مسعود @masoud

Zack WeinbergMathematical <a href="https://masto.hackers.town/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> question. Suppose you wish to *store* a very large number (2**40 or more) of messages. All of these messages have the *same* relatively short length, on the order of 2**15 bits, and are to be encrypted with the same symmetric key.In this regime, how do you size the IV and MAC for some target security level k? Still just k bits each, or does it get more interesting?

Tommaso GagliardoniThe war on crypto never ends. The war on privacy, civil rights, security and freedom of speech never ends.This time we are dangerously close to lose. The "Child Sexual Abuse" (CSA) EU regulation proposal, more aptly nicknamed "ChatControl", will be voted AGAIN this October, and many countries who opposed it last year are now undecided. The proposal at its roots aims at allowing authorities to break end-to-end encryption for the usual reason: "because of the children". As a father of two, I am disgusted by this recurring, cheap rhetoric.What you can do: <a href="https://www.patrick-breyer.de/en/posts/chat-control/#WhatYouCanDo" rel="nofollow noopener" translate="no" target="_blank">https://www.patrick-breyer.de/en/posts/chat-control/#WhatYouCanDo</a><a href="https://infosec.exchange/tags/eu" class="mention hashtag" rel="nofollow noopener" target="_blank">#eu</a> <a href="https://infosec.exchange/tags/CSA" class="mention hashtag" rel="nofollow noopener" target="_blank">#CSA</a> <a href="https://infosec.exchange/tags/CSAM" class="mention hashtag" rel="nofollow noopener" target="_blank">#CSAM</a> <a href="https://infosec.exchange/tags/ChatControl" class="mention hashtag" rel="nofollow noopener" target="_blank">#ChatControl</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/surveillance" class="mention hashtag" rel="nofollow noopener" target="_blank">#surveillance</a> <a href="https://infosec.exchange/tags/authoritarianism" class="mention hashtag" rel="nofollow noopener" target="_blank">#authoritarianism</a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#crypto</a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://infosec.exchange/tags/civilrights" class="mention hashtag" rel="nofollow noopener" target="_blank">#civilrights</a>

ltningWhy on earth was the <a class="hashtag" href="https://pleroma.anduin.net/tag/activitypub" rel="nofollow noopener" target="_blank">#ActivityPub</a> protocol even let out the door without a well-specified and mandatory graceful, non-destructive key rotation scheme?Yes I know the privacy issues. Those are not valid reasons to not have such a mechanism; it's a valid reason to not enable or use one.What we're stuck with now is a ton of instances with absurdly long, legacy-algorithm keys (RSA-4096) with no way to replace them with shorter/better keys without effectively losing everything ever posted on the instance.The protocol is only 7 years old! EC crypto was well-established at the time, and should have been the default.And what happens once everyone has to replace the keys, because RSA is broken by quantum computers (I know, probably 100 years to go)? The <a class="hashtag" href="https://pleroma.anduin.net/tag/fediverse" rel="nofollow noopener" target="_blank">#Fediverse</a> will be a wasteland, with no instances trusting anything from any other instance, so all <a class="hashtag" href="https://pleroma.anduin.net/tag/federation" rel="nofollow noopener" target="_blank">#Federation</a> breaks down.Sorry if I got some details wrong about what the protocol says. If I get flamed to death for being wrong, then I'll consider that a Good Thing(TM). I've been trying to find a way to rotate/replace keys for a while and all my searching turns up is either 1) confirmation that most people don't know or care about cryptography, or 2) <a href="https://socialhub.activitypub.rocks/t/key-rotation-notification/562" rel="nofollow noopener" target="_blank">https://socialhub.activitypub.rocks/t/key-rotation-notification/562</a> - which really isn't helpful.If it is possible to gracefully rotate the key(s) of an instance/user, there really has to exist some documentation that explains clearly how to implement this in a server and how to exercise it as a server operator.<a class="hashtag" href="https://pleroma.anduin.net/tag/cryptography" rel="nofollow noopener" target="_blank">#Cryptography</a> <a class="hashtag" href="https://pleroma.anduin.net/tag/rant" rel="nofollow noopener" target="_blank">#Rant</a> <a class="hashtag" href="https://pleroma.anduin.net/tag/mastodon" rel="nofollow noopener" target="_blank">#Mastodon</a>

Alley StoughtonInterested in theoretical cryptography and/or formal methods? Boston University is hosting a summer school on Universally Composable Security and the EasyUC framework for formalizing UC models and proofs.The school is from August 11 - 14, 2025. Registration is free, and we're supporting both in person and Zoom participation.For more information and to register, visit:<a href="https://www.bu.edu/riscs/events/uc-easyuc-summer-school/" rel="nofollow noopener" translate="no" target="_blank">https://www.bu.edu/riscs/events/uc-easyuc-summer-school/</a><a href="https://fosstodon.org/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptography</a> <a href="https://fosstodon.org/tags/FormalMethods" class="mention hashtag" rel="nofollow noopener" target="_blank">#FormalMethods</a>

Taffer 🇨🇦 :godot:Great, informative writeup of Cryptographic Gotchas: <a href="https://gotchas.salusa.dev/" rel="nofollow noopener" translate="no" target="_blank">https://gotchas.salusa.dev/</a>Lots of fantastic references and links in there, too.<a href="https://mastodon.gamedev.place/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://mastodon.gamedev.place/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#crypto</a> <a href="https://mastodon.gamedev.place/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://mastodon.gamedev.place/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a>

Stewart V. WrightIf you're not following <a href="https://mastodon.social/@gutenberg_org" class="u-url mention" rel="nofollow noopener" target="_blank">@gutenberg_org</a> you are missing out.A wonderful source of everything from <a href="https://fosstodon.org/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> through <a href="https://fosstodon.org/tags/art" class="mention hashtag" rel="nofollow noopener" target="_blank">#art</a>, <a href="https://fosstodon.org/tags/feminism" class="mention hashtag" rel="nofollow noopener" target="_blank">#feminism</a> to the <a href="https://fosstodon.org/tags/philosophy" class="mention hashtag" rel="nofollow noopener" target="_blank">#philosophy</a> of <a href="https://fosstodon.org/tags/physics" class="mention hashtag" rel="nofollow noopener" target="_blank">#physics</a> and a whole lot more I can't make vaguely alliterate.<a href="https://fosstodon.org/tags/ProjectGutenberg" class="mention hashtag" rel="nofollow noopener" target="_blank">#ProjectGutenberg</a> - free <a href="https://fosstodon.org/tags/ebooks" class="mention hashtag" rel="nofollow noopener" target="_blank">#ebooks</a>

Project GutenbergEverything You Need to Know About Cryptography (History & Examples)Cryptography is the art of hiding the meaning of a text from everyone except the intended receivers through the use of various techniques.by Sourima RanaCryptography at PG: <a href="https://www.gutenberg.org/ebooks/subject/7599" rel="nofollow noopener" translate="no" target="_blank">https://www.gutenberg.org/ebooks/subject/7599</a><a href="https://mastodon.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a>

Delta ChatLast week four new <a href="https://chaos.social/tags/chatmail" class="mention hashtag" rel="nofollow noopener" target="_blank">#chatmail</a> relays popped up from four different continents from four different entities. Permission-free interoperability based on <a href="https://chaos.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> ... That's how we like it and how it generally is with the email system: separation of transport and apps. App developers can't access messages, and relay operators can not break e2ee encryption. Fwiw May 14th there is another round at a <a href="https://chaos.social/tags/Moscow" class="mention hashtag" rel="nofollow noopener" target="_blank">#Moscow</a> court where our lawyers will convey this impossibility for <a href="https://chaos.social/tags/deltachat" class="mention hashtag" rel="nofollow noopener" target="_blank">#deltachat</a> to hand over data.

Tommaso GagliardoniI have been thinking for a while about the issue of anonymity in Web3 (and, more in general, anonymous transactions). The growing realization of the damage caused by decentralized financial technologies is nagging my cypherpunk self, who has been at war for a lifetime against invasive tracking, manipulative marketing, and surveillance capitalism. I collected my thoughts here: <a href="https://gagliardoni.net/#20250427_privacy_compliance" rel="nofollow noopener" translate="no" target="_blank">https://gagliardoni.net/#20250427_privacy_compliance</a>Spoiler alert: I'm not endorsing backdoors, but I think some middleground solution must be found.<a href="https://infosec.exchange/tags/horizenlabs" class="mention hashtag" rel="nofollow noopener" target="_blank">#horizenlabs</a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#crypto</a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/compliance" class="mention hashtag" rel="nofollow noopener" target="_blank">#compliance</a> <a href="https://infosec.exchange/tags/aml" class="mention hashtag" rel="nofollow noopener" target="_blank">#aml</a> <a href="https://infosec.exchange/tags/kyc" class="mention hashtag" rel="nofollow noopener" target="_blank">#kyc</a> <a href="https://infosec.exchange/tags/anonymity" class="mention hashtag" rel="nofollow noopener" target="_blank">#anonymity</a> <a href="https://infosec.exchange/tags/web3" class="mention hashtag" rel="nofollow noopener" target="_blank">#web3</a> <a href="https://infosec.exchange/tags/gnutaler" class="mention hashtag" rel="nofollow noopener" target="_blank">#gnutaler</a> <a href="https://infosec.exchange/tags/bitcoin" class="mention hashtag" rel="nofollow noopener" target="_blank">#bitcoin</a> <a href="https://infosec.exchange/tags/monero" class="mention hashtag" rel="nofollow noopener" target="_blank">#monero</a> <a href="https://infosec.exchange/tags/zcash" class="mention hashtag" rel="nofollow noopener" target="_blank">#zcash</a> <a href="https://infosec.exchange/tags/tornadocash" class="mention hashtag" rel="nofollow noopener" target="_blank">#tornadocash</a>

Delta Chat1 cent per five years .... is the current marginal hosting cost for a <a href="https://chaos.social/tags/chatmail" class="mention hashtag" rel="nofollow noopener" target="_blank">#chatmail</a> address, with which <a href="https://chaos.social/tags/deltachat" class="mention hashtag" rel="nofollow noopener" target="_blank">#deltachat</a> apps facilitate world-wide private messaging including interactive <a href="https://chaos.social/tags/webxdc" class="mention hashtag" rel="nofollow noopener" target="_blank">#webxdc</a> apps that run end-to-end encrypted in any chat group.<1 Million EUR per year is the estimated marginal hosting costs for 350 Million EU citizens. Such scaling requires, however, research and development, including careful UX and <a href="https://chaos.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> work. Related writing from <a href="https://mastodon.social/@gordon" class="u-url mention" rel="nofollow noopener" target="_blank">@gordon</a> <a href="https://newsletter.squishy.computer/p/cryptography-scales-trust" rel="nofollow noopener" translate="no" target="_blank">https://newsletter.squishy.computer/p/cryptography-scales-trust</a>

:vim: :rust:<a href="https://cryptography.rs/" rel="nofollow noopener" translate="no" target="_blank">https://cryptography.rs/</a><a href="https://fosstodon.org/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://fosstodon.org/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptography</a>

Tedi HeriyantoWhy Rust is Perfect for Cryptography & Security: <a href="https://medium.com/@aannkkiittaa/why-rust-is-perfect-for-cryptography-security-e7938832f16d" rel="nofollow noopener" translate="no" target="_blank">https://medium.com/@aannkkiittaa/why-rust-is-perfect-for-cryptography-security-e7938832f16d</a><a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#rust</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a>

Alexander Hansen FærøyThis is undoubtedly the most promising Post-Quantum TLS deployment situation I have seen for <a href="https://mastodon.social/tags/Tor" class="mention hashtag" rel="nofollow noopener" target="_blank">#Tor</a> since we started discussing it more actively in the team. Very exciting!I hope that OpenSSL 3.5, when released, will make it into <a href="https://mastodon.social/tags/Debian" class="mention hashtag" rel="nofollow noopener" target="_blank">#Debian</a> Trixie. That would make deployment of this so much more snappy and easy for the Tor network to upgrade, but that may be dreaming. The timelines here look quite difficult for that to happen, but let's hope.<a href="https://mastodon.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://mastodon.social/tags/pqc" class="mention hashtag" rel="nofollow noopener" target="_blank">#pqc</a> <a href="https://mastodon.social/tags/pqcrypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#pqcrypto</a>

Veronica Olsen 🏳️‍🌈🇳🇴🌻Haha, good one!<a href="https://mastodon.online/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cryptography</a>

Tommaso GagliardoniOMG it happened! My horrible webpage has now an RSS feed!<a href="https://gagliardoni.net/#20250312_rss" rel="nofollow noopener" translate="no" target="_blank">https://gagliardoni.net/#20250312_rss</a><a href="https://infosec.exchange/tags/rss" class="mention hashtag" rel="nofollow noopener" target="_blank">#rss</a> <a href="https://infosec.exchange/tags/gagliardoni" class="mention hashtag" rel="nofollow noopener" target="_blank">#gagliardoni</a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://infosec.exchange/tags/quantum" class="mention hashtag" rel="nofollow noopener" target="_blank">#quantum</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/retro" class="mention hashtag" rel="nofollow noopener" target="_blank">#retro</a> <a href="https://infosec.exchange/tags/vaporwave" class="mention hashtag" rel="nofollow noopener" target="_blank">#vaporwave</a>

Delta Chat<a href="https://framapiaf.org/@sebsauvage" class="u-url mention" rel="nofollow noopener" target="_blank">@sebsauvage</a> <a href="https://nerdculture.de/@titaniumbiscuit" class="u-url mention" rel="nofollow noopener" target="_blank">@titaniumbiscuit</a> not all classic e-mail providers work equally well but many do. Since <a href="https://chaos.social/tags/chatmail" class="mention hashtag" rel="nofollow noopener" target="_blank">#chatmail</a> entered the global e-mail server network 14 months ago, and we introduced instant-onboarding april 2024, we de-emphasize <a href="https://chaos.social/tags/gmail" class="mention hashtag" rel="nofollow noopener" target="_blank">#gmail</a> <a href="https://chaos.social/tags/outlook" class="mention hashtag" rel="nofollow noopener" target="_blank">#outlook</a> and <a href="https://chaos.social/tags/iCloud" class="mention hashtag" rel="nofollow noopener" target="_blank">#iCloud</a> and don't perform "free" work to help them continue to dominate. Instead we put our energy into growing the chatmail server network which does away with spam/rate-limit problems by design. Everything is based on <a href="https://chaos.social/tags/interoperable" class="mention hashtag" rel="nofollow noopener" target="_blank">#interoperable</a> <a href="https://chaos.social/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> .

JunoCryptoRave is an annual event held in São Paulo and centered on encryption, privacy and free software. They are raising funds for the 2025 edition, are 100% independently funded and do not accept corporate sponsors.Check out their website for how you can contribute, learn more or get in touch: <a href="https://2025.cryptorave.org/en/" rel="nofollow noopener" translate="no" target="_blank">https://2025.cryptorave.org/en/</a>In their own words, the event is "inspired by the decentralized global action to disseminate and democratize knowledge and basic concepts of cryptography and free software".Please boost!<a href="https://mastodon.bsd.cafe/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#cryptography</a> <a href="https://mastodon.bsd.cafe/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#privacy</a> <a href="https://mastodon.bsd.cafe/tags/encryption" class="mention hashtag" rel="nofollow noopener" target="_blank">#encryption</a> <a href="https://mastodon.bsd.cafe/tags/foss" class="mention hashtag" rel="nofollow noopener" target="_blank">#foss</a> <a href="https://mastodon.bsd.cafe/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#freesoftware</a>

**Delta Chat** @delta@chaos.social · ۱ اسفند

۱ اسفند

Delta Chat @delta@chaos.social

#deltachat is a minority messenger today and that's just fine for now. Changes often come from the precarious fringe which has to make ends meet, under hostile circumstances. Our approaches are aiming to provide working software that does its damn job. No unable to decrypt, no going for VC/Blockchain money, no bending the knee and no endorsing of corporate platforms. The #chatmail server network implements #interoperable #cryptography , does away with shady spam lists, catering for #Gmail etc

**ティージェーグレェ** @teajaygrey@snac.bsd.cafe · ۳۰ بهمن *

۳۰ بهمن *

ティージェーグレェ @teajaygrey@snac.bsd.cafe

I submitted a Pull Request to update MacPorts' OpenSSH to 9.9p2 here:

https://github.com/macports/macports-ports/pull/27712

GitHub Continuous Integration checks are running. Hopefully they will be OK (Update 2 out of 3 have completed successfully, which is a good sign).

I tested locally without issues, but I also build against LibreSSL locally, whereas GitHub CI and MacPorts' Build Bots I think default to OpenSSL.

This release is to address some vulnerabilities identified by Qualys and other less critical bugs.

More details from upstream here:

https://www.openssh.com/releasenotes.html#9.9p2

Of particular note:

" Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.

* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2MSGPING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.

Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH."

If I read everything correctly, these vulnerabilities primarily only impact the Portable OpenSSH releases (which is what MacPorts uses). However, OpenBSD has also issued the following errata to mitigate one of the issues as it also appears to impact OpenBSD users:

"008: SECURITY FIX: February 18, 2025 All architectures
sshd(8) denial of service relating to SSH2MSGPING handling. ssh(1) server impersonation when VerifyHostKeyDNS enabled.
A source code patch exists which remedies this problem."

Source code patch for OpenBSD here:

https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig

Having written as much, it appears as if the main OpenSSH version for OpenBSD is still 9.9, so I am not going to make a submission for undeadly.org Other editors reading this are welcome to though, I just kind of have a lot of other stuff on my plate at present.

As usual, I also have too much going on in my life to want more responsibilities such as commit access within MacPorts, so it's up to someone else to merge it.

#OpenSSH #MacPorts #SecureShell #InfoSec #Cryptography #Security #CVE #PatchTuesday #OpenSource #OpenBSD

GitHubopenssh: update to 9.9p2 by artkiver · Pull Request #27712 · macports/macports-portsاز artkiver

**Delta Chat** @delta@chaos.social · ۲۶ بهمن *

۲۶ بهمن *

Delta Chat @delta@chaos.social

Isn't it poetic and ironic that out of all possible time lines we are in one where #securejoin #openpgp protocols on top of the existing #email protocols offer the arguably most solidly scaling, useable, world-wide federated end-to-end encrypted messaging reality, safe against compromised #mitm servers? Hundreds of billions spend to create "the email successor" and here we are in 2025 .... #interoperable #email and #cryptography as the tortoise looking at Achilles through the back mirror :)

جست‌وجوهای اخیر

گزینه‌های جست‌وجو

به مدیریت:

آمار کارساز:

#cryptography