Security Cryptography Whatever

We've trashed JWTs, discussed PASETO, Macaroons, and now, Biscuits! Actually, multiple iterations of Biscuits! Pairings and gamma signatures and Datalog, oh my! 🍪 Transcript:https://securitycryptographywhatever.com/2022/01/29/biscuits-with-geoffroy-couprie/Links:Biscuits V2: https://www.biscuitsec.orgExperiments iterating on  Biscuits: https://github.com/biscuit-auth/biscuit/tree/master/experimentationsApache Pulsar: https://pulsar.apache.orgSpec: https://github.com/biscuit-auth/biscuit/blob/master/SPECIFICATIONS.mdFind us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

“Can I Tailscale my Chromecast?” You love Tailscale, I love Tailscale, we loved talking to Avery Pennarun and Brad Fitzpatrick from Tailscale about, I dunno, Go generics. Oh, and TAILSCALE! And DNS. And WASM.Transcript:https://securitycryptographywhatever.com/2022/01/15/tailscale-with-avery-pennarun-brad-fitzpatrick/People:Avery Pennarun (@apenwarr)Brad Fitzpatrick (@bradfitz)Deirdre Connolly (@durumcrustulum)Thomas Ptacek (@tqbf)David Adrian (@davidcadrian)@SCWPodLinks:DERP server: https://github.com/tailscale/tailscale/tree/main/derphttps://xtermjs.org/The Tail at Scale : https://research.google/pubs/pub40801/Raft: https://raft.github.io/Litestream: https://litestream.io/MagicDNS: https://tailscale.com/kb/1081/magicdns/Netstack: https://github.com/google/netstack"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

We recorded this months ago, and now it's finally up! Colm MacCárthaigh joined us to chat about all things TLS, S2N, MTLS, SSH, fuzzing, formal verification, implementing state machines, and of course, DNSSEC.Transcript: https://securitycryptographywhatever.com/2021/12/29/the-feeling-s-mutual-mtls-with-colm-maccarthaigh/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Happy New Year! Feliz Navidad! Merry Yule! Happy Hannukah! Pour one out for the log4j incident responders!We did a call-in episode on Twitter Spaces and recorded it, so that's why the audio sounds different. We talked about BLOCKCHAIN/Web3 (blech), testing, post-quantum crypto, client certificates, ssh client certificates, threshold cryptography, U2F/WebAuthn, car fob attacks, geese, and more!Transcript: https://securitycryptographywhatever.com/2021/12/21/holiday-call-in-spectacular/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Hey, a new episode! We had a fantastic conversation with Jason Donenfeld, creator of our favorite modern VPN protocol: WireGuard! We touched on kernel hacking, formal verification, post-quantum cryptography, developing with disassemblers, and more!Transcript: https://securitycryptographywhatever.com/2021/12/05/wireguard-with-jason-donenfeld/Links: WireGuard: https://www.wireguard.comTamarin: https://tamarin-prover.github.ioIDApro: https://hex-rays.com/ida-proNIST PQC: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissionsWireGuard Patreon: https://www.patreon.com/zx2c4"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

A conversation that started with PAKEs (password-authenticated key exchanges) and touched on some cool math things: PRFs, finite fields, elliptic curve groups, anonymity protocols, hashing to curve groups, prime order groups, and more. With special guest, George Tankersley!Transcript: https://securitycryptographywhatever.com/2021/10/26/pakes-oprfs-algebra-with-george-tankersley/Links: SRP deprecation: https://blog.cryptographyengineering.com/should-you-use-srpOPAQUE: https://www.ietf.org/id/draft-irtf-cfrg-opaque-06.htmlobfs: https://github.com/shadowsocks/simple-obfsElligator: https://elligator.cr.yp.toHash to Curve: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-12.htmlMagic Wormhole: https://github.com/magic-wormhole/magic-wormholeBiscuits: https://github.com/CleverCloud/biscuitRistretto: https://ristretto.groupMonero signature bug: https://www.getmonero.org/ru/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.htmlSIDH smooth-order supersingular curves: https://link.springer.com/chapter/10.1007/978-3-662-53018-4_21"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

A lot of fixes got pushed in the past week! Please apply your updates! Apple, Chrome, Matrix, Azure, and more nonsense.Transcript:https://securitycryptographywhatever.com/2021/09/20/patch-damnit/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianLinks!The accuvant story in MIT Technology ReviewAll the Apple platforms patched FORCEDENTRY no-click 0-dayChrome patched some 0-days that were being exploited in the wildPASETO update "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Not the hero the internet deserves, but the one we need: it's Ryan Sleevi!We get into the weeds on becoming a certificate authority, auditing said authorities, DNSSEC, DANE, taking over country code top level domains, Luxembourg, X.509, ASN.1, CBOR, more JSON (!), ACME, Let's Encrypt, and more, on this extra lorge episode with the web PKI's Batman.Transcript: https://securitycryptographywhatever.com/2021/09/06/how-to-be-a-certificate-authority-with-ryan-sleevi/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

We're talking about Apple's new proposed client-side CSAM detection system. We weren't sure if we were going to cover this, and then we realized that not all of us have been paying super close attention to what the hell this thing is, and have a lot of questions about it. So we're talking about it, with our special guest Professor Matthew Green.We cover how Apple's system works, what it does (and doesn't), where we have unanswered questions, and where some of the gaps are.Transcript: https://securitycryptographywhatever.com/2021/08/27/apple-s-csam-detection-with-matthew-green/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianLinks:https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdfhttps://www.apple.com/child-safety/pdf/Apple_PSI_System_Security_Protocol_and_Analysis.pdfhttps://www.law.cornell.edu/uscode/text/18/2258Ahttps://www.missingkids.org/content/dam/missingkids/gethelp/2020-reports-by-esp.pdfhttps://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CThttps://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_doeshttps://research.fb.com/blog/2021/02/understanding-the-intentions-of-child-sexual-abuse-material-csam-sharers/https://www.nytimes.com/interactive/2019/11/09/us/internet-child-sex-abuse.htmlhttps://www.apple.com/child-safety/pdf/Expanded_Protections_for_Children_Frequently_Asked_Questions.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

We did not run out of things to talk about: Chrome vs. Safari vs. Firefox. Rust vs. C++. Bug bounties vs. exploit development. The Peace Corps vs. The Marine Corps.Transcript: https://securitycryptographywhatever.com/2021/08/21/platform-security-part-deux-with-justin-schuh/Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)