logo

blog

My little blog can’t be this cute! git clone https://hacktivis.me/git/blog.git
commit: beb9214dfe1c435575f9d9e3c4e575f449732c33
parent 17d834ee39c074b0636b4953565670184cd6f6b3
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Thu,  7 Mar 2019 06:59:43 +0100

articles/Pretty Bad Privacy: fix EFF DES cracker, mention Sweet32


Diffstat:


Marticles/Pretty Bad Privacy.xhtml3++-


1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/articles/Pretty Bad Privacy.xhtml b/articles/Pretty Bad Privacy.xhtml
@@ -78,7 +78,7 @@ ID           Algorithm                             Text Name
 Implementations MUST implement SHA-1.  Implementations MAY implement
 other algorithms.  MD5 is deprecated.</pre></blockquote>
 <cite><a href="https://tools.ietf.org/html/rfc4880">RFC4880</a>, November 2007</cite>
-<p>Some additionnal ciphers got added later on, but this basically mean that you cannot be sure that a OpenPGP message you sent wasn’t done in more-or-less plaintext. 3DES was broken by the EFF in 199x, SHA1 was probably still known as okay but could be better (as SHA2 was already a thing), DSA was probably not now enough as good to be hardcoded, no idea for Elgamal.</p><!-- FIXME -->
+<p>Some additionnal ciphers got added later on, but this basically mean that you cannot be sure that a OpenPGP message you sent wasn’t done in more-or-less plaintext. DES was broken by the EFF in 199x, 3DES is basically now on about the same size (NIST: 80 bits of security) but computing power got much better, SHA1 was probably still known as okay but could be better (as SHA2 was already a thing), DSA was probably not now enough as good to be hardcoded, no idea for Elgamal.</p><!-- FIXME -->
 <blockquote><pre>
 13.4.  Plaintext
 
@@ -141,6 +141,7 @@ Compression: Uncompressed, ZIP, ZLIB, BZIP2
 	<li><a href="http://www.netpgp.com/">NetPGP</a>, an implementation of OpenPGP by NetBSD, seems quite unmaintained to me</li>
 	<li><a href="https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/">What’s the matter with PGP? - A Few Thoughts on Cryptographic Engineering</a></li>
 	<li><a href="https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html">[tor-talk] Why the Web of Trust Sucks</a></li>
+	<li><a href="https://sweet32.info">Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN</a>, which Triple-DES and Blowfish are vulnerable to</li>
 </ul>
 <p><a href="https://queer.hacktivis.me/notice/9gVn61L9VGPosmXRQG">Fediverse post for comments</a></p>
 </article>