<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dw="https://www.dreamwidth.org">
  <id>tag:dreamwidth.org,2017-01-13:2749664</id>
  <title>Always strive to learn something useful.  --Sophocles</title>
  <subtitle>You are coming to a sad realization.  Cancel or allow?</subtitle>
  <author>
    <name>The Wayne</name>
  </author>
  <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/"/>
  <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom"/>
  <updated>2025-11-29T04:42:32Z</updated>
  <dw:journal username="thewayne" type="personal"/>
  <entry>
    <id>tag:dreamwidth.org,2017-01-13:2749664:1488479</id>
    <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/1488479.html"/>
    <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom/?itemid=1488479"/>
    <title>Cryptography organization has to nullify election because someone lost the decrypt key!</title>
    <published>2025-11-29T04:42:32Z</published>
    <updated>2025-11-29T04:42:32Z</updated>
    <category term="encryption"/>
    <dw:security>public</dw:security>
    <dw:reply-count>8</dw:reply-count>
<content type="html">This is both funny and sad because (A) it happened to the International Association of Cryptologic Research, an organization that's been around for 50-some years, and (2) because it demonstrates how brittle encryption can be.&lt;br /&gt;&lt;br /&gt;The organization was holding its annual leadership election, and was using high-strength and verifiable encryption.  Everyone who submitted their vote could verify, through their own encryption key, that their vote was correct and not tampered with.  Three members of the election committee each held one-third of the key required to completely decrypt the master file to tabulate the vote, so all three had to simultaneously submit their part of the key to process the votes.&lt;br /&gt;&lt;br /&gt;One of the members lost their part of the key, irrecoverably, through simple human error - not a hack.  Thus, the file remains forever locked.&lt;br /&gt;&lt;br /&gt;The IACR is re-running the election, which will close on December 20, using a different encryption methodology requiring two of the three key portions.  
And the person who lost their part of the key has resigned from the election committee; I don't know if they're still part of the organization.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://arstechnica.com/security/2025/11/cryptography-group-cancels-election-results-after-official-loses-secret-key/"&gt;https://arstechnica.com/security/2025/11/cryptography-group-cancels-election-results-after-official-loses-secret-key/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.schneier.com/blog/archives/2025/11/iacr-nullifies-election-because-of-lost-decryption-key.html"&gt;https://www.schneier.com/blog/archives/2025/11/iacr-nullifies-election-because-of-lost-decryption-key.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.dreamwidth.org/tools/commentcount?user=thewayne&amp;ditemid=1488479" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/&gt; comments</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2017-01-13:2749664:1453836</id>
    <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/1453836.html"/>
    <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom/?itemid=1453836"/>
    <title>The UK government secretly ordered Apple to weaken its iCloud encryption</title>
    <published>2025-02-23T07:01:55Z</published>
    <updated>2025-02-23T07:03:56Z</updated>
    <category term="apple"/>
    <category term="privacy"/>
    <category term="uk"/>
    <category term="encryption"/>
    <category term="england"/>
    <dw:security>public</dw:security>
    <dw:reply-count>11</dw:reply-count>
    <content type="html">This was a government order.  And it was a secret.  Apple was not allowed to reveal the order.  The purpose of the order was allegedly to make it easier for the government to find CSAM, explicit child pornography.  It was, in fact, admitting that they were not being very good at their investigations and wanted Apple to make it easier for them.&lt;br /&gt;&lt;br /&gt;So Apple broadcast not only that they received the order, they actually broadcast the text of it.&lt;br /&gt;&lt;br /&gt;And now they've announced that they are turning off ADP, Advanced Data Protection, a form of advanced encryption of iCloud information in the UK to comply with the order.  If you turn on ADP, the only person who can access your data is &lt;b&gt;YOU&lt;/b&gt;, which also means that you can lose it.  That's the risk of encryption.&lt;br /&gt;&lt;br /&gt;Apple basically engaged in naming and shaming the government, good for them!  The Home Office said "We do not comment on operational matters, including for example confirming or denying the existence of any such notices."  As of this time, Apple users in the UK can no longer turn on ADP, it is expected that with a future update it will be turned off for users who previously activated it.&lt;br /&gt;&lt;br /&gt;Without ADP, the information is still encrypted, but it is done in such a way that if the government serves Apple with a warrant, Apple can get at the information.  Need I remind people about an incident that I posted about a month or so ago about a back door that the U.S. government required telecommunications providers to install for surveillance purposes that the Chinese have cracked?  
Several telecom providers have been compromised, and it's an extreme fight to keep them out - it's an ongoing problem.&lt;br /&gt;&lt;br /&gt;I can't wait for a British tabloid to get ahold of some MP or Lord's data and splash it all over their paper.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.bbc.com/news/articles/cgj54eq4vejo"&gt;https://www.bbc.com/news/articles/cgj54eq4vejo&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://apple.slashdot.org/story/25/02/21/1529255/apple-removes-cloud-encryption-feature-from-uk-after-backdoor-order"&gt;https://apple.slashdot.org/story/25/02/21/1529255/apple-removes-cloud-encryption-feature-from-uk-after-backdoor-order&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.dreamwidth.org/tools/commentcount?user=thewayne&amp;ditemid=1453836" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/&gt; comments</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2017-01-13:2749664:1425007</id>
    <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/1425007.html"/>
    <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom/?itemid=1425007"/>
    <title>Microsoft will be enabling full disk encryption on clean Win 11 installs soonish</title>
    <published>2024-08-15T15:53:50Z</published>
    <updated>2024-08-15T15:53:50Z</updated>
    <category term="encryption"/>
    <category term="microsoft"/>
    <category term="privacy"/>
    <dw:security>public</dw:security>
    <dw:reply-count>12</dw:reply-count>
<content type="html">A forthcoming version of Windows 11 known as 24H2 will enable Bitlocker device encryption (FDE) by default.  This can be turned off if you want to get into Control Panel and deactivate it.  The article notes that Tom's Hardware found that FDE can slow down disk access by 45% on solid-state drives.  Additionally, Microsoft requires that the encryption key is uploaded to your Microsoft cloud account, meaning they have the means for decrypting your drive.&lt;br /&gt;&lt;br /&gt;MS holding the key to your drive is a theoretical vulnerability.  I have not read of them cooperating with authorities in the decryption of drives, much like Apple has not, though in Apple's case, they don't hold keys and cannot.&lt;br /&gt;&lt;br /&gt;Personally, I don't think disk encryption is a good idea for the average home user.  You should maintain good backups and keep them disconnected from your PC, preferably in a fire-proof lockbox or off-site.  Have two sets (or more) and rotate between them so you have fall-back points if one of the backup sets fails.&lt;br /&gt;&lt;br /&gt;We have a concept in IT that backups don't exist until you test them or need them; until that time they just exist in a void.  When you pull them out and try to restore from them, that's when you find out whether or not they're any good.  
Backup disks and tapes fail, which is why if you value your data you want multiple copies to reduce the chance of one copy failing.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.theverge.com/2024/8/14/24220138/microsoft-bitlocker-device-encryption-windows-11-default"&gt;https://www.theverge.com/2024/8/14/24220138/microsoft-bitlocker-device-encryption-windows-11-default&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://tech.slashdot.org/story/24/08/14/1559240/microsoft-is-enabling-bitlocker-device-encryption-by-default-on-windows-11"&gt;https://tech.slashdot.org/story/24/08/14/1559240/microsoft-is-enabling-bitlocker-device-encryption-by-default-on-windows-11&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.dreamwidth.org/tools/commentcount?user=thewayne&amp;ditemid=1425007" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/&gt; comments</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2017-01-13:2749664:1353866</id>
    <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/1353866.html"/>
    <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom/?itemid=1353866"/>
    <title>Major flaw found in RSA SSH where crypto keys can be recovered!</title>
    <published>2023-11-14T21:35:14Z</published>
    <updated>2023-11-14T21:35:14Z</updated>
    <category term="computer security"/>
    <category term="open source"/>
    <category term="encryption"/>
    <dw:security>public</dw:security>
    <dw:reply-count>5</dw:reply-count>
<content type="html">This is starting out with a warning: this article is really, REALLY deep computer security stuff, DO NOT dig into it if you don't have a minimal understanding of network encryption, SSH, RSA, etcetera!  YOU WILL BE LOST!&lt;br /&gt;&lt;br /&gt;RSA is pretty much a deprecated encryption technique.  While it was good in its day, it's somewhat broken and has been superseded by better methodologies, both because technology moves ever onward and because it's broken.  Apparently it's mainly in use in old systems where companies haven't bothered to replace it: 'If it ain't broke, leave it alone', and just haven't budgeted the funds and time to get it done.&lt;br /&gt;&lt;br /&gt;People who try to break computer security have found an interesting way to break RSA even worse.  They monitor and sit and wait.  The first thing that happens when establishing an SSH connection (and other secure types of connections) is a handshake - the computers send a few packets back and forth, exchange keys (encryption certificates), and get to know each other (proverbially).  This handshake process is supposed to be encrypted and secured and not easily spied upon.  Except sometimes it isn't.&lt;br /&gt;&lt;br /&gt;Computers make mistakes.  Sometimes the process that encrypts the handshake fails; it can be a memory bit failure, and this can reveal part of one of the private keys that provides the encryption to the handshake.  These keys are generated by multiplying very large prime numbers.  If you recover one of the keys, you can then recover the other key by dividing by great whomping big prime numbers.  
Once you break that, you have access to the certificates that created the secure connection and you can now sit in the middle and impersonate all traffic of either host.&lt;br /&gt;&lt;br /&gt;This is what people in computer security call BAD.&lt;br /&gt;&lt;br /&gt;OpenSSH applied fixes to try to prevent it, but some major vendors, including Cisco, roll their own code and had some pretty bad vulnerabilities to this problem.  They might have fixed it, but when you're running closed-source software (where you've written your own code), rather than relying on an open software where there are tons of eyes looking for problems and testing, it's often weaker than the open source version such as OpenSSH.&lt;br /&gt;&lt;br /&gt;Interesting times.&lt;br /&gt;&lt;br /&gt;No real solid information as to whether or not this has been exploited in the wild as it's really hard to detect interception attacks like this.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/"&gt;https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.dreamwidth.org/tools/commentcount?user=thewayne&amp;ditemid=1353866" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/&gt; comments</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2017-01-13:2749664:1199567</id>
    <link rel="alternate" type="text/html" href="https://thewayne.dreamwidth.org/1199567.html"/>
    <link rel="self" type="text/xml" href="https://thewayne.dreamwidth.org/data/atom/?itemid=1199567"/>
    <title>An interesting computer security project: Dice Keys</title>
    <published>2020-08-22T18:39:23Z</published>
    <updated>2020-08-22T18:39:36Z</updated>
    <category term="open source"/>
    <category term="computer security"/>
    <category term="encryption"/>
    <dw:security>public</dw:security>
    <dw:reply-count>13</dw:reply-count>
<content type="html">The purpose is to generate encryption keys with a high level of entropy.  Specifically, it's a kit of 25 dice that get locked into a 5x5 grid.  For each die, the die is individually numbered, each face is individually numbered, and the rotation is individually numbered!  Because of this, the entropy possible is 2^196, or 124,127,134,662,179,891,202,329,100,571,859,806,502,566,406,865,813,504,000,000!  That's a bloody huge number!&lt;br /&gt;&lt;br /&gt;Here's what it looks like after you shake the dice in the provided bag, roll them into the provided plastic cage and lock them down:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.crowdsupply.com/img/9f9c/from-left-1_png_project-body.jpg"&gt;&lt;br /&gt;&lt;img src="https://www.crowdsupply.com/img/9f9c/from-left-1_png_project-body.jpg" border="1" width="75%" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After you roll the dice and lock them down, you use a smartphone app to capture the dice and the app generates the key, which you can use within your phone or copy onto a USB key.  The best thing is that the software that generates the key is open source, so if the company disappears, as long as you still have your dice or a picture of them, you can still regenerate your key!  And the case design is such that if you drop it (or a toddler accident), it won't accidentally pop open and spill the dice all over the place.&lt;br /&gt;&lt;br /&gt;Bruce Schneier, noted encryption expert, is a consultant on the project.&lt;br /&gt;&lt;br /&gt;I ordered two of them; I think they're pretty cool.  And at $25 for the basic kit, they're not too expensive.  Honestly, I don't know if I'll ever use it, but the potential utility is quite good.  
And since they've already built 900 kits and sent them to the fulfillment center, there's zero chance that the project will not succeed.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.crowdsupply.com/dicekeys/dicekeys"&gt;https://www.crowdsupply.com/dicekeys/dicekeys&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="https://www.dreamwidth.org/tools/commentcount?user=thewayne&amp;ditemid=1199567" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/&gt; comments</content>
  </entry>
</feed>
