Security Cryptography Whatever
Security Cryptography Whatever
Cryptography Tier List
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
(NSFW) Three AI-generated guests rank cryptography things into a tier list. Play along at home and make your own tier list: https://tiermaker.com/create/cryptography-15683166
This episode is definitely not safe for work and definitely a parody. Do not base your decision in the 2024 election off of this podcast episode. No campaigns have endorsed this podcast.
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
Modern Cryptography Tier List Discussion
Speaker 1All right , guys , let's do this . We all ready for a cryptography tier list ?
Speaker 2Yeah , let's fucking do this .
Speaker 3Obama , this is a bad idea . Bad idea . But people are saying I'm the best at tier lists , so let's go .
Speaker 1Okay , we're starting with some classic algorithms . First up is the Caesar cipher .
Speaker 3If the Caesar cipher is so great , how come he got stabbed ? I like people that don't get stabbed .
Speaker 2Leave Brutus out of this . Donald the Caesar cipher was a great innovation for its time and accomplished its goal of securing communication between Caesar and his generals .
Speaker 1I don't know , joe . It is just a fixed key substitution cipher after all .
Speaker 3It's backdoored .
Speaker 1It is not backdoored , it's just lame .
Speaker 2The Caesar cipher is not for computers , it's for regular , hardworking Americans .
Speaker 3Sleepy Joe is so old he only likes the ciphers that don't require computers .
Speaker 2Fuck you , Donald . Let's see you try to defeat the Huns .
Speaker 1Shut up , you two . I'm marking it as considered harmful , and that's that . Next up is a similar one , the Visionaire cipher . That wasn't actually invented by Visionaire , that's right , it was invented by an Italian .
Speaker 3I don't care . They're all losers and suckers . It's a dog shit . Cipher defeated by frequency analysis .
Speaker 2You can't deny it's better than the basic Caesar cipher Donald .
Speaker 1I'm tired of talking about all this stuff from before Claude Shannon was even born . I'm putting it in C , tier one , above the Caesar cipher . Let's get to some more modern ciphers like DES .
Speaker 3DES is dog shit . It was backdoored by GCHQ .
Speaker 1What the fuck Donald GCHQ ? Make DES stronger by editing it to be resistant to differential cryptanalysis years before the existence of differential cryptanalysis was declassified .
Speaker 2He's absolutely right , donald , I was there .
Speaker 1Wait , how old are you ?
Speaker 3You can't honestly be telling me you're using DES . It only has 64-bit blocks . Even if the S-boxes weren't dog shit , the whole thing is too close to the birthday . Bound on modern connections .
Speaker 2Whose birthday is it ?
Speaker 1It's not anybody's birthday .
Speaker 2Trump said it was close to someone's birthday . No , he didn't .
Speaker 3Of course , obama likes DES , he bailed out the banks , and all the banks used 3DS .
Speaker 1If the banks used better cryptography , maybe I wouldn't have had to bail them out . Ds was impressive at the time , but it is a bad choice in modern times . I'm marking it as considered harmful . How about Diffie Hellman ? New directions in cryptography ? Seems like an easy S tier .
Speaker 3Wrong the S-boxes . Split out the elliptic curve Diffie Hellman and the finite field Diffie Hellman . Finite field Diffie Hellman was not a good deal . Elliptic curves are a better deal .
Speaker 2What the hell is he talking about ?
Speaker 1Fine , we can drop finite field Diffie Hellman to A tier . Next up is RSA S tier .
Speaker 3Sleepy Joe is so old he still thinks RSA is a good idea . Have you ever tried padding an RSA ciphertext , Joe , RSA is C tier at best .
Speaker 2You set the padding bytes to the number of bytes . This is that simple .
Speaker 3Pkcs my ass , sleepy Joe .
Speaker 1Would you cut it out , you two ? Rsa certainly is impactful , but we really should have listened to Rogue in the 90s about Pkcs versus OEAP .
Speaker 3Blickenbacker is going to fuck you up , Sleepy Joe .
Speaker 2Anyone can tell you not to use E equals three Donald .
Speaker 3No , the other Blickenbacker .
Speaker 1There are a lot of Blickenbacker attacks . I can't keep track of them all .
Speaker 3C tier .
Speaker 1S tier . I'm splitting the difference and putting it B tier , even though Shamir and Koblets are both going to kill me . This is crap . Shut up , Joe . Okay , next up is Blowfish .
Speaker 3Blowfish . We're talking about Blowfish .
Speaker 2Is that the porn star you slept with ?
Speaker 3You just hate me because I'm cool and rich and you're old , Sleepy Joe .
Speaker 1It's a cipher from Schneier .
Speaker 2Didn't he come to the White House when you and I were president ?
Speaker 1I don't know , probably he just does policy now .
Speaker 3I can't believe this cipher is even here . It was cool for two minutes in the 90s .
Speaker 2Like Oasis .
Speaker 3Sleepy Joe gets it .
Speaker 1Yeah , it was fine , but there's really no reason to use it these days . C tier the RC4 stream cipher is next . That should be an easy considered harmful .
Speaker 3Good call Obama . Rc4 is totally broken . If you use RC4 , china can read all your plaintext like they have a golden key .
Speaker 2Trump knows all about golden streams . Ha good one , joe .
Speaker 1Thanks Obama . Okay , aes should be an easy S tier .
Speaker 3What the fuck Obama ? Aes is too underspecified to be S ? Tier . To do anything with it , you have to use a fancy cipher mode . It doesn't work out of the box like the ciphers from DJB .
Speaker 2Who is DJB ?
Speaker 3He's the best cryptographer .
Speaker 1Why are we talking about DJB ? I've never heard of him . Everyone has heard of DJB , but I don't think we should be putting him on a pedestal . He said some crazy shit and hangs out with bad people .
Speaker 2Like Trump's mom .
Speaker 1Exactly Joe .
Speaker 3What the fuck Obama .
Speaker 1Be quiet , Donald . I dare to say AES needs to be used in the proper mode to be safe . I think that's more NIST's fault , but I'll put it in A tier . Speaking of modes , CBC is up next .
Speaker 2CBC is all you need to encrypt as much as you want .
Speaker 3Once again , Sleepy Joe doesn't understand how to implement secure padding . Are you really using CBC mode , Joe ?
Speaker 2You can do random access decryption . What's not to like ?
Speaker 3What's not to like . It's called padding oracles Joe .
Speaker 1Skill issue . I agree with Trump . We have better options these days , Joe .
Speaker 2H-Mac the ciphertext and it's all fine .
Speaker 1No one does that . Everyone does Mac than encrypt who ?
Speaker 2does Mac than encrypt .
Speaker 3TLS . Does that , joe ? That's why it's dog shit . Remember Poodle .
Speaker 2Shut the fuck up , Donald . Wait , what do dogs have to do with this ?
Speaker 1Both of you shut the fuck up . Cbc is C tier .
Speaker 2Trump said there was a Poodle .
Speaker 1Poodle is a padding oracle attack on CBC mode in SSLv3 . Then , where is the dog ?
Speaker 3Obama is hiding the dog .
Speaker 1No , I'm not . What the fuck are you two talking about ? I'm moving on . H-mac is up next .
Speaker 2That shit is S tier for sure .
Speaker 3Sleepy Joe , have you never heard of an AEAD ? I bet this guy has never heard of an AEAD . What are you using H-Mac for ?
Speaker 1Donald has a point H-Mac is great , but you don't need to use it . If you're able to use an AEAD like AES , gcm , I'll knock it down to A tier . H-mac is core to .
Speaker 2Kim Dem Brock .
Speaker 1Everyone stopped using Kems until we got to post quantum cryptography . Joe .
Speaker 3Joe is so old he's still using an abacus 64K of RAM should be enough for anybody .
Speaker 1Speaking of old stuff , we've got SSLv2 up next .
Speaker 2What happened to SSLv1 ?
Speaker 1Well , Joe , you'd have to ask Marc Andreessen that .
Speaker 3I'll ask Peter Thiel .
Speaker 1What ? Why , would you ask Peter Thiel ? He wasn't at Netscape in the 90s .
Speaker 2I was in Wilmington in the 90s .
Speaker 3He's my favorite venture capitalist .
Speaker 1This doesn't have to do with VCs or A16Z . This is about Netscape .
Speaker 2I got Netscape off my AOL CDs . Does anyone need minutes ?
Speaker 1Minutes . How do you still have minutes ?
Speaker 2I bought 40 years worth of minutes in 98 , and I'm still working through them .
Speaker 1I can't believe this . I'm putting SSLv2 in considered harmful because its handshake is vulnerable to MITM .
Speaker 3Those third-rate developers at the fake news organization OpenSSL left it enabled by default for too long and gave us drown . Sslv2 is a garbage protocol .
Speaker 2OpenSSL has done more for encrypted communications than any other software package in the world .
Speaker 3Remember Heartbleed sleepy Joe , Disastrous , gross incompetence , worst library ever .
Speaker 2After Heartbleed we were able to get them funding and they really improved the quality . We're building back better .
Speaker 1That's true , but OpenSSL 3.0 has been a mess . Anyway , I'm putting SSLv2 in considered harmful in TLS and S-tier it's goaded .
Speaker 2I agree , tls is fucking goaded .
Speaker 3This tier really has our society degraded so much that this is what counts as S-tier . Does nobody remember 2015 , when there was a new TLS attack coming out every month ? I won't deny it's better than SSLv2 , but S-tier should be reserved for things that created a revolution in cryptography .
Speaker 1Brink of a revolution . You wouldn't even put Diffie Hellman in S-tier . How is TLS not the foundation of the web revolution ?
Speaker 2Just put it in S-tier Barack Don't give him a chance . He'll talk your fucking ear off . And besides , the only revolution he knows about was January 6th .
Speaker 3Shut up sleepy Joe . I'll tell you exactly how not . It may be used for HTTPS , but that's the only reason it's popular Cryptographic agility was a terrible decision . It isn't until TLS 1.3 that they even bothered to define the groups for key agreement in advance . Who wants to waste a round trip just to pick a prime number that might be backdoor ?
Speaker 2I'll take .
Speaker 1The protocol has evolved over time . Tls 1.3 could be considered a whole entry on its own .
Speaker 2Yeah , how come SSLV2 gets its own entry in the tier list but TLS 1.3 doesn't ? What the hell , barack ?
Speaker 3The only people who run TLS 1.3 are liberal big tech and they use zero RTT to push their fake news even faster . No one else implements it .
Speaker 2Skill issue .
Speaker 1Fine . Tls did have a rough time , but I think we landed in a good place with TLS 1.3 . I'll move it down to A-tier .
Speaker 2I can't believe . Tls is fucking A-tier .
Speaker 3Deal with it , sleepy Joe .
Speaker 2Screw you Donald .
Speaker 1Okay , SSH , this one should be another easy S tier .
Speaker 2I agree , but I'm sure Donald is going to come in with some contrarian bullshit .
Speaker 3SSHv2 was the only protocol designed in the 90s that wasn't pure scum . I agree it's S ? Tier .
Speaker 1Holy shit , we agreed on something . Let's keep this moving with some VPN protocols . How do we feel about IPsec ?
Speaker 2I've been deploying IPsec VPNs for years . It's a secure way to bridge your on-prem and cloud networks .
Speaker 1Wait , you do network security architecture consulting .
Speaker 3Yeah , and I don't know why he does . Sleepy Joe's network diagrams are going to ruin this country and your networks will be overrun with crime . Everyone knows IPsec is a dog shit protocol .
Speaker 1IPsec is very complicated compared to a more modern VPN like WireGuard .
Speaker 2WireGuard . Are you kidding me ? No one can deploy anything beyond a simple point-to-point WireGuard network without using tail scale , unless you have a full-blown network platform team like Flyio .
Speaker 3That's true , sleepy .
Speaker 1Joe Fine , IPsec is C tier and WireGuard is A tier .
Speaker 2I can't believe you would do this to me , Brock .
Speaker 1Can we just rank the noise protocol framework ?
Speaker 3It's easy to make a protocol framework secure if you leave out key distribution . I would rather roll my own protocol with Libsodium than pretend I'm using noise .
Speaker 1You shouldn't roll your own crypto , Donald .
Speaker 3I'm not rolling my own crypto . I'm using Libsodium .
Speaker 2I've never heard of the noise protocol framework .
Speaker 1How have you heard of WireGuard and not noise ? Wireguard uses noise under the hood .
Speaker 3Nothing uses noise under the hood . It's all custom variants .
Speaker 1That's the point , Donald . It's a protocol framework , not a protocol implementation or specification .
Speaker 3That's fucking useless Obama .
Speaker 1It popularized triple-diffie-helmin and can provide authentication without needing signatures , and many systems have other mechanisms for key distribution , like an IDP .
Speaker 3It's a B tier framework that sidesteps the hard problems .
Speaker 2What's a protocol framework , Donald ?
Speaker 1Shut up , joe . Ugh , fine , I'll put it in B tier , even though that feels mean to Trevor Perrin . Next up are AES , gcm and ChaCha Polly .
Speaker 3GCM is trash ChaCha all the way .
Speaker 1Of course you'd say that , donald , you're such a DJB stan .
Speaker 2I thought his initials were DJT Donald J Trump .
Speaker 1No , Joe , that doesn't make any sense . You can't stan yourself .
Speaker 3I can , because I am the best and I am always winning .
Speaker 2How come you lost the election to me , then , donald .
Speaker 3You stole all the votes in Michigan . Nothing can be done to cure that giant scam now .
Speaker 1Loser . Shut up you two . Aes GCM is good when you have hardware support . Chacha is good when you need to encrypt in software .
Speaker 3Fuck you , Obama . Gcm is a trash AEAD and it's vulnerable to nonce collision attacks .
Speaker 1So is ChaCha you idiot
Ranking Cryptographic Concepts and Algorithms
Speaker 1. I'm ranking both B tier because they involve caller managed nonces .
Speaker 2I just use a counter .
Speaker 1Of course you do sleepy , Joe Donald , weren't you just complaining about the birthday bound ? Shouldn't you prefer counter based systems ? I never said that Fake news . God damn it , not this again . Would , you just shut up man Winning . We're moving on to hash functions .
Speaker 3Dank Biden knows all about the good hash .
Speaker 1That's right , I'm fucking lit , Joe . You gotta share that with me . Anyway , first one up is MD5 . This is an easy considered harmful . It's literally in the name of the paper .
Speaker 3Remember when they used all those PS3 to calculate a hash collision of a root CA .
Speaker 2That was totally dope . Also , I love the PS3 .
Speaker 3Me too . Joe Want to play . Journey later .
Speaker 1You can't pick who you play Journey with . That's the whole point of the game .
Speaker 3Joe can watch me play it .
Speaker 2Yeah , Barack , we can switch off .
Speaker 1If we're playing PS3 , I want to play the Last of Us .
Speaker 3You're just bandwagoning because of the TV show .
Speaker 1Fuck you , Donald . Also , what the fuck does any of this have to do with MD5 ?
Speaker 3Why are we even bothering with MD5 ? It's a total fraud , a bigger fraud than Biden winning the election .
Speaker 1Skill issue . Donald , stop saying that .
Speaker 3SHA-1 is also a total fraud .
Speaker 2There's online tools to collide PDFs . It's even weaker than Trump's wall .
Speaker 1Donald should have hired the team behind SHA-2 to build his wall . Maybe then it'd be collision resistant .
Speaker 3No , I should have hired DJB to make my wall , because the only hash function I trust is SIPHASH . Attacks only get better , and if SHA-1 is broken , then SHA-2 and SHA-3 must be next .
Speaker 1That's not how attacks work , donald . Sha-1 , 2 , and 3 are completely different things , and SIPHASH isn't even on our list . Stop bringing DJB into this .
Speaker 3NIST backdoors , all the standards . I don't want anything that came out of a NIST competition . I told Rick Perry to cut NIST but he forgot what department they were in .
Speaker 2NIST competitions grow the economy Benefits everybody , hurts nobody .
Speaker 1Oh fuck , I forgot about Rick Perry . I'm a total idiot .
Speaker 2We have to ignore this clown . Obama's SHA-2 is clearly S-tier .
Speaker 1Agreed . What about SHA-3 ? There's a SHA-3 ? Yes , joe , there's a SHA-3 . It's a sponge-based construction .
Speaker 3Moon math . I don't trust it .
Speaker 1Sounds like a skill issue .
Speaker 2What is a sponge construction ?
Speaker 1It's good for making duplex objects but to be honest , there's not a big reason to not just use SHA-2 for regular hashing . I'm putting it in B-tier Since nobody knows what a duplex object is except me . I'm putting them in A-tier Because they're amazing , but I'm not sure if they're quantum resistant .
Speaker 3Quantum computers aren't real . They're fake news .
Speaker 2Isn't quantum for key distribution .
Speaker 3Quantum key distribution isn't real sleepy Joe .
Speaker 1Donald's right about quantum key distribution . It's a scam . Let's move on to some signatures . How do we want to rank DSA and ECDSA ?
Speaker 2I don't see the point of DSA when you have RSA .
Speaker 3RSA . Joe , are you so out of touch ? You think we should still sign with RSA ?
Speaker 1We already ranked RSA Donald . But if you can't handle RSA signatures , I've got bad news for you about the WebPKI .
Speaker 3I don't care about the failing WebPKI Obama , but DSA is D-tier shit . It wasn't useful until DJB invented elliptic curves .
Speaker 1DJB didn't invent elliptic curves , it was Koblets and Miller .
Speaker 3Never heard of them .
Speaker 2Elliptic curves are just too complicated .
Speaker 1Skill issue . I'm putting DSA and C-tier and ECDSA and A-tier .
Speaker 3I'll allow DSA and C-tier because of its impact , but what are you smoking that ? You think ECDSA is A-tier ? Do you just expect everybody to special case points being added to themselves in addition and yet somehow still be constant time ? Did you hear that , people ? You think special cases are still constant time ? Edwards , curves are so much better . Ecdsa is B-tier at best .
Speaker 1That may have been true in the 2000s , but we have complete formulas for the NIST curves now , with no special cases .
Speaker 3Yeah , and they work by converting the loser NIST curves to them , to Edwards representations .
Speaker 1Okay , fine , ecdsa is B-tier , but since no goddamn ED-25519 libraries can interoperate with each other on the edge cases , I keeping ED-DSA at B-tier as well .
Speaker 3I'll allow it so long as you make Curve 25519 .
Speaker 1S-tier . If Curve 25519 is S-tier , how come everybody has to copy Adam Langley's implementation everywhere ?
Speaker 2Who's Adam Langley ? Is he the guy from Maroon 5 that looks like a Chipotle bag ?
Speaker 1No , that's Adam Lambert . Agl is a cryptographer at Google .
Speaker 3Want to get Chipotle later , Joe .
Speaker 2Oh , fuck , yeah , that sounds awesome , donald Obama , hurry up with the tier list . Donnie and I are going to get Chipotle .
Speaker 1God damn it . I'm not the one holding everything up . I'm putting Curve 25519 in A-tier because of the library and API issues and I'm putting the double odd curves in S-tier because they're clearly better than 25519 .
Speaker 3No one takes those double odd curves seriously . But whatever , I'm beyond caring about your terrible tier list .
Speaker 1I don't know why I agreed to do this either , but we're here and we're going to finish it . Next up is Restretto .
Speaker 2If you need a prime order group , why don't you just take the integers mod P ?
Speaker 1That's order P minus one Joe .
Speaker 3Restretto is great because it lets you bridge Curve 25519 , the best curve to cryptocurrency protocols that use zero knowledge proofs .
Speaker 1I'm not sure I care about the cryptocurrency use case that much , but I agree Restretto is very good at what it does , and Joe already showed us it's easy to fuck this up . I think this is a great example of do one thing and do it well . Let's put it in S tier .
Speaker 3You just want to rank it higher than curve 25519 to fuck with me . But if that's what it takes to get some acknowledgement of all the developments in cryptography that have been driven by investment in cryptocurrency , I'm fine with it .
Speaker 1Okay , moving on . Next up is dual EC .
Speaker 3Backdoor . Dual EC is backdoor .
Speaker 2We don't know that it's backdoor .
Speaker 1I mean , we basically do , joe . Did you read the intelligence brief ? Ask me about it . On signal , I'm putting dual EC and backdoor . Next up is devu random for generating random numbers . Backdoor Backdoor . It's not fucking backdoor , donald . The implementation is open source .
Speaker 2What if the entropy pool hasn't been fully initialized yet ? Remember all those keys Nadia factored using GCD back in 2012 ? Joe Biden remembers .
Speaker 1Backdoor , backdoor . Shut the fuck up , donald . Backdoor Joe . Sounds like you're making the case for get random , which fixes the initialization blocking issue with you random .
Speaker 2Yeah , openbsd has this right from the start .
Speaker 3Shut up , joe . Theo might hear you , and then we'll have to invite him to Chipotle .
Speaker 1Can I come to Chipotle ?
Speaker 3No , obama , you have Ligma .
Speaker 1I do not have Ligma Ligma balls . Sleepy Joe gets it . Fuck both of you . I'm putting you random in B tier and get random in S tier . Looks like B Crypt and S Crypt are next .
Speaker 3I know you don't respect law and order , but if shut 2 is S tier , then B Crypt also should be S tier .
Speaker 1Finally , Donald says something reasonable . How else are you going to hash passwords ?
Speaker 2You're supposed to hash passwords .
Speaker 3Not if you use email to sign in . Joe .
Speaker 2I always just reset my password because I can't remember it .
Speaker 1I'm putting S Crypt in B tier because no one actually needs a memory hard hash .
Speaker 3What about Dogecoin ?
Speaker 1Donald , I know you're an Elon stand , but Dogecoin is fucking stupid .
Speaker 3Not , it's fucking goaded .
Speaker 2It has a picture of a Shiba Inu . It's fucking goaded .
Speaker 1Not fucking saying fucking goaded . Can we just finish this tier list ?
Speaker 2It doesn't matter . I still agree that Snarks are Moon Math .
Speaker 3That's not what he said , Sleepy Joe .
Speaker 1Actually , you know what ? I don't understand any of this . Zero knowledge crap . If anything is Moon Math , it's Snarks .
Speaker 2I agree . Anything with an elliptic curve is Moon Math .
Speaker 1Let's skip ZK Snarks and Bullet Proofs . That leaves us with ECB and X509 .
Speaker 2ECB is the one with the penguins right . It's the worst of the cipher modes .
Speaker 3Finally , Sleepy Joe says something I can agree with ECB and Considered Harmful .
Speaker 1Done . That leaves us with X509 .
Speaker 2Trash , trash .
Speaker 1Trash X509 . It's Considered Harmful . All right , fellas , we did it . We completed the tier list . We're done .
Speaker 3We did it , Joe . Let's go get Chipotle while my Minecraft is updating .
Speaker 2Yeah , let's do it , donald . See you later Obama .