Skip to content
By using Twitter’s services you agree to our Cookies Use. We and our partners operate globally and use cookies, including for analytics, personalisation, and ads.

This is the legacy version of twitter.com. We will be shutting it down on June 1, 2020. Please switch to a supported browser, or disable the extension which masks your browser. You can see a list of supported browsers in our Help Center.

  • Home Home Home, current page.
  • About

Saved searches

  • Remove
  • In this conversation
    Verified accountProtected Tweets @
Suggested users
  • Verified accountProtected Tweets @
  • Verified accountProtected Tweets @
  • Language: English
    • Bahasa Indonesia
    • Bahasa Melayu
    • Català
    • Čeština
    • Dansk
    • Deutsch
    • English UK
    • Español
    • Filipino
    • Français
    • Hrvatski
    • Italiano
    • Magyar
    • Nederlands
    • Norsk
    • Polski
    • Português
    • Română
    • Slovenčina
    • Suomi
    • Svenska
    • Tiếng Việt
    • Türkçe
    • Ελληνικά
    • Български език
    • Русский
    • Српски
    • Українська мова
    • עִבְרִית
    • العربية
    • فارسی
    • मराठी
    • हिन्दी
    • বাংলা
    • ગુજરાતી
    • தமிழ்
    • ಕನ್ನಡ
    • ภาษาไทย
    • 한국어
    • 日本語
    • 简体中文
    • 繁體中文
  • Have an account? Log in
    Have an account?
    · Forgot password?

    New to Twitter?
    Sign up
colmmacc's profile
Colm MacCárthaigh
Colm MacCárthaigh
Colm MacCárthaigh
@colmmacc

Tweets

Colm MacCárthaigh

@colmmacc

AWS, Apache, Crypto, Irish Music, Haiku, Photography

Seattle
notesfromthesound.com
Joined April 2008

Tweets

  • © 2020 Twitter
  • About
  • Help Center
  • Terms
  • Privacy policy
  • Imprint
  • Cookies
  • Ads info
Dismiss
Previous
Next

Go to a person's profile

Saved searches

  • Remove
  • In this conversation
    Verified accountProtected Tweets @
Suggested users
  • Verified accountProtected Tweets @
  • Verified accountProtected Tweets @

Promote this Tweet

Block

  • Tweet with a location

    You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more

    Your lists

    Create a new list


    Under 100 characters, optional

    Privacy

    Copy link to Tweet

    Embed this Tweet

    Embed this Video

    Add this Tweet to your website by copying the code below. Learn more

    Add this video to your website by copying the code below. Learn more

    Hmm, there was a problem reaching the server.

    By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.

    Preview

    Why you're seeing this ad

    Log in to Twitter

    · Forgot password?
    Don't have an account? Sign up »

    Sign up for Twitter

    Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

    Sign up
    Have an account? Log in »

    Two-way (sending and receiving) short codes:

    Country Code For customers of
    United States 40404 (any)
    Canada 21212 (any)
    United Kingdom 86444 Vodafone, Orange, 3, O2
    Brazil 40404 Nextel, TIM
    Haiti 40404 Digicel, Voila
    Ireland 51210 Vodafone, O2
    India 53000 Bharti Airtel, Videocon, Reliance
    Indonesia 89887 AXIS, 3, Telkomsel, Indosat, XL Axiata
    Italy 4880804 Wind
    3424486444 Vodafone
    » See SMS short codes for other countries

    Confirmation

     

    Welcome home!

    This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.

    Tweets not working for you?

    Hover over the profile pic and click the Following button to unfollow any account.

    Say a lot with a little

    When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.

    Spread the word

    The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.

    Join the conversation

    Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.

    Learn the latest

    Get instant insight into what people are talking about now.

    Get more of what you love

    Follow more accounts to get instant updates about topics you care about.

    Find what's happening

    See the latest conversations about any topic instantly.

    Never miss a Moment

    Catch up instantly on the best stories happening as they unfold.

    1. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Time for a Tuesday Tweet thread! Today's is going to be about SCRAM! It's a new extra mis-use resistant symmetric encryption mode that we're working on as part of @AWSOpen s2n. https://github.com/awslabs/s2n/tree/master/scram …pic.twitter.com/Rhknph6wMx

      1 reply 23 retweets 48 likes
      Show this thread
    2. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      First a small disclaimer: SCRAM is secure, but it's not finalized and we might make tweaks. We're going to be playing around with SCRAM on some experimental datasets and seeing what effect some tweaks have on performance.

      1 reply 0 retweets 1 like
      Show this thread
    3. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      TLDR: SCRAM 1/ adds protection against applications that either forget to authenticate plaintext, or intentionally look at plaintext before it's been authenticated, and 2/ integrates message padding directly into the AEAD layer.

      1 reply 0 retweets 0 likes
      Show this thread
    4. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Probably obvious by now that SCRAM is an AEAD algorithm, like AES-GCM, or ChaCha20-Poly1305, which means that it both encrypts data, and authenticates it (along with any additional data you want to authenticate, but not encrypt). Don't AEAD algs already defend against corruption?

      1 reply 0 retweets 0 likes
      Show this thread
    5. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Most cryptographic libraries implement 'in place' encryption; which means that the decrypted plaintext is available in application memory before it's authenticated (this happens only at the end).

      1 reply 0 retweets 0 likes
      Show this thread
    6. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Sometimes application developers just forget to check the return code of the authentication check. This is a serious security issue, but it's very hard to test for; normal data will decrypt just fine, you need a test case with a corrupt encrypted input.

      1 reply 0 retweets 1 like
      Show this thread
    7. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Sometimes application developers intentionally look at plaintext before it's been authenticated, as in "EFAIL". They think that getting a "head start" on the data is worth it and that canceling or undoing the work if the auth fails is sufficient. Bad bad!

      1 reply 0 retweets 0 likes
      Show this thread
    8. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      SCRAM prevents looking at plaintext prior to authentication cryptographically, not just with pinky promises. The MAC *has* to be computed to release the encryption key. If the application doesn't do this correctly, it won't decrypt, the application will just always get garbage.

      2 replies 0 retweets 3 likes
      Show this thread
      Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
      • Report Tweet
      • Report NetzDG Violation

      Next up: SCRAM integrates padding! Traffic analysis is by far the most practical attack on modern encryption. By looking at message sizes, attackers can guess content, or decipher a voice call, and more. Very practical.

      9:03 AM - 10 Dec 2019
      • 2 Likes
      • vladdy Daniel Hwang
      1 reply 0 retweets 2 likes
        1. New conversation
        2. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
          • Report Tweet
          • Report NetzDG Violation

          Many application developers don't appreciate how practical traffic analysis is, or if they do, they don't know how to implement message padding correctly. For example: many think that randomizing message sizes is a good idea (it is not).

          1 reply 0 retweets 2 likes
          Show this thread
        3. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
          • Report Tweet
          • Report NetzDG Violation

          SCRAM integrates padding directly; both to abstract away a problem that application developers mess up, and to signal to application and protocol designers, with the API, that padding is an important consideration.

          1 reply 0 retweets 1 like
          Show this thread
        4. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
          • Report Tweet
          • Report NetzDG Violation

          That's SCRAM! It's designed by Shay Gueron (AWS and University of Haifa), me (AWS), and Alex Weibel (AWS). Check it out at https://github.com/awslabs/s2n/tree/master/scram …, feedback is very welcome, we'll be publishing everything with our security proofs once finalized.

          1 reply 3 retweets 6 likes
          Show this thread
        5. Colm MacCárthaigh‏ @colmmacc 10 Dec 2019
          • Report Tweet
          • Report NetzDG Violation

          Bonus tweet: SCRAM uses the same underlying primitives as AES-GCM, so it still gets to use existing hardware acceleration!

          0 replies 0 retweets 5 likes
          Show this thread
        6. End of conversation

      Loading seems to be taking a while.

      Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

        Promoted Tweet

        false

        • © 2020 Twitter
        • About
        • Help Center
        • Terms
        • Privacy policy
        • Imprint
        • Cookies
        • Ads info