keybase key transparency: https://book.keybase.io/docs/server "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:55:43

Messaging Layer Security (MLS) with Raphael Robert

4/22/2023
Messaging Layer Security (MLS) 1.0 is (basically) here! We invited Raphael Robert, coauthor of the MLS specification to explain it to us and answer our annoying questions (read: why does this exist?) Transcript: https://securitycryptographywhatever.com/2023/04/22/mls/ Links: - https://messaginglayersecurity.rocks/ - https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html - https://messaginglayersecurity.rocks/mls-architecture/draft-ietf-mls-architecture.html - https://github.com/openmls/openmls - https://eprint.iacr.org/2022/1533.pdf - https://eprint.iacr.org/2020/1327.pdf - https://eprint.iacr.org/2022/559.pdf - https://signal.org/docs/ - https://en.wikipedia.org/wiki/Key_encapsulation_mechanism - https://twitter.com/beurdouche/status/1220617962182389760 - https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#mls-ciphersuites - https://www.ietf.org/archive/id/draft-ietf-mls-federation-02.html - https://datatracker.ietf.org/wg/mimi/documents/ - https://competition-policy.ec.europa.eu/dma/dma-workshops/interoperability-workshop_en - Yes in the protocol document this is 1.0: https://messaginglayersecurity.rocks/mls-protocol/draft-ietf-mls-protocol.html#section-6 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:55:02

Real World: Crypto (2023)

3/24/2023
Real World Cryptography 2023 is happening any moment now in Tokyo. Also, some phone basebands are broken. Links Transcript: https://securitycryptographywhatever.com/2023/03/24/rwc-2023/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:54:51

Threema with Kenny Paterson, Matteo Scarlata, & Kien Tuong Truong

1/27/2023
Another day, another ostensibly secure messenger that quails under the gaze of some intrepid cryptographers. This time, it's Threema, and the gaze belongs to Kenny Paterson, Matteo Scarlata, and Kien Tuong Truong from ETH Zurich. Get ready for some stunt cryptography, like 2 Fast 2 Furious stunts. Transcript: https://securitycryptographywhatever.com/2023/01/27/threema/ Links: https://breakingthe3ma.app/ https://threema.ch/press-files/2_documentation/cryptography_whitepaper.pdf https://threema.ch/en/blog/posts/ibex "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:03:55

Has RSA been destroyed by a quantum computer???

1/6/2023
There's a paper that claims one can factor a RSA-2048 modulus with the help of a 372-qubit quantum computer. Are we all gonna die? Also some musings about Bruce Schneier. Errata: Schneier's honorary PhD is from the University of Westminster, not UW. Transcript: https://securitycryptographywhatever.com/2023/01/06/has-rsa-been-destroyed-by-a-quantum-computer/ Links: https://arxiv.org/pdf/2212.12372.pdf https://eprint.iacr.org/2021/232.pdf https://github.com/lducas/SchnorrGate https://sweis.medium.com/did-schnorr-destroy-rsa-show-me-the-factors-dcb1bb980ab0 https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html https://scottaaronson.blog/?p=6957 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:41:12

End of Year Wrap Up

1/4/2023
David and Deirdre gab about some stuff we didn't get to or just recently happened, like Tailscale's new Tailnet Lock, the Okta breach, what the fuck CISOs are for anyway, Rust in Android and Chrome, passkeys support, and of course, SBF. Transcript: https://securitycryptographywhatever.com/2023/01/04/end-of-year-wrap-up/ Links: https://tailscale.com/blog/tailnet-lock/ https://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html https://groups.google.com/a/chromium.org/g/chromium-dev/c/0z-6VJ9ZpVU "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:59:27

Software Safety and Twitter with Kevin Riggle

11/24/2022
We talk to Kevin Riggle (@kevinriggle) about complexity and safety. We also talk about the Twitter acquisition. While recording, we discovered a new failure mode where Kevin couldn't hear Thomas, but David and Deirdre could, so there's not much Thomas this episode. If you ever need to get Thomas to voluntarily stop talking, simply mute him to half the audience! https://twitter.com/kevinriggle Transcript: https://securitycryptographywhatever.com/2022/11/24/software-safety-and-twitter-with-kevin-riggle/ Errata Links https://free-dissociation.com/blog/posts/2018/08/why-is-it-so-hard-to-build-safe-software/https://complexsystems.group/https://how.complexsystems.fail/https://noncombatant.org/2016/06/20/get-into-security-engineering/https://blog.nelhage.com/2010/03/security-doesnt-respect-abstraction/http://sunnyday.mit.edu/safer-world.pdfhttps://www.adaptivecapacitylabs.com/john-allspaw/https://www.etsy.com/codeascraft/blameless-postmortemshttps://increment.com/security/approachable-threat-modeling/https://www.nytimes.com/2022/11/17/arts/music/taylor-swift-tickets-ticketmaster.htmlhttps://www.hillelwayne.com/post/are-we-really-engineers/https://www.hillelwayne.com/post/we-are-not-special/https://www.hillelwayne.com/post/what-we-can-learn/https://lotr.fandom.com/wiki/Denethor_IIhttps://twitter.com/sarahjeong/status/1587597972136546304 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:58:36

Matrix with Martin Albrecht & Dan Jones

11/2/2022
No not the movie: the secure group messaging protocol! Or rather all the bugs and vulns that a team of researchers found when trying to formalize said protocol. Martin Albrecht and Dan Jones joined us to walk us through "Practically-exploitable Cryptographic Vulnerabilities in Matrix". Transcript: https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/ Links: "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:06:24

SOC2 with Sarah Harvey

10/16/2022
We have Sarah Harvey (@worldwise001 on Twitter) to talk about SOC2, what it means, how to get it, and if it's important or not. The discussion centers around two blog posts written by Thomas: Transcript: https://securitycryptographywhatever.com/2022/10/16/SOC2-with-Sarah-Harvey/ Links: https://tailscale.com/blog/soc2-type2/https://sso.taxhttps://getnametag.comhttps://censys.iohttps://fly.io "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:01:37

Nate Lawson II

9/29/2022
This episode got delayed because David got COVID. Anyway, here's Nate Lawson: The Two Towers. https://en.wikipedia.org/wiki/Steven_Chuhttps://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_feedback_(CFB)https://link.springer.com/chapter/10.1007/11502760_19https://en.wikipedia.org/wiki/XXTEAhttps://cseweb.ucsd.edu/~dstefan/cse227-spring20/papers/watson:cheri.pdf Transcript: https://securitycryptographywhatever.com/2022/09/29/nate-lawson-ii/ Errata: "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:23:19

Nate Lawson: Part 1

9/9/2022
We bring on Nate Lawson of Root Labs to talk about a little bit of everything, starting with cryptography in the 1990s. Transcript: https://securitycryptographywhatever.com/2022/09/09/nate-lawson-part-1/ References Errata "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:19:56

Hot Cryptanalytic Summer with Steven Galbraith

8/11/2022
Are the isogenies kaput?! There's a new attack that breaks all the known parameter sets for SIDH/SIKE, so Steven Galbraith helps explain where the hell this came from, and where isogeny crypto goes from here. Transcript: https://securitycryptographywhatever.com/2022/08/11/hot-cryptanalytic-summer-with-steven-galbraith/ Merch: https://merch.scwpodcast.com Links: https://eprint.iacr.org/2022/975.pdfhttps://eprint.iacr.org/2022/1026.pdfhttps://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/https://eprint.iacr.org/2016/859.pdfhttps://eprint.iacr.org/2022/518.pdfhttps://research.nccgroup.com/2022/08/08/implementing-the-castryck-decru-sidh-key-recovery-attack-in-sagemath/https://eprint.iacr.org/2019/725https://eprint.iacr.org/2020/1240.pdf https://eprint.iacr.org/2022/1038.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:52:35

Passkeys with Adam Langley

8/11/2022
Adam Langley (Google) comes on the podcast to talk about the evolution of WebAuthN and Passkeys! David's audio was a little finicky in this one. Believe us, it sounded worse before we edited it. Also, we occasionally accidentally refer to U2F as UTF. That's because we just really love strings. Transcript: https://securitycryptographywhatever.com/2022/08/11/passkeys-with-adam-langley/ Links: GoogleIO PresentationWWDC PresentationW3C WebAuthNpasskeysCABLECable / Hybrid PRCTAP spec NKPSKDERP Don't forget about merch! https://merch.securitycryptographywhatever.com/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:03:01

Hertzbleed

6/17/2022
Side channels! Frequency scaling! Key encapsulation, oh my! We're talking about the new Hertzbleed paper, but also cryptography conferences, 'passkeys', and end-to-end encrypting yer twitter.com DMs. Transcript: https://securitycryptographywhatever.com/2022/06/17/hertzbleed/ Links: Hertzbleed Attack | ellipticnews (wordpress.com)https://www.hertzbleed.com/hertzbleed.pdfhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=3920031Merch: https://merch.scwpodcast.com "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:00:58:39

OMB Zero Trust Memo with Eric Mill

6/10/2022
The US government released a memo about moving to a zero-trust network architecture. What does this mean? We have one of the authors, Eric Mill, on to explain it to us. As always, your @SCWPod hosts are Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian). Transcript: https://securitycryptographywhatever.com/2022/06/10/omb-zero-trust-memo-with-eric-mill/ Links: OMB MemoExecutive order on cybersecurityPIV cardDerived PIVBeyondCorpHSTS Preloading.gov preloadingNeither Rain, Nor Snow, Nor MITMEDR memoTechnology Transformation Services (TTS)Is it Christmas? "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:00:33

Tink with Sophie Schmieg

5/28/2022
We talk about Tink with Sophie Schmieg, cryptographer and algebraic geometer at Google. Transcript: https://securitycryptographywhatever.com/2022/05/28/tink-with-sophie-schmieg/ Links: https://twitter.com/SchmiegSophiehttps://github.com/google/tinkhttps://youtube.com/watch?t=1028&v=CiH6iqjWpt8https://twitter.com/SchmiegSophie/status/1413502566797778948https://en.wikipedia.org/wiki/EAX_modehttps://en.wikipedia.org/wiki/AES-GCM-SIVhttps://github.com/google/tink/blob/master/docs/PRIMITIVES.md#deterministic-authenticated-encryption-with-associated-datahttps://twitter.com/XorNinjahttps://twitter.com/XorNinja/status/1310587707605659649 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:07:23

Cancellable Crypto Takes, and Real World Crypto

4/12/2022
Live from Amsterdam, it's cancellable crypto hot takes! A fun little meme, plus a preview of the Real World Crypto program! Transcript: https://securitycryptographywhatever.com/2022/04/12/cancellable-crypto-takes-and-real-world-crypto/ Links: Tony's twete: https://twitter.com/bascule/status/1512539700220805124 Real World Crypto 2022: https://rwc.iacr.org/2022 Merch! https://merch.scwpodcast.com Find us at: https://twitter.com/scwpod https://twitter.com/durumcrustulum https://twitter.com/tqbf https://twitter.com/davidcadrian "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Duration:01:11:04