Monday, October 11, 2021

Tuesday, August 24, 2021

Post-Quantum opmsg trickery

I have added patches to opmsg to implement PQC during the transitioning phase. Adding PQC sounds easier than it actually is, as there are several (administrative) problems:

* So far, no PQC algo has been standartized. Everything is     still floating and in progress.

* Several PQC open-source projects exist, such as  OpenQuantumSafe which implement the candidate algos, but which recommend to not use their impl in production code.

* Some patches for OpenSSL 1.1.0 exist such as for NTRU, but only cover the 1.1 API which will soon be denounced.

* OpenSSL 3.0 on the rising, changing the ENGINE API in favor of "Providers", but I didn't see any PQC code in it.

* Big tech companies making their own PQC patches and tests for marketing reasons but these are not usable for opmsg as they only cover TLS handshakes for their own good.

Sounds to me like I could only bet on the wrong horse by making any decision.

Therefore, I decided to agnostically add PQC support by following recommendations of the BSI when migrating crypto to PQC for the time being. That means extending opmsg Brainkey Personas by a second type "brainkey2" which adds a symmetric salt in the ECDH Kex. This is transparent to the user. At the same time, I ban non-AEAD symmetric algorithms for future encrypts (decrypts still work for compat) and extend the coverage of the AEAD to the entire message, including the header. That means that the entire opmsg is not only integrity protected by the ECDSA signature, but also by the AES-GCM MAC. The PFS property and everything else stays the same. The new default calgo is now "aes256gcm".

I am sorry I had to kick bf, cast5 and ripemd160 from newly encrypted messages, but these algos are outdated anyway. It should still be possible to decrypt all previous messages, despite of ciphers and persona types.

I have to check how OpenSSL develops, as I want to keep compatibility with LibreSSL API. So I have to be careful when adding new symmetric ciphers with AEAD capability such as EVP_aria_256_gcm().

Friday, July 23, 2021

multiple stuff trickery

I added some new features and workarounds to some of my projects:

* New features for crash, namely TCP and UDP port forwarding similar to psc and some other neat stuff

* better support for brainkey personas in opmsg, as well as workarounds for a recent OpenSSL regression that does not allow to set ECDH privkeys to NULL any longer when doing the PFS Kex

Monday, June 7, 2021

harddns updates

Google DoH again changed their JSON replies, so I had to adjust my harddns parsing. Otherwise you will get NXDOMAIN when asking

Wednesday, May 26, 2021

DGC trickery

In order to re-find all the necessary documents easily, I created a repo to have the EU vaccination certificate stuff in a single place. I will add code, keys and threat analysis as I go.

Tuesday, May 25, 2021

New quircs

The small footprint quirc QR decoding lib has merged some fixes that makes it way more reliable when scanning flipped QR codes. I merged these fixes myself to opmsg-qr (which forks quirc), so its in turn also more reliable when scanning opmsg QR-code keys sent via phone messengers. Give it a try! Painless opmsg persona sharing via Signal and such. Still recommended to use camera with auto-focus. Scanning QR codes with opmsg-qr however needs some seconds, compared on what you experience by scanning with your phone. So, just experiment with it to get a feeling and how it could be useful.

Friday, May 21, 2021

Armbian trickery

Some new root magic for IoT ARM boards. This time for Armbian, in a  very generic way so to run on almost all boards.

Tuesday, April 13, 2021

PSC SOCKS trickery

I submitted a patch to PSC SOCKS handling. The bug that was fixed could lead to poor browsing experience. By now, its not necessary anymore to click the reload button to finish loading of some sites.

Friday, March 19, 2021

Friday, March 12, 2021

tinkershell trickery

 After a couple of years, I published a new one of the famous boomsh exploits. This time for an IoT devel board, running a Debianish distribution for ARM.