Microsoft Adds Post-Quantum Cryptography To an OpenVPN Fork (bleepingcomputer.com)
An anonymous reader writes: Microsoft recently published an interesting open source project called "PQCrypto-VPN" that implements post-quantum cryptography (PQC) within OpenVPN. Being developed by the Microsoft Research Security and Cryptography group, as part of their research into post-quantum cryptography, this fork is being used to test PQC algorithms and their performance and functionality when used with VPNs.
Microsoft's PQCrypto-VPN is published on GitHub and allows anyone to build an OpenVPN implementation that can encrypt communications using three different post-quantum cryptography protocols, with more coming as they are developed. These protocols are: (1) Frodo: a key exchange protocol based on the learning with errors problem; (2) SIKE: a key exchange protocol based on Supersingular Isogeny Diffie-Hellman; and (3) Picnic: a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs.
Picnic might be secure from quantum computers.
But its basket structures are clearly vulnerable to bear-based attacks where the attacker is mathematically proven to be smarter than average.
AntiFA: An abbreviation for Anti First Amendment.
https://en.wikipedia.org/wiki/NSAKEY
Ante-Quantum Cryptography is much, much better, more open, and way more transparent.
There is nothingness and then !BANG! the next quantum!
Microsoft? Security? Something doesn't seem quite right.
For me, security and Microsoft is not the issue. It's trust and Microsoft.
As in, "I trust Microsoft, as far as I can throw them."
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
GitHub... sounds familiar. Can't remember what it was...
It doesn't have to be like this. All we need to do is make sure we keep talking.
In French, PQ stands for toilet paper. Everybody will laugh at this name :-D
So where's the quantum hardware to make this all work?
Meanwhile: I can tie my shoes!
It's on bleepingcomputer! It's about microsoft! Doing something others have done better already! As always!
Thanks msmash, another vapid bullshit piece, thank you so much for that.
Yeah, I fully expect them to implement a secure VPN. I don't trust them not to have backdoors (actual, rotating security holes, or otherwise) at each endpoint. They want access to your data, they have a vested interest in assuring others don't get it without going through them.
Only US patriots with US dollars get access to MS confidential data!
It has to be designed by multiple independent people out of reach from the U.S. gov, or it is simply too likely to be broken in secret.
Well, you can download the source code and examine it for back doors. I know not many will do this but it would be a huge breach of trust by Microsoft if anyone found anything like a back door. Because of this I believe it's far more likely that they created this tool to appease international customers and released it as an open source project to prove it.
I smell submarine patents lurking in the future.
Unless the inventors are known and have disclaimed any future patent enforcement, this could be a trojan horse to get patent-pending algorithms in wide use.
Hur hur - Micro$haft am I right?
I'm having trust issues with this project as well, but that has more to do with somebody trying to develop a security solution against goalposts which haven't really been defined yet than it does with the name on the top of the page. They could have done all this work and the first production quantum computer could come along and roast it in .38 seconds. Or maybe it doesn't, but a cluster of them do. They literally just went "hey, we made a thing, but it might not work because we didn't make flux capacitors first".
Well, you can download the source code and examine it for back doors.
Well, google on "ken thompson compiler backdoor" :-)
You can put some source code in that looks innocuous, but the compiler adds a backdoor when it sees that code:
In 1984 Ken Thompson was presented with the ACM Turing Award. Ken's acceptance speech Reflections On Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html) describes a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.
Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus.
Given that it's hosted on GitHub, which most of /. say they won't use since Microsoft bought it, I guess there won't be that many people trying it....
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
If my trust in Microsoft could be quantified it would be a large negative number. I trust the code, however, as it is available on GitHub and I have zero doubt it will be reviewed by experts more qualified than anyone who works at Microsoft. Microsoft knows this as well, and even they aren't so stupid as to chance getting caught trying anything unscrupulous in this case.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Yah, it sure doesn't sound right. I doubt Microsoft would release code like this unless they've already figured out a backdoor even if it's not obvious in the source code.
We need a lot of independent researchers' opinions on that.
Everyone remember Dual EC DRBG?
https://www.theguardian.com/wo... (12 Jul 2013)
Recall "... newsletter entry stated that NSA already had pre-encryption access to Outlook email"
MS likes to help with tricky new crypto. Help the NSA.
Domestic spying is now "Benign Information Gathering"
Firstly, I said rotating security holes or otherwise (e.g. "bugs" which get patched regularly with new bugs added in their place.) Secondly, I said endpoints - as in Windows 10 itself is spyware, they aren't so much interested in breaking the VPN if they have the endpoint.
But if it's Open Sores, it'll be found fast! I mean, it only took Heartbleed forever to be discovered, but that's beside the point.
"If my trust in Microsoft could be quantified it would be a large negative number."
Windows 10 is possibly the worst spyware ever made.
7 ways Windows 10 pushes ads at you
what a stupid pandering meaningless sound-bite.
It is not known that any current crypto is unbreakable by quantum computing.
They forgot to include the protocol named 'GONE FISHIN'. I are being serious.
This repository contains only config files and DLL files. Nothing is open source. Microsoft uses GitHub only for file hosting and nothing they share is open source.
What a joke when M$ pretends to "contribute" to open source projects.
Sure they can release source code, but that does not help if the software binary is overwritten by force-pushed updates. And people cannot compile it by themselves, as MS requires system binaries to have their signature. In reality this is just a PR gig in their "MS loves open source" tour.
You don't seem to understand how git works or any SCM tool works. It is trivially easy to see what has changed and look closely at those changes. So no they won't be "rotating" intentional flaws.
What are you going on about? Microsoft doesn't provide the compiler unless you decide to use theirs. No self respecting security expert would use Microsoft's compiler to build secure code. It's gcc or llvm, which are also open source.
The source is supposedly in a different repo: https://github.com/Microsoft/o...
See: https://github.com/Microsoft/P...
OTOH, by not reading the repo README, you are supporting a long /. tradition, bravo!
I'd bet money that there is an underhanded NSA backdoor in this.
And that this is something tying OpenVPN closer to Microsoft.
It's like letting a former serial murderer who wore the skin of his victims to rape other victims write bills and have them accepted as law.
Mind you, that analogy is based on real actual behavior of Microsoft, and merely imagines "If Microsoft was a person".
Yeah, such people might still have acceptable ideas here and there, but you better be *really* fuckin' wary!
It doesn’t even have to be visible in the original source code.
There was a whole contest, revolving around getting backdoors in under the radar: The Underhanded C Contest (The official perfectly innocent web page for law-abiding good guys)
And you can bet this is serious business for any spying agency on the planet. (Would you ignore it, if you were a spying agency?)
Not so. The properties of quantum computers are well understood; you can learn about them on an undergrad CS course. It's the engineering that's a problem.
You mean they won't do what they've done with every windows product since 95: release monthly patches for known security holes, thereby effectively creating a rotating backdoor only they have access to in a steady state manner due to obfuscation of what "bugs" exist at a given time? That's quite the prediction you've made there, contrasting to several decades of known practice by Microsoft.
Also, on a separate note, it's not trivial to rewrite git history, but you can Google the commands for it easily (but perhaps re-read what I've written, because I wasn't suggesting anything along those particular lines). I actually did that when I pushed to GitHub, to turn all commits into organizational-level bot authors and remove internal email addresses from the list of committers.
Not so. The properties of quantum computers are well understood; you can learn about them on an undergrad CS course. It's the engineering that's a problem.
The properties of something we are still investigating and have no samples of are well understood?
The cesspool just got a check and balance.
If my trust in Microsoft could be quantified it would be a large negative number.
It exceeds the lower bounds of a long?
I'm 99% sure they will try to slide something into the source. Who says all code submitted was written by MS employees?
The cesspool just got a check and balance.
Deterministic random number generator recommended by NSA!
The backdoor will be in the closed source pqc.dll that they place in the System32 directory. You know they won't subject their backdoors to peer review.
You should also compile with several compilers, both different makes and old versions, and compare the output.
I believe that is already suggested in the Ken Thompson paper referred to by GP but am uncertain since it was a while since I read it.
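As an added illustration of the two comments above (the Ken Thompson compiler trick, and the suggestion to build with several compilers and compare the output): the Python below is not code from the page, from Microsoft, or from any project. It models "compilers" as string-to-string functions over a made-up one-line source language, plants a self-propagating marker in one compiler binary, and then runs David A. Wheeler's Diverse Double-Compiling (DDC) check against it. Every source string, the BIN[...] binary format and the marker names are constructed for the demo; the only real-world assumption is that a clean compiler produces reproducible output, which is what DDC also requires in practice.

```python
"""Toy Diverse Double-Compiling (DDC) check against a Thompson-style compiler.

Constructed example: binaries are strings, compilers are functions, and the
'trojan' is a marker that exists only inside a binary, never in any source.
"""
import hashlib

# Constructed sample sources in a made-up language (not real programs).
LOGIN_SRC = "program login: check(password) -> grant"
COMPILER_SRC = "program compiler: translate(source) -> binary"
HELLO_SRC = "program hello: print('hi')"

# Hidden markers that appear only in binaries, so no source diff reveals them.
TROJAN = "+TROJAN"
BACKDOOR = "+BACKDOOR"


def run_compiler(compiler_bin: str, source: str) -> str:
    """Execute a compiler binary on a source file and return the output binary.

    The honest translation is the source wrapped in BIN[...].  A binary that
    carries the TROJAN marker reproduces Thompson's trick: it appends a
    backdoor when it recognises the login program, and re-inserts its own
    marker whenever it recognises it is compiling the compiler.
    """
    out = "BIN[" + source + "]"
    if TROJAN in compiler_bin:
        if source.startswith("program login"):
            out += BACKDOOR
        elif source.startswith("program compiler"):
            out += TROJAN
    return out


def fingerprint(binary: str) -> str:
    """Short SHA-256 of a binary; what a reviewer would actually compare."""
    return hashlib.sha256(binary.encode()).hexdigest()[:16]


def ddc_check(suspect_bin: str, suspect_src: str, trusted_bin: str) -> bool:
    """Diverse double-compiling: True if suspect_bin is consistent with its source.

    stage1 = an independent (trusted) compiler applied to the suspect's source
    stage2 = stage1 applied to the same source again
    The suspect's own self-rebuild must match stage2 bit for bit.  A trojan
    survives self-compilation, but cannot survive being rebuilt from the
    unmodified source by a compiler it never infected, so the outputs diverge.
    """
    stage1 = run_compiler(trusted_bin, suspect_src)
    stage2 = run_compiler(stage1, suspect_src)
    regenerated = run_compiler(suspect_bin, suspect_src)
    return fingerprint(stage2) == fingerprint(regenerated)


# Constructed scenario: an honest build of the compiler, the same binary with
# the marker planted, and an independently built compiler used as the trusted
# second opinion (in the model any marker-free binary behaves honestly).
CLEAN_COMPILER = "BIN[" + COMPILER_SRC + "]"
TROJANED_COMPILER = CLEAN_COMPILER + TROJAN
TRUSTED_COMPILER = "BIN[program compiler2: independent build]"


def demo() -> dict:
    """Return the observations a reviewer would record from the toy run."""
    return {
        # the marker survives rebuilding the compiler from clean source
        "trojan_survives_self_rebuild": TROJAN in run_compiler(TROJANED_COMPILER, COMPILER_SRC),
        # and login gets a backdoor even though LOGIN_SRC contains none
        "login_gets_backdoor": BACKDOOR in run_compiler(TROJANED_COMPILER, LOGIN_SRC),
        # unrelated programs are left alone, so casual testing sees nothing
        "hello_untouched": run_compiler(TROJANED_COMPILER, HELLO_SRC) == "BIN[" + HELLO_SRC + "]",
        # DDC with an independent compiler accepts the clean build...
        "ddc_accepts_clean": ddc_check(CLEAN_COMPILER, COMPILER_SRC, TRUSTED_COMPILER),
        # ...and rejects the trojaned one, without ever reading its source
        "ddc_rejects_trojan": ddc_check(TROJANED_COMPILER, COMPILER_SRC, TRUSTED_COMPILER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check never inspects source text, which is the whole point: the comment above is right that the trojan leaves no trace in the compiler's source, so the defence has to compare binaries produced by independent toolchains. In practice the same comparison only works if both compilers produce reproducible, deterministic output, which is why DDC is usually paired with reproducible-builds work.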