SlideShare a Scribd company logo
1 of 11
Download to read offline
Snake Oil
Nationalism
Conclusion
Cryptography for Software and Web Developers
Part 5: Don’t believe the crypto hype
Hanno B¨ock
2014-05-28
1 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
The NSA scandal was the biggest boost for snake oil crypto of
all time
Threema, Telegram, Cryptocat, whistle.im, chiffry, tutanota,
myEnigma, Hike, Kontalk, ...
2 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
At the moment a lot of people will try to sell you the latest
easy-to-use super-secure crypto solution
In most cases these should not be considered trustworthy
3 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
Telegram has a contest: They’ll pay you $ 200.000 if you can
decrypt their sample messages
Sounds good, right?
But it only applies to passive attacks. No sidechannels,
authentication issues, software bugs like buffer overflows,
known-plaintext-attacks, ...
Moxie Marlinspike challenged the Telegram developers with a
similar contest by defining a completely insecure protocol.
They haven’t responded.
4 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
Threema is proprietary
But they provide a ”validation” feature: App can log data
packages and a small tool that’s available in source form can
verify if that’s really the message encrypted with the
corresponding private key
How do you know if the logged package is the same that was
sent?
How do you know they don’t embed secret data in the nonce?
You just don’t. The whole Threema validation is a scam.
5 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
We really could need some better crypto message systems
Some people will tell you: ”What’s the matter, we have PGP
and Jabber with OTR, that’s all you need”
Except that they’re mostly unusable for normal users and have
tons of strange properties
PGP doesn’t encrypt the Subject, has two modes where only
one protects certain metadata, doesn’t provide forward secrecy
OTR only works if your communication partner is online, else
it will be unencrypted
6 / 10
Snake Oil
Nationalism
Conclusion
New fancy crypto tool
Example Telegram
Example Threema
The problem
What’s good?
From everything I’ve seen lately there are only two systems I
find interesting: Pond and Textsecure
Free software, source available
Well documented strong crypto technologies that seem to
make sense
Created by people who know a lot about crypto
7 / 10
Snake Oil
Nationalism
Conclusion
I find it hard to believe, but this is a real problem
”E-Mail Made in Germany”,”SecurITy made in Germany /
TeleTrusT” etc.
Peter Tauber (member of german parliament, CDU) wants
german encryption
Recently got a mail proposing a secure chat and phone system
that uses ”german elliptic curves with 512 bit”. (I assume
they mean the Brainpool curves, however Brainpool has no
curve with 512 bit)
”Don’t use AES, it’s a US-standard from the NSA” - except
that it has been created by researchers from Belgium
8 / 10
Snake Oil
Nationalism
Conclusion
Crypto is good when it has been created in a trustworthy
process
It doesn’t matter what kind of passport the researcher /
developer creating the system has
And finally: Be aware that Germany does not have a lot of
high profile cryptographers.
9 / 10
Snake Oil
Nationalism
Conclusion
Some reasonable questions you may ask:
”Crypto is hard. Do you have a crypto expert in your
development team or has your software been reviewed by a
crypto expert?”
”Can I see the tecchnical details of the protocol?”
”Can I see the source code?”
If the answer to any of these is ”No” just ignore it
10 / 10
Snake Oil
Nationalism
Conclusion
TextSecure https://whispersystems.org/
Pond https://pond.imperialviolet.org/
11 / 10

More Related Content

More from hannob

How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?hannob
 
Papierlos
PapierlosPapierlos
Papierloshannob
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malwarehannob
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Stromsparen
StromsparenStromsparen
Stromsparenhannob
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oilhannob
 

More from hannob (6)

How broken is TLS?
How broken is TLS?How broken is TLS?
How broken is TLS?
 
Papierlos
PapierlosPapierlos
Papierlos
 
Gehackte Webapplikationen und Malware
Gehackte Webapplikationen und MalwareGehackte Webapplikationen und Malware
Gehackte Webapplikationen und Malware
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Stromsparen
StromsparenStromsparen
Stromsparen
 
Wirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak OilWirtschaftswachstum, klimawandel und Peak Oil
Wirtschaftswachstum, klimawandel und Peak Oil
 

Recently uploaded

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxErYashwantJagtap
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 

Recently uploaded (17)

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Internet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptxInternet of Things Presentation (IoT).pptx
Internet of Things Presentation (IoT).pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 

Crypto workshop 5 - Don't believe the crypto hype

  • 1. Snake Oil Nationalism Conclusion Cryptography for Software and Web Developers Part 5: Don’t believe the crypto hype Hanno B¨ock 2014-05-28 1 / 10
  • 2. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? The NSA scandal was the biggest boost for snake oil crypto of all time Threema, Telegram, Cryptocat, whistle.im, chiffry, tutanota, myEnigma, Hike, Kontalk, ... 2 / 10
  • 3. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? At the moment a lot of people will try to sell you the latest easy-to-use super-secure crypto solution In most cases these should not be considered trustworthy 3 / 10
  • 4. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? Telegram has a contest: They’ll pay you $ 200.000 if you can decrypt their sample messages Sounds good, right? But it only applies to passive attacks. No sidechannels, authentication issues, software bugs like buffer overflows, known-plaintext-attacks, ... Moxie Marlinspike challenged the Telegram developers with a similar contest by defining a completely insecure protocol. They haven’t responded. 4 / 10
  • 5. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? Threema is proprietary But they provide a ”validation” feature: App can log data packages and a small tool that’s available in source form can verify if that’s really the message encrypted with the corresponding private key How do you know if the logged package is the same that was sent? How do you know they don’t embed secret data in the nonce? You just don’t. The whole Threema validation is a scam. 5 / 10
  • 6. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? We really could need some better crypto message systems Some people will tell you: ”What’s the matter, we have PGP and Jabber with OTR, that’s all you need” Except that they’re mostly unusable for normal users and have tons of strange properties PGP doesn’t encrypt the Subject, has two modes where only one protects certain metadata, doesn’t provide forward secrecy OTR only works if your communication partner is online, else it will be unencrypted 6 / 10
  • 7. Snake Oil Nationalism Conclusion New fancy crypto tool Example Telegram Example Threema The problem What’s good? From everything I’ve seen lately there are only two systems I find interesting: Pond and Textsecure Free software, source available Well documented strong crypto technologies that seem to make sense Created by people who know a lot about crypto 7 / 10
  • 8. Snake Oil Nationalism Conclusion I find it hard to believe, but this is a real problem ”E-Mail Made in Germany”,”SecurITy made in Germany / TeleTrusT” etc. Peter Tauber (member of german parliament, CDU) wants german encryption Recently got a mail proposing a secure chat and phone system that uses ”german elliptic curves with 512 bit”. (I assume they mean the Brainpool curves, however Brainpool has no curve with 512 bit) ”Don’t use AES, it’s a US-standard from the NSA” - except that it has been created by researchers from Belgium 8 / 10
  • 9. Snake Oil Nationalism Conclusion Crypto is good when it has been created in a trustworthy process It doesn’t matter what kind of passport the researcher / developer creating the system has And finally: Be aware that Germany does not have a lot of high profile cryptographers. 9 / 10
  • 10. Snake Oil Nationalism Conclusion Some reasonable questions you may ask: ”Crypto is hard. Do you have a crypto expert in your development team or has your software been reviewed by a crypto expert?” ”Can I see the tecchnical details of the protocol?” ”Can I see the source code?” If the answer to any of these is ”No” just ignore it 10 / 10