Channel: LibreCryptography
Forwarded from Librehash Research
Researcher Discovered the NIST Specification on SHA256 Prime Values is Incorrect
"According to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 180-2, 'These words represent the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four prime numbers.'
No reason was provided as to why these values were selected...
Close examination of the SHA-256 constants reveals that only four of the numbers are actually prime numbers.
Source = https://www.femto-second.com/papers/SHA256LimitedStatisticalAnalysis.pdf
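The derivation that the quoted FIPS 180-2 sentence describes, worked through as an added example (this is not code from the forwarded post or from the cited paper): it recomputes the SHA-256 round constants K and initial hash values H with exact integer roots and cross-checks them against the values published in FIPS 180-2.

```python
# Added example: recompute the SHA-256 constants that FIPS 180-2 defines as the
# first 32 bits of the fractional parts of the cube roots (K, first 64 primes)
# and square roots (H, first 8 primes). Integer roots keep the result exact.
from math import isqrt

def first_primes(n):
    """Return the first n primes by trial division."""
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes

def icbrt(n):
    """Exact integer cube root floor(n ** (1/3)) by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def sha256_k():
    """Round constants K[0..63]."""
    # floor(cbrt(p) * 2**32) == floor(cbrt(p * 2**96)); its low 32 bits are
    # exactly the first 32 fractional bits of cbrt(p).
    return [icbrt(p << 96) & 0xFFFFFFFF for p in first_primes(64)]

def sha256_h():
    """Initial hash values H[0..7], same construction with square roots."""
    return [isqrt(p << 64) & 0xFFFFFFFF for p in first_primes(8)]

# Published values from FIPS 180-2, used as a cross-check on the recomputation.
FIPS_K_FIRST_8 = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
                  0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5]
FIPS_K_LAST = 0xc67178f2
FIPS_H = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
          0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def matches_fips():
    """True when the recomputed constants agree with the published ones."""
    k, h = sha256_k(), sha256_h()
    return k[:8] == FIPS_K_FIRST_8 and k[-1] == FIPS_K_LAST and h == FIPS_H

if __name__ == "__main__":
    print([hex(x) for x in sha256_k()[:8]], matches_fips())
```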
Standard Notes Updated Their Cryptography
These updates are palpable upgrades to the application itself.
Now they employ Argon2 for the password hashing and XChacha20-Poly1305 for the creation of the nonce (changes for each note that is saved by a user).
That's not to say that the cryptographic primitives that they were using before were weak, but these are obviously considerably stronger (and cryptographically more secure as well).
In many cases it is also estimated that Chacha20-poly1305 is faster than AES256-GCM on hardware (and software as well).
196-bit nonces are used for the chacha20 stream cipher encryption.
More information on the specification for this upgrade / update can be found here = https://docs.standardnotes.org/specification/encryption/
OASIS Key Management Protocol = https://docs.oasis-open.org/kmip/kmip-spec/v2.1/csprd01/kmip-spec-v2.1-csprd01.pdf
A lot of cryptographic repos contained here for you to peruse through (hence the name of the GitHub account, I suppose) = https://github.com/CryptoFanOrg
Best Explanation / Breakdown of How TLS Works You'll Ever Find in Life = https://tls.ulfheim.net/
Merlin (weird ass website that apparently is for people that are trying to run from the law [just kidding]); this is zero knowledge proofs and some other shit that's related or peripherally related to it.
https://merlin.cool/ (kind of weird actually; one-off website, designed in the fashion of the Rust documentation)
Trillian (this one is pretty significant) = https://github.com/google/trillian/
Trillian is an implementation of the concepts described in the Verifiable Data Structures white paper, which in turn is an extension and generalisation of the ideas which underpin Certificate Transparency.
OpenSK = OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
https://github.com/google/OpenSK
HTTP Signed Exchanges
A signed exchange is a delivery mechanism that makes it possible to authenticate the origin of a resource independently of how it was delivered (this sounds cool but I just need to get more information on what the fuck this actually means)
web.dev = https://web.dev/signed-exchanges/
"Signed Exchanges allow a site to cryptographically sign a request/response pair in a way that makes it possible for the browser to verify the origin and integrity of the content independently of how the content was distributed. As a result, the browser can display the URL of the origin site in the address bar, rather than the URL of the server that delivered the content. Separating content attribution from content distribution advances a variety of use cases such as privacy-preserving prefetching, offline internet experiences, and serving content from third-party caches."
Asylo Dev = asylo.dev
Encrypted enclave applications
1. Integrates with gRPC for easy and secure inter-enclave and external communication
2. Use attestation to verify your enclave's integrity, and cryptographically bind your secrets to identity ACLs for safe storage.
Code for piping this all through Docker can be found here = https://asylo.dev/docs/guides/quickstart.html#what-is-an-enclave