<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/17/2013 4:58 PM, SafeChat.IM
wrote:<br>
</div>
<blockquote
cite="mid:5B99F4E5-A069-4375-A61B-DC6BDC79CBE4@safechat.im"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; "><b
id="docs-internal-guid--7464a69-01b7-5e75-8b73-89673e4e1507">
<div style="line-height: 1.15; margin-top: 0pt; margin-bottom:
0pt; "><span style="font-size: 15px; font-family: Arial;
font-weight: normal; vertical-align: baseline;
white-space: pre-wrap; ">Dear mailing list,</span></div>
<p dir="ltr" style="line-height: 1.15; margin-top: 0pt;
margin-bottom: 0pt; "><span style="font-size: 15px;
font-family: Arial; font-weight: normal; vertical-align:
baseline; white-space: pre-wrap; "> </span></p>
<div style="line-height: 1.15; margin-top: 0pt; margin-bottom:
0pt; "><span style="font-size: 15px; font-family: Arial;
font-weight: normal; vertical-align: baseline;
white-space: pre-wrap; ">A friend and me are working on a
plugin that enables encryption on top of Facebook
messaging. The idea is to encrypt messages before they
leave the chat client, sending only the cipher to Facebook
and decrypt the message on the receiver client, before it
is displayed. The plugin automatically realizes which
users have it installed and only encrypts these chats.</span></div>
</b></div>
</blockquote>
<br>
Very cool!<br>
<br>
<blockquote
cite="mid:5B99F4E5-A069-4375-A61B-DC6BDC79CBE4@safechat.im"
type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; "><b
id="docs-internal-guid--7464a69-01b7-5e75-8b73-89673e4e1507">
<div style="line-height: 1.15; margin-top: 0pt; margin-bottom:
0pt; "><span style="font-size: 15px; font-family: Arial;
font-weight: normal; vertical-align: baseline;
white-space: pre-wrap; "></span></div>
<div style="line-height: 1.15; margin-top: 0pt; margin-bottom:
0pt; "><span style="font-size: 15px; font-family: Arial;
font-weight: normal; vertical-align: baseline;
white-space: pre-wrap; ">Since the reliability of the
cryptographic system is a crucial part of the design, I
would to discuss the protocol here:</span></div>
<p dir="ltr" style="line-height: 1.15; margin-top: 0pt;
margin-bottom: 0pt; "><span style="font-size: 15px;
font-family: Arial; font-weight: normal; vertical-align:
baseline; white-space: pre-wrap; "> </span></p>
<div style="line-height: 1.15; margin-top: 0pt; margin-bottom:
0pt; "><span style="font-size: 15px; font-family: Arial;
font-weight: normal; vertical-align: baseline;
white-space: pre-wrap; ">First, we use PBKDF2 to derive a
256 bit data block from a passphrase the user chooses and
a salt (the username). We advise the user to use a long
and hard-to-guess passphrase. We use Parvez Anandam’s
JavaScript implementation [1].</span></div>
</b><br>
</div>
</blockquote>
PBKDF2, just like TrueCrypt? I hope you decide to have better
password security than those guys. The PBKDF2 key stretching in
TrueCrypt is a joke. You have to find an obscure option to even
enable the 2000-round SHA256 key stretching, which provides close to
no security at all. The kinds of passwords your users on Facebook
will actually use have very few bits of entropy, and can be guessed
by hardware based brute force attacks very quickly.<br>
<br>
To have much better password protection, take a look at the key
stretching used in FreeCoin: scrypt. While it is less effective at
reducing hardware based password guessing attacks than it should be,
it's still many thousands of times more effective than SHA-256 based
key stretching. I wrote some code that is like scrypt but it
understands that we should thrash the on-chip cache while keeping
the DRAM interface at 100% data transfer rates to more effectively
beat hardware based password guessing. Scrypt causes a cache miss
every cycle, enabling hardware that does faster random access to
accelerate it's key stretching by a factor of maybe 100. Scrypt
also has some undesirable properties such as needing to put scrypt
parameters along side the salt, making it clear that the file is an
script based encrypted password rather than random junk, reducing
deniability. My code gets around the weaknesses in scrypt that I
perceived, but please just use scrypt rather than untested code.
Freecoin proved scrypt works, and that's worth a lot. Also, you
guys will naturally do what everyone should be doing: perform the
key stretching in the browser, not on the server. For example,
default Microsoft key stretching is only 1000 rounds of SHA-256
because it's done in ASP.net on the server rather than in the
browser.<br>
<br>
Now for my tin hat conspiracy theories: Why is Microsoft so stupid
about where to perform key stretching? Why wont the TrueCrypt team
adopt decent password security? Why does PGP have 0 key stretching
by default, and why is my SSH private key encrypted with no key
stretching and no option to use it? You want to encrypt Facebook
traffic with real security? I just have to wonder if some tall
suits with dark sunglasses are going to convince you to do
otherwise. My other theory is people are really that stupid,
whether they write SSH encryption code, PGP, or TrueCrypt.<br>
</body>
</html>