#hypothes.is

hypothesis/h#3832 (master - 58e9578 : Randall Leeds): The build is still failing.

Change view : https://github.com/hypothesis/h/compare/ff04e3e...

Build details : http://travis-ci.org/hypothesis/h/builds/42822011

hypothesis/h#3833 (master - cc3afd1 : Randall Leeds): The build is still failing.

Change view : https://github.com/hypothesis/h/compare/58e9578...

Build details : http://travis-ci.org/hypothesis/h/builds/42822919

hypothesis/h#3833 (master - cc3afd1 : Randall Leeds): The build is still failing.

Change view : https://github.com/hypothesis/h/compare/58e9578...

Build details : http://travis-ci.org/hypothesis/h/builds/42822919

hypothesis/h#3834 (master - c3d3930 : Randall Leeds): The build was fixed.

Change view : https://github.com/hypothesis/h/compare/cc3afd1...

Build details : http://travis-ci.org/hypothesis/h/builds/42823704

tilgovi what's your opinion on nacl?

woah: I have none

cool

you mean the native client?

?

oh sorry

the crypto lib

seems like the solidest option out there

I don't know anything about it really

But I respect djb a whole lot

Ahh, I remember looking at it for a while

thanks for the reminder

yea, i was pretty frustrated about the lack of a good all in one lib

but it seems that nacl is it

I had been seeing ed25519 around and hadn't looked into what it was

what're you trying to do?

making a message distribution system

important to use the right kinds of things depending on what your needs are

are you encrypting or signing?

i'm doing both

i'm just going to use nacl cause it does everything and someone can audit it in the future

not trying to play amateur cryptographer

if you want another set of eyes on whatever you use it for I'll gladly look

sure man

I'm also an amateur though

hey, wondering if you know - why nonces?

why not just random data instead

they can be random data

the important thing about a nonce is only that you use it exactly once

yea, so when do you want them to not be?

you need the same nonce that was used for encryption/signing in order to decrypt/verify

fuck

if you have a deterministic sequence of nonces used with a sequence of messages you can avoid sending the nonce

I think you'd do something like send <nonce, HMAC(nonce + message)>

err, let's say HMAC takes a secret and a message

<nonce, HMAC(nonce + secret, message)>

the other party can verify using the same nonce + secret

or, sometimes maybe the nonce isn't even used in the signing

it's just part of the payload

and the server remembers the nonces it's seen

for instance, if a user is logging in by sending a hashed copy of their password

so, what are the vulnerabilities around nonces?

you don't want someone to intercept that and send the same thing again

what can someone do with it?

they might not be able to invert the hash and find out the password, but they can use an identical packet to log in

oh cool

so the whole point is that if the message contains the same nonce as was used before, the server can say "this looks like a replay attack"

that's one use of nonces

so if i don't care if someone sends the same thing twice, i can just ignore it?

or just have it always be the same thing?

if you don't care if someone sends the same thing twice you don't need a nonce

nice

but make sure you know that's what you want

thanks for letting me know, that will save me some time

"someone" might be two different people

and that's when it might be important to have a nonce

yea, the whole thing is very idempotent

but i will keep that in mind

there may be other uses

It may matter what algorithm is being used

for instance, another use of a nonce I think

if an attacker can send some message to you, and you encrypt it with a secret and send it back

some algorithms are vulnerable to known-plaintext attacks

where a carefully constructed series of plain text, encrypted with the same secret, starts to leak information about the secret

(I think this is what broke WEP wireless encryption)

(or something similar)

for that, a nonce is useful to "mix up" the plain text that the attacker is asking you to encrypt

so that it's hard for them to choose exactly what's getting encrypted

woah: ^^

ah i see

couldn't one simply append some randomness to the response?

if that randomness is different for each response

you've just made a nonce :-D

well i want to avoid having to manage nonces between nodes

nonce = number used once. doesn't matter if it's random or not.

Well, if you can tell me more about exactly what you're doing, I can help you figure out if you need them.

But maybe we should just hang out when I get back to the bay later this week

ok, I want to encypt messages with a private key

propagate them across the network

sorry i misspoke

sign messages?

sorry, I'll wait