3DES has been broken for a decade. Nice job putting it all together though.
tptacek•1h ago
It has? What exactly do you mean by that?
zxcvasd•57m ago
if i were to guess, they are referring to CVE-2016-2183, which lead to deprecation of 3DES by NIST in 2019 (announced in 2017) and disallowing all uses in 2023. openssl also stopped including it in default builds starting in 2016 because it is considered weak.
tptacek•45m ago
This is Sweet32, an attack on any block cipher with an 8-byte block size. We don't consider those ciphers "broken"; they just can't be used safely in some common modes. You shouldn't use 3DES or IDEA or Blowfish, of course, but I don't think they're considered "broken", not in the same sense that, say, RC4 is.
tialaramex•13m ago
It's true that 64 bits was known not to be enough when DES shipped decades ago, but there is some difference between "We know that's a bad idea" and a demo showing why, and so I think I'm OK with the word "broken" in that context.
There's a reason POCs matter right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.
1970-01-01•2m ago
It means you should not use it for anything important, because it can be decrypted by the public with little effort. If you look back, it has been this way for quite awhile. Start here: https://nvd.nist.gov/vuln/detail/cve-2016-2183
arkwin•1h ago
Looks awesome! I see some Flipper Zero apps were already created. When will you be releasing this for the Chameleon? Also, any plans to port this over to the Proxmark?
noproto•1h ago
All of the attacks are released for the three platforms (Proxmark3, Flipper Zero, and Chameleon Ultra). Our goal was day 1 support for RFID testing devices.
1970-01-01•1h ago
tptacek•1h ago
zxcvasd•57m ago
tptacek•45m ago
tialaramex•13m ago
There's a reason POCs matter right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.
1970-01-01•2m ago