Security Cryptography Whatever
Security Cryptography Whatever
Cryptography Tier List
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
(NSFW) Three AI-generated guests rank cryptography things into a tier list. Play along at home and make your own tier list: https://tiermaker.com/create/cryptography-15683166
This episode is definitely not safe for work and definitely a parody. Do not base your decision in the 2024 election off of this podcast episode. No campaigns have endorsed this podcast.
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
All right, guys, let's do this. We all ready for a cryptography tier list?
Speaker 2Yeah, let's fucking do this.
Speaker 3Obama, this is a bad idea. Bad idea. But people are saying I'm the best at tier lists, so let's go.
Speaker 1Okay, we're starting with some classic algorithms. First up is the Caesar cipher.
Speaker 3If the Caesar cipher is so great, how come he got stabbed? I like people that don't get stabbed.
Speaker 2Leave Brutus out of this. Donald the Caesar cipher was a great innovation for its time and accomplished its goal of securing communication between Caesar and his generals.
Speaker 1I don't know, joe. It is just a fixed key substitution cipher after all.
Speaker 3It's backdoored.
Speaker 1It is not backdoored, it's just lame.
Speaker 2The Caesar cipher is not for computers, it's for regular, hardworking Americans.
Speaker 3Sleepy Joe is so old he only likes the ciphers that don't require computers.
Speaker 2Fuck you, Donald. Let's see you try to defeat the Huns.
Speaker 1Shut up, you two. I'm marking it as considered harmful, and that's that. Next up is a similar one, the Visionaire cipher. That wasn't actually invented by Visionaire, that's right, it was invented by an Italian.
Speaker 3I don't care. They're all losers and suckers. It's a dog shit. Cipher defeated by frequency analysis.
Speaker 2You can't deny it's better than the basic Caesar cipher Donald.
Speaker 1I'm tired of talking about all this stuff from before Claude Shannon was even born. I'm putting it in C, tier one, above the Caesar cipher. Let's get to some more modern ciphers like DES.
Speaker 3DES is dog shit. It was backdoored by GCHQ.
Speaker 1What the fuck Donald GCHQ? Make DES stronger by editing it to be resistant to differential cryptanalysis years before the existence of differential cryptanalysis was declassified.
Speaker 2He's absolutely right, donald, I was there.
Speaker 1Wait, how old are you?
Speaker 3You can't honestly be telling me you're using DES. It only has 64-bit blocks. Even if the S-boxes weren't dog shit, the whole thing is too close to the birthday. Bound on modern connections.
Speaker 2Whose birthday is it?
Speaker 1It's not anybody's birthday.
Speaker 2Trump said it was close to someone's birthday. No, he didn't.
Speaker 3Of course, obama likes DES, he bailed out the banks, and all the banks used 3DS.
Speaker 1If the banks used better cryptography, maybe I wouldn't have had to bail them out. Ds was impressive at the time, but it is a bad choice in modern times. I'm marking it as considered harmful. How about Diffie Hellman? New directions in cryptography? Seems like an easy S tier.
Speaker 3Wrong the S-boxes. Split out the elliptic curve Diffie Hellman and the finite field Diffie Hellman. Finite field Diffie Hellman was not a good deal. Elliptic curves are a better deal.
Speaker 2What the hell is he talking about?
Speaker 1Fine, we can drop finite field Diffie Hellman to A tier. Next up is RSA S tier.
Speaker 3Sleepy Joe is so old he still thinks RSA is a good idea. Have you ever tried padding an RSA ciphertext, Joe, RSA is C tier at best.
Speaker 2You set the padding bytes to the number of bytes. This is that simple.
Speaker 3Pkcs my ass, sleepy Joe.
Speaker 1Would you cut it out, you two? Rsa certainly is impactful, but we really should have listened to Rogue in the 90s about Pkcs versus OEAP.
Speaker 3Blickenbacker is going to fuck you up, Sleepy Joe.
Speaker 2Anyone can tell you not to use E equals three Donald.
Speaker 3No, the other Blickenbacker.
Speaker 1There are a lot of Blickenbacker attacks. I can't keep track of them all.
Speaker 3C tier.
Speaker 1S tier. I'm splitting the difference and putting it B tier, even though Shamir and Koblets are both going to kill me. This is crap. Shut up, Joe. Okay, next up is Blowfish.
Speaker 3Blowfish. We're talking about Blowfish.
Speaker 2Is that the porn star you slept with?
Speaker 3You just hate me because I'm cool and rich and you're old, Sleepy Joe.
Speaker 1It's a cipher from Schneier.
Speaker 2Didn't he come to the White House when you and I were president?
Speaker 1I don't know, probably he just does policy now.
Speaker 3I can't believe this cipher is even here. It was cool for two minutes in the 90s.
Speaker 2Like Oasis.
Speaker 3Sleepy Joe gets it.
Speaker 1Yeah, it was fine, but there's really no reason to use it these days. C tier the RC4 stream cipher is next. That should be an easy considered harmful.
Speaker 3Good call Obama. Rc4 is totally broken. If you use RC4, china can read all your plaintext like they have a golden key.
Speaker 2Trump knows all about golden streams. Ha good one, joe.
Speaker 1Thanks Obama. Okay, aes should be an easy S tier.
Speaker 3What the fuck Obama? Aes is too underspecified to be S? Tier. To do anything with it, you have to use a fancy cipher mode. It doesn't work out of the box like the ciphers from DJB.
Speaker 2Who is DJB?
Speaker 3He's the best cryptographer.
Speaker 1Why are we talking about DJB? I've never heard of him. Everyone has heard of DJB, but I don't think we should be putting him on a pedestal. He said some crazy shit and hangs out with bad people.
Speaker 2Like Trump's mom.
Speaker 1Exactly Joe.
Speaker 3What the fuck Obama.
Speaker 1Be quiet, Donald. I dare to say AES needs to be used in the proper mode to be safe. I think that's more NIST's fault, but I'll put it in A tier. Speaking of modes, CBC is up next.
Speaker 2CBC is all you need to encrypt as much as you want.
Speaker 3Once again, Sleepy Joe doesn't understand how to implement secure padding. Are you really using CBC mode, Joe?
Speaker 2You can do random access decryption. What's not to like?
Speaker 3What's not to like. It's called padding oracles Joe.
Speaker 1Skill issue. I agree with Trump. We have better options these days, Joe.
Speaker 2H-Mac the ciphertext and it's all fine.
Speaker 1No one does that. Everyone does Mac than encrypt who?
Speaker 2does Mac than encrypt.
Speaker 3TLS. Does that, joe? That's why it's dog shit. Remember Poodle.
Speaker 2Shut the fuck up, Donald. Wait, what do dogs have to do with this?
Speaker 1Both of you shut the fuck up. Cbc is C tier.
Speaker 2Trump said there was a Poodle.
Speaker 1Poodle is a padding oracle attack on CBC mode in SSLv3. Then, where is the dog?
Speaker 3Obama is hiding the dog.
Speaker 1No, I'm not. What the fuck are you two talking about? I'm moving on. H-mac is up next.
Speaker 2That shit is S tier for sure.
Speaker 3Sleepy Joe, have you never heard of an AEAD? I bet this guy has never heard of an AEAD. What are you using H-Mac for?
Speaker 1Donald has a point H-Mac is great, but you don't need to use it. If you're able to use an AEAD like AES, gcm, I'll knock it down to A tier. H-mac is core to.
Speaker 2Kim Dem Brock.
Speaker 1Everyone stopped using Kems until we got to post quantum cryptography. Joe.
Speaker 3Joe is so old he's still using an abacus 64K of RAM should be enough for anybody.
Speaker 1Speaking of old stuff, we've got SSLv2 up next.
Speaker 2What happened to SSLv1?
Speaker 1Well, Joe, you'd have to ask Marc Andreessen that.
Speaker 3I'll ask Peter Thiel.
Speaker 1What? Why, would you ask Peter Thiel? He wasn't at Netscape in the 90s.
Speaker 2I was in Wilmington in the 90s.
Speaker 3He's my favorite venture capitalist.
Speaker 1This doesn't have to do with VCs or A16Z. This is about Netscape.
Speaker 2I got Netscape off my AOL CDs. Does anyone need minutes?
Speaker 1Minutes. How do you still have minutes?
Speaker 2I bought 40 years worth of minutes in 98, and I'm still working through them.
Speaker 1I can't believe this. I'm putting SSLv2 in considered harmful because its handshake is vulnerable to MITM.
Speaker 3Those third-rate developers at the fake news organization OpenSSL left it enabled by default for too long and gave us drown. Sslv2 is a garbage protocol.
Speaker 2OpenSSL has done more for encrypted communications than any other software package in the world.
Speaker 3Remember Heartbleed sleepy Joe, Disastrous, gross incompetence, worst library ever.
Speaker 2After Heartbleed we were able to get them funding and they really improved the quality. We're building back better.
Speaker 1That's true, but OpenSSL 3.0 has been a mess. Anyway, I'm putting SSLv2 in considered harmful in TLS and S-tier it's goaded.
Speaker 2I agree, tls is fucking goaded.
Speaker 3This tier really has our society degraded so much that this is what counts as S-tier. Does nobody remember 2015, when there was a new TLS attack coming out every month? I won't deny it's better than SSLv2, but S-tier should be reserved for things that created a revolution in cryptography.
Speaker 1Brink of a revolution. You wouldn't even put Diffie Hellman in S-tier. How is TLS not the foundation of the web revolution?
Speaker 2Just put it in S-tier Barack Don't give him a chance. He'll talk your fucking ear off. And besides, the only revolution he knows about was January 6th.
Speaker 3Shut up sleepy Joe. I'll tell you exactly how not. It may be used for HTTPS, but that's the only reason it's popular Cryptographic agility was a terrible decision. It isn't until TLS 1.3 that they even bothered to define the groups for key agreement in advance. Who wants to waste a round trip just to pick a prime number that might be backdoor?
Speaker 2I'll take.
Speaker 1The protocol has evolved over time. Tls 1.3 could be considered a whole entry on its own.
Speaker 2Yeah, how come SSLV2 gets its own entry in the tier list but TLS 1.3 doesn't? What the hell, barack?
Speaker 3The only people who run TLS 1.3 are liberal big tech and they use zero RTT to push their fake news even faster. No one else implements it.
Speaker 2Skill issue.
Speaker 1Fine. Tls did have a rough time, but I think we landed in a good place with TLS 1.3. I'll move it down to A-tier.
Speaker 2I can't believe. Tls is fucking A-tier.
Speaker 3Deal with it, sleepy Joe.
Speaker 2Screw you Donald.
Speaker 1Okay, SSH, this one should be another easy S tier.
Speaker 2I agree, but I'm sure Donald is going to come in with some contrarian bullshit.
Speaker 3SSHv2 was the only protocol designed in the 90s that wasn't pure scum. I agree it's S? Tier.
Speaker 1Holy shit, we agreed on something. Let's keep this moving with some VPN protocols. How do we feel about IPsec?
Speaker 2I've been deploying IPsec VPNs for years. It's a secure way to bridge your on-prem and cloud networks.
Speaker 1Wait, you do network security architecture consulting.
Speaker 3Yeah, and I don't know why he does. Sleepy Joe's network diagrams are going to ruin this country and your networks will be overrun with crime. Everyone knows IPsec is a dog shit protocol.
Speaker 1IPsec is very complicated compared to a more modern VPN like WireGuard.
Speaker 2WireGuard. Are you kidding me? No one can deploy anything beyond a simple point-to-point WireGuard network without using tail scale, unless you have a full-blown network platform team like Flyio.
Speaker 3That's true, sleepy.
Speaker 1Joe Fine, IPsec is C tier and WireGuard is A tier.
Speaker 2I can't believe you would do this to me, Brock.
Speaker 1Can we just rank the noise protocol framework?
Speaker 3It's easy to make a protocol framework secure if you leave out key distribution. I would rather roll my own protocol with Libsodium than pretend I'm using noise.
Speaker 1You shouldn't roll your own crypto, Donald.
Speaker 3I'm not rolling my own crypto. I'm using Libsodium.
Speaker 2I've never heard of the noise protocol framework.
Speaker 1How have you heard of WireGuard and not noise? Wireguard uses noise under the hood.
Speaker 3Nothing uses noise under the hood. It's all custom variants.
Speaker 1That's the point, Donald. It's a protocol framework, not a protocol implementation or specification.
Speaker 3That's fucking useless Obama.
Speaker 1It popularized triple-diffie-helmin and can provide authentication without needing signatures, and many systems have other mechanisms for key distribution, like an IDP.
Speaker 3It's a B tier framework that sidesteps the hard problems.
Speaker 2What's a protocol framework, Donald?
Speaker 1Shut up, joe. Ugh, fine, I'll put it in B tier, even though that feels mean to Trevor Perrin. Next up are AES, gcm and ChaCha Polly.
Speaker 3GCM is trash ChaCha all the way.
Speaker 1Of course you'd say that, donald, you're such a DJB stan.
Speaker 2I thought his initials were DJT Donald J Trump.
Speaker 1No, Joe, that doesn't make any sense. You can't stan yourself.
Speaker 3I can, because I am the best and I am always winning.
Speaker 2How come you lost the election to me, then, donald.
Speaker 3You stole all the votes in Michigan. Nothing can be done to cure that giant scam now.
Speaker 1Loser. Shut up you two. Aes GCM is good when you have hardware support. Chacha is good when you need to encrypt in software.
Speaker 3Fuck you, Obama. Gcm is a trash AEAD and it's vulnerable to nonce collision attacks.
Ranking Cryptographic Concepts and Algorithms
Speaker 1So is ChaCha you idiot. I'm ranking both B tier because they involve caller managed nonces.
Speaker 2I just use a counter.
Speaker 1Of course you do sleepy, Joe Donald, weren't you just complaining about the birthday bound? Shouldn't you prefer counter based systems? I never said that Fake news. God damn it, not this again. Would, you just shut up man Winning. We're moving on to hash functions.
Speaker 3Dank Biden knows all about the good hash.
Speaker 1That's right, I'm fucking lit, Joe. You gotta share that with me. Anyway, first one up is MD5. This is an easy considered harmful. It's literally in the name of the paper.
Speaker 3Remember when they used all those PS3 to calculate a hash collision of a root CA.
Speaker 2That was totally dope. Also, I love the PS3.
Speaker 3Me too. Joe Want to play. Journey later.
Speaker 1You can't pick who you play Journey with. That's the whole point of the game.
Speaker 3Joe can watch me play it.
Speaker 2Yeah, Barack, we can switch off.
Speaker 1If we're playing PS3, I want to play the Last of Us.
Speaker 3You're just bandwagoning because of the TV show.
Speaker 1Fuck you, Donald. Also, what the fuck does any of this have to do with MD5?
Speaker 3Why are we even bothering with MD5? It's a total fraud, a bigger fraud than Biden winning the election.
Speaker 1Skill issue. Donald, stop saying that.
Speaker 3SHA-1 is also a total fraud.
Speaker 2There's online tools to collide PDFs. It's even weaker than Trump's wall.
Speaker 1Donald should have hired the team behind SHA-2 to build his wall. Maybe then it'd be collision resistant.
Speaker 3No, I should have hired DJB to make my wall, because the only hash function I trust is SIPHASH. Attacks only get better, and if SHA-1 is broken, then SHA-2 and SHA-3 must be next.
Speaker 1That's not how attacks work, donald. Sha-1, 2, and 3 are completely different things, and SIPHASH isn't even on our list. Stop bringing DJB into this.
Speaker 3NIST backdoors, all the standards. I don't want anything that came out of a NIST competition. I told Rick Perry to cut NIST but he forgot what department they were in.
Speaker 2NIST competitions grow the economy Benefits everybody, hurts nobody.
Speaker 1Oh fuck, I forgot about Rick Perry. I'm a total idiot.
Speaker 2We have to ignore this clown. Obama's SHA-2 is clearly S-tier.
Speaker 1Agreed. What about SHA-3? There's a SHA-3? Yes, joe, there's a SHA-3. It's a sponge-based construction.
Speaker 3Moon math. I don't trust it.
Speaker 1Sounds like a skill issue.
Speaker 2What is a sponge construction?
Speaker 1It's good for making duplex objects but to be honest, there's not a big reason to not just use SHA-2 for regular hashing. I'm putting it in B-tier Since nobody knows what a duplex object is except me. I'm putting them in A-tier Because they're amazing, but I'm not sure if they're quantum resistant.
Speaker 3Quantum computers aren't real. They're fake news.
Speaker 2Isn't quantum for key distribution.
Speaker 3Quantum key distribution isn't real sleepy Joe.
Speaker 1Donald's right about quantum key distribution. It's a scam. Let's move on to some signatures. How do we want to rank DSA and ECDSA?
Speaker 2I don't see the point of DSA when you have RSA.
Speaker 3RSA. Joe, are you so out of touch? You think we should still sign with RSA?
Speaker 1We already ranked RSA Donald. But if you can't handle RSA signatures, I've got bad news for you about the WebPKI.
Speaker 3I don't care about the failing WebPKI Obama, but DSA is D-tier shit. It wasn't useful until DJB invented elliptic curves.
Speaker 1DJB didn't invent elliptic curves, it was Koblets and Miller.
Speaker 3Never heard of them.
Speaker 2Elliptic curves are just too complicated.
Speaker 1Skill issue. I'm putting DSA and C-tier and ECDSA and A-tier.
Speaker 3I'll allow DSA and C-tier because of its impact, but what are you smoking that? You think ECDSA is A-tier? Do you just expect everybody to special case points being added to themselves in addition and yet somehow still be constant time? Did you hear that, people? You think special cases are still constant time? Edwards, curves are so much better. Ecdsa is B-tier at best.
Speaker 1That may have been true in the 2000s, but we have complete formulas for the NIST curves now, with no special cases.
Speaker 3Yeah, and they work by converting the loser NIST curves to them, to Edwards representations.
Speaker 1Okay, fine, ecdsa is B-tier, but since no goddamn ED-25519 libraries can interoperate with each other on the edge cases, I keeping ED-DSA at B-tier as well.
Speaker 3I'll allow it so long as you make Curve 25519.
Speaker 1S-tier. If Curve 25519 is S-tier, how come everybody has to copy Adam Langley's implementation everywhere?
Speaker 2Who's Adam Langley? Is he the guy from Maroon 5 that looks like a Chipotle bag?
Speaker 1No, that's Adam Lambert. Agl is a cryptographer at Google.
Speaker 3Want to get Chipotle later, Joe.
Speaker 2Oh, fuck, yeah, that sounds awesome, donald Obama, hurry up with the tier list. Donnie and I are going to get Chipotle.
Speaker 1God damn it. I'm not the one holding everything up. I'm putting Curve 25519 in A-tier because of the library and API issues and I'm putting the double odd curves in S-tier because they're clearly better than 25519.
Speaker 3No one takes those double odd curves seriously. But whatever, I'm beyond caring about your terrible tier list.
Speaker 1I don't know why I agreed to do this either, but we're here and we're going to finish it. Next up is Restretto.
Speaker 2If you need a prime order group, why don't you just take the integers mod P?
Speaker 1That's order P minus one Joe.
Speaker 3Restretto is great because it lets you bridge Curve 25519, the best curve to cryptocurrency protocols that use zero knowledge proofs.
Speaker 1I'm not sure I care about the cryptocurrency use case that much, but I agree Restretto is very good at what it does, and Joe already showed us it's easy to fuck this up. I think this is a great example of do one thing and do it well. Let's put it in S tier.
Speaker 3You just want to rank it higher than curve 25519 to fuck with me. But if that's what it takes to get some acknowledgement of all the developments in cryptography that have been driven by investment in cryptocurrency, I'm fine with it.
Speaker 1Okay, moving on. Next up is dual EC.
Speaker 3Backdoor. Dual EC is backdoor.
Speaker 2We don't know that it's backdoor.
Speaker 1I mean, we basically do, joe. Did you read the intelligence brief? Ask me about it. On signal, I'm putting dual EC and backdoor. Next up is devu random for generating random numbers. Backdoor Backdoor. It's not fucking backdoor, donald. The implementation is open source.
Speaker 2What if the entropy pool hasn't been fully initialized yet? Remember all those keys Nadia factored using GCD back in 2012? Joe Biden remembers.
Speaker 1Backdoor, backdoor. Shut the fuck up, donald. Backdoor Joe. Sounds like you're making the case for get random, which fixes the initialization blocking issue with you random.
Speaker 2Yeah, openbsd has this right from the start.
Speaker 3Shut up, joe. Theo might hear you, and then we'll have to invite him to Chipotle.
Speaker 1Can I come to Chipotle?
Speaker 3No, obama, you have Ligma.
Speaker 1I do not have Ligma Ligma balls. Sleepy Joe gets it. Fuck both of you. I'm putting you random in B tier and get random in S tier. Looks like B Crypt and S Crypt are next.
Speaker 3I know you don't respect law and order, but if shut 2 is S tier, then B Crypt also should be S tier.
Speaker 1Finally, Donald says something reasonable. How else are you going to hash passwords?
Speaker 2You're supposed to hash passwords.
Speaker 3Not if you use email to sign in. Joe.
Speaker 2I always just reset my password because I can't remember it.
Speaker 1I'm putting S Crypt in B tier because no one actually needs a memory hard hash.
Speaker 3What about Dogecoin?
Speaker 1Donald, I know you're an Elon stand, but Dogecoin is fucking stupid.
Speaker 3Not, it's fucking goaded.
Speaker 2It has a picture of a Shiba Inu. It's fucking goaded.
Speaker 1Not fucking saying fucking goaded. Can we just finish this tier list?
Speaker 2It doesn't matter. I still agree that Snarks are Moon Math.
Speaker 3That's not what he said, Sleepy Joe.
Speaker 1Actually, you know what? I don't understand any of this. Zero knowledge crap. If anything is Moon Math, it's Snarks.
Speaker 2I agree. Anything with an elliptic curve is Moon Math.
Speaker 1Let's skip ZK Snarks and Bullet Proofs. That leaves us with ECB and X509.
Speaker 2ECB is the one with the penguins right. It's the worst of the cipher modes.
Speaker 3Finally, Sleepy Joe says something I can agree with ECB and Considered Harmful.
Speaker 1Done. That leaves us with X509.
Speaker 2Trash, trash.
Speaker 1Trash X509. It's Considered Harmful. All right, fellas, we did it. We completed the tier list. We're done.
Speaker 3We did it, Joe. Let's go get Chipotle while my Minecraft is updating.
Speaker 2Yeah, let's do it, donald. See you later Obama.