Blog‎ > ‎

Privacy Paradox, Riffle, Encryption at Rest, 2FA, Databases

posted Sep 11, 2016, 1:34 AM by Sami Lehtinen   [ updated Sep 11, 2016, 1:34 AM ]
  • Studied Privacy Paradox. Well, yes. It's hard to tell people about something which is private and isn't being told to anyone.
  • Read Riffle paper [PDF] - Verifiable shuffle technique, which is supposed to provide bandwidth and computation-efficient anonymous communication. Interesting. Let's see. Riffle requires the servers in Riffle Group to have high bandwidth interconnects. Only client-server communication is 'bandwidth-efficient'.  Of course: "variable-length messages must be subdivided into fixed-length blocks and/or padded to prevent privacy leakage through message size". And as expected: "each client must perform PIR every round to remain resistant to traffic analysis attacks even if the client is not interested in any message". And naturally: "the total grows linearly with the number of clients" Leading to: " the primary limitation is the server to server bandwidth". Summary: Nothing new, just combining old stuff, very nice academic work, tinfoil hat stuff, not practical even in theory. For everyone else except cryptography & anonymization theory geeks this isn't interesting at all. No practical use whatsoever.
    kw: Dining-Cryptographer Networks (DC-Nets), verifiable mixnet, cover traffic, delays, mixnets, mixes, deanonymize, anonymize, anonymity, Aqua, anytrust, Riposte, Dissent, private information retrieval. (PIR), clients, servers, client server, authenticated and encrypted channels, confidentiality, anonymity, authenticity, end-to-end encryption (E2EE), correctness, honest, adversary , power, security critical information, sensitive, sender, recipient, receiver, publisher, architecture, protocol, protocols, cryptographic, ciphertexts, plaintexts, algorithm, broadcast, trap protocols, trap bits, attack surface, rounds, accusation process, misbehaving server / client, accountable, malicious, secret key, zero-knowledge, plaintext, ciphertext, forgery, tamper, nonce, DeDiS Advanced Crypto library, ElGamal, Curve25519, Neff’s shuffle, Chaum-Pederson proof, Secretbox implementation, Salsa20 encryption, Poly1305 authentication, Herbivore, Intersection attacks, correlate, networking, network, internet, privacy.
  • Encryption at Rest in Google Cloud Platform - DEK, KMS, HMAC, GCM, CTR, CBC, AES, HDD, SSD, ACL, plaintext, ciphertext, Keyczar, BoringSSL, NIST, KEK, RNG.
  • Microsofts Partial Two-Factor Authentication (2FA) is just partial security and allows attacker still do a lot. Therefore Microsoft 2FA fails, you can still use IMAP to fetch email and stuff, without 2FA. So it's only partial implementation. Of course it prevents "completely taking over the account", but even if it's enabled you can still do a lot without providing 2FA code.
  • Yet another great post about PostgreSQL, MySQL, Uber and Database design trade-offs. - All that makes sense, and there wasn't anything new out there.
  • Something really different? Cookiecutter Shark - Is it a time to get your optic fibers bitten?