Making sure crypto stays insecure (Slides: PDF download, 338KB) by Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven. Crypto Talks, 18 October 2014.
From the slides: Like happens here whenever anything besides AES is suggested. "Experts" come out of the woodwork.
Thankfully, the cat's out of the bag now, & has been for some time, so it won't be going back now EVER! The messages/info just need to get through to more people. Every day more and more are finding out what HAS been happening, & is happening.
Of course, you could get into the mode where you also think that Bernstein has been subverted too(!) Actually, I think not; I think he's as mad at what's happened as most technologists I've met. Perhaps he's also trying to encourage the adoption of the crypto he's developed. Has anyone else thought about making cryptography more polymorphic in the same way as viruses now are? The point being that, even if you wrap (and use) a standard set of cryptographic functions and obfuscate it somehow (in terms of non-standard headers or file format, a bit of trivial transformation etc.), and even if this is weak or worthless, it will still take a skilled cryptographer/programmer some time to unpack it, even if they can exploit the underlying standard. Point being, one of the improvements that can be made to the security of products is simply to make it so that bulk surveillance becomes more expensive, and one of the ways of ensuring that is to require personal/organisational (expensive and hopefully limited) time.
For files, containers, partitions, etc we already have ciphers that are stronger than AES. They've existed for many years and have never been broken, but users are pushed away from them for every conceivable reason. Too old, not as well tested, etc. That said, this isn't the encryption that most needs to be strengthened. What's really needed is a secure replacement for HTTPS that doesn't involve any form of certificate authority or central server. The difficult part IMO is devising a secure method of key exchange that is resistant to impersonation and MITM attacks.
Agree as far as encrypted communication is concerned, I thought that's what people like Steve Gibson were looking at with Authenticated Encryption and SQRL, no? Perhaps the scenario with OCB relates to the original post too!
I found the PDF a fun read - but nothing more. When I see parody being used to discuss such a serious topic (and the two mixed without pointing out fact from parody) it blows all credibility.
Yes... I've harped on this issue several times in here. To sum up, I just don't trust anything new these days. What use is something that is "stronger" if it comes equipped with a backdoor and is the brainchild of members/former members of 3 letter agencies... or those in bed with them? The dual curve has already been proven to be flawed, yet you never hear anyone talk about it. The cat is out of the bag, but who is listening to it? Not enough people.