Basic description of threshold encryption with references to mathematics and code implementation. https://hackernoon.com/what-is-threshold-encryption #ellipticcurvecryptography
What Is Threshold Encryption? | HackerNoon

An interactive intro to Elliptic Curve Cryptography (ECC)

A hands-on introduction to elliptic curve cryptography. Start with curve geometry, build point addition and scalar multiplication, see why ECDLP is hard, and then use that math in ECDH, ECDSA, and ECIES.

It's been a while since I've last used #crypto (and by that I don't mean coins but oldschool #cryptography : encrypting and signing mails, etc.), and lately I've only used #gpg to encrypt my #pass vault.

However, I wanted to up my game a little, so here it comes: For the first time I got myself a hardware token. I opted for #yubikey even though #nitrokey is probably the better option, because of #opensource. But I wanted my first steps to be smooth ones, and also try out all the different operational scenarios; and all research said that Yubikey is the better supported and the more versatile option (maybe I'll switch to a #nitrokey later on).

I went a bit overboard with the setup as well. I got myself some new USB drives, one flashed with #tails - a portable live #linux system by the @torproject developers, to boot with it a machine #offthegrid on which I'd create my keys. A #gnupg main key just for certification, and three subkeys for signing, encryption and authentication. The main key was moved to two backup USB drives, the subkeys on two Yubikeys (which was a bit of a hassle as usually you are only allowed to move them to one).

While the private main key will never see the light of day (i.e. just stay on the thumbdrives or be imported by the off-grid tails system), the subkeys will live on my tokens (which are not extractable as well).

They expire every year so I'd need to renew them (with the main key on tails), my identities are tied to the main key, and if any key is compromised I can easily create new ones with that main key.

To me that seems pretty sound, and a lot of overkill, tbh :D But it was also quite fun.

Next up: Switching my environment to use Yubikey and my new GPG keys instead of #ssh etc. And after that I'll give #2FA a try. And if I am not on the PC I guess I'll read some more about #EllipticCurveCryptography. First time I am using those algorithms. So long, #RSA, you've been a great companion, and hello #ed25519, nice to meet you.

#security #privacy

A while ago, I saw a post about a new set of elliptic curve parameters published by someone named Víctor Duarte, and boosted by Professor Bill Buchanan, known for his expertise in cryptography.

So I went ahead and wrote a Go implementation for it.

The parameters have been given the name EccFrog512ck2.

The key length is roughly 512 bits long, which should be fairly secure (against classical attacks).

It's pretty neat.

Please do check it out.

https://github.com/shovon/go-eccfrog512ck2

#Cryptography #EllipticCurveCryptography #ECC

GitHub - shovon/go-eccfrog512ck2: Golang implementation of Eccfrog512ck2


What isn't linked from those four pages above, however, is the one gem I had been pointed to some time ago. And hadn't made the connection that this was the same person!

Michael Driscoll's «The Animated Elliptic Curve» really helped me in understanding Elliptic Curve Cryptography with its wonderful, well-described animations which you can replay until you understand them.

5/6
#ECC #EllipticCurve #EllipticCurveCryptography
https://curves.xargs.org/

The Animated Elliptic Curve

Visualize elliptic curve cryptography with animated examples

According to #Yubico, it took six months for a firmware vulnerability that allows cloning of #YubiKeys using #EllipticCurveCryptography to be resolved and responsibly revealed to the public. That's not the problem.

The real problem is there will always be another unpatched vulnerability just around the corner. That's why we need new ways of framing what #cybersecurity should look like in today's modern enterprise. Old-school #defenseindepth still has a place, but businesses must find new ways to reduce the amount of sensitive data that's at risk in a #databreach when all layers of defense are inevitably pierced.

https://www.yubico.com/support/security-advisories/ysa-2024-03/

Security Advisory YSA-2024-03

Security Advisory YSA-2024-03: Infineon ECDSA Private Key Recovery. Published Date: 2024-09-03. Tracking IDs: YSA-2024-03. CVE: In Process. CVSS Severity: 4.9. Summary: A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue […]

Yubico

Would you like to understand Elliptic Curve Cryptography? But your math skills end with counting to 61? Then this is the perfect page explaining it for you!
#ECC #EllipticCurveCryptography
https://curves.xargs.org/

@skiff open sourced their cryptographic library "including useful functions for symmetric encryption, asymmetric encryption, hashing, and more. Contributions and suggestions are welcome!"

#OpenSource #foss #npm #nodejs #e2ee #encryption #cryptography #ellipticcurvecryptography #ecc #emailencryption

A great article that goes over how the #SIKE algorithm was cracked with a single #PC and high-level #theoretical #mathematics re: the #EllipticCurve. #EllipticCurveCryptography

https://phys.org/news/2022-11-mathematical-theorem-encryption-algorithm.html

Mathematical theorem used to crack US government encryption algorithm

In the digital era and moving towards quantum computing, protecting data against hack attacks is one of our biggest challenges—and one that experts, governments, and industries worldwide work hard to address. While this is an effort to build a more connected and safe future, it can certainly learn from the past.

Phys.org

Xiaomi Cryptographically Signs Scooter Firmware – What’s Next?

[Daljeet Nandha] from [RoboCoffee] writes to us, sharing his research on cryptographic signature-based firmware authenticity checks recently added to the Xiaomi Mi scooter firmware. Those scooters use an OTA firmware update mechanism over BLE, so you can update your scooter using nothing but a smartphone app - great because you can easily get all the good new features, but suboptimal because you can easily get all the bad new features. As an owner of a Mi 1S scooter but a hacker first and foremost, [Daljeet] set up an HTTPS proxy and captured the firmware files that the app downloaded from Xiaomi servers, dug into them, and summarized what he found.

Confirming this update will indefinitely lock you out of any third-party OTA updates

Unlike many of the security measures we've seen lacking-by-design, this one secures the OTA firmware updates with what we would consider the industry standard - SHA256 hash with elliptic cryptography-backed signing. As soon as the first firmware version implementing signature checks is flashed into your scooter, it won't accept anything except further firmware binaries that come with Xiaomi's digital signature. Unless a flaw is found in the signature checking implementation, the "flash a custom firmware with a smartphone app" route no longer seems to be a viable pathway for modding your scooter in ways Xiaomi doesn't approve of.

Having disassembled the code currently available, [Daljeet] tells us about all of this - and more. In his extensive writeup, he shares scripts he used on his exploration journey, so that any sufficiently motivated hacker can follow in his footsteps, and we highly recommend you take a look at everything he's shared. He also gives further insights, explaining some constraints of the OTA update process and pointing out a few security-related assumptions made by Xiaomi, worth checking for bypassing the security implemented. Then, he points out the firmware filenames hinting that, in the future, the ESC (Electronic Speed Control, responsible for driving the motors) board firmware might be encrypted with the same kind of elliptic curve cryptography, and finds a few update hooks in the decompiled code that could enable exactly that in future firmware releases.

One could argue that these scooters are typically modified to remove speed limits, installed there because of legal limitations in a variety of countries. However, the legal speed limits are more nuanced than a hard upper boundary, and if the hardware is capable of doing 35km/h, you shouldn't be at the mercy of Xiaomi to be able to use your scooter to its full extent where considerate. It would be fair to assert, however, that Xiaomi did this because they don't want to have their reputation be anywhere near "maker of scooters that people can modify to break laws with", and therefore we can't expect them to be forthcoming.

Furthermore, of course, this heavily limits reuse and meaningful modification of the hardware we own. If you want to bring a retired pay-to-ride scooter back to usefulness, add Bluetooth, or even rebuild the scooter from the ground up, you should be able to do that. So, how do we go around such restrictions? Taking the lid off and figuring out a way to reflash the firmware through SWD using something like a Pi Pico, perhaps? We can't wait to see what hackers figure out.

#securityhacks #transportationhacks #digitalsignature #electricscooter #ellipticcurvecryptography #escooter #firmwarehacking #firmwaremodding #scooter #scooterhacking
