The issue is also present in the upstream implementations from SUPERCOP, NaCl and from the official Salsa20 website, but it will not be fixed there because the author does not consider it a problem. (Because NaCl tells you not to encrypt messages bigger than 4 KiB.)
Replying to @FiloSottile
The cipher stream would cycle? does that mean that the implementations are incompatible now and that > 256GiB data would decrypt to garbage? while still having a EtM HMAC or Poly1305 tag pass?
Replying to @colmmacc
Well, yeah, that's what happens when the cipher stream is wrong. (Worse, since it cycles it breaks unpredictability and secrecy.) Not sure I understand your point?
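To make the two tweets above concrete (a block counter that wraps at 2^32 blocks, and why a passing MAC does not help), here is an added example that is not part of the thread and not any of the implementations it mentions. It models the keystream block function with SHA-512 over key || nonce || counter rather than the Salsa20 core, which is a constructed stand-in; the 64-byte block size and the 2^32 wrap point are the real Salsa20 figures, and the key, nonce and plaintexts are made-up fixed values.

```python
import hashlib
import struct

BLOCK_BYTES = 64  # Salsa20 produces one 64-byte keystream block per counter value


def keystream_block(key: bytes, nonce: bytes, counter: int, counter_bits: int) -> bytes:
    """Stand-in for a stream cipher's block function (constructed: SHA-512 of
    key || nonce || counter, NOT the Salsa20 core). counter_bits models how
    wide the implementation keeps its block counter: the wrapping one in the
    thread stops at 2**32 blocks, a correct one runs to 2**64."""
    wrapped = counter % (1 << counter_bits)
    return hashlib.sha512(key + nonce + struct.pack("<Q", wrapped)).digest()


def wrap_point_bytes(counter_bits: int) -> int:
    """Byte offset at which a counter_bits-wide counter returns to zero."""
    return BLOCK_BYTES << counter_bits  # 64 * 2**32 = 256 GiB for a 32-bit counter


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block_at(key: bytes, nonce: bytes, offset: int,
                     plaintext: bytes, counter_bits: int) -> bytes:
    """Encrypt one 64-byte block that sits at byte `offset` within the stream."""
    assert offset % BLOCK_BYTES == 0 and len(plaintext) == BLOCK_BYTES
    block = keystream_block(key, nonce, offset // BLOCK_BYTES, counter_bits)
    return xor(plaintext, block)


def implementations_agree(key: bytes, nonce: bytes, counter: int) -> bool:
    """Do a wrapping (32-bit) and a non-wrapping (64-bit) implementation emit
    the same keystream block at this counter? True below 2**32, False after:
    past 256 GiB the two decrypt each other's output to garbage."""
    return keystream_block(key, nonce, counter, 32) == keystream_block(key, nonce, counter, 64)


def recover_with_wrap(key: bytes, nonce: bytes, p0: bytes, p1: bytes,
                      counter_bits: int) -> bytes:
    """Attacker's view: the ciphertexts of block 0 and of the block exactly
    256 GiB later in the same stream. If the keystream cycled, c0 ^ c1 == p0 ^ p1,
    so a known p0 reveals p1. A MAC over the ciphertext still verifies, because
    the ciphertext is exactly what the (buggy) encryptor produced."""
    c0 = encrypt_block_at(key, nonce, 0, p0, counter_bits)
    c1 = encrypt_block_at(key, nonce, wrap_point_bytes(32), p1, counter_bits)
    return xor(xor(c0, c1), p0)


if __name__ == "__main__":
    key, nonce = bytes(32), bytes(8)  # constructed fixed values, not real secrets
    p0 = b"A" * BLOCK_BYTES           # a block the attacker happens to know
    p1 = b"secret second block".ljust(BLOCK_BYTES, b"\0")
    print(wrap_point_bytes(32) // 2**30, "GiB until a 32-bit counter wraps")
    print("32-bit counter leaks p1:", recover_with_wrap(key, nonce, p0, p1, 32) == p1)
    print("64-bit counter leaks p1:", recover_with_wrap(key, nonce, p0, p1, 64) == p1)
    print("agree at 2**32-1:", implementations_agree(key, nonce, 2**32 - 1))
    print("agree at 2**32:  ", implementations_agree(key, nonce, 2**32))
```

The point of computing the block at counter 2^32 directly, instead of streaming 256 GiB, is that the wrap is a pure property of the counter arithmetic: any two blocks whose counters differ by a multiple of 2^32 share keystream, so the leak needs no brute force, just two ciphertext blocks and one known plaintext.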
Replying to @FiloSottile @colmmacc
With respect, I was scanning this thread (linked from elsewhere), and this specific tweet clued me in that you worked for Google before I clicked on your profile.
Replying to @QuinnyPig @colmmacc
Well, that’s concerning since I’ve only been at Google for a year and worked on open source the entire time. Have they hired me just for my tweeting style?
Anyway, not sure I understand your point? ;)
(Also, I know Colm and I know he wasn’t actually asking me to explain stream ciphers to him, not that you could have known this, but since you are commenting on our 1:1 interactions...)
Replying to @FiloSottile @QuinnyPig
I'll translate the undeserved snark
At AWS we have a fairly robust policy of no backwards incompatible changes ever. We'll rev new API versions for tiny things, to the point of parody, and we never turn off old services or APIs.
Google has a bit of a reputation for indifference, by turning things off. But it's undeserved here ... when it comes to crypto ... 100% back-compatibility and security are in conflict. Turning off insecure ciphers is one of the few back-incompatible changes we *do* make.
ELB security policies are our best effort yet to do both: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html Whenever we have to, we immediately change the default policy (which is non-back-compat), but customers can pin to a version if they need to too.
Replying to @colmmacc @FiloSottile
If memory serves, you emailed all affected customers at least once after a policy update, didn't you?
Yes, and that e-mail and every one of these changes got CISO and CEO level review. We have an internal <24 hour goal to be able to run the whole process from a paper being published to the default changed in all regions, but we beat it by going as fast as we can.
I'd love to be a fly on the wall on one of those tt's