Toggle light / dark theme

SHA-256 is a one way hashing algorithm. Cracking it would have tectonic implications for consumers, business and all aspects of government including the military.

It’s not the purpose of this post to explain encryption, AES or SHA-256, but here is a brief description of SHA-256. Normally, I place reference links in-line or at the end of a post. But let’s get this out of the way up front:

One day after Treadwell Stanton DuPont claimed that a secret project cracked SHA-256 more than one year ago, they back-tracked. Rescinding the original claim, they announced that an equipment flaw caused them to incorrectly conclude that they had algorithmically cracked SHA-256.

All sectors can still sleep quietly tonight,” said CEO Mike Wallace. “Preliminary results in this cryptanalytic research led us to believe we were successful, but this flaw finally proved otherwise.

Yeah, sure! Why not sell me that bridge in Brooklyn while you backtrack?

The new claim makes no sense at all—a retraction of an earlier claim about a discovery by a crack team of research scientists (pun intended). The clues offered in the original claim, which was issued just one day earlier, cast suspicion on the retraction. Something fishy is going on here. Who pressured DuPont into making the retraction—and for what purpose? Something smells rotten in Denmark!

Let’s deconstruct this mess by reviewing the basic facts:

  • Wall Street, financial services firm claims they have solved a de facto contest in math & logic
  • They cracked the code a year ago, yet— incredibly—kept it secret until this week
  • A day later (with no outside review or challenge),* they admit the year-old crack was flawed

Waitacottenpickensec, Mr. DuPont!! The flaw (an ‘equipment issue’) was discovered a year after the equipment was configured and used—but just one day after you finally decided to disclose their past discovery? Poppycock!

I am not given to conspiracy theories (a faked moon landing, suppressing perpetual motion technology, autism & vaccinations, etc)—But I recognize government pressure when I see it! Someone with guns and persuasion convinced DuPont to rescind the claim and offer a silly experimental error.

Consider the fallout, if SHA-256 were to suddenly lose public confidence…

  • A broken SHA-256 would wreak havoc on an entrenched market. SHA-256 is a foundational element in the encryption used by consumers & business
  • But for government, disclosing a crack to a ubiquitous standard that they previously discovered (or designed) would destroy a covert surveillance mechanism—because the market would move quickly to replace the compromised methodology.

I understand why DuPont would boast of an impressive technical feat. Cracking AES, SSL or SHA-256 has become an international contest with bragging rights. But, I cannot imagine a reason to wait one year before disclosing the achievement. This, alone, does not create a conundrum. Perhaps DuPont was truly concerned that it would undermine trust in everyday communications, financial transactions and identity/access verification…

But retracting the claim immediately after disclosing it makes no sense at all. There is only one rational explanation. The original claim undermines the interests of some entity that has the power or influence to demand a retraction. It’s difficult to look at this any other way.

What about the everyday business of TS DuPont?

If the purpose of the original announcement was to generate press for DuPont’s financial services, then they have succeeded. An old axiom says that any press is good press. In this case, I don’t think so! Despite the potential for increased name recognition (Who knew that any DuPont was into brokerage & financial services?) I am not likely to think positively of TS DuPont for my investment needs.


* The cryptographic community could not challenge DuPont’s original claim, because it was not accompanied by any explanation of tools, experimental technique or mathematical methodology. Recognizing that SHA-256 is baked into the global infrastructure banking, of commerce and communications, their opaque announcement was designed to protect the economy. Thank you, Mr. DuPont, for being so noble!


Philip Raymond co-chairs CRYPSA, hosts the Bitcoin Event and is keynote speaker at Cryptocurrency Conferences. He is a top writer at Quora.

Here is a question that keeps me up at night…

Is the San Bernardino iPhone just locked or is it properly encrypted?

Isn’t full encryption beyond the reach of forensic investigators? So we come to the real question: If critical data on the San Bernardino iPhone is properly encrypted, and if the Islamic terrorist who shot innocent Americans used a good password, then what is it that the FBI thinks that Apple can do to help crack this phone? Doesn’t good encryption thwart forensic analysis, even by the FBI and the maker of the phone?

iphone-01In the case of Syed Rizwan Farook’s iPhone, the FBI doesn’t know if the shooter used a long and sufficiently unobvious password. They plan to try a rapid-fire dictionary attack and other predictive algorithms to deduce the password. But the content of the iPhone is protected by a closely coupled hardware feature that will disable the phone and even erase memory, if it detects multiple attempts with the wrong password. The FBI wants Apple to help them defeat this hardware sentry, so that they can launch a brute force hack—trying thousands of passwords each second. Without Apple’s help, the crack detection hardware could automatically erase incriminating evidence, leaving investigators in the dark.

Mitch Vogel is an Apple expert. As both a former police officer and one who has worked with Apple he succinctly explains the current standoff between FBI investigators and Apple.


The iPhone that the FBI has is locked with a passcode and encrypted. It can only be decrypted with the unique code. Not even Apple has that code or can decrypt it. Unlike what you see in the movies, it’s not possible for a really skilled hacker to say “It’s impossible“” and then break through it with enough motivation. Encryption really is that secure and it’s really impossible to break without the passcode.

What the FBI wants to do is brute force the passcode by trying every possible combination until they guess the right one. However, to prevent malicious people from using this exact technique, there is a security feature that erases the iPhone after 10 attempts or locks it for incrementally increasing time periods with each attempt. There is no way for the FBI (or Apple) to know if the feature that erases the iPhone after 10 tries is enabled or not, so they don’t even want to try and risk it.

oceans_of_data-sSo the FBI wants Apple to remove that restriction. That is reasonable. They should, if it is possible to do so without undue burden. The FBI should hand over the iPhone to Apple and Apple should help them to crack it.

However, this isn’t what the court order is asking Apple to do. The FBI wants Apple to create software that disables this security feature on any iPhone and give it to them. Even if it’s possible for this software to exist, it’s not right for the FBI to have it in their possession. They should have to file a court order every single time they use it. The FBI is definitely using this situation as an opportunity to create a precedent and give it carte blanche to get into any iPhone without due process.

So the answer to your question is that yes it is that secure and yes, it’s a ploy by the FBI. Whether it’s actually possible for Apple to help or not is one question and whether they should is another. Either way, the FBI should not have that software.

Ex-NSA boss says FBI director is wrong on encryption

encryption

Encryption protects everyone’s communications, including terrorists. The FBI director wants to undermine that. The ex-NSA director says that’s a terrible idea.

The FBI director wants the keys to your private conversations on your smartphone to keep terrorists from plotting secret attacks.

But on Tuesday, the former head of the U.S. National Security Agency…

Read the full article at CNN Money
http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/

By — Wired
Original illustration: Getty
Encryption is hard. When NSA leaker Edward Snowden wanted to communicate with journalist Glenn Greenwald via encrypted email, Greenwald couldn’t figure out the venerable crypto program PGP even after Snowden made a 12-minute tutorial video.

Nadim Kobeissi wants to bulldoze that steep learning curve. At the HOPE hacker conference in New York later this month he’ll release a beta version of an all-purpose file encryption program called miniLock, a free and open-source browser plugin designed to let even Luddites encrypt and decrypt files with practically uncrackable cryptographic protection in seconds.

“The tagline is that this is file encryption that does more with less,” says Kobeissi, a 23-year old coder, activist and security consultant. “It’s super simple, approachable, and it’s almost impossible to be confused using it.”

Read more