That’s not to say you cannot, and should not, play with crypto – playing is how you learn. (I exclude certain individuals at NSA and elsewhere who are reviewed internally by peers) Making something that looks like crypto is easy, as is banging the bits together – but making something that is actually secure, and more importantly being able to tell the difference, is hard.Īnyone without public, peer-reviewed crypto who thinks crypto is easy is squarely in Dunning-Kruger territory.
There’s a ton of ugly math and non-obvious caveats and so on with doing it right, and no book is going to give you the skills alone – you need the books, plus experience, plus peer review, plus a truly rare mind, and even then it gets cracked in time.
People who read the books and write code without experience and peer review make bad crypto – time and time again. “honestly anyone here can read the books and learn what is needed to be a IT security expert.” Understanding risk management (hint: it’s not black and white) is ultimately each person’s own responsibility in life, and if that concept is beyond you, having your Facebook account hijacked is likely the least of your problems. Plenty of people cut insecure code that is released unverified, promoted as safe to use for real purposes, and not only given out but sold, and for some reason it is all okay because those people were collecting a salary. Don’t rely on it to hide anything important, and document that the code is experimental and it’s security is unverified. I say, dig in, get your hands dirty, and understand the risk that whatever you do should be considered utterly insecure. This helicopter-mom mentality over cutting any code to do with crypto does a dis-service to everyone but certain three-letter agencies. It’s not about how well one knows crypto, it’s about understanding risk. That idea that only large corporates or governments dare compile code with XOR is insulting.
Not just a bit over-broad, but also disappointing that this idea that the unwashed just aren’t qualified to try their hand at crypto, any crypto, keeps being promulgated by those either arrogant or with a hidden agenda.
Posted in Microcontrollers Tagged ecc, Second Factor, Teensy, Teensy LC, Two Factor, two-factor authentication, U2F, Yubikey Post navigation Despite this, it’s still an interesting project and we’re happy shared it with us. The ‘key handle’ is just XOR encryption with a fixed key, which is also insecure. Additionally, didn’t want to solder a button to his Teensy LC, so he implemented everything without a button press, which is also insecure. It should be noted that doing anything related to security by yourself, with your own code is dumb and should not be considered secure. A handy library takes on ECC for both AVR and ARM platforms and finished U2F implementation is able to turn the Teensy LC into something GitHub was selling for $5. A U2F device is just a USB HID device, which the Teensy handles in spades. Currently, Google (through Gmail and Google Drive), Github, Dropbox, and even WordPress (through a plugin) support U2F devices, so a tiny USB key that’s able to provide U2F is a very useful device.Īfter digging into the U2F specification found the Teensy LC would be a perfect platform for experimentation.
Universal 2nd Factor is exactly what it says on the tin: it doesn’t replace your password, but it does provide a little bit of extra verification to prove that the person logging into an account is indeed the person that should. he ended up building a U2F key with a Teensy LC, and in the process brought U2F to the unwashed masses. bought two, but wondered if he could bring U2F to other microcontrolled devices. Last month, GitHub users were able to buy a special edition Universal 2nd Factor (U2F) security key for just five bucks.