0:11

Are you starting or am I starting?

0:13

Ah, that's a great question. Welcome

0:15

to security, cryptography, whatever.

0:18

My name is David I'm here

0:20

with Deirdre. Who's, uh,

0:24

who's been having a rough day. We'll put it at that.

0:29

Um, we are unfortunately, uh,

0:31

Thomas free this week. So

0:34

you're stuck with just the two of us, and

0:37

we're gonna do our usual game where

0:40

Deirdre understands math and then

0:42

I ask questions and

0:45

we will be playing the Hertzbleed

0:48

version of that game

0:49

yeah. Uh,

0:51

talking about some other stuff too. So

0:54

yes,

0:55

what is Hertz

0:56

Hertzbleed is a new, uh,

0:58

side channel attack. a

1:00

physical side channel attack paper against

1:03

one of my favorite things. Uh, an

1:05

implementation of SIKE, which is super

1:08

singular, isogeny key encapsulation,

1:11

um, and TLDR.

1:15

If you have turbo mode activated

1:17

on your processor, AKA

1:20

frequency scaling, depending on

1:22

how much power it's using it

1:24

can cause, uh, variation,

1:27

uh, in the processing time

1:30

of your crypto. Uh, and it varies

1:32

according to the value of your secret. Therefore,

1:35

if you can measure this, uh, you

1:37

can extract your secret and

1:39

they were able to, uh, leverage this against,

1:42

um, my favorite isogeny based

1:44

crypto system, which is not making

1:46

it to the, uh, final round of

1:48

the NIST post quantum competition. But

1:50

it is still, uh, you know,

1:53

a everyone's favorite redheaded stepchild

1:56

of the post crypto world. Um,

1:58

uh, I feel like this is like a targeted

2:00

Deirdre bug because

2:02

a little,

2:03

SIKE and then it's an architecture,

2:06

uh, side channel. Um,

2:08

so your partner who works in architecture,

2:12

um,

2:12

Oh God.

2:13

it's not as problem.

2:14

Yeah. And I literally was like,

2:17

there's a new paper. It has to do

2:19

with turbo scaling. And he's like, I already

2:21

know what the attack is. Stop talking to

2:23

me about it. um,

2:26

and so there is already

2:28

a known attack. Uh,

2:30

so the way that SIKE basically

2:32

works is that instead of doing this ephemeral

2:35

key exchange, kind of like elliptic

2:37

curve diffie Hellman, but with, instead

2:39

of exchanging points on curves, you exchange curves,

2:42

but also some points on those curves so that you

2:44

can do the final thingy and get to a shared

2:46

secret. Uh, it's kind of doing,

2:49

um, it's almost,

2:51

it's, it's solving the answer before

2:54

and then encrypting with it

2:56

and then giving you your key.

2:59

And then this is the whole KEM,

3:01

this key encapsulation mechanism.

3:03

So it's

3:04

So they, they tweaked the API to fit

3:06

into the N chem D uh,

3:09

uh, format,

3:09

yeah. And so,

3:11

addressed if I, if I recall correctly addressed

3:13

some of the, oh no, it's a static key. And

3:15

therefore the out of group attack supply.

3:17

Yes. Uh, the S

3:19

I D H uh, you should not use

3:22

it in a static, uh, ephemeral

3:24

setting. There is a, uh, you know,

3:26

active, adaptive attack that you can use

3:28

against that, but SIKE

3:30

turns it from, uh,

3:33

Basically would allow you to do,

3:35

uh, in theory, do use it

3:37

for static, um,

3:39

settings. So for example, if you have a

3:41

long term identity key, like in the signal protocol

3:44

or classic signal protocol, um,

3:47

you, that would live for a long time,

3:49

um, you would not want to use pure

3:51

S I D H to replace that because you

3:53

could just run this attack against that static key

3:55

over and over again, and you would get,

3:57

uh, you would be able to get the secret out. In

3:59

theory, you should have been able to do

4:01

this with SIKE instead, the

4:03

API would be different and not as

4:06

pretty, but you could in theory, do it, this

4:08

attack, uh, would,

4:11

if it works, does a thing

4:13

that would let you extract, the key,

4:15

the secret key from your SIKE key pair,

4:17

but it's a side channel

4:20

power analysis attack.

4:22

the other thing that was you

4:24

know, novel about it is that you can do it remotely.

4:27

So you would make queries either

4:29

like over some, you know, web

4:31

app request on your local

4:34

network. Um

4:36

than like break out the multi-meter

4:38

and pluck it into the processor

4:40

and

4:40

Yeah.

4:41

going on.

4:41

And I think, I think the way that they

4:43

actually leverage that is they are able,

4:46

so we'll, we'll get into to my

4:48

quibbles about this paper, uh,

4:51

next, uh, they're able to measure

4:53

it in the timing. So, so

4:55

kind of, I won't get super detailed

4:57

into the, the physical thing, but basically for

4:59

certain processors, if you're

5:01

compute and— out of the box,

5:04

they're configured to, uh, turn

5:06

on like turbo mode. Sometimes if your

5:08

compute is taking too long or taking too much

5:10

power, the processor can decide

5:12

to just go into like another gear and

5:14

tweak with the processor cycle

5:17

rate, the frequency. Um,

5:20

and this attack is leveraging

5:23

that change in signal, uh,

5:26

to extract information about the secret

5:28

and they get enough information— and they're able

5:30

to, they're able to measure

5:33

that in the timing of

5:35

the computation. So in

5:37

theory, you could also measure this by like slapping

5:39

a, like a multi-meter on the machine

5:41

and measure the power or slapping

5:44

an em, uh, radio, uh,

5:46

on the wall next to the computer. But

5:48

if you can measure this stuff over

5:51

like network latency, if

5:53

it's large enough, and this is in the milliseconds,

5:56

not microseconds, but milliseconds,

5:59

um, that's something you can measure over the network

6:02

to a degree. So that's why that's remote

6:04

and that's, that's kind of scary for people and stuff

6:06

like that.

6:07

That's one of the reasons that they're they're targeting,

6:10

uh, SIKE right, is because all the

6:12

post quantum stuff is bigger and slower

6:14

than where we've gotten elliptic

6:16

curves to these days by virtue of

6:19

constantly redesigning them for performance,

6:22

and then applying the Bitcoin

6:24

community at performance improvements

6:26

in exchange for money.

6:27

yes. This is where I get into

6:30

sort of like, cool. This is interesting

6:32

and novel, you know, this is a cool,

6:34

interesting thing. Uh,

6:37

good, good job. You're able to Mount this attack.

6:39

However, your target

6:42

is the slowest computation

6:45

in all of the post quantum crypto systems.

6:48

The one of the largest parameter

6:50

sets of that crypto system that

6:52

is available. This is using the P

6:54

7 51 parameter set that is a 751

6:58

bit prime field, uh,

7:01

over an extension field. So it's not

7:03

just all the, the SIDH's

7:05

and the SIKEs are not just doing a,

7:07

you know, finite field arithmetic, from

7:10

zero to a 751

7:12

bit number they're doing quadratic

7:14

arithmetic. So they're doing, you

7:16

know, whatever the scaling number

7:18

of computations that you have to do, you're doing,

7:21

more. Um, that

7:24

used to be a good middle of

7:26

the road parameter set... eh,

7:28

let's say, six years ago for

7:31

S I DH and SIKE since

7:34

then the security analysis,

7:36

cryptanalysis, uh, and,

7:38

and everything else about S I D H and SIKE,

7:41

um, at like the fundamental computational

7:43

level, not like this kind of protocol level,

7:45

like, you know, whatever vulnerability

7:48

stuff, has brought the

7:50

like security level up

7:52

of the protocol. And that lets us bring the

7:54

parameter sets down and make

7:56

the protocol faster without losing

7:59

security. So they should—

8:01

I asked the, oh, the co-author or one

8:03

of the co-authors online. Did you try this against

8:05

the parameter set 434.

8:08

So that's a 434 bit

8:10

base prime field. And that

8:12

parameter set is, I

8:14

don't know, like a hundred percent

8:17

faster, usually just to do computation

8:19

than the one that they targeted. Um,

8:22

in theory being, this

8:25

would go fast enough that

8:28

this turbo mode that's on by default on

8:30

these processors would not kick in as

8:32

quickly. And you would not be able

8:34

to get as good of a signal out

8:37

of the target that you're trying to attack

8:39

as you do for the 7 51 that they did

8:41

in their paper. They

8:44

said, they're gonna go try it. They haven't done

8:46

it yet. They haven't done it for elliptic curves

8:48

yet just pure classical elliptic curves yet;

8:50

I look forward to their results.

8:54

Well for, for elliptic curves, it's still,

8:56

I think, seems to be an open question as

8:58

to like, if it's even possible because of the speed,

9:01

but, um, the turbo scaling. Do

9:03

you, uh, how does that, when

9:05

does that kick in and why

9:07

does making something faster or

9:10

shorter, make

9:10

oh, so the idea being,

9:13

um, like how would you mitigate this?

9:15

Basically, if your compute

9:17

is faster and more efficient,

9:20

it's less likely that your processor is

9:22

going to think, uh, or learn

9:24

or use a heuristic, or whatever, like,

9:27

oh shit, you're using a ton of power. You're taking

9:29

a long time. I gotta like tweak my

9:31

clock cycles and, you know, change

9:33

how I'm allocating my compute

9:35

in order to like, switch it over

9:38

here or, you know, reallocate it from

9:40

this process over there or whatever it's doing.

9:42

If you're faster and more efficient,

9:45

it's less likely to get into this

9:47

side channel eliciting

9:50

behavior. That's the theory.

9:52

Versus the usual state of a processor,

9:54

which is just blocked on IO or blocked

9:56

on memory, um, or both,

9:59

uh, blocked on JavaScript.

10:01

Oh God damn JavaScript. Unless

10:03

it's, unless you're doing this CR

10:06

like God, if people are doing 7

10:08

50, 1 bit SIKE in JavaScript,

10:10

I'm not gonna give anyone ideas. Someone's probably done

10:12

it already. Uh, yeah. It's interesting.

10:15

It's interesting. But I would like to see them try

10:17

to Mount it against a less vulnerable

10:20

target. How about that? Hmm, love

10:22

that side

10:22

I've been thinking about, you know,

10:24

Spectre a little bit recently,

10:27

um, because, in

10:29

my day job at Chrome, which

10:32

I'm not speaking on behalf of, um,

10:35

you know, Site Isolation feature

10:38

was a big deal. Um,

10:40

and the basic idea behind Site

10:42

Isolation is when Chrome launched. It was one process

10:45

per tab, and everyone thought that was cool because

10:47

websites and browsers used to crash all the time.

10:50

And now just the tab would crash

10:52

and not the whole browser. And you would get the

10:54

sad tab, uh, little face. And

10:57

that was cool and that had security benefits as well.

10:59

Um, and that, you know, the stuff in one tab

11:01

couldn't leak into another. but

11:05

the fact of the matter remained that like, if you somehow

11:07

got code execution in a tab

11:09

in the renderer process, you could then just be

11:11

like, let me load up Facebook. And then

11:13

suddenly Facebook and all of its data is in

11:15

that tab. And, uh, you

11:18

can get data out that way. And so

11:20

Site Isolation was developed

11:22

as an idea of like, you know, let's actually do one process

11:24

per site rather than one process per tab to

11:27

mitigate some of those things. And it

11:29

had the side effect of— Spectre

11:32

gave you basically, if

11:34

you have like JavaScript

11:37

access because of the timing side

11:39

channels you have, um, can

11:42

read any other memory in the process

11:45

without a bug simply,

11:47

uh, by virtue of controlling the JavaScript,

11:50

even if like by normal course of execution,

11:53

Like that data was guarded by like,

11:55

if statements and so on, like you aren't supposed to be

11:57

able to read it. Um, and so you

11:59

could leak data out. And so that kind of like

12:01

accelerated some of the deployment of Site

12:03

Isolation, but without doing

12:05

a whole history of that, of which many other people are

12:07

more qualified to discuss, like

12:09

the big fear with Spectre

12:11

in terms of the web was like that you

12:13

would take one of these side channel based exploits

12:16

that gives you some form of memory

12:18

read and then like, uh,

12:21

weaponize and, or, you know,

12:24

like one click the exploit so that it

12:26

works in more situations. And

12:28

so at the time,

12:31

like there's a chance that like

12:33

this could have been really existential, uh,

12:35

to the web and then, you know,

12:37

Site Isolation more or less mitigated

12:39

it, uh, that took some time. But

12:41

also on the flip side, Um,

12:44

like that just didn't happen. Like

12:46

it turned like, I don't know of anybody

12:48

that used Spectre to actually exploit anything.

12:51

It's not like something in your standard Metasploit

12:53

toolkit and so on. You don't

12:55

see like N-day Spectre exploits

12:58

it's like so targeted. Uh,

13:01

it's like hard to have a generic

13:03

exploit using that.

13:06

I think.

13:06

And so, as a result,

13:08

like, uh, not

13:11

to say, like, it was, it was overblown

13:13

or anything, but just like it didn't, um,

13:16

it could have been much, much worse and

13:19

you know, every time you see one of these, there's

13:21

like the spectrum of like, you. This

13:23

is cool, but then I see like, oh,

13:25

reading out secrets then like the real

13:28

trick for these is the closer you can get to just

13:30

like arbitrary memory read, um,

13:33

the like higher and higher and higher the

13:35

impact is. Um, and

13:37

if you're like writing or finding

13:39

these exploits, the like goal

13:41

for the mega exploit is more

13:44

or less arbitrary memory read.

13:45

yeah, but like Spectre

13:48

Meltdown had a lot of vendor

13:52

coordination to deploy stuff to

13:54

like retpolines and

13:56

all that stuff before

13:58

was disclosed in 2017. Right.

14:01

Yeah. Some of the retpolines

14:03

are gone. And now, like for example,

14:06

V8 and Chrome, the JavaScript compiler

14:08

had some of those types of mitigations in

14:10

its code generation that have since

14:12

been removed, um, because

14:15

of Site Isolation.

14:16

Awesome.

14:17

now, like what your operating system chooses to

14:19

do about this, you know, that's a different question. That's like Spectre

14:22

in the web. Um, versus,

14:24

uh,

14:25

the

14:25

you know, Spectre and your hypervisor, uh,

14:27

which is like the same problem, different shape. Um,

14:31

I'm not sure what they're doing there.

14:32

yeah. I wonder I,

14:35

I would ask this to Thomas, but what do you think, do

14:37

you think, like enough

14:39

mitigations getting deployed

14:41

at announcement time kind of blunted

14:44

the, the drive to

14:46

try to exploit this? Or is it

14:48

just too hard for a 'sploit

14:50

kit to leverage.

14:52

I don't know. I suspect

14:55

the, uh, the

14:57

mitigation stopped some of the like

15:01

HeartBleed-esque exploitation

15:04

in the sense of just like, let's see, who can read

15:06

what type of things that happened after

15:09

HeartBleed happened. Um, but

15:12

I, I don't know, uh, I

15:15

mean, you know, uh, hindsight

15:18

is 2020. Um, I don't, I

15:20

don't know how much we were. Um,

15:22

I, I think in retrospect, and

15:25

I've heard even other people say that like Site

15:27

Isolation wasn't worth it relative to Spectre. Well,

15:30

you know, in my personal opinion Site Isolation

15:32

worth it just for the UXSS improvements.

15:34

Yes.

15:35

but, um, and Site Isolation's

15:37

definitely worth it, you know? Um, right.

15:40

Like had you been wrong? Had we been wrong about,

15:42

uh, Spectre, had it been mass exploited like

15:44

that would've been really bad, um,

15:47

an extinction level event, if you

15:49

will

15:50

Yeah, Jesus Christ. Um, that

15:52

was another vague annoyance. When

15:54

I, when I saw the, the name and

15:57

branding of this, uh, exploit

15:59

this paper as Hertz bleed. And I

16:01

was like, what? It's not

16:03

related to HeartBleed. HeartBleed was like

16:05

memory safety, right. It was a, it

16:07

was a bug, but also memory safety

16:10

that resulted in HeartBleed. This is

16:13

were memory reads

16:15

there were memory reads, but like in

16:17

a very different way. And so, yeah, that's the

16:19

bleed of like, you're leaking

16:21

some information that you're not supposed

16:23

to, but like in a very different manner

16:25

in, and it very, and it

16:27

was like HeartBleed was just like, you

16:29

ask it to do something. And it's like, here,

16:32

I'm gonna read these

16:33

I would— hi, I'd like 65 K of memory,

16:35

please

16:36

yeah. like, and it's like, here you go. Here's the

16:38

private key of this RSA

16:41

cert, or whatever the fuck. Um,

16:44

but, uh, yeah, I. God

16:47

like HeartBleed was my

16:50

running theory is that there's enough

16:53

just dumb bugs

16:55

in memory, unsafe code

16:58

in the world that the

17:00

exploit kits, and even

17:02

a lot of adversaries

17:04

that are trying to exploit you don't

17:07

need to turn to attacks like this.

17:09

Like there are probably people out,

17:11

out there in the world who are like, I'm keeping this

17:14

proof of concept in my back pocket

17:16

just for funsies, but

17:19

I think there's enough low hanging fruit

17:21

that they can get a lot of bang for their buck

17:23

for, without turning to

17:26

micro architectural attacks like Spectre

17:28

and meltdown for, uh,

17:30

side channel attacks that leverage

17:33

physical things like Hertz bleed

17:35

or, or any of these other things. They're

17:38

interesting whiz bang and

17:40

cool proofs of concept. But

17:42

I. People

17:44

who work with those sorts of people

17:46

could probably tell me otherwise,

17:49

but I have a feeling that it's like a, you know, return

17:51

on investment sort of thing. There's plenty of other software

17:54

bugs that they could leverage instead of these

17:57

mean, I think that's even broadly true of software

17:59

bugs. Um, my, my role on this

18:01

podcast is to basically recapitulate other people's

18:03

opinions that I've talked to recently. Um,

18:06

and so I'll say I was talking to,

18:08

uh, uh, someone else recently

18:10

and he was like, look, my priorities

18:12

are like single sign on, malware,

18:16

bunch of other stuff. Like

18:19

zero days in memory, safety, bugs, and

18:21

use after free's in that I'm using.

18:24

Right. Um, and then, you

18:26

know, you probably have another giant gap

18:28

and then like hard, hard

18:30

to exploit side channels. And

18:33

if you're, if you're a platform, um,

18:35

right. These matter a lot more, um,

18:38

if you're a cloud platform or an operating

18:40

system, right, you need, you need to be thinking about

18:42

these things cause you're responsible for like everybody.

18:46

Um, but uh,

18:49

if you are simply, you know, using

18:51

elliptic curves or, or running

18:54

a, a, a TLS, you probably,

18:57

um, have other things to worry

18:59

about.

18:59

yeah. Um, I

19:01

think Mike Hamburg was talking

19:04

about this on a mailing list and he

19:06

basically, he works on

19:08

stuff, I think crypto

19:10

co-processor or something like that. And

19:12

so he, he both has a,

19:15

a vested interest, but also domain expertise

19:17

and basically being like. If you

19:19

can, and you care, just have

19:21

a crypto processing unit,

19:24

like a, you know, trusted enclave sort

19:26

of dealie, or, you know, a crypto chip

19:28

in your, you know, your iPhone

19:31

or your server cloud server

19:33

rack. If that's what you do. And

19:36

it's just very well constrained,

19:39

very well specified,

19:41

you know, performance characteristics. It does

19:43

not do variable scaling.

19:46

It does not do you know,

19:48

all these like side channels that you

19:50

really, really care about. It does not do

19:52

Spectre. It does not do speculative execution.

19:54

It doesn't do all this stuff. And then you

19:57

can just trust it to either

19:59

execute a very narrow set of cryptographic

20:01

operations. Or you can just trust it to compute

20:03

over secret data. And it's not gonna leak

20:05

its ass out and then you're

20:07

done ish, or at

20:10

a, that's a great way for,

20:12

for doing the actual crypto operations.

20:14

I would caveat it a little bit with like, um,

20:17

like last year I was doing some

20:20

work with like the key chain

20:22

and secure enclave APIs on iOS,

20:24

um, for an app, um,

20:26

in the course of my day job, you know, we had some keys in

20:28

there and they were elliptic curves and we were signing

20:31

stuff. And let me tell you those

20:33

APIs are like, the

20:35

device might be very well specified the

20:37

software APIs for interacting with it are not.

20:40

Um, and, uh, they're also

20:43

like in my experience, haven't been particularly reliable

20:45

and I've heard this from other people where just like you,

20:48

when you make a key chain call and sometimes it just doesn't

20:50

work. Um, it doesn't necessarily return

20:53

to an error code. It just like doesn't work. You get

20:55

like a 4 0 4, you don't have a key or something,

20:57

even though you do, or you have like.

20:59

Multiple seconds of,

21:01

uh, of delay, like

21:03

asking, you know, what are the root certificates,

21:06

like key chain, that type of stuff. Um,

21:09

like. Just doesn't return

21:11

you know, you just have to try again or like

21:14

you know, um, so

21:17

fun.

21:18

all that to not to like specifically knock

21:20

on apple or anything, but just to say that, like the

21:22

there's two aspects of that there's well, specifying

21:25

the hardwares that it doesn't. So does these crypto

21:27

things well in hardware, which I think we're pretty good at you

21:29

don't see that many, like attacks

21:31

against the hardware and Yubikeys and so on.

21:34

Um, but what you do see is like,

21:37

oh, this HSM has an API that

21:39

like, lets you do something dumb or like

21:42

is hard to use or. I

21:44

HSMs someone

21:46

needs to disrupt that market. They

21:48

suck. Their APIs suck. I'm gonna

21:50

blame FIPs for a lot

21:52

of that trouble. Like, it's

21:55

it, uh, like there's, there's iOS

21:57

APIs in one bucket and HSMs

22:00

and what they, how they behave and their

22:02

APIs and using them in

22:04

a whole other bucket on the other side of the

22:06

ocean, uh, they

22:08

can be so much better.

22:10

think the, the market for like, you know, secure enclaves

22:12

and phones and so on is clearly very large.

22:15

However, I would posit that the market

22:17

for actual like HSMs that you would

22:19

put in a rack is roughly what you would call

22:21

a zero billion dollar market.

22:23

yeah.

22:24

so you might not, you might

22:26

be waiting a while on that

22:27

There's like two companies. And like the people who need them are

22:29

like, they need it to be FIPS certified. They need

22:31

this, they need that, whatever. Like this was part

22:33

of the reason that, uh, Z cash,

22:36

uh, shielded transaction adoption was so

22:38

difficult is that the places that we

22:40

wanted to deploy these things are like, cool.

22:42

Uh, we do all this things to

22:44

be like conformant with these regulations of

22:46

storing stuff. Like give

22:48

me an HSM that supports your weirdo

22:51

bespoke elliptic curve so that I can

22:53

do elliptic curve signatures

22:55

for these shielded transactions. Like let alone the proofs.

22:58

And we're like, ah, here's a

23:00

smart card software. Like just getting

23:02

it there is like there's

23:04

enough friction of getting stuff like

23:06

that deployed that it was definitely

23:08

like, uh, like slowed

23:11

the adoption of shielded Z cash

23:13

for ages. And it's just like

23:15

the things that you don't think about until like

23:17

the rubber meets the road of like, yeah, I need

23:19

a, a box. That can call

23:21

an API. That's like sign this and

23:24

it needs to like, do you have box?

23:26

And you're just like, no. And they're like,

23:28

do you have to do custom thing to support it? And they're

23:30

like, uh, I don't care

23:33

enough. and

23:35

I blame the HSMs.

23:37

Mm-hmm right.

23:39

don't really

23:40

right. It's like a databases

23:42

for scientists and researchers. It's a zero

23:44

billion dollar market.

23:45

yeah. Yeah. Unless

23:47

Andy Pavlo disrupts the databases. he's

23:50

a database researcher, guy

23:53

I, I believe it was Stonebreaker that first called

23:56

scientific databases, a zero billion

23:58

dollar market, or at least that's where I first heard

24:00

the term.

24:01

Was that before or after he won the Turing

24:03

award?

24:04

uh, around that time, I believe I

24:07

saw him actually give, he gave a talk at, uh, at

24:09

Michigan somewhere around

24:10

cool.

24:11

and that was when I first heard the term zero billion

24:13

dollar market. And I'm like, I'm gonna store

24:15

that one for the future. So

24:18

you were in galavanting around Europe,

24:20

doing cryptography in the past two months

24:22

is my understanding,

24:23

I

24:23

um, living the dream and

24:26

twice, um, twice

24:28

in no COVID either time.

24:29

twice in no, COVID, uh,

24:32

you know, crossing myself, um,

24:34

was there for real world crypto and Amsterdam.

24:37

Super awesome. We did our episode live from

24:40

Amsterdam. Um, you got

24:42

the gist from, from that. And

24:44

then I went back to Europe a

24:46

couple weeks ago to go to Eurocrypt

24:48

in Norway, which was very much

24:50

like I finally got to go to like a, you

24:53

know, IA, R flagship.

24:55

Academic crypto conference, cuz real world

24:57

crypto is like a symposium. They do a lot of talks. There's

25:00

a lot of industry folks, Eurocrypt is

25:02

like proper. Like, do you

25:04

want three hours on universal

25:07

composability of security

25:09

proof simulation. here's

25:12

the conference for you? Um,

25:14

do you care about the Fiat Shamir

25:16

transform? I'll talk to you for, you

25:19

know, three talks in a row about it today,

25:21

tomorrow and the day after. Uh, no, it was good.

25:23

Um, we were, it was in Tron

25:25

time. Norway, if you have a,

25:27

a good excuse to go to Norway

25:29

in the spring or the summertime highly

25:31

recommend it's lovely, uh, beautiful weather.

25:34

The sun rises at two 30 and sets at 10

25:36

30 at night. It's weird. Um,

25:38

but it was beautiful. Um,

25:41

yeah. Lots of universal

25:44

composability, lots of

25:46

multiparty protocols, which

25:48

is, uh, fun for someone who's doing

25:50

a, a very small scale multiparty

25:53

protocol in, in terms of threshold signatures,

25:55

which is frost, shout out to Chelsea

25:58

Komlo who came up with frost. Um,

26:00

I, I implement everything that she tells

26:03

me is, is secure because based on all these

26:05

security proofs that she comes up with,

26:07

um, and yeah,

26:10

Fiat Jamir stuff, uh, zero

26:13

knowledge proof stuff. Um,

26:15

A little bit of isogeny stuff.

26:18

There was at least, I think I, I missed

26:20

the last day, but there was a nice

26:22

talk about like, okay, how

26:24

do all of these super singular isogeny

26:27

assumptions relate to each other stuff

26:29

about endomorphism rings and

26:32

stuff about computing, um,

26:34

you know, ideals and Aqua and algebra

26:37

and crap like that. But I only barely

26:39

understand, from Benjamin

26:42

Wesolowski I think, um,

26:45

cool stuff like that. yes,

26:49

this is, uh, one of those conferences where

26:51

the submissions are all peer reviewed papers,

26:54

right. With the program committee and then,

26:56

you know, academic papers and so on where.

26:58

That is, you know, not gonna be the case at, uh,

27:01

at, uh RWC, which does,

27:04

which is like people submitting talks or,

27:06

or, or a black hat of

27:08

which you and I have both reviewed for,

27:10

which does, you know, these still have review boards

27:13

that pick what's coming in, but it's not the same

27:15

type of peer review that you

27:17

might see at an academic.

27:19

Yes. Uh, RYP other, uh,

27:21

academic cryptography conferences are very much,

27:24

you submit a paper, the program

27:27

committee figures out multiple people

27:29

to blind review your paper.

27:32

Um, and then they will either,

27:34

uh, tell you just flat

27:36

out. No. Or we

27:38

want you to make some changes, uh,

27:41

or just straight up. Yes, we

27:43

accept. Um, and usually you

27:45

will go back and if they, if

27:47

you make changes, uh, you, you

27:49

get like a camera ready. Um,

27:52

and then you make the very fancy paper show up. Also

27:55

on a website, it used to be published

27:57

in a BA in a, in a volume called the proceedings.

27:59

And you can still get, you know, pay $20

28:02

to get the proceedings of a conference.

28:04

But it's mostly to, just to like, get the final version

28:07

of the thing. And it gets posted on the conference website and

28:09

that is the one that got published at the

28:11

conference. And then they pick a best paper

28:13

and they pick, you know, you know, test of

28:15

time awards. There were some cool test of time awards

28:18

at, uh, Euro Crip this year. I think

28:20

one of them was literally the

28:23

curve25519

28:25

paper from, uh

28:28

DJB. Uh, and I don't remember

28:30

if it was co-authored, but with Tanja Langa, um,

28:33

it I'm pretty sure it was that paper. It was

28:35

basically how to do fast elliptic

28:37

curve math, um, from

28:39

DJB and it kind of like kickstarted the

28:41

like, not just, uh,

28:43

incomplete, short WeierStrass, uh, prime

28:46

order curve rage, or

28:48

that we've been on for at least, uh,

28:50

12 years or 15 years, or now.

28:52

just an absolute bender

28:54

Just an absolute bender of co-factor

28:56

curves that are fast as hell, but they just

28:58

bite you in the ass. Yes

29:02

um, yeah, DJB uh,

29:04

got, got one of those test of time awards,

29:06

which I, I think, you know, uh, that,

29:09

that definitely has stood the test of time. And I don't

29:11

remember what the other two were. There were two other test time

29:13

awards. Um,

29:15

I would say the big difference between like those

29:17

academic conferences and other conferences is like

29:19

the point of like point number one

29:21

is to like publish the papers. Like, and then the

29:23

conference is like a side effect of

29:25

Yes. Um, the conference

29:27

is very much an opportunity

29:29

for the grad student

29:32

who helped work on the paper, but

29:34

it's not like the big

29:36

name, the advisor, the professor, the first

29:38

author, whatever, to go to the

29:40

conference and present their work

29:43

and get their face out there and

29:45

explain it, you know, present it to colleagues

29:48

and people in, in their area, um,

29:50

and get their face out there so that they can get known as

29:53

they come up through, you know, research

29:55

and academia. And then if they want

29:57

to go on and become a professor or go tenure track

30:00

or do research, like that's the start

30:02

of them getting their face out there. Um,

30:04

there's been a lot of debate, especially around COVID

30:06

of like Especially

30:08

for the big one, which is called

30:10

crypto and has been, always held

30:13

in Santa Barbara, California for like 25

30:15

years or something like that. There's crypto Ry,

30:18

Asia crypto. Those are like the big three. Um,

30:20

and they are held approximately where

30:22

they're named for. Um, you

30:24

are often required to send

30:27

someone to go present

30:29

your paper for a, like a

30:31

20 minute, half hour presentation,

30:34

uh, as like terms

30:36

of being accepted of your paper,

30:38

getting accepted. And this

30:40

has been a point of contention because like, if

30:42

you're from the other side of the world and

30:45

to get your paper accepted at

30:47

the top tier cryptography academic

30:49

journal, uh, conference they're, they're not

30:51

big on journals. They're big on conferences. You

30:54

have to pay for a round trip,

30:56

international ticket. You have to pay

30:58

for them to stay. You have to deal with visas.

31:00

You have to deal with room board. You have to deal with meals.

31:02

You have to deal with all that stuff. that

31:04

can be exclusive to very good

31:06

research and very good students. Um,

31:09

and this is one of the reasons that kind of like

31:12

the remote, uh, the

31:14

conferences has been like appealing to

31:16

a lot of people because they can present remotely.

31:18

They can present online, they can be present

31:20

online, uh, in a way that they might have

31:22

been excluded before. So now there's been a bit

31:25

of debate about like, can we

31:27

change this up a little bit? And like

31:29

there's old guard that don't wanna change things

31:31

they want, you know, like they there's, there's

31:35

decent reasons for this

31:37

sort of stuff has been in the past, but also

31:39

like, yeah. Anyway, um,

31:43

part of this is also brought in

31:45

a proposal that was brought up

31:47

at real world crypto to introduce a new

31:50

proceedings of crypto papers.

31:52

There's the three major conferences. There's some other

31:54

IAC conferences. Um,

31:56

there's role crypto as a symposium. Um,

31:59

and there's like a journal for sort of like

32:01

best of the best papers. They kind of get

32:03

elevated and elected to like this journal.

32:06

Um, but this other thing is basically

32:08

trying to be, something

32:10

to give more access and more of

32:12

a venue than just like

32:16

the big three or some other conferences

32:19

or like nothing, or just a, just a

32:21

PDF on eprint. They're trying to have something

32:23

that's a little bit more accessible and

32:25

that's also been, uh, an area debate. It

32:28

seems like it's going forward, but, uh,

32:30

we'll see how it goes.

32:32

The rest of like the academic world

32:34

is the journal model instead of the conference model,

32:36

which is, um, as

32:39

its pros and cons, but the,

32:41

as the conferences have grown, they're all kind

32:43

of starting to approach journals. As you

32:45

can, like the idea behind journals, as you submit

32:47

over time and slowly, then eventually

32:50

you get in versus the strict deadline

32:52

associated conferences. And now

32:55

more and more conferences are having 2, 3, 4 submission

32:58

periods per year. And it's like, well,

33:01

yeah.

33:01

um, as, as you approach

33:03

the limit there, the, the sums turn

33:06

into the integral, like.

33:09

oh God, uh, algebra jokes,

33:11

um, security

33:14

and Oakland and these other things. They're still conferences,

33:16

right?

33:17

Correct. So the, the big four in

33:19

like computer security, like non

33:21

cryptography or, uh, or

33:23

maybe closer to the applied side of cryptography

33:26

are Usenix security, IEEE

33:29

security and privacy, which is also called Oakland,

33:32

um, CCS, uh,

33:34

which is the ACMs conference on

33:37

communication security, I think, I don't know.

33:40

Um, and

33:41

dunno. Mm-hmm

33:42

always in San Diego and ran by the internet

33:45

society.

33:46

Hmm.

33:46

Um,

33:47

And there they're conference conferences,

33:49

yes. Um, but at least,

33:52

uh, Usenix and CCS,

33:55

um, CS, um, have multiple submission

33:57

deadlines in Oakland, I think might as well.

33:59

right. Cool. Yeah.

34:02

so o historically

34:04

Oakland had been like, The one that

34:06

everybody wanted to stop going to, because

34:08

for years I E E wasn't open access

34:11

and I E is still not open access,

34:14

but S and P is, um,

34:16

and so, uh, people have started

34:19

going to that again. And now, like, I

34:21

think CCS is kind of starting to go out

34:23

of phase just cuz it has gotten very, very

34:25

large and

34:27

uh, for lack of a better term,

34:29

some of the cool kids have been

34:31

like, well, if I can now submit to yous NS, when

34:33

I previously at the time of year that I had to submit

34:36

to CCS, I may as well just submit

34:38

to yous NS. Um, depending on

34:40

your thoughts on like how quickly do you want

34:42

the conference to be after the submission?

34:44

Yeah,

34:45

Um,

34:46

for, for people. So the, the

34:48

crypto conferences I was talking about, they are very,

34:51

uh, besides robo crypto, which is talks,

34:53

uh, those are very academic,

34:56

the, a lot of theoretical cryptography stuff.

34:58

If you're more interested in applied cryptography,

35:01

computer security, implementation

35:03

stuff, attack stuff, uh, all

35:06

those conferences David mentioned are much more

35:08

likely to publish that sort of stuff. So like

35:10

attacks on signal protocol or,

35:13

or things like that. Those things tend to show

35:15

up in conferences like that. So those

35:17

have some cool publications

35:19

as well.

35:21

I've always enjoyed, like use NS the,

35:23

the most. Um, but there's

35:25

definitely a level of personal preference. Use

35:27

NS is usually the week, like after black

35:29

hat, it's like the second or third week

35:31

in August. And it moves around where it

35:33

is. It's usually in the us, or at least in north

35:35

America. And.

35:37

no. Um, so

35:39

recently we had, Apple's worldwide

35:41

developer thingy. And we

35:43

had, I, I don't remember if it was before

35:46

or after that. I think it was before that, uh, Google's

35:48

Google IO, whatever their equivalent

35:50

of worldwide developer thingy that apple does.

35:54

And I'm pretty sure both of them announced

35:56

that they are supporting and working

35:59

on the industry interoperable

36:02

collaboration of passwordless

36:05

authentication. And

36:07

for those of us nerds

36:09

who love, uh, unphishable,

36:13

uh, authentication mechanisms

36:15

are all of our ears perked up. And if you,

36:17

if you could see me, I've been, I'm making big ears

36:19

right now. Um, because

36:22

we're all pretty sure that this

36:24

is, uh, apple and Google,

36:27

the, you know, two biggest

36:30

maintainers and developers of

36:32

browsers, of devices, of

36:35

authentication things period

36:37

saying they're going to interoperably

36:40

support, um, a

36:42

new kind of Fido credential.

36:46

Uh, that's very similar to,

36:48

U2F the kind of old thing

36:51

where, uh, and, and now is

36:53

supported in the web API called WebAuthN.

36:56

That's apple has branded PAs

36:58

keys, uh, but it

37:00

has a much more convoluted, official

37:02

kind of generic non apple branded name,

37:05

but it's basically instead of

37:07

a password, which is just a character

37:09

string that you type into just a random

37:11

fucking field, or, you know, a query

37:14

param in a URL. Um,

37:16

you have a key pair and usually

37:19

what it is is, uh, for WebAuthN or

37:21

for, uh, FIDO2 or whatever,

37:23

uh, or old school UTF, um,

37:26

You have a key pair and it lives on your Yubikey

37:28

or it lives on your authenticator device.

37:30

Like the, you know, the trusted enclave

37:33

in my MacBook or something like that. The

37:35

private key stays there. You, the

37:37

website issues, you a challenge

37:39

when you're trying to log in, uh,

37:41

you do like basically

37:43

what amounts to a signature with your

37:46

private key that you previously registered

37:48

on. The thing that you're challenging and you send

37:50

it back and it verifies you. And part

37:52

of the thing that's happening in

37:54

this protocol is you're

37:56

bound to the website origin

38:00

that the technical term, the origin from

38:02

the request is coming from. It has

38:04

to be, uh, you know, you have to verify

38:08

the response, uh, against

38:10

your previously registered credential,

38:12

which means you can't phish it.

38:15

Um, you, and like it comes back

38:17

with all of these things bound together,

38:20

and this was great. Uh,

38:22

for second factor, um,

38:25

so that you cannot just copy paste

38:27

this thing into a, you know,

38:29

a field or a query param

38:32

because it wouldn't work. It has to, if

38:34

it was a phishing website, it wouldn't

38:36

work against google.com.

38:39

If someone is at, you know, like

38:42

g00gl3.com, but with all the OS or

38:44

zeros and the E or threes and

38:46

things like that, it just wouldn't work because

38:48

it would not compute correctly. That

38:51

was great when you just had it on your Yubikey

38:54

or your phone or whatever, but what if you need

38:56

to back them up and the answer has

38:58

been for a long time that you

39:01

just register a ton of keys.

39:03

So like I have six Yubikeys

39:05

and I have, you know, multiple devices and

39:07

things like that. And the answer is you

39:09

don't migrate the key pair.

39:12

You just have lots of key pairs and they all work

39:14

and okay, fine binders

39:17

full of Yuba

39:19

I, uh, I wanna, I, I wanna

39:21

make one kind of comment about the phishing,

39:23

because I think there's, there's a subtle point

39:25

that people miss that also makes the like

39:28

whole phone thing a lot more complicated.

39:30

So if you think about, uh,

39:33

right, the Yubikey and when you're signing in with WebAuthn,

39:36

right, you're more or less signing over the website

39:38

that you're trying to, um, log into

39:40

and the challenge that they give you on your computer.

39:42

And then it gets sent back up and everything is great, but

39:45

there's like another component that we're,

39:47

that happens auto automatically

39:50

when you're using say the Yubikey or

39:52

using the, uh, touch bar,

39:55

um, on your MacBook, which is that

39:57

like, the thing that you are using to authenticate

39:59

to is physically connected

40:02

to the same computer that is running

40:04

the web browser. And this is like enforced

40:06

by virtue of like the browser only knows

40:08

how to talk to the Yubikey that's currently plugged into

40:10

it or, or the enclave

40:13

or whatever. Um, when you take

40:15

that. And you're like, okay,

40:17

you know, my phone has a secure enclave and

40:19

it can sign things or like I

40:21

have a go program and I implemented the same spec,

40:23

whatever. Right. Um, like it's just a signature.

40:26

It doesn't need to be in a hardware. Um,

40:28

as soon as you move that to a different device

40:31

or like the communications channel

40:33

to something that isn't obviously directly

40:35

connected, um, you end up with this problem

40:38

where when you go to like, approve

40:41

on your device in some way to click, yes.

40:43

I wanna log in on your phone. Like,

40:46

let's imagine a crypto game, you've got two laptops.

40:49

Um, you can't see the screen on either.

40:51

Um, and you win the game and,

40:53

and you have a phone and you get a login

40:55

prompt and you win the game. If you can have

40:57

an over 50% accuracy

41:00

when saying which laptop is logging in,

41:02

right. You don't actually know that the laptop

41:04

or the computer that you're next to is the one that

41:06

you're logging into. So while it prevents

41:08

you from being phished on like, you know,

41:11

G zero, zero gle.com

41:13

or. Um, it doesn't prevent

41:16

you from being fished in the case where the

41:18

attacker is trying to log in at the same time

41:20

as you and sends you a prompt,

41:21

Yeah, yeah. Um, and, uh,

41:22

unless you go through the effort

41:25

of doing a preregistration

41:27

step between the browser that you're using.

41:30

Um, and, uh, and

41:33

then like the phone, you need some sort of out of band

41:35

thing to pair them together. And there's a whole

41:37

host of ways to do this. People have proof of concepted

41:40

it with like relay servers, a QR code,

41:42

and a Chrome extension. Um,

41:44

you could do it through, uh, like

41:47

Chrome sync, um, you

41:49

or iCloud sync, which is more or

41:51

less, I think what these proposals are doing.

41:54

Um, you can do stuff over Bluetooth,

41:56

combined, usually with a sync mechanism

41:59

as well to add even more. Um,

42:01

uh, but the,

42:04

it, the world gets a lot Gnar,

42:06

um, and the user experience gets slightly

42:08

worse when you, um, For

42:11

some definition of a worse, when you switch

42:13

from a Yubikey to a phone, the benefit

42:15

is you don't need to, to, to

42:17

like, uh, explain to somebody,

42:19

um, uh, or buy

42:21

them a Yubikey, right? feasible for an enterprise

42:23

to buy all their employees, Yubikeys. It's

42:26

not feasible for like the IRS to buy

42:28

everybody that needs to file taxes at Yubikey

42:30

and expect them not to lose it.

42:32

And all of this is for, uh,

42:35

using phyto credentials

42:37

as second factor or

42:39

multifactor, not your quote

42:42

unquote primary factor, which has

42:44

been, and probably will be for a long time,

42:47

passwords. Right.

42:49

Yeah, but I mean, fundamentally like these

42:51

end up being the same thing.

42:53

Right. So the new thing

42:55

is the. Passwordless

43:00

authentication stuff is

43:02

taking the same challenge,

43:06

response sort of protocol. And

43:08

using that in addition

43:10

to these, uh, device

43:13

bound credentials, the classic

43:15

FIDO2 UTF, um,

43:18

WebAuthn multifactor,

43:20

uh, thing. And instead

43:22

of a password, you have this

43:25

key pair that can

43:27

be synced because it's not device

43:30

bound such as through iCloud

43:32

key chain. And that that's like the

43:35

big proposal, is that apple

43:38

has kind of like created

43:40

this end to end implementation

43:43

of how you do this. And

43:45

everyone else is like, oh yeah, we were

43:47

thinking that. And then like, you've basically.

43:50

Done the proof of concept. And they're trying

43:52

to, they're, they're trying to get

43:54

everyone on board because if just safari

43:56

supports this and just iOS supports

43:58

this, it's gonna be it's. You need

44:01

websites to support this

44:03

API for it to work at all.

44:06

It doesn't matter if you're apple and you own the

44:08

entire stack top to bottom.

44:10

If you go to google.com

44:13

and it doesn't work, if apple PAs

44:15

keys don't work. Yeah. You're supposed to be magic.

44:17

So there app Google's on

44:19

board, uh, Apple's on board.

44:21

This is a W3C,

44:24

WebAuthN update

44:26

that's coming. but, uh, apple

44:29

Apple's kind of gotten out of the gate and, and

44:31

started with the great branding. Like they there's

44:33

like a four word name for these

44:35

things. And instead apples, like let's just call

44:37

instead of passwords, they're past keys. It's

44:39

We're just calling him pass

44:40

it's like, that's great. Damnit, apple, like,

44:43

so.

44:45

and I think in the future, we'll, we'll try and get

44:47

one of the authors onto like go

44:49

in more depth on this, but we just wanted to, to

44:52

call out that this was in fact happening.

44:55

Um, the authors know who they are

44:57

and may or may not be surprised by me

44:59

saying this without emailing them first.

45:02

uh, yes. Uh, we want to go

45:04

into a lot of depth about

45:07

this because I have more like very

45:09

specific questions. Like I was looking on the Fido,

45:11

like website and I was trying to get very specific

45:13

technical details about this. And then people were

45:15

like, ah, they're not there. They're like over in

45:17

this other place. And also these

45:19

people have their names all over it, so we should go

45:21

talk to them. So that's a thing that's happening.

45:23

That's very exciting for security. It's

45:26

we really hope to see this

45:29

getting rolled out well

45:31

and nicely, and in a way that,

45:33

you know, human users can understand

45:35

the benefits to their security. Um,

45:38

so early days, very exciting.

45:41

Uh, God speed.

45:43

Um, and then one last thing we wanted to touch,

45:46

um, or mostly I just wanted to touch.

45:48

And then for steer here to talk about was,

45:50

uh, uh, the discourse

45:53

from like, uh, a month ago or so

45:56

when, when,

45:58

um, Elon Musk

46:00

in the process of buying Twitter,

46:03

um, which will just move past that. Um,

46:06

but, uh, was like Twitter, DMS

46:09

should be E to E end to end encrypted.

46:12

Um, and then the end

46:15

to end encryption on the web discourse

46:17

started again, um, of

46:19

like, is this even PO, is it even possible

46:22

to have a web app that does end to end encryption

46:24

and has the same like threat model? Um,

46:28

good.

46:29

Uh, and so, uh,

46:32

Deirdre, you've thought about this a lot, I think.

46:34

And so maybe you could explain some of,

46:36

uh, why this is a little harder than it's

46:38

just like generate a key and, you know, call

46:40

uncrypt and like signal

46:42

does this, we know how to do this. We know a lot about like

46:45

messaging protocols, just do it in

46:47

a web browser. JavaScript's turn

46:49

complete.

46:50

oh God. Unfortunately just

46:52

slap a signal protocol on it

46:54

does not necessarily give you the

46:57

same, uh, security guarantees

47:00

in every deployed software

47:03

environment. Um, and

47:05

by every, I mean, there's the

47:07

web and there's everything else or there's

47:09

everything else. And then the, then there's the web,

47:12

um, I'm being pulled into this

47:14

because people are like, yeah, they should

47:16

totally do that. They should end to end crypt

47:18

Twitter, DMS. And if Twitter

47:21

was only supported on. Um,

47:25

iOS, Android, and,

47:27

you know, a desktop application

47:29

that could be very doable. Unfortunately,

47:32

twitter.com is a web app. That's

47:34

what the.com stands for. Right?

47:37

Um, it is primarily,

47:39

yeah, the guy who works on

47:42

the, the web browser tells me that I, I got

47:44

that one. Right. Awesome. Um, it

47:46

has, it was primarily a web

47:49

service for a very long time. And then

47:51

it got mobile apps and then it got,

47:53

you know, like tweak deck or, you know, tweaky

47:55

bot or, you know, whatever the fuck it had an API,

47:58

and then it shut it down. Um, for

48:00

a long time. It like the reason it used to be

48:02

only 160 characters is because it was like

48:04

you could SMS a,

48:07

a, a code and it would tweet it on the internet.

48:09

So it was like an SMS based plus

48:11

web service for most of its lifetime.

48:14

And then it slapped on a bunch of mobile clients.

48:17

Um, End to end encrypting

48:19

anything where you have to support that

48:21

end to end encryption with a web client

48:24

is a fundamentally harder thing to

48:26

do than if you just

48:28

have mobile clients and I'll, and I'll the,

48:30

the primary, uh, comparison is

48:32

WhatsApp. Uh, WhatsApp

48:36

started as mobile only and

48:39

eventually added a, uh,

48:42

a mirror of a web

48:45

client to a mobile

48:47

app that it was paired to. And now it has

48:49

a more evolved kind of web

48:51

service to go along with it. But web

48:54

WhatsApp. Deployment

48:56

for almost all its history was

48:58

iOS and, and Android clients. It

49:01

was Ava. It was able to slap on

49:03

signal protocol onto that service

49:05

because all of its clients were mobile

49:07

clients and they were compiled

49:11

apps in very constrained environments

49:13

that didn't auto load, uh,

49:15

content and scripting

49:17

from the internet. Every time that

49:19

you open the app.

49:21

that, that's the thing that makes it hard, right. Is

49:23

the fact that like you have,

49:25

uh, you have the security boundary

49:28

of an app store,

49:30

which like

49:31

Yeah.

49:31

the security boundary of, or even if you take

49:34

away the app store, you have like, you know, a

49:36

piece of software. And if you make the assumption

49:39

that like, people are able to get the piece of

49:41

software right. Once, and then it more, less

49:43

stays, stays like that. Um,

49:45

now you're talking about like a malicious update

49:48

through the store, whereas on the web,

49:50

it's like, you know, you can just load

49:52

resources from other sites. That's like

49:54

the whole value proposition of web.

49:57

Um, that's why it's a web and not like

50:00

an app, right. Connected

50:02

like a web

50:04

Like you can pull in images and they get

50:06

rendered and you hope that your browser render is,

50:08

uh, you know, decoder is great

50:10

or you just literally pull in a whole nother

50:12

website. Uh, and you can either

50:15

do that in an iframe and you hope that the,

50:17

the isolation is good or you just literally

50:19

do an HTTP get

50:21

and you get a blob and then you could

50:23

do whatever the fuck you want with it to a blob. Like

50:25

the dynamic nature of

50:28

the web, a web page,

50:30

a web app is like the point.

50:33

And it's just fundamentally different

50:35

in terms of the security application

50:38

platform that you write software for

50:40

than a mobile app than a

50:43

desktop app, even. Um,

50:45

and it, and therefore makes the

50:48

traditional. design

50:51

of end to end encrypted protocols,

50:53

especially signal which relies

50:55

on long term identity, keys being stored

50:57

and secure, and that you, uh,

51:01

tie all of

51:03

your, um, security back

51:05

to in this like, you know, double ratchet

51:08

way, um, fundamentally

51:11

harder and just a different

51:13

difficult proposition.

51:16

If Twitter only had mobile

51:18

clients and, you know,

51:20

pieces of software that they signed and released

51:23

and only changed when they pushed a new update

51:25

and didn't get reloaded

51:28

from the server every single time that you,

51:30

you loaded the app, like you

51:32

basically do on twitter.com or tweet deck

51:35

or whatever it

51:37

would be. And, and this is not even touching.

51:39

Like the APIs that you get from

51:42

iOS or the, the, the hardware back credentials

51:44

that you get from an Android device or, or any

51:46

of that stuff. It's just the fact that like

51:48

you could just store your long-term

51:50

keys in your app memory with

51:53

the guarantee that like, it's

51:55

just me, it's just me and my, you

51:57

know, sandbox name, space,

52:01

memory space for my, you know,

52:03

end to end encrypted twitter.com or, you

52:05

know, Twitter app. You it's

52:07

just so fundamentally different for the web

52:10

hell is other people's JavaScript.

52:12

apps. The fucking, so, you know,

52:14

my, my basic argument is like, people

52:17

are like, you should end, end crypt, Twitter, DMS. I'm

52:19

like, okay, you're probably

52:21

going to achieve that for

52:24

all these mobile clients and

52:26

web clients would not get end, end encryption.

52:30

and those secure

52:32

way to make sure that everybody

52:34

who gets, who can log in

52:37

to a Twitter service is twitter.com.

52:40

Web web users don't get DMS

52:42

at all because otherwise you could,

52:44

you, you open yourself up to downgrade attacks.

52:46

Yeah. Yes,

52:47

Yeah. Now, if you back up

52:49

the threat model, some, so like, what you're describing

52:52

is like what you would need to be close to signal

52:54

in, in a world where you really don't want to trust

52:56

the provider at all. If you weaken the

52:58

threat model to something like, I

53:01

don't want the engineers or the ops team,

53:03

or whoever to just be able to

53:05

like, run select star from

53:08

DMS in their SQL database,

53:11

um, you can do pretty well right now. Um,

53:14

but then you run the risk of,

53:16

you know, all the code could just be swapped out or they

53:18

could leak it in other ways. Um, they could, and,

53:21

um, you can have healthy

53:23

and vigorous debate about how different that

53:25

is from, from native apps that could also just

53:27

post, you know, signal or WhatsApp could just

53:29

post the plain text, um,

53:32

over HTTP to a server. But as

53:34

far as we know, they don't, and we have no reason to

53:36

believe that they do. And presumably

53:38

somewhat would notice if that happened.

53:40

Yeah, you can watch, uh, all the connections

53:42

that your app makes out and

53:45

you can measure how

53:47

much space there's in there and, and frequency

53:50

and see if there's anything going on. And if they're, you

53:52

know, You can inspect both

53:54

the decompile binary

53:56

and the behavior of a compiled

53:58

binary, um, to see

54:01

if it's doing something funny. Um,

54:03

and we have no evidence that any of these apps

54:05

are doing anything funny. Although, you

54:07

know, apple and, and iOS

54:09

was saying, oh, we're going to, we're gonna run

54:12

these like image detection, models on

54:14

your phone, and we're gonna snitch on you when

54:16

you upload them to iCloud. Um,

54:18

so that we could say that we deployed end to encryption

54:20

on iCloud, but we're gonna detect

54:22

if you're, uh, if you have child porn in your computer.

54:25

Um, but

54:26

for more context. See our episode

54:28

with Matt green.

54:29

Yes. Uh, but they say they haven't rolled that

54:31

out. And I believe that they haven't rolled that out because everyone

54:34

was very mad at them when they said they were gonna roll that out.

54:36

Um, you can detect

54:38

if, if these apps are. Doing

54:41

something that you think they shouldn't be doing? We have

54:43

no evidence that signal WhatsApp

54:46

end to encrypted Facebook messenger. Any

54:48

of these other end to encrypted messengers, uh,

54:50

are doing anything like that. Um, much

54:52

more likely to literally have a report

54:54

button like WhatsApp

54:57

or, uh, you know, using Facebook message

54:59

franking or whatever it is, um,

55:02

to explicitly get information

55:05

willingly ActionAlly from

55:07

users, um, which is a whole nother

55:09

discussion about like how

55:11

do you deploy end to encryption on

55:14

systems and still

55:16

run those systems and run those.

55:19

Communities that are made up of humans

55:21

that may or may not treat each other well or may

55:23

or may not abuse these report

55:25

capabilities. Um, how

55:27

do you do that in an end to crypto context?

55:29

And like it's not necessarily harder.

55:32

It's just different and see Riana

55:34

Pfefferkorn's paper about content

55:36

oblivious, moderation tools, uh,

55:38

for more on that. Um,

55:42

I think that's about all we got for today. Um,

55:47

I think we've got a few plugs. Um,

55:49

the first one is we continue

55:51

to have merch available

55:54

at merch security, cryptography,

55:56

whatever.com.

55:57

Mm-hmm we

55:58

and we now have merch that

56:00

isn't even all black.

56:02

Yes.

56:03

so we think that's.

56:05

You're welcome. It's got these cute little guys

56:08

that you might have seen on some of our, you know,

56:10

headers and images and stuff. Um,

56:13

if you like things that aren't all black, we have

56:15

them, um, and also mugs

56:17

and stickers with cool stuff. We

56:19

just like, we wanted merch.

56:21

We have merch. Now you can have merch too.

56:23

So that's what that is.

56:26

Um, several or maybe

56:28

even all of us, uh, will be

56:30

around black hat and we are tossing

56:32

around the idea of doing some sort of event.

56:35

So if that sounds appealing, please let

56:37

us know because that will motivate us to actually

56:39

think about it. Um,

56:42

and you can figure out the best channel

56:44

with which to do so.

56:46

I will be in Vegas for Z con,

56:49

which is a Z cash foundation event

56:51

about privacy. Uh, so

56:53

I'll be there for that. I probably will

56:55

be around black hat,

56:57

but not at a lot of black hat. And

57:00

then I will be trying to go to DEFCON,

57:02

but I'll be there that whole week of Vegas.

57:05

Let us know if you wanna come more thing

57:09

and now Deirdre, I'm gonna make us a real podcast

57:12

by doing something that, um, all

57:14

podcasts much do eventually, which

57:17

is plug another podcast.

57:19

oh my God.

57:20

uh, on, on, uh,

57:23

behalf of my partner, I have to plug the

57:25

podcast, A Star is Trek Becca

57:28

Lynch, who has never seen any star

57:30

Trek is taken on a tour through every

57:32

single series with two handpick

57:34

episodes by her friend, Jess,

57:37

who has seen all of them. And

57:39

they are doing a whirlwind tour of

57:42

all of star Trek. Um, I'll correct

57:44

myself.

57:45

were doing this.

57:46

I'll correct myself slightly. For some reason, she'd

57:48

seen this season one finale

57:50

of Picard. That was the first star Trek

57:53

that she saw.

57:54

Oh no. God help her.

57:55

um, a star is trek available

57:58

wherever you get your podcasts.

58:00

I'm subscribing right now, actually.

58:03

Um, I watched

58:06

a ton of TNG reruns

58:08

back in the day when I would get home from school.

58:10

So I'm looking forward to this

58:14

subscribed. Cool.

58:15

right. And find us on Twitter at SC w

58:18

pod. And I think

58:20

that's it.