Crypto workshop 5 - Don't believe the crypto hype

Slides from a workshop I held on cryptography for web developers.
Part 5 is about the recent post-Snowden-hype around a large number of new crypto applications from which most are probably not trustworthy.
https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html

  1. Cryptography for Software and Web Developers, Part 5: Don't believe the crypto hype. Hanno Böck, 2014-05-28.

  2. Snake Oil / New fancy crypto tool: The NSA scandal was the biggest boost for snake oil crypto of all time. Threema, Telegram, Cryptocat, whistle.im, chiffry, tutanota, myEnigma, Hike, Kontalk, ...

  3. Snake Oil / New fancy crypto tool: At the moment a lot of people will try to sell you the latest easy-to-use, super-secure crypto solution. In most cases these should not be considered trustworthy.

  4. Snake Oil / Example Telegram: Telegram has a contest: they'll pay you $200,000 if you can decrypt their sample messages. Sounds good, right? But it only applies to passive attacks: no side channels, authentication issues, software bugs like buffer overflows, known-plaintext attacks, ... Moxie Marlinspike challenged the Telegram developers with a similar contest by defining a completely insecure protocol. They haven't responded.

  5. Snake Oil / Example Threema: Threema is proprietary, but they provide a "validation" feature: the app can log data packets, and a small tool that's available in source form can verify that a logged packet really is the message encrypted with the corresponding private key. How do you know that the logged packet is the same one that was sent? How do you know they don't embed secret data in the nonce? You just don't. The whole Threema validation is a scam.

  6. Snake Oil / The problem: We really could use some better crypto message systems. Some people will tell you: "What's the matter, we have PGP and Jabber with OTR, that's all you need." Except that they're mostly unusable for normal users and have tons of strange properties. PGP doesn't encrypt the Subject, has two modes where only one protects certain metadata, and doesn't provide forward secrecy. OTR only works if your communication partner is online; otherwise it will be unencrypted.

  7. Snake Oil / What's good?: From everything I've seen lately there are only two systems I find interesting: Pond and TextSecure. Free software, source available. Well-documented, strong crypto technologies that seem to make sense. Created by people who know a lot about crypto.

  8. Nationalism: I find it hard to believe, but this is a real problem. "E-Mail Made in Germany", "SecurITy made in Germany / TeleTrusT" etc. Peter Tauber (member of the German parliament, CDU) wants German encryption. Recently got a mail proposing a secure chat and phone system that uses "German elliptic curves with 512 bit". (I assume they mean the Brainpool curves, however Brainpool has no curve with 512 bit.) "Don't use AES, it's a US standard from the NSA" - except that it has been created by researchers from Belgium.

  9. Nationalism: Crypto is good when it has been created in a trustworthy process. It doesn't matter what kind of passport the researcher / developer creating the system has. And finally: be aware that Germany does not have a lot of high-profile cryptographers.

  10. Conclusion: Some reasonable questions you may ask: "Crypto is hard. Do you have a crypto expert in your development team, or has your software been reviewed by a crypto expert?" "Can I see the technical details of the protocol?" "Can I see the source code?" If the answer to any of these is "No", just ignore it.

  11. Conclusion: TextSecure https://whispersystems.org/ Pond https://pond.imperialviolet.org/
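Added example, not from the slides, Telegram or Threema: it makes the two objections in slides 4 and 5 concrete. The cipher is a toy PRF-in-counter-mode stream cipher (HMAC-SHA256 keystream) that behaves like XSalsa20 or AES-CTR for these two points; the message texts, the 24-byte nonce layout and the `VENDOR_SECRET` are constructed for the demonstration and are not claims about any real product. The first half shows why a "decrypt our sample messages" contest says nothing about active attacks: without the key an attacker cannot read the ciphertext, but can rewrite it, and only an authentication tag (which the contest never asks about) catches that. The second half shows why a validation tool that only re-encrypts a logged packet cannot detect a nonce that doubles as a covert channel: every packet validates, and the vendor still recovers the user's long-term key from four nonces.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 24  # same nonce length as NaCl crypto_box (assumption: stands in for Threema's format)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter).
    Stands in for XSalsa20 / AES-CTR; both behave the same way for the two points below."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes it


# --- Slide 4: "decrypt our sample messages" only measures passive attacks -----

def forge(ciphertext: bytes, known_plaintext: bytes, wanted: bytes) -> bytes:
    """Active attacker with no key. Because the cipher is a keystream XOR, flipping
    a ciphertext bit flips the same plaintext bit, so any part of the message whose
    content is known (here: all of it, a fixed message format) can be rewritten."""
    assert len(known_plaintext) == len(wanted) == len(ciphertext)
    return bytes(c ^ p ^ w for c, p, w in zip(ciphertext, known_plaintext, wanted))


def tag(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the check the contest never asks about."""
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def demo_malleability() -> tuple:
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(NONCE_LEN)
    msg = b"PAY 100 EUR TO ALICE"          # constructed sample message
    ct = encrypt(key, nonce, msg)
    t = tag(key, nonce, ct)

    forged = forge(ct, msg, b"PAY 900 EUR TO MALLY")
    # Contest question: can the attacker read ct without the key? No.
    # Skipped question: can the attacker change it? Yes, and a receiver without a MAC accepts it...
    accepted_without_mac = decrypt(key, nonce, forged)
    # ...while a receiver that verifies the tag rejects it.
    tag_still_valid = hmac.compare_digest(tag(key, nonce, forged), t)
    return accepted_without_mac, tag_still_valid


# --- Slide 5: a "validation" tool cannot see what a nonce is made of ---------

VENDOR_SECRET = secrets.token_bytes(32)   # constructed: known only to the (hypothetical) vendor


def leaking_nonce(private_key: bytes, chunk: int) -> bytes:
    """16 random bytes followed by 8 bytes of the user's long-term private key,
    masked with a keystream only the vendor can regenerate. Looks random to anyone
    without VENDOR_SECRET, and is a perfectly valid nonce for the cipher."""
    r = secrets.token_bytes(16)
    mask = hmac.new(VENDOR_SECRET, r, hashlib.sha256).digest()[:8]
    piece = private_key[chunk * 8:(chunk + 1) * 8]
    return r + bytes(a ^ b for a, b in zip(piece, mask))


def vendor_recovers(nonce: bytes) -> bytes:
    r, masked = nonce[:16], nonce[16:]
    mask = hmac.new(VENDOR_SECRET, r, hashlib.sha256).digest()[:8]
    return bytes(a ^ b for a, b in zip(masked, mask))


def validation_tool(key: bytes, logged_nonce: bytes, logged_ct: bytes, logged_pt: bytes) -> bool:
    """What the slide describes: confirm the logged packet is the plaintext encrypted
    under the key with that nonce. It has no way to tell an honest nonce from a leaking one."""
    return encrypt(key, logged_nonce, logged_pt) == logged_ct


def demo_nonce_channel() -> tuple:
    private_key = secrets.token_bytes(32)  # the user's long-term key the app exfiltrates
    session_key = secrets.token_bytes(32)
    msg = b"hello"                         # constructed sample message
    validated, leaked = [], b""
    for chunk in range(4):                 # four ordinary-looking messages leak all 32 bytes
        nonce = leaking_nonce(private_key, chunk)
        ct = encrypt(session_key, nonce, msg)
        validated.append(validation_tool(session_key, nonce, ct, msg))
        leaked += vendor_recovers(nonce)
    return all(validated), leaked == private_key


if __name__ == "__main__":
    print(demo_malleability())   # (b'PAY 900 EUR TO MALLY', False)
    print(demo_nonce_channel())  # (True, True)
```

The first demo is exactly the gap between "nobody can decrypt our ciphertext" and "nobody can tamper with our messages": a contest scoped to the former is passed by any unauthenticated stream cipher. The second demo is why source access to a validator does not substitute for source access to the client: the validator checks the relation between key, nonce, plaintext and ciphertext, and a leaking nonce satisfies that relation just as well as a random one.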