LibreCryptography – Telegram
Aggregating and Organizing Some Crypto-Related Resources | Under the #librehash brand
Speaking of the NaCl Box

Here's a 'Go' implementation of it: https://godoc.org/golang.org/x/crypto/nacl/box

(What is 'NaCl'?) - conventionally, it's table salt if we're going by the chemical formula, but in this context we're referring to the Networking and Cryptography library (and you use 'salt' in cryptography, get it?). The Go package implements the 'box' construction: Curve25519 key agreement, XSalsa20 encryption and Poly1305 authentication.

This library has extremely strong cryptography. The hyperlinked text above leads to Daniel Bernstein's site - we don't need to speak on how legitimate his algorithms tend to be (despite the weird wave of hate they've been getting from other jealous cryptographers who haven't been able to achieve the same level of notoriety that Daniel Bernstein has).
Crypto StackExchange

Usually when it comes to any online message board, question & answer platform (like Quora / Yahoo! Answers back in the day), or general social media, you're rarely going to get the best of the bunch in terms of responses.

But StackExchange is clearly the exception.

The answers that people give on there are mind-blowingly above & beyond what is expected on the internet. Anywhere. At any point.

In fact, the answers on StackExchange are so reliable that many consider a direct link to an answer there a legitimate citation when stating a fact.

Many Professionals on the Network

Individuals such as the creators of the Skein hash function and of BLAKE2 / BLAKE3, among others, answer there (Zooko Wilcox-O'Hearn is one of the BLAKE3 authors).
Implicit Certificates (specification by SECG, the Standards for Efficient Cryptography Group; the same organization that published the SEC 2 curve definitions used with ECDSA)

Here's the link = https://www.secg.org/sec4-1.0.pdf

'ECQV' (Elliptic Curve Qu-Vanstone) is its abbreviation. Make sure that you remember that if you want to look it up for yourself at any point in the near future. An implicit certificate carries no CA signature: the holder's public key is reconstructed from the certificate data and the CA's public key, which is why these certificates are so small.
Blake3 Hash Function

Purports to be several times faster than the other common hash functions (yes, even SHA-1) on the same hardware, and unlike them it parallelizes across SIMD lanes and CPU cores.

Yes, these are the same folk that built BLAKE2 (whose predecessor BLAKE was a SHA-3 finalist; it lost to Keccak not because of any security weakness but because NIST preferred Keccak's hardware performance and a design unlike SHA-2).

Here's the GitHub for any that wish to try it out = https://github.com/BLAKE3-team/BLAKE3

It's written in Rust. If you want it on the command line you're going to need to build 'b3sum' (that's the binary that you'll be calling in the terminal; `cargo install b3sum` does it).

There are also prebuilt binaries available in the releases, though.

The README's benchmark chart shows the performance BLAKE3 claims to get. If this holds up, then that's pretty overwhelming (haven't tried it yet).

They have plenty of test vectors in the repository's test_vectors directory for those that are looking to try it out.
Bao Hashing Mode (for Blake3)

One of the better features that the project boasts is the 'Bao' verified streaming mode (implementation here = https://github.com/oconnor663/bao)

"Bao is an implementation of BLAKE3 verified streaming"

Described in section 6.4 of the BLAKE3 specification = https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf

Once compiled with Rust, you're left with a binary executable (move it into your PATH or export the path where it is), and you'll be able to call it from the command line.

What it Does

1. This is an encoder (not an encryptor; there's a difference). It interleaves the hash tree's parent nodes (chaining values) with the data so that a reader can verify the data as it streams in, but it provides no confidentiality: if the data must stay hidden, encrypt it first and encode the ciphertext.

2. Supposing you encoded a bunch of (encrypted) data, then sent that to a node or someone else to store, you would not need to pull back and process the entire blob they're holding in order to be assured that they have all of your data. You can ask for a 'slice' covering any byte range and verify it against the original 32-byte BLAKE3 hash, from anywhere in the file.

So that's very uniquely cool.
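To make point 2 concrete, here is an added toy implementation of the verified-streaming idea in Python. It is not Bao's code: it keeps Bao's layout (1024-byte chunks, a binary tree whose left subtree takes the largest power-of-two number of chunks, parent nodes written before the chunks they cover, an 8-byte length header) but stands in SHA-256 with a domain byte for BLAKE3's chunk and parent chaining values and leaves out BLAKE3's chunk counters and flags, so its hashes are not BLAKE3 hashes. The sample data is constructed.

```python
import hashlib

CHUNK = 1024  # Bao/BLAKE3 chunk size


def chunk_hash(chunk: bytes) -> bytes:
    # Toy stand-in for a BLAKE3 chunk chaining value (domain byte 0x00).
    return hashlib.sha256(b"\x00" + chunk).digest()


def parent_hash(left: bytes, right: bytes) -> bytes:
    # Toy stand-in for a BLAKE3 parent node chaining value (domain byte 0x01).
    return hashlib.sha256(b"\x01" + left + right).digest()


def _chunks(n: int) -> int:
    return max(1, -(-n // CHUNK))


def _left_len(n: int) -> int:
    # Bytes covered by the left subtree: the largest power of two of chunks that is < total.
    k = _chunks(n)
    return (1 << ((k - 1).bit_length() - 1)) * CHUNK


def _encoded_size(n: int) -> int:
    # A subtree over n bytes holds n data bytes plus one 64-byte pair per parent node.
    return n + 64 * (_chunks(n) - 1)


def _encode_node(data: bytes):
    if len(data) <= CHUNK:
        return chunk_hash(data), data
    cut = _left_len(len(data))
    lh, le = _encode_node(data[:cut])
    rh, re = _encode_node(data[cut:])
    return parent_hash(lh, rh), lh + rh + le + re  # pre-order: pair, left subtree, right subtree


def encode(data: bytes):
    """Return (root_hash, encoding). Encoding = 8-byte little-endian length, then the tree."""
    root, tree = _encode_node(data)
    return root, len(data).to_bytes(8, "little") + tree


def _slice_node(enc, pos, node_start, node_len, start, end, out):
    # Copy only the nodes of this subtree that intersect the requested range [start, end).
    if node_len <= CHUNK:
        out.append(enc[pos:pos + node_len])
        return
    out.append(enc[pos:pos + 64])
    pos += 64
    cut = _left_len(node_len)
    if start < node_start + cut:
        _slice_node(enc, pos, node_start, cut, start, end, out)
    if end > node_start + cut:
        _slice_node(enc, pos + _encoded_size(cut), node_start + cut, node_len - cut, start, end, out)


def extract_slice(enc: bytes, start: int, count: int) -> bytes:
    """Storage side: answer a range request with the header plus the nodes on the path to it."""
    total = int.from_bytes(enc[:8], "little")
    if count <= 0 or start < 0 or start + count > total:
        raise ValueError("range outside the encoded content")
    out = [enc[:8]]
    _slice_node(enc, 8, 0, total, start, start + count, out)
    return b"".join(out)


def _verify_node(sl, pos, expected, node_start, node_len, start, end, out):
    if node_len <= CHUNK:
        chunk = sl[pos:pos + node_len]
        if len(chunk) != node_len or chunk_hash(chunk) != expected:
            raise ValueError("chunk does not match the root hash")
        out += chunk[max(start, node_start) - node_start:min(end, node_start + node_len) - node_start]
        return pos + node_len
    pair = sl[pos:pos + 64]
    if len(pair) != 64 or parent_hash(pair[:32], pair[32:]) != expected:
        raise ValueError("parent node does not match the root hash")
    pos += 64
    cut = _left_len(node_len)
    if start < node_start + cut:
        pos = _verify_node(sl, pos, pair[:32], node_start, cut, start, end, out)
    if end > node_start + cut:
        pos = _verify_node(sl, pos, pair[32:], node_start + cut, node_len - cut, start, end, out)
    return pos


def decode_slice(root: bytes, sl: bytes, start: int, count: int) -> bytes:
    """Client side: verify a slice against the 32-byte root hash and return the requested bytes."""
    total = int.from_bytes(sl[:8], "little")  # untrusted; a wrong length breaks the hash checks
    if count <= 0 or start < 0 or start + count > total:
        raise ValueError("range outside the claimed length")
    out = bytearray()
    pos = _verify_node(sl, 8, root, 0, total, start, start + count, out)
    if pos != len(sl):
        raise ValueError("unexpected trailing data in slice")
    return bytes(out)


def demo():
    data = bytes(range(256)) * 20  # constructed 5120-byte sample: five full chunks
    root, enc = encode(data)
    sl = extract_slice(enc, 2000, 1500)  # three chunks plus the parents on their path
    got = decode_slice(root, sl, 2000, 1500)
    tampered = bytearray(sl)
    tampered[-1] ^= 1
    try:
        decode_slice(root, bytes(tampered), 2000, 1500)
        detected = False
    except ValueError:
        detected = True
    return got == data[2000:3500], len(enc), len(sl), detected


if __name__ == "__main__":
    print(demo())
```

The client only ever holds the 32-byte root hash; every slice it receives is checked node by node against that hash, so a storage node that lost or altered any byte in the requested range cannot produce a slice that verifies. Requesting the full range returns the whole encoding, which is the same as a normal full verification.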
Europol Decryption Program

One of the more concerning developments that we've seen in this international nation-state warfare vs. encryption. https://www.europol.europa.eu/newsroom/news/europol-and-european-commission-inaugurate-new-decryption-platform…

Specifically, the press release claims that Europol has managed to successfully erect a "decryption platform" that will "significantly increase Europol's capability to decrypt information lawfully obtained in criminal investigations."

The press release also goes on to state that the platform exists in "full respect of fundamental rights and without limiting or weakening encryption", which rings a bit hollow when considering that the tool will be "available to national law enforcement authorities of all Member States to help keep societies and citizens safe and secure."

Why This Screams Bullshit

The fact that multiple different nation states (essentially all members of the European Union) will have access to this tool (whatever it is) makes the supposed benefits of this action entirely null.

To begin with there's:

1. A ton of different nation states that will have access to these tools and information. To suggest that they will all use these tools in a responsible manner that's considerate of their citizens' rights is preposterous.

2. With such intel / resources being passed around freely to all of the member states of the European Union, one must wonder how in the world the EU can guarantee any level of real control over how this platform is administered.

To suggest that all member nations of the EU will unanimously act in an ethical manner in line with the values of all of their respective citizens is a preposterous claim at best.

What Can Be Done

We can bitch about this endlessly or we can look at the reality of the situation.

The chance that they have found a way to break all of modern encryption is slim (and if this were the case, it's very unlikely that the secret would be kept for long).

However, with that being said, it is likely that the EU has amassed the resources necessary to subvert some of the more commonly used ciphers / algorithms in use today. The threshold for being able to do so would not require them to actually "break" the encryption schemes themselves (which, as far as anyone knows, remains infeasible).

Rather, exploits like Spectre / Meltdown, cache-timing attacks, differential analysis, etc. could afford the member states of Europol the tools necessary to compromise individuals' keys and data through other means.
AsyncSSH (this is the major key that we need to use)

- Allows for SSH / SFTP / other nice things on top

- Allows for the Ed448 algorithm (this one is pretty fucking significant)

- We also have the option of creating a certificate as well (which adds another layer of authentication in the process; but for that to work, the server must trust the CA that signed the certificate, and the certificate must also be present in the separate shell instance alongside the key) <— would it be a better idea for us to just tunnel that information over there?

https://asyncssh.readthedocs.io/en/stable/#interactive-input
Stateless PGP Keys

This is something that's been needed for quite some time. It allows you to regenerate your PGP keys deterministically from a passphrase.

https://github.com/skeeto/passphrase2pgp

The magic of this stems from also fixing the key's creation time (a chosen UNIX timestamp) as an input to key generation: the creation time is hashed into the OpenPGP fingerprint, so with the passphrase and the timestamp fixed you get the identical key and fingerprint every time. Then voila.
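As an added example (not passphrase2pgp's code), here is the mechanism in Python: derive an Ed25519 key from the passphrase, then compute the OpenPGP v4 fingerprint, which hashes the creation timestamp. The passphrase KDF is PBKDF2-HMAC-SHA512 with the user ID as salt, a stand-in for the memory-hard KDF passphrase2pgp uses, and the Ed25519 arithmetic is written out in plain Python because the standard library has none. The sample passphrase and user ID are constructed.

```python
import hashlib

# ---- Ed25519 public-key derivation (RFC 8032 arithmetic, plain affine coordinates) ----
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P          # curve constant d = -121665/121666


def _inv(x: int) -> int:
    return pow(x % P, -1, P)


def _recover_x(y: int, sign: int) -> int:
    # Solve x^2 = (y^2 - 1) / (d y^2 + 1); P = 5 mod 8, so try x2^((P+3)/8), then fix up by sqrt(-1).
    x2 = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P:
        raise ValueError("not a point on the curve")
    return P - x if (x & 1) != sign else x


_BY = 4 * _inv(5) % P
B = (_recover_x(_BY, 0), _BY)                   # standard base point: y = 4/5, x even


def _add(p, q):
    # Twisted Edwards addition with a = -1 (complete on Ed25519: denominators are never zero).
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % P)


def _mul(k: int, p):
    r = (0, 1)                                   # neutral element
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def ed25519_public_key(seed: bytes) -> bytes:
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248                                  # RFC 8032 clamping
    h[31] &= 127
    h[31] |= 64
    x, y = _mul(int.from_bytes(h, "little"), B)
    enc = bytearray(y.to_bytes(32, "little"))
    enc[31] |= (x & 1) << 7                      # sign of x goes into the top bit
    return bytes(enc)


# ---- OpenPGP v4 fingerprint over the public-key packet (RFC 4880 section 12.2) ----
ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1


def openpgp_v4_fingerprint(pubkey: bytes, created: int) -> bytes:
    point = b"\x40" + pubkey                     # OpenPGP prefixes the native point encoding with 0x40
    body = (b"\x04"                              # version 4
            + created.to_bytes(4, "big")         # creation time: the "fixed UNIX time" input
            + b"\x16"                            # public-key algorithm 22 = EdDSA
            + bytes([len(ED25519_OID)]) + ED25519_OID
            + (8 * len(point) - 1).to_bytes(2, "big") + point)  # MPI with its 263-bit length
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def derive_key(passphrase: str, user_id: str, created: int = 0):
    """Passphrase + user ID + fixed creation time -> (Ed25519 public key, 20-byte fingerprint).
    The KDF here is PBKDF2-HMAC-SHA512 (an assumption: a stand-in for passphrase2pgp's own KDF)."""
    seed = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), user_id.encode(), 100_000, 32)
    pub = ed25519_public_key(seed)
    return pub, openpgp_v4_fingerprint(pub, created)


if __name__ == "__main__":
    pub, fp = derive_key("correct horse battery staple", "Alice <alice@example.org>", 0)
    print("public key :", pub.hex())
    print("fingerprint:", fp.hex().upper(), "key ID:", fp[-8:].hex().upper())
```

Run it twice and the fingerprint is identical; change only the timestamp and the public key stays the same while the fingerprint (and therefore the key ID) changes, which is exactly why a reproducible key needs both inputs pinned down.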
Quantum Safe Onion Routing = https://arxiv.org/pdf/2001.03418.pdf (this is probably already several levels above what we see from the Tor Project; I really don't like their earlier specifications and standards, to be entirely honest with you)

^^ Maybe we also throw this in the t.me/libredarkweb channel; why not?
Apologies for the gap in publishing on here; there are quite a few things that I have to add, so I figure I may as well stop procrastinating and get to it.
Forwarded from Librehash Research
Researcher Discovered the NIST Specification on SHA256 Prime Values is Incorrect

"According to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 180-2, 'These words represent the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four prime numbers.'

No reason was provided as to why these values were selected...

Close examination of the SHA-256 constants reveals that only four of the numbers are actually prime numbers."

Source = https://www.femto-second.com/papers/SHA256LimitedStatisticalAnalysis.pdf
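An added example (not from the forwarded post or the paper) that reproduces the derivation the quoted sentence describes, using exact integer arithmetic so no floating-point rounding gets in the way: each K constant is the first 32 bits of the fractional part of the cube root of a prime, and each initial hash word is the same for a square root. The constants are therefore derived from primes rather than being primes themselves, and the script compares them with values copied from the FIPS 180-4 tables so you can check for yourself.

```python
def first_primes(count: int) -> list:
    """The first `count` primes by trial division (SHA-256 needs only 64)."""
    primes = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def iroot(n: int, k: int) -> int:
    """Largest integer x with x**k <= n, by binary search on exact integers."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)   # hi**k > n, so the answer is below hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def fractional_root_bits(p: int, k: int, bits: int = 32) -> int:
    """First `bits` bits of the fractional part of p ** (1/k).

    floor(p^(1/k) * 2^bits) == iroot(p * 2^(k*bits), k); masking off the integer
    part above bit `bits` leaves exactly the fractional bits the spec refers to."""
    return iroot(p << (k * bits), k) & ((1 << bits) - 1)


def sha256_round_constants() -> list:
    """K[0..63]: fractional bits of the cube roots of the first 64 primes (FIPS 180-4, 4.2.2)."""
    return [fractional_root_bits(p, 3) for p in first_primes(64)]


def sha256_initial_hash() -> list:
    """H(0): fractional bits of the square roots of the first 8 primes (FIPS 180-4, 5.3.3)."""
    return [fractional_root_bits(p, 2) for p in first_primes(8)]


# Copied from the FIPS 180-4 tables for comparison: the first eight and the last round constant.
FIPS_K_HEAD = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
               0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5]
FIPS_K_LAST = 0xc67178f2


def matches_fips() -> bool:
    k = sha256_round_constants()
    return k[:8] == FIPS_K_HEAD and k[63] == FIPS_K_LAST


if __name__ == "__main__":
    for p, k in zip(first_primes(64), sha256_round_constants()):
        print(f"prime {p:3d}  cbrt fraction -> K = 0x{k:08x}")
    print("matches FIPS 180-4 table:", matches_fips())
```

The same routine with `k=2` over the first eight primes gives the initial hash words (0x6a09e667 for the square root of 2, and so on), which is a quick way to confirm that the procedure, not a table of magic numbers, is what the standard specifies.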
Standard Notes Updated Their Cryptography

These updates are palpable upgrades to the application itself.

Now they employ Argon2 for password hashing and XChaCha20-Poly1305 for authenticated encryption, with a fresh random nonce generated for every item a user saves.

That's not to say that the cryptographic primitives that they were using before were weak, but these are obviously considerably stronger (and cryptographically more secure as well).

In software without AES hardware acceleration, ChaCha20-Poly1305 is generally faster than AES-256-GCM; on CPUs with AES-NI, AES-GCM usually wins.

192-bit nonces are used for the XChaCha20 stream cipher encryption. That size is what makes random nonce generation safe: with 192 bits the chance of ever repeating a nonce is negligible, whereas the 96-bit nonce of plain ChaCha20-Poly1305 calls for a counter.

More information on the specification for this upgrade / update can be found here = https://docs.standardnotes.org/specification/encryption/
Chacha20 key wrapping + SipHash = https://eprint.iacr.org/2020/059.pdf
A lot of cryptographic repos are collected here for you to peruse (hence the name of the GitHub account, I suppose) = https://github.com/CryptoFanOrg