"Decrypting a block using the oracle" typo?
dpawson opened this issue · 9 comments
PDF, page 50.
"The attacker starts by sending in a plaintext A that’s just one byte shorter
than the block size."
In the figure below (unnumbered), the input appears to show a length 1 byte greater than the block length?
The first figure on page 51:
... shows a block A that is b-1 bytes, where b is the block size. This is internally consistent, because it gets s0 added to it (one byte) before it goes into the block cipher (which of course takes b bytes).
Either it's correct; or we're looking at different illustrations :)
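The byte-at-a-time chosen-plaintext attack that the figure describes (a prefix of b-1 attacker bytes, so that the single unknown byte s0 lands in the last position of a block), as an added, runnable example; it is not code from the book or from anyone in this thread. Everything in it is an assumption of the example: the secret and key are constructed, the padding is PKCS#7, and in place of AES it uses a keyed deterministic stand-in (SHA-256 of key||block, truncated to 16 bytes). The attack only requires that the oracle be deterministic ECB, i.e. equal plaintext blocks give equal ciphertext blocks under one key, and it never needs to decrypt anything, so the stand-in does not change the logic.

```python
import hashlib
import os

BLOCK = 16
# Constructed values for the demo; the attacker-side functions below never read either.
KEY = os.urandom(16)
SECRET = b"attack at dawn!!xyz"


def _encrypt_block(key, block):
    """Stand-in for an AES-ECB block encryption (assumption): a keyed, deterministic
    function of one block. The attack relies only on equal plaintext blocks giving
    equal ciphertext blocks under the same key, and never decrypts."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def make_oracle(key, secret):
    """Encryption oracle: encrypts attacker_prefix || secret in ECB mode."""
    def oracle(attacker_prefix):
        pt = pkcs7_pad(attacker_prefix + secret)
        return b"".join(_encrypt_block(key, pt[i:i + BLOCK])
                        for i in range(0, len(pt), BLOCK))
    return oracle


def is_ecb(oracle):
    """Two identical plaintext blocks give identical ciphertext blocks only in ECB."""
    ct = oracle(b"A" * (2 * BLOCK))
    return ct[:BLOCK] == ct[BLOCK:2 * BLOCK]


def find_secret_length(oracle):
    """Grow the prefix one byte at a time until the padded ciphertext grows by a block."""
    base = len(oracle(b""))
    for i in range(1, BLOCK + 1):
        if len(oracle(b"A" * i)) > base:
            return base - i
    raise ValueError("ciphertext length never changed")


def recover_secret(oracle):
    """Byte-at-a-time recovery: place the next unknown byte at the end of a block whose
    other b-1 bytes are already known, then compare that ciphertext block against the
    encryption of each of the 256 candidate blocks."""
    secret_len = find_secret_length(oracle)
    recovered = b""
    for k in range(secret_len):
        prefix_len = BLOCK - 1 - (k % BLOCK)      # aligns secret[k] to the end of a block
        blk = (prefix_len + k) // BLOCK           # index of the block that ends in secret[k]
        target = oracle(b"A" * prefix_len)[blk * BLOCK:(blk + 1) * BLOCK]
        known = b"A" * prefix_len + recovered     # everything before secret[k] is known
        for guess in range(256):
            probe = known[-(BLOCK - 1):] + bytes([guess])   # exactly one block: b-1 known + guess
            if oracle(probe)[:BLOCK] == target:
                recovered += bytes([guess])
                break
        else:
            raise ValueError("no byte matched: oracle is not deterministic ECB")
    return recovered


if __name__ == "__main__":
    oracle = make_oracle(KEY, SECRET)
    print("ECB detected:", is_ecb(oracle))
    print("recovered:", recover_secret(oracle))
```

The cost is at most 256 oracle queries per secret byte instead of 256^n for the whole secret, which is the point of aligning one unknown byte per block; `is_ecb` is the check a practitioner runs first, since against CBC with a fresh IV the same probe gives different blocks and the attack does not apply.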
Again apologies. I see a graphical block and assume it's a block as sent.
My bad. I shall stop sending comments.
No worries; happy to help.
I'd love to get an example for that one, because that's explicitly what both the book and the video aim to avoid so I have to make sure not to do that in the future.
Just my view
@lvh https://www.crypto101.io/
Sought: items where @lvh explains what/how without a why?
2:20 'nice to understand what's going on'
(my position: programmer, just want a simple (to me / to implement) encryption system that the professionals think is currently good.)
4:38 - no explanation of a limitation (to block length msg etc).
5:50 You say don't use DES, and explain why. That's a plus in my argument.
8:15 Good explanation of why not.
10:51 No mention of CFB/OFB as good or bad?
14:16 key exchange explained well. But not why (4 seconds to do so?)
14:41 It may be obvious why we need to exchange 'secrets' / keys securely, but you don't say why?
17:00 Mixing colors and secrets in the text?
17:50 Explaining man in the middle, but not making the obvious 'why' point? Why authentication.
20:13 Why do you need to explain hash codes? How / why are they useful?
22:16 No explanation of how the extension 'works' / why it is a problem.
25:30 say why MAC is 'good' / better than others / why used.
27:00 You say don't use CHF for password stores - perhaps suggest what to use instead?
29:29 +ve, says why salts are used. 30:45 very quickly pass over why not to use them today.
31:20 Don't say what a KDF stands for. Nor why it is better than / a replacement for salts?
33:00 Sender auth. Well explained (the why )
35... You explain how PKI works, not why it is used / better than....
37:40 Web of trust, well explained.
41:30 CA not related to web of trust? Surely it is a variation on the same thing?
Assumes it is crypto101, i.e. for newbies.
Emphasis seems to be on message exchange (your sphere of interest?). What of a password database, in which possibly more people are interested on a small scale?
Thanks for the detailed list! Many of the details (like hash extension attacks) are explained in the book -- the main limitation there is that I have a 45 minute slot, and as you can tell from the video, that was filled to the brim. That includes things like CFB and OFB, which are a little esoteric. The extent to which it's useful to know what they are is that they turn a block cipher into a stream cipher. Having simple encryption that people think is good is what I thought I started the talk out with: (Py)NaCl or GPG for data at rest; TLS for data in motion.
Re: key exchange; in the section prior (at 13:50) I explain why key exchange is needed: stream ciphers let you send messages if you have a key, but where do you get the key from?
Re: MITM requiring auth: I hoped that an attacker being able to intercept and modify all your communication is enough justification.
Re: hash functions: that's important because they're used (among other things) to build MACs (and PRFs, but that's a distinction without a difference at a Crypto 101 level) -- but, also, mistakenly, as MACs -- hence the length extension attack, which is not something you can do with a real MAC or a PRF.
Re: KDF: at 31:04 I say "key derivation function", and I explain why it's better than a CHF/salt beforehand. It's better than a CHF because it's slow to compute, so an attacker can't enumerate passwords. It's orthogonal to salts, because salts solve the wrong problem (an attacker who has compromised the database has presumably also compromised the salt).
Re: PKI: you're right; 35:00 says nothing about PKI. The 37:40 "WoT" explanation works both for PKI and WoT; as you point out in your comment about 41:30.
The focus on message exchange is primarily because TLS is a complex system that has many parts in it that lies at the core of the Internet working; by going through all of the parts in TLS, you understand (hopefully, but apparently I haven't succeeded in that goal) why they are all necessary. Add the detail of the book, for example, and you know MACs are necessary because otherwise you have chosen ciphertext attacks (like CBC bit flipping attacks, for example). Remove any part in an ostensibly complex system (MAC, stream cipher, key exchange, signature algorithm, asymmetric encryption...) and TLS falls over.
Thank you for your feedback.
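The length-extension attack the reply above refers to, as an added, runnable example that is not lvh's code or from the book: a pure-Python SHA-1 (checked against `hashlib`) whose compression state can be seeded from an existing digest, used to extend a tag computed as SHA1(key || message) to a longer message without knowing the key, followed by the same attempt against HMAC-SHA1, which fails because an HMAC tag is not a raw hash state. The key and messages are constructed; SHA-1 is used only because it is short to write out, the same construction applies to MD5 and SHA-256 (any Merkle-Damgard hash whose output is its full internal state).

```python
import hashlib
import hmac
import struct

KEY = b"s3cret-key-bytes"   # constructed; the forger never reads it, only its length


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_pad(msg_len):
    """SHA-1 padding for a message of msg_len bytes: 0x80, zeros to 56 mod 64,
    then the bit length as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1(data, state=None, prior_len=0):
    """SHA-1 of data. With state/prior_len, continue from that compression state as if
    prior_len bytes (a whole number of blocks) had already been absorbed; this is the
    capability hashlib does not expose and that the attack needs."""
    h = list(state) if state is not None else [
        0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    msg = data + sha1_pad(prior_len + len(data))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def naive_mac(key, msg):
    """The mistake: using a plain hash of key || message as a MAC."""
    return hashlib.sha1(key + msg).digest()


def hmac_mac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def forge(tag, orig_msg, key_len, extension):
    """Given tag = SHA1(key || orig_msg) and only the key's length, return
    (new_msg, new_tag) with new_tag = SHA1(key || new_msg). The glue is the padding
    the hash appended internally, so key || new_msg resumes exactly from tag's state."""
    glue = sha1_pad(key_len + len(orig_msg))
    new_msg = orig_msg + glue + extension
    state = struct.unpack(">5I", tag)
    new_tag = sha1(extension, state=state, prior_len=key_len + len(orig_msg) + len(glue))
    return new_msg, new_tag


def demo():
    """Returns (naive_accepts_forgery, hmac_accepts_forgery)."""
    msg = b"amount=10&to=alice"
    ext = b"&to=mallory"
    forged_msg, forged_tag = forge(naive_mac(KEY, msg), msg, len(KEY), ext)
    naive_accepts = hmac.compare_digest(naive_mac(KEY, forged_msg), forged_tag)
    # Same trick against HMAC: the tag is H(k_outer || H(k_inner || m)), so it is not the
    # state of a hash over key || m and cannot be resumed.
    forged_msg2, forged_tag2 = forge(hmac_mac(KEY, msg), msg, len(KEY), ext)
    hmac_accepts = hmac.compare_digest(hmac_mac(KEY, forged_msg2), forged_tag2)
    return naive_accepts, hmac_accepts


if __name__ == "__main__":
    print("naive SHA1(key||msg) accepts forgery:", demo()[0])
    print("HMAC-SHA1 accepts forgery:", demo()[1])
```

The forged message carries the glue padding bytes in the middle, so whether a real target accepts it depends on how the receiver parses the message (a `&`-separated query string, for instance, usually tolerates them); the key length is unknown in practice but small enough to enumerate. The fix is the one the reply gives: use a real MAC (HMAC, or an AEAD mode) rather than a bare hash.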