#privacy is such an interesting subject to me, because on one hand it's "a basic human right" but practically it's the right to lie and deceive each other.
I don't have a very good memory, and I believe that information wants to be free. So privacy has always seemed like a dangerous thing to me; like fighting thermodynamics.
That said, if I were a competitive person I can see how my attitude might need to change; hard to win when you're giving away all your secrets.
Let's say I have 1000 friends (haha, I know, right?) and I want to send each of them a number. If I put all the numbers into a list and send the list to all my friends, that sort of works, but each friend won't know which number is theirs.
So I'd like some way to tag each number in the list so each friend can quickly tell which number is theirs, but no one else can. I.e., something faster than a linear-time search through the list would be ideal, but I'd settle for something linear if the constants are small. Maybe something like string equality as the match operation, but not a decryption.
And if someone who isn't my friend sees the list with all the tagged numbers, they shouldn't be able to tell who any of my friends are by using the tags somehow.
All my 1000 friends (lol, it's still funny) and I have asymmetric keypairs, so we can use those.
Is this a well-studied problem that has a name I don't know about yet? Maybe there are special-purpose tools that are a good fit for this?
Or maybe there's some clever scheme using encryption that solves this? I feel like a deterministic encryption of some well-known message for each friend gets pretty close. Then add a list-level nonce to make it randomized for each list, but not each friend. Then a friend can do the deterministic encryption using the nonce and scan through the list pretty quickly to find their number. But my asymmetric encryption primitive is randomized, so I can't quite make it work that way unless I use a different primitive.
Although, if the message to be encrypted deterministically is well-known, and the goal is not actually to protect the message, that kind of suggests encryption is the wrong tool here. I'm looking for some kind of tag that is only recognizable by the holder of the private key.
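A concrete instance of the scheme sketched in this thread, written as an added example rather than the poster's own code: each friend's tag is an HMAC over the list-level nonce, keyed with the X25519 shared secret between the sender's keypair and that friend's, so the friend recomputes one tag and does a single map lookup, while anyone holding only public keys sees random-looking tags. It assumes the "asymmetric keypairs" are X25519 keys and uses only Go's standard library; the names TaggedList, BuildList and FindMine are mine.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// TaggedList is what gets published: one per-list nonce plus value-by-tag.
type TaggedList struct {
	Nonce []byte
	Items map[string]int
}

// tagFor derives a friend's tag: HMAC-SHA256 keyed with the X25519 shared
// secret of sender and friend, over the list nonce. Without one of the two
// private keys the tag looks random; the nonce makes tags differ per list.
func tagFor(shared, nonce []byte) string {
	mac := hmac.New(sha256.New, shared)
	mac.Write(nonce)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildList tags values[i] for friends[i] under a fresh random nonce.
func BuildList(sender *ecdh.PrivateKey, friends []*ecdh.PublicKey, values []int) (*TaggedList, error) {
	tl := &TaggedList{Nonce: make([]byte, 16), Items: make(map[string]int, len(friends))}
	if _, err := rand.Read(tl.Nonce); err != nil {
		return nil, err
	}
	for i, pub := range friends {
		shared, err := sender.ECDH(pub)
		if err != nil {
			return nil, err
		}
		tl.Items[tagFor(shared, tl.Nonce)] = values[i]
	}
	return tl, nil
}

// FindMine is the friend's side: one ECDH, one HMAC, one O(1) map lookup,
// with plain string equality as the match and no decryption at all.
func FindMine(friend *ecdh.PrivateKey, sender *ecdh.PublicKey, tl *TaggedList) (int, bool) {
	shared, err := friend.ECDH(sender)
	if err != nil {
		return 0, false
	}
	v, ok := tl.Items[tagFor(shared, tl.Nonce)]
	return v, ok
}
```

In a real deployment the raw shared secret would go through a KDF (e.g. HKDF with the sender's public key as context) before keying the HMAC; it is used directly here only to keep the example short.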
🆕 blog! “Lazy way to cause SHA-256 collisions for lazy evaluators”
Humans are lazy. That's why we have computers; to do the boring work for us. I recently downloaded a file. The website said the file should have a SHA-256 hash of: ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb So I ran sha256 filename on my machine. And then lazily compared the h…
have #privacy about health info (think genetic disorders)
be anonymous in terms of DNA-person match (which means ethically working researchers cannot include their data in studies, e.g. GWAS etc.)
Sensitive data matters. Biodata is one of the most sensitive types of data you can think of. My advice: Don't use it as a first auth factor. And definitely not as a sole key for crypto.
Just downloading some updates and checking #SHA hashes, like you do. Insofar as people actually bother, I wonder how many people just look at the first few digits and the last few digits and call it a day. Which raises a question: has anyone ever explored the idea of hash "partial" collisions in a crypto context? I.e. if the first and last 8 hex digits are the same, but the middle could differ. Might be a useful thing for some attackers trying to deposit nasty things in public repositories. #Malware #HashCollisions #Cryptography #Software #InfoSec #SupplyChain
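The "first and last 8 hex digits" shortcut from this post and the lazy comparison from the blog teaser above, written out as an added example (not code from either poster) beside the check that should replace it: LazyMatch compares only the edges and never examines the middle 48 digits, while VerifyDigest insists on a full 64-hex-digit SHA-256 and compares every byte in constant time. Function names and the edge width parameter are my own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// LazyMatch is the shortcut the post describes: eyeball the first and last
// `edge` hex digits and call it a day. With edge=8 on a SHA-256 it checks
// 64 of the 256 bits and ignores the middle 48 digits entirely.
func LazyMatch(actualHex, expectedHex string, edge int) bool {
	if edge <= 0 || len(actualHex) < 2*edge || len(expectedHex) < 2*edge {
		return false
	}
	return strings.EqualFold(actualHex[:edge], expectedHex[:edge]) &&
		strings.EqualFold(actualHex[len(actualHex)-edge:], expectedHex[len(expectedHex)-edge:])
}

// VerifyDigest is the non-lazy version: require a complete 64-hex-digit
// SHA-256 (so an abbreviated "ca97…48bb" from a UI is rejected rather than
// silently matched), decode it, and compare every byte in constant time.
func VerifyDigest(data []byte, expectedHex string) error {
	expectedHex = strings.TrimSpace(expectedHex)
	if len(expectedHex) != sha256.Size*2 {
		return errors.New("expected digest is not a full SHA-256 (64 hex digits)")
	}
	want, err := hex.DecodeString(expectedHex)
	if err != nil {
		return errors.New("expected digest is not valid hex")
	}
	got := sha256.Sum256(data)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("digest mismatch")
	}
	return nil
}
```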
1/ 🎉 Big news in the #OpenPGP world! Our team's labor of love, "OpenPGP for Application Developers," is now live! Check it out: https://openpgp.dev/. 🚀📚 Our mission? Make OpenPGP accessible, enjoyable, and a go-to tool for devs! #cryptography #security
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Without disassembly, there are 43,252,003,274,489,856,000 unique permutations in a 3×3 Rubik's Cube. If sufficiently shuffled, that provides ~65 bits security.
Which means recording the colors of each of the 6 faces after two sufficient shuffles is enough to provide at least 128 bits security.
Why must the #UX of any kind of #cryptography related tooling on our systems suck so much?
Today's task - manage CA certificates on our clusters' base-systems using #Ansible.
The canonical way on #RHEL systems seems to be to use #p11kit's "trust" CLI.
"--help" says to use "trust list" - that sounds easy. I'll just compare those certificate serials against my desired state and then import the delta into the trust store…
But: the unique identifier of "trust list"'s output is a PKCS11 URI!
Hundreds of RSA SSH private keys were factored by UCSD researchers using an efficient lattice attack from a single PKCS#1 v1.5 padded faulty signature. https://eprint.iacr.org/2023/1711 #cryptography
When Thomas Oliver and Kyu-Hwan Lee used machine learning techniques to predict the ranks of elliptic curves with high accuracy, they noticed hidden oscillations reminiscent of bird murmurations. That pattern was not noticed by mathematicians before, and an explicit formula for those was found by Nina Zubrilina.
I can now say that I completely understand the #webauthn server side.
The full stack, except for verifying #cryptography signatures with crypto.subtle, is available across several tiny-* repositories on github under my account.
Will be writing an article soon to describe the essential necessary mechanisms to safely add webauthn and #passkeys to a service.
Cryptography may offer a solution to the massive AI-labeling problem (www.technologyreview.com)
An internet protocol called C2PA adds a “nutrition label” to images, video, and audio.