[Cryptography] WhatsApp, Curve25519 workspace etc.

Antonio Sanso asanso at adobe.com
Tue May 3 01:44:33 EDT 2016


hi

On May 1, 2016, at 1:16 PM, Hanno Böck <hanno at hboeck.de> wrote:

> Hi,
> 
> On Sun, 1 May 2016 10:58:59 +0300
> Ismail Kizir <ikizir at gmail.com> wrote:
> 
>> I want to state my thought more clearly.
>> Curve25519 has 2^128 workspace for brute force attacks. Correct me if
>> I am wrong please.
>> 
>> Also, as far as I remember, -I don't remember where I read-, a
>> supercomputer today, is able to break 56 bit DES encryption ~400
>> seconds.
> 
> Not sure where you're getting with this. 56 bit security is broken, 128
> is not (and most likely never will be).
> Maybe your line of thinking is that 128 is "only" a bit more than
> twice the size of 56. But that's not the case. You're counting bits
> here that exponentially increase the complexity. 128 bit is not (a bit
> more than) twice the security of 56, it's another universe of security.
> 
>> Moreover, more important: WhatsApp uses AES 256 in CBC mode, which is
>> excluded from TLS 1.3 draft. And there are some articles about it:
>> http://link.springer.com/chapter/10.1007%2F3-540-45708-9_2
> 
> Ok, I must say I was surprised that Whatsapp uses CBC (I had expected
> either gcm or chacha20-poly1305),

FWIW I am not :)
both gcm and chacha20-poly1305 are not nonce resistant and standard AES-GCM (with a 92-bit nonce) can safely be used “only” 2^32 times :)

regards

antonio 

> but there is no risk here either.
> All the weaknesses of CBC don't affect the mode itself, but a bad
> combination of cbc+hmac. Quickly skimming through the whatsapp whitepaper
> they use cbc+hmac with encrypt-then-mac. That's safe. What's unsafe is
> using the other way round or some wacky encrypt-and-mac constructions.
> 
>> I want to repeat my question again: Isn't it highly suspicious to take
>> so many risks, instead of simply using a larger key space?
> 
> It seems to me that what you classify as "so many risks" are just two
> misunderstandings. Neither the 128 bit security of curve25519 nor cbc
> in encrypt-then-mac mode are a risk.
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
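The two technical points in this exchange, encrypt-then-MAC over CBC (Hanno's) and the 2^32 limit on random 96-bit GCM nonces (Antonio's), are illustrated by the following Go program. It is an added example written for this page, not WhatsApp's code and not taken from the WhatsApp whitepaper: the keys are constructed constants, the message layout iv || ct || tag is an assumption of this example only, and the nonce-collision figure uses the standard birthday approximation n^2 / (2 * 2^96) for n uniformly random 96-bit nonces. Open verifies the HMAC-SHA256 tag in constant time before it touches the ciphertext, so padding or decryption errors are never reachable from attacker-controlled input, which is exactly why encrypt-then-MAC avoids the CBC padding-oracle class of problems that the other orderings do not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"math"
)

// Constructed keys for this example only; a real system derives them from a key agreement.
var (
	exampleEncKey = bytes.Repeat([]byte{0x11}, 32) // AES-256-CBC key
	exampleMacKey = bytes.Repeat([]byte{0x22}, 32) // HMAC-SHA256 key
)

const tagLen = sha256.Size

// pkcs7Pad appends 1..blockSize bytes, each equal to the number of bytes added.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates the padding. In encrypt-then-MAC this only
// ever runs on data whose tag already verified, so it cannot act as an oracle.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts with AES-CBC under a fresh random IV, then MACs iv||ct.
// Output layout (an assumption of this example): iv || ct || tag.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // tag appended after iv||ct
}

// Open checks the tag first (constant-time compare) and only then decrypts.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(msg) < bs+bs+tagLen {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC mismatch: rejected before decryption")
	}
	iv, ct := body[:bs], body[bs:]
	if len(ct)%bs != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, bs)
}

// GCMNonceCollisionProb is the birthday-bound approximation n^2 / (2 * 2^96)
// for the probability that n uniformly random 96-bit nonces contain a repeat.
// At n = 2^32 this is 2^-33, which is why 2^32 is the usual ceiling for
// random-nonce AES-GCM under a single key.
func GCMNonceCollisionProb(n float64) float64 {
	return n * n / math.Pow(2, 97)
}

func main() {
	msg := []byte("constructed sample message") // constructed input
	sealed, _ := Seal(exampleEncKey, exampleMacKey, msg)
	pt, err := Open(exampleEncKey, exampleMacKey, sealed)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	tampered := append([]byte(nil), sealed...)
	tampered[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(exampleEncKey, exampleMacKey, tampered)
	fmt.Println("tampered:", err)
	fmt.Printf("P[repeat] after 2^32 random GCM nonces = 2^%.0f\n",
		math.Log2(GCMNonceCollisionProb(math.Pow(2, 32))))
}
```

A mac-then-encrypt variant would have to decrypt and unpad before it could check anything, and the distinguishable "bad padding" versus "bad MAC" outcomes are what padding-oracle attacks exploit; here every malformed input fails at the same point with the same error.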


