CrypTweet: Strong Encryption for Twitter DMs

32 points by trib 14 years ago | 22 comments

It's been a while in the making, but this is well worth some attention.

I've been lucky enough to be an early tester on CrypTweet - http://plexusproject.org/ - a public-key based method for encryption of Twitter DMs.

A base version is now available on the site linked above. It works nicely out of the box, but is kind of raw - minimal functional set, and all that.

For anyone interested in this kind of thing, for any number of reasons, may I (mis)quote that great Australian music commentator, Ian "Molly" Meldrum, and suggest you do yourself a favor by checking CrypTweet out.

trib -- @trib about.me/trib

ctz 14 years ago |

- Website contains no details of the cryptography.

- Stores private key by: a) SHA384-ing your passphrase, and choosing a sub-sequence of the output depending on one bit of the output (this is poor for brute-force resistance compared to PB-KDF2), b) DES3 in CBC mode with a fixed IV and PKCS5 padding (insecure for CCA2 and providing no authenticity. This is vulnerable to recovery using the padding oracle attack).

- Messages are encrypted with RSA-PKCS1.5 in signing mode (in other words, RSASSA-PKCS1-v1_5, not RSAES-PKCS1-v1_5). That means messages are trivially recoverable through KPA.

So: don't use this for anything other than a toy. The crypto is misdesigned.

mpesce 14 years ago | |

This is awesome feedback. Thank you very much. Your comments are noted and will be reflected in the next revision.

ComputerGuru 14 years ago |

Are you serious? If you need secure messaging, surely you have other options than twitter?

Just copy and paste a PGP encrypted message to pastebin.ca and and tweet the link, if you must.

panza 14 years ago | |

The broader motivation is to bring crypto to services that people are using, not the other way round.

ZenPsycho 14 years ago | |

sure good idea. Oh wait I was just shot in the face while I was distracted staring at my phone for 20 minutes figuring out how to do that.

ilikepi 14 years ago | | |

Please describe a realistic scenario in which all of the following are true:

1) You are in imminent danger of being "shot in the face" or similarly harmed;

2) Your best means of salvation from (1) is communication via Twitter DM;

3) The absence of a means in which your message could be encrypted on the client side beyond the HTTPS connection to Twitter's servers would significantly increase the chance of (1).

This is a serious question.

sweis 14 years ago |

I just gave it a quick scan and found some issues: 1. PKCS1 verification looks vulnerable to a timing attack. 2. They're using plain RSA to encrypt message data without any padding like OAEP. This is not semantically secure. 3. They are not generating strong primes for RSA keys.

Hellblazer 14 years ago |

sweet jeebus. If you really need strong crypto for Twitter DM's, for god's sake just use PGP or GPG.

For the children.

ZenPsycho 14 years ago | |

I think you are discounting the level of thought and care that went into this. Meh, fail.

mjdwitt 14 years ago | | |

The level of care and thought put into creating a secure encryption scheme doesn't matter if the cryptography is broken. There's a reason you constantly hear cryptographers telling everyone to never invent their own crypto-systems; it's extremely difficult to do right.

dhx 14 years ago |

Assume for a moment that the implementation of the encryption and decryption processes are perfect. You've now completed the easiest part of the problem (to be very generous, let's call this 10% progress).

You still need to solve the problem of distributing public keys in a way that both parties can be sure they're receiving and sending messages from the correct entity. Do you trust all of the certification authorities that are automatically trusted in standard browser or operating system distributions? If not, how do you communicate public keys securely between two or more parties?

And how do you distribute the application and ensure that users aren't tricked into using a modified/backdoored version?

How do you ensure that users aren't tricked via a phishing attack into inadvertently handing over keys, downloading software from the attacker or otherwise compromising their own security?

If one party to a conversation is compromised, do you care if the identities and messages from other parties to the conversation become compromised as a flow-on effect?

How do you ensure that parties to a conversation are receiving all the messages sent -- is an adversary blocking random messages? Is an adversary reordering the delivery of messages to change the overall meaning of the conversation?

Have you carefully considered the implications of replay attacks?

Do you care if the system is leaking important side channel information such as the frequency of communication and time between responses?

Have you considered what users will resort to in the event that their communication method is deliberately denied? Will users fall back to a weaker method of communication? Will users tend to perform a Google search that returns a maliciously placed help/reference page that executes malware on their system?

Does the system have a means for users to expose the presence of an adversary that has compromised the system?

Algorithm implementations are just a minor (but still highly important) aspect of a full crypto system implementation.

noclip 14 years ago |

Why even bother breaking the crypto? They say right on the site that they use HTTP for public key retrieval so a MITM would simply serve up bogus public keys to the clients.

nickmerwin 14 years ago |

We built something very similar a couple years ago except all encryption/decryption is done broswer side, so no keys are ever sent through our server. Also, it uses actual tweets as opposed to DM's.

http://cryptwit.com

You can see an example here:

http://cryptwit.com/decrypt

Enter "yickster", then passphrase "hackernews"

dhx 14 years ago | |

Users need to verify the source code to cryptwit.com on every single page load to ensure that the "client side" code is not leaking the key/plaintext. There are many highly creative methods for leaking this information that would pass unnoticed through a quick code review. For this reason (amongst numerous others) the site is useless at best and harmful at worst (false sense of security for unsuspecting users).

m3owzers 14 years ago |

Nice initial attempt. Besides the encryption issues mentioned here, here's my suggestion. This needs to be built into a mobile twitter application (non-jailbreak), I use pgp encryption/decryption programs on my iPhone and they are fast. Also, you should allow the use of any key server that the user wants, as known public key server access can be blocked by a country.