Senator Wyden asks NIST to develop standards for safely sending and receiving files. This would be a modern and secure replacement for the “encrypted” ZIP files most government employees currently email each other. https://www.wyden.senate.gov/imo/media/doc/061919%20Wyden%20Sensitive%20Data%20Transmission%20Best%20Practices%20Letter%20to%20NIST.pdf …
-
Show this thread
-
This is actually really important. Right now on many ancient versions of Windows, when you “encrypt” (password protect) a ZIP file using the OS default utility, you get encryption using the legacy ZIP scheme, which is totally broken. 1/
7 replies 17 retweets 46 likesShow this thread -
Not broken as in “you picked password kittycat1”, which would be bad enough. Broken as in, there’s a known plaintext attack on the terrible cipher of legacy ZIP that can recover the key. https://link.springer.com/chapter/10.1007/3-540-60590-8_12 … 2/
4 replies 9 retweets 58 likesShow this thread -
This is the default ZIP encryption algorithm on Windows XP and (ugh) current versions of MacOS. To Microsoft’s credit, they removed it on more recent versions of the home version of Windows. Not sure what the Pro versions use. 3/
8 replies 7 retweets 37 likesShow this thread -
But even if you use a modern ZIP utility, you’re still dealing with modestly crummy crypto. Check out the iteration count on that PBKDF2.
4/pic.twitter.com/GZovF1wqNb
2 replies 2 retweets 31 likesShow this thread -
We cryptographers are arguing over PGP key sizes. Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 90s. 5/
5 replies 38 retweets 89 likesShow this thread -
This is one of those areas (like legacy SMS) where we’ve somehow gotten stuck with the least common denominator. There’s a huge opportunity for smart people in this field to come up with something much better. 6/
1 reply 2 retweets 27 likesShow this thread -
Matthew Green Retweeted Adam Langley
To quote
@agl__ (the guy who has managed to ship post-quantum cryptography in your web browser), there’s a huge opportunity here if NIST responds and asks the community for proposals. 6/6https://twitter.com/agl__/status/1141433190487220224?s=21 …Matthew Green added,
1 reply 3 retweets 35 likesShow this thread -
(Also dammit, I cannot properly number a Twitter thread to save my life.)
7 replies 1 retweet 30 likesShow this thread
FWIW, if NIST did have a competition, I think AWS would make a submission, either or ourselves or in partnership with others as we have before. We already have an "Encrypt this" in our Crypto SDK, and thoughts on more.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.