zx2c4: every time i send you something, i expect to hear back from you. if i dont hear back from you, then something bad has happened, and i should start over with a new handshake. my way of hearing back from you might be in the natural sense -- i send a TCP SYN, you send me back a TCP ACK -- or it might be the case that you actually just have nothing to send back to me. you got my message just fine, but really just cant think of anything to say back to me.
mircea_popescu: "If a packet has been received from a given peer, but we have not sent one back to the given peer in KEEPALIVE ms, we send an empty packet." <<
mircea_popescu: zx2c4 the fundamental problem with "set to empty" is that ciphers can be and many are vulnerable to this, as a particular case of "known plaintext"
zx2c4: also, btw, when you're not using the payload parameter in a message, it's just set to empty, because the authentication tag used by it is still important for the protocol.
zx2c4: pretty unlikely that somebody would design a protocol inadvertently that way
mircea_popescu: so in no case a dizzy operator could naively set up noise 7.4 so as to send his payloads in plaintext.
zx2c4: one thing to keep in mind is that Noise isn't a single ready-made protocol for every application designer to take. its instead a protocol framework for protocol designers to use. knowing explicitly what the payload param gives you in each message is really important, so that you dont screw up and put your stuff somewhere it shouldnt be. there are legitimate protocol use cases for using the payload parameter early on during the handshake. its
zx2c4: this is not the case of the "null mode" in IPsec, which is obviously a complete disaster with no good justification
zx2c4: there are valid use cases of sending information in the clear in the payload parameter. for example, perhaps you want to use it to advertise which aspects of the protocol are valid for subsequent messages. or you want to send a certificate along to authenticate yourself. the payload parameter certainly shouldnt be confused with transport messages, which are what are allowed after the handshake completes
mircea_popescu: asciilifeform seems to me the case to be, that they defined a matrix, and then implemented all the cells, and fuck you if you pick a dumb cell.
zx2c4: its not an "unsecured mode" because this isnt a "mode"
zx2c4: but there's certainly not any "null-ciphering" and this is only a misunderstanding of what the specification says
zx2c4: noise defines several different handshakes. wireguard uses Noise_IKpsk2, which is 1-RTT. But there are other noise handshakes, some of which are 0-RTT, 1-RTT, 2-RTT, 1.5-RTT, and so forth. each handshake message can optionally contain a payload -- to contain things like, say, certificates or other data. the question is at which stage of the handshake do you use the payload parameter? if you do it too early in some, you get zero confidentiality. so
a111: Logged on 2018-04-11 16:11 asciilifeform: mircea_popescu: picture if the selector on kalash had a 'fires backwards' position.
a111: Logged on 2018-04-12 15:36 zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
zx2c4: a null cipher mode? it doesnt...
a111: Logged on 2018-04-12 09:42 spyked: http://btcbase.org/log/2018-04-12#1796749 <-- that's probably my thing, I've been playing with it for the last two weeks or so, I have it in a loop grabbing feeds from republican blogs.
a111: Logged on 2018-04-12 08:33 ckang: granted im sure things are progressing, but its hard to outperform something from a billet of aluminum
a111: Logged on 2018-04-12 08:31 ckang: cant get behind all this 3d printer fanboy stuff, its just not a good substrate with the current materials for anything you want to last somewhat longterm
zx2c4: im guessing deedbot will send me an otp now
mircea_popescu: http://deedbot.org/ << on deedbot you can register any arbitrary item ; it keeps a record that indeed your signature did so ; and it marks the time, through inclusion in the bitcoin blockchain
mircea_popescu: this is a lot more than meets the eye ; because it actually restructures conversations into a tree. things here have a depth not encountered anywhere else.
zx2c4: if you guys wind up using wireguard for part of your infra and want to support wireguard for a year, i'm always looking for large donations, etc. not sure if that's what deedbot is for exactly but that would be quite the nice deed
mircea_popescu: you can click the link and see a website-based story of the log ; the bot also reads the line referenced in conversation.
zx2c4: we've been going at it for a while here
zx2c4: i havent compiled a list of Name+WrittenReview. maybe i should do that
zx2c4: then in the acknowledgement of the paper, a few others are mentioned who reviewed it while it was being written
zx2c4: its in a much better place than just raw md5
zx2c4: so it's received quite a bit of scrutiny
zx2c4: blake2 came from blake which went through the sha3 contest as a finalist
zx2c4: but anyway, the world has learned quite a bit since md5
zx2c4: seems like there are many places and interesting ways to optimize at this point. lots of neat creative work coming out. but that with aes and whatnot, we're in a pretty good place in terms of symmetric crypto
zx2c4: things like RSA boil down to number theory problems. but that's in a sense scarier than the set of problems that good block ciphers tend to boil down to. because it means that those primitives have lots of _structure_, and generally structure is something that can be exploited. just look at all the amazing and fantastic attacks on things with structure. so just boiling down to a [currently considered] "hard problem" doesn't provide as much solace
jhvh1: stormy with a chance of packeting
zx2c4: by only using a limited subset of constructs which are known to be constant time
zx2c4: fiat-crypto also has a 64bit one, but the HACL* one was faster
zx2c4: (i've got a project going on right now to rewrite that actually)
zx2c4: - wireguard doesnt expose any state to the administrator. there's either an interface or there isnt. theres no concept of "connection". with a very simple timer state machine, we're able to completely hide all details from the sender side
zx2c4: - the whole cryptokey routing table thing is very important for making things extremely simple. it pairs the identity of a public key with the ip address someone is allowed to be inside the tunnel. no fancy security marks or whatever from ipsec bloat
zx2c4: asciilifeform: oh cool. i havent seen this ill take a look
a111: Logged on 2015-01-07 01:22 asciilifeform: with udp, you can make the 'friend or foe?' decision upon receipt of a single (!) packet.
zx2c4: - denial of service resistance. as mentioned, you should be able to put this on the outer edge of a network
zx2c4: - minimal state machine, as mentioned above, which means 1-RTT: if something goes wrong with a message being dropped, the solution is always to just "start over the protocol", since it's only 1-RTT. this saves amazing amounts of complexity
zx2c4: - silent to unauthorized packets. if you dont know there's a wireguard endpoint there and don't have credentials to talk to it, you can't get it to respond to anything. so, you cant scan for endpoints. this makes it a good thing to put on the outer edge of your network.
zx2c4: then on top of that i wanted a few nice properties:
zx2c4: wireguard is supposed to be implementable using simple algorithms with as small of a state machine as possible, so that the code size and complexity is kept at a minimum. in other words, it aims to be easily auditable so that people can actually read it and feel confident that it doesnt have horrible vulnerabilities. with massive codebases and highly complex designs like openvpn or ipsec, this obviously isnt possible. so with wireguard i was trying
zx2c4: it's small, minimal, has the flexibility to be exactly what i needed and nothing larger. makes conservative choices. fits into the security model i was aiming for with the implementation properties i was looking for. i was also involved with noise from very early on, so several concerns and needs i had with wireguard got factored into noise. and since noise is a very interesting framework, it's now receiving much needed academic attention in
a111: Logged on 2017-08-19 18:25 mircea_popescu: are you aware i think your "formal" model is a piece of shit from paragraph one ?
ckang: granted im sure things are progressing, but its hard to outperform something from a billet of aluminum
ckang: cant get behind all this 3d printer fanboy stuff, its just not a good substrate with the current materials for anything you want to last somewhat longterm
ben_vulpes: basic principle is to dump the heat from intake into the onboard lh2 supply, boil a bit off to turn the pumps, and then cut over to internal supplies once out of the atmosphere.
ben_vulpes: buncha british poofs have a magical ambient-air-breathing-theoretically-up-to-mach-5 rocket engine system
trinque: somewhere a star printer screeches with the sound of titties.
ben_vulpes: i am still flabbergasted that it takes apache 2.7 seconds to render what nginx can do with the fpm pool in a tenth of a second.
sashahsas: No, Louisiana had a french colony at some point I think.
sashahsas: I need to download a thesaurus or dictionary to understand that sentence I think
mircea_popescu: sashahsas ok, ok, how about this -- amanap : lanac a nalp a nam a
ben_vulpes: trinque: yeah but i doubt you see it in a reasonable timeframe
sashahsas: The right keyboard helps a lot with predictive text
sashahsas: Some can navigate the entire city looking at a phone screen lol
sashahsas: Its a pet peeve of mine, talking to someone and them looking at their phone.
sashahsas: Hey sorry, had a coworker come up and had to put my phone down.
mircea_popescu: the whole story is whether it waits for a timeout somewhere.
ben_vulpes: well it successfully redirects me to the index and the admin login page now when using a consumer browser; not that that's much of an indicator that things aren't deeply fucked within
mircea_popescu: i don't even know that it knows what a port is or what to do with the colon.