Crypto history 2015 update - skipped, so 2016 is 2 years? uh ohh.

Sep. 2014. (SHELLSHOCK wasn't crypto.)

Oct. 2014. POODLE - "Padding Oracle On Downgraded Legacy Encryption". Yet another side-jack exploit - HTTPS in Starbucks not safe if SSLv3 downgrade allowed! Another "Padding Oracle" attack on block-mode ciphers on the deprecated SSL3 (replaced by TLS1.1).
http://www.wired.com/2014/10/poodle-explained/
Disable SSL3 in browsers and servers. Now.

SSLsplit - tool for MITM intercept (think public wifi portal, corp or school gateway).
"SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted."

Nov. 2014. EFF Audits. Panned by Thomas H. Ptacek @tqbf.
InfoSec HotSpot @InfoSecHotSpot: HOW TO STEAL DATA FROM AN AIRGAPPED COMPUTER USING FM RADIO WAVES - http://ow.ly/DQSPA
HeartBleed follow-up - http://www.theregister.co.uk/2014/11/10/sys_admins_your_weekends_slowed_the_response_to_heartbleed/
Should REVOKE exposed certs so there's a chance reuse of them is caught! http://www.umiacs.umd.edu/~tdumitra/papers/IMC-2014.pdf [As if CRLs were reliable ... see Chrome dispute.]
http://motherboard.vice.com/en_ca/read/secure-messaging-might-not-be-so-secure-otr-libpurple (tl;dr: crypto as an after-thought option is doomed.)
EFF partners with some industry players to give out free SSL certs. Launching in 2015: A Certificate Authority to Encrypt the Entire Web - "Let's Encrypt".
https://www.letsencrypt.org
https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
Includes domain ownership verification. (If that's gamable it could be trouble?) EFF, Google, ...
WhatsApp messaging now encrypted (end to end, enabled by default but not activated automatically; Android only initially).
http://www.wired.com/2014/11/whatsapp-encrypted-messaging/
"WhatsApp (acquired by Facebook for $19 billion early 2014) integrates the recently audited Open Whisper Systems' "TextSecure" into WhatsApp for Android." https://www.grc.com/sn/SN-482-Notes.pdf
[OWS/TS passed an audit recently with one tweak required.]
[Anti-MITM key verification is MANUAL setup (so controlled; once), Threema-style optical or dictate the hash.]

DEC. Sony breach may have breached private keys - which? Can we know which weren't?

JULY 2015. How NSA and GCHQ spied on the Cold War world - BBC News http://www.bbc.com/news/uk-33676028
Friedman Collection # 41741409078064.pdf in /home/wdr/100G/Scarfed/Infosec/Declassified/Friedman_Collection

MARCH 2016
* SECURITY UPDATE: side channel attack on modular exponentiation
  - debian/patches/CVE-2016-0702.patch: use constant-time calculations in crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c, crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
  - CVE-2016-0702
https://ssrg.nicta.com.au/projects/TS/cachebleed/ "CacheBleed: A Timing Attack on OpenSSL Constant Time RSA"
& http://cseweb.ucsd.edu/~hovav/papers/hs09.html "Reconstructing RSA Private Keys from Random Key Bits"
https://www.openssl.org/news/secadv/20160301.txt
https://cachebleed.info
https://security-tracker.debian.org/tracker/CVE-2016-0702
(Fix is, in part, to the assembler cross-translator written in Perl.)
https://drownattack.com/
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
"CVE-2016-0800, a novel cross-protocol attack that uses SSLv2 handshakes to decrypt TLS sessions"

http://www.metzdowd.com/pipermail/cryptography/2016-March/028824.html On the Impending Crypto Monoculture - Peter Gutmann
https://en.wikipedia.org/wiki/Poly1305
http://cr.yp.to/chacha.html
http://cr.yp.to/djb.html
http://cr.yp.to/ecdh.html = Curve25519

=========

ProtonMail no longer in Beta https://protonmail.com/
"free" and "encrypted" and "commercial" ... that's concerning. User-friendly packaging of OpenPGP.
"They admit that because the system relies on JavaScript downloaded to a browser, a hacker or government altering Protonmail's server could weaken or eliminate the encryption."
bricker CERN/MIT suggests there may not be a secret profit motive. Will have to check if Steve Gibson or one of the public cryptographers outside the project have reviewed it.
https://www.grc.com/sn/sn-462.htm
https://www.sans.org/newsletters/newsbites/xviii/22#301
http://m.economictimes.com/magazines/panache/everything-you-need-to-know-about-the-fake-email-interview-of-vijay-mallya/articleshow/51451519.cms
Why oh why did they think they could PHP safely? http://www.securitynewsonline.com/securityblogs/article.php?title=ProtonMail.ch_Header_Injection_CSRF
Ahh, it is Freemium - tiered pricing. In-browser crypto gives me hives because of all the flaws in the JS sandbox etc., but for ease of use, their LastPass-style zero-knowledge cloud keying makes sense. (Paid accounts allow more than one address, own domains, and remove the messages/day cap. Free account not usable as primary email.)
It's not entirely a walled garden. Email to people outside is symmetric key, with the out-of-band passphrase that Tom mentioned. Also says their messages can be downloaded and decrypted offline with PGP.
https://www.cryptocoinsnews.com/inside-look-protonmail-end-end-encrypted-email/ CCN (Financial Bitcoin & Cryptocurrency News): An Inside Look at ProtonMail: End-to-End Encrypted Email. "ProtonMail perfectly blends security with simplicity to offer a free, end-to-end encrypted email service based in Switzerland." May 3rd, 2014 at 7:55 AM
https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/ WIRED: Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure. "The latest encrypted email service to rise in popularity is ProtonMail, which attracted wide attention after it was featured on Mr. Robot. But how secure is it really?"

Key threats -
- in-browser leakage
- malware or Gov't MITM/proxy substitutes the requested public key or JS code
- touch id (legally & illegally coercible)
- self-deleting is a dubious offering
- phone verification on free accounts hurts anons *and* spammers. (reCaptcha for some low risk, but multiple accounts, sketchy IP, ... will trigger email or SMS verification. Alternative is upgrade w/ PayPal or BitCoin, but BTC isn't all that anonymous.)
- Q. Did you implement session management? It is a security risk if I disconnect & reconnect 2 a diff net and can read mail w/o cred
  A. This behavior is preferred by most users so we are keeping it this way.

"Have you tried Pandor (Chrome) vs Mailvelope? [BTW Pandor does not intercept as per dev]! It integrates exceptionally well with Gmail, it's easy as pie -- encrypts --> send. What about RetroShare (Cross-platform)?" [Mailvelope failed usability testing.]

=========== (many more named exploits) ============

2016-08-16 https://motherboard.vice.com/read/wave-of-spoofed-encryption-keys-shows-weakness-in-pgp
Why we read the 40 char fingerprint, not just the short id.
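Added example (mine, not from the linked article or from GnuPG) of why the short ID is not an identity: the RFC 4880 V4 fingerprint computation, the long and short key IDs as nothing more than its tail, two constructed (non-real) fingerprints that agree on the short ID, and a pin check that compares the full 40 hex digits.

```python
# Added example, not from the page or GnuPG. RFC 4880 sec. 12.2: a V4 fingerprint is
# SHA-1 over 0x99 || 2-byte body length || public-key packet body; the key ID is its
# low 64 bits and the "short" ID its low 32 bits. All keys and fingerprints below are
# constructed for illustration, not real.
import hashlib
import hmac
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Public-key packet body: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint_v4(body: bytes) -> str:
    """Fingerprint = SHA-1(0x99 || len16 || body), as the usual 40 uppercase hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fpr: str) -> tuple:
    """(long 64-bit ID, short 32-bit ID): both are just the tail of the fingerprint."""
    fpr = fpr.replace(" ", "").upper()
    return fpr[-16:], fpr[-8:]


def candidates_for_short_id(short_id: str, fprs: list) -> list:
    """Everything a short-ID keyserver lookup would match; more than one hit is ambiguity."""
    sid = short_id.upper()[-8:]  # tolerate a 0x prefix or lowercase
    return [f for f in fprs if key_ids(f)[1] == sid]


def same_key(expected_fpr: str, presented_fpr: str) -> bool:
    """Pin by the full fingerprint, compared in constant time; never by a key ID."""
    a = expected_fpr.replace(" ", "").upper()
    b = presented_fpr.replace(" ", "").upper()
    return len(a) == 40 and hmac.compare_digest(a, b)


# Constructed, non-real fingerprints that agree on the last 8 hex digits (the short ID).
GENUINE_FPR = "0123456789ABCDEF0123456789ABCDEFDEADBEEF"
SPOOFED_FPR = "FEDCBA9876543210FEDCBA9876543210DEADBEEF"
```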
What is an OpenPGP Key ID collision - http://security.stackexchange.com/questions/74009/ddg#74010
https://duckduckgo.com/?q=pgp+short-key-id+collision&t=canonical&ia=qa (been demonstrated since late 2011)
--receive-key will use long id as documented from 1.4 & 2.0 forward?

============ new NIST backdoor suggested? =============

Changes for gnupg versions:
Installed version: 1.4.16-1ubuntu2.3
Available version: 1.4.16-1ubuntu2.4
Version 1.4.16-1ubuntu2.4:
* SECURITY UPDATE: random number generator prediction
  - debian/patches/CVE-2016-6313-1.patch: improve readability by using a macro in cipher/random.c.
  - debian/patches/CVE-2016-6313-2.patch: hash continuous areas in the csprng pool in cipher/random.c.
WRONG NUMBER; CVE-2016-6313 is correct, -6316 and -6313 cross-tangled in some postings.
@gnupg: "Sorry, the CVE in the announcement is wrong. CVE-2016-6313 is the right one and used in commit messages." https://twitter.com/gnupg/status/765956493720055808
https://marc.info/?l=oss-security&m=147145356517182&w=2
https://twitter.com/gnupg/status/765947090212126721
Critical bug found in Libgcrypt and in GnuPG 1.4: https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html - fixes are released.
"Felix Dörre and Vladimir Klebanov discovered that GnuPG incorrectly handled mixing functions in the random number generator. An attacker able to obtain 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions. A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhasty revoke keys."
Update instructions: The problem can be corrected by updating your system
CVE-2016-6316. Priority: High. Description: random number generator prediction.

Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316 < 6313 really]
From: Werner Koch
Subject: Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-xxxx]
Date: Wed, 17 Aug 2016 18:06:56 +0200
User-agent: Gnus/5.13 (Gnus v5.13)
lists.gnu.org/archive/html/info-gnu/2016-08/msg00008.

CVE-2016-6313 in Ubuntu: Priority: High. Description: random number generator prediction. References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313
people.ubuntu.com/~ubuntu-security/cve/CVE-2016-6313

Entropy Loss and Output Predictability in the Libgcrypt PRNG (CVE-2016-6313) - Felix Dörre, Karlsruhe Institute of Technology, Germany, felix.doerre@student.kit.edu
formal.iti.kit.edu/~klebanov/pubs/libgcrypt-cve-2016-6313.pdf

What does the GnuPG CVE-2016-6313 random number generator vulnerability mean for already generated keys? askubuntu.com/questions/814145/what-does-the-gnupg-cve-...
GnuPG and Libgcrypt CVE-2016-6313 Local Predictable Random Number Generator Weakness (Bugtraq BID 92527) cvedetails.com/bugtraq-bid/92527/GnuPG-and-Libgcrypt-CVE...

================

The Million-Key Question: Investigating the Origins of RSA Public Keys
Authors: Petr Švenda, Matúš Nemec, Peter Sekan, Rudolf Kvašňovský, David Formánek, David Komárek, and Vashek Matyáš, Masaryk University
Awarded Best Paper, USENIX Security 2016
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/svenda (paper and slides saved)
https://www.dancvrcek.com/re-investigating-the-origins-of-rsa-public-keys/
https://www.lightbluetouchpaper.org/2016/08/10/usenix-security-best-paper-2016-the-million-key-question-origins-of-rsa-public-keys/
http://crcs.cz/wiki/public/papers/usenix2016 - links online key classifier