[Cryptography] Encryption opinion

ianG iang at iang.org
Fri Aug 15 08:15:49 EDT 2014


On 14/08/2014 20:38 pm, Jorge Perdomo wrote:
> Hello cryptography experts,
> 
> I am the co-founder of goTenna, a small startup in Brooklyn that is
> developing a product that is intended to allow resilient decentralized
> and /encrypted/ communications for people using smartphones regardless
> of central connectivity.

What sort of people?  What sort of communications?

Reason for q is:  you said encrypted by which we guess you mean secure.
But secure is not a binary concept, it is really a defence against an
attacker against your business.  In short, without a context that tells
us how much everyone cares (you, user, attacker) there is no way to
judge how much security is 'good enough'.

> We launched publicly a few weeks ago with the plans of using 1024-bit
> RSA for our encryption, but have received a lot of complaints from
> people telling us that RSA wasn't safe and whatnot.  I'm not an expert,
> but through our research we felt like 1024RSA for a 160 character text
> message was plenty strong, but we could be wrong.


a.  Are you using RSA to directly encrypt the messages?  This is
typically frowned upon as RSA is tricky to use and many uses lead to
weaknesses.  The preferred classical method is to use RSA once to share
a secret with your counterparty and then use that to encrypt using a
block or stream cipher (etc).  Latter are less vulnerable.

b.  RSA 1024 is considered a weak length these days.  But it still
depends on "against whom?"  NIST recommends 2048, but the little known
open secret is that NIST has a mandate only to protect USG agencies.  So
2048 is recommended for USG agencies.  As they are currently targeted
by aggressive foreign spies, this makes some sense.  It makes less sense
for anyone else to pay attention to them, absent clear disclosures and
mandates.

Nobody has any evidence of a 1024 RSA keylength being crunched.  And if
it happens, it won't happen to you, rather someone else more important.
HOWEVER, public opinion will be against you.  So if you rely on your
claims of security as a big part of your marketing message, it's going
to be tough.

c.  The biggest danger in more ordinary usage of security systems is
your counterparty.  E.g., your spouse who's about to divorce you.  As
these messages are generally in cleartext on your future court
antagonist's phone, the encryption used isn't really a big concern.


> Our team has started looking into other options, and we found some kind
> of elliptic curve cryptography that seems like it would be stronger,
> while also keeping our packet sizes as small as possible (critical!). 
> Before we start building any of this custom though, I was hoping we
> might be able to get the opinion of some of you in the cryptography
> community.


EC has much smaller key sizes for the same strength.  Which helps... but
it also prefers to do a key exchange, see a. above, although there
are some brave efforts to do EC only packet exchanges (read
http://curvecp.org/ ).


> If anyone would be willing to chat with us, please shoot me a note at
> jp at gotenna.com - it would also be helpful if you
> could give me a brief description of your background/expertise.  We're
> not looking for massive involvement, but maybe just a brief phone call
> to make sure that what we end up implementing will indeed keep people safe.


You do understand that this is not a hobby, right?  People earn the big
bucks by spending a decade learning this stuff.  They don't just hand it
off to anyone as if it were an open source project, and it's their duty
to society to share their hard work...

You might get lucky and someone will throw you a few pointers, but you
should be prepared to pay for the decade or so of experience that you
need here.  If you don't respect the people who do the work to secure
your customers, how will customers respect you?



iang
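
Added example, not part of the original message: Go code for the pattern in point a. above, where RSA is used once to share a secret and a symmetric cipher then encrypts the message. The choice of RSA-OAEP with SHA-256, AES-256-GCM, a 2048-bit key, the packet layout and the names newKey, Seal and Open are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // recipient key pair

// Seal wraps a fresh AES-256 key with RSA-OAEP and returns wrapped key || nonce || AES-GCM(msg).
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // session key, then GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return gcm.Seal(append(wrapped, nonce...), nonce, msg, nil), nil
}

// Open reverses Seal; a truncated or modified packet yields an error, never plaintext.
func Open(priv *rsa.PrivateKey, pkt []byte) ([]byte, error) {
	k := priv.Size() // modulus length in bytes = length of the wrapped key
	if len(pkt) < k+12+16 {
		return nil, fmt.Errorf("packet too short: %d bytes", len(pkt))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, pkt[:k], nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key unwrap failed: %v", err)
	}
	block, _ := aes.NewCipher(key) // key length checked above
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, pkt[k:k+12], pkt[k+12:], nil)
}

func main() {
	if priv, err := newKey(); err == nil {
		pkt, err := Seal(&priv.PublicKey, make([]byte, 160)) // constructed 160-byte message
		fmt.Println("packet bytes:", len(pkt), "error:", err)
	}
}
```

For a 160-byte message the packet is 256 + 12 + 160 + 16 = 444 bytes, most of it the RSA-wrapped key, which is the overhead the smaller EC keys mentioned in the thread reduce.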

