[Cryptography] WhatsApp, Curve25519 workspace etc.

Hanno Böck hanno at hboeck.de
Sun May 1 07:16:03 EDT 2016


Hi,

On Sun, 1 May 2016 10:58:59 +0300
Ismail Kizir <ikizir at gmail.com> wrote:

> I want to state my thought more clearly.
> Curve25519 has 2^128 workspace for brute force attacks. Correct me if
> I am wrong please.
> 
> Also, as far as I remember (I don't remember where I read it), a
> supercomputer today is able to break 56 bit DES encryption in ~400
> seconds.

Not sure where you're going with this. 56 bit security is broken, 128
is not (and most likely never will be).
Maybe your line of thinking is that 128 is "only" a bit more than
twice the size of 56. But that's not the case. You're counting bits
here that exponentially increase the complexity. 128 bit is not (a bit
more than) twice the security of 56; it's another universe of security.

> Moreover, more important: WhatsApp uses AES 256 in CBC mode, which is
> excluded from TLS 1.3 draft. And there are some articles about it:
> http://link.springer.com/chapter/10.1007%2F3-540-45708-9_2

Ok, I must say I was surprised that WhatsApp uses CBC (I had expected
either gcm or chacha20-poly1305), but there is no risk here either.
All the weaknesses of CBC don't affect the mode itself, but a bad
combination of cbc+hmac. Quickly skimming through the WhatsApp whitepaper,
they use cbc+hmac with encrypt-then-mac. That's safe. What's unsafe is
using the other way round or some wacky encrypt-and-mac constructions.

> I want to repeat my question again: Isn't it highly suspicious to take
> so many risks, instead of simply using a larger key space?

It seems to me that what you classify as "so many risks" are just two
misunderstandings. Neither the 128 bit security of curve25519 nor cbc
in encrypt-then-mac mode are a risk.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
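The encrypt-then-MAC composition the reply describes (AES-CBC, then an HMAC over IV and ciphertext, with the tag checked before any decryption) as an added Go example; this is not code from the original message or from WhatsApp, and the keys, IV and the choice of HMAC-SHA256 are constructed assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// tag is HMAC-SHA256 over IV || ciphertext: in encrypt-then-MAC the MAC covers the ciphertext.
func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(append(append([]byte{}, iv...), ct...))
	return m.Sum(nil)
}

// Seal: PKCS#7 pad, CBC encrypt, then MAC. Output layout is IV || ciphertext || tag.
func Seal(block cipher.Block, macKey, iv, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append(append([]byte{}, iv...), ct...), tag(macKey, iv, ct)...)
}

// Open verifies the tag before decrypting, so tampered ciphertext never reaches the padding check (no padding oracle).
func Open(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed message")
	}
	iv, ct, t := msg[:aes.BlockSize], msg[aes.BlockSize:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(t, tag(macKey, iv, ct)) {
		return nil, fmt.Errorf("authentication failed") // reject without touching the cipher
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize { // PKCS#7: last byte is the pad length
		return pt[:len(pt)-n], nil
	}
	return nil, fmt.Errorf("bad padding")
}
func main() {
	block, _ := aes.NewCipher(bytes.Repeat([]byte{1}, 32)) // constructed demo key; a real system derives separate keys
	mk, iv := bytes.Repeat([]byte{2}, 32), bytes.Repeat([]byte{3}, aes.BlockSize) // constructed; IV is fixed for the demo only
	msg := Seal(block, mk, iv, []byte("hello"))
	msg[aes.BlockSize] ^= 1 // flip one ciphertext bit
	fmt.Println(Open(block, mk, msg)) // [] authentication failed
}
```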