Tiny Bytes: RSA
tldr RSA works by exploiting the fact we can’t easily factor 2 large prime numbers and group theory to make a trapdoor permutation, aka a function that turns x into y but y can’t easily be turned into x without a secret. However, implementing RSA gets tricky because there’s lots of subtle attacks.MathRSA takes advantage of the group Z^*_{n} (multiplicative group of integers modulo n). This is the non-negative integers less than n that have an inverse modulo n. 1 x 1 mod n = 1. 0 x int = 0 so ...
Tiny Bytes: Chilling
Hi, Just chilling tonight. Aiming to finish up chapter tomorrow. Night, Lucas
Tiny Bytes: Quickie
Hi, Did much more writing on RSA. Will finish soon. Bye, Lucas
Tiny Bytes: RSA
tldr RSA works by exploiting the fact we can’t easily factor 2 large prime numbers and group theory to make a trapdoor permutation, aka a function that turns x into y but y can’t easily be turned into x without a secret. However, implementing RSA gets tricky because there’s lots of subtle attacks.MathRSA takes advantage of the group Z^*_{n} (multiplicative group of integers modulo n). This is the non-negative integers less than n that have an inverse modulo n. 1 x 1 mod n = 1. 0 x int = 0 so ...
Tiny Bytes: Chilling
Hi, Just chilling tonight. Aiming to finish up chapter tomorrow. Night, Lucas
Tiny Bytes: Quickie
Hi, Did much more writing on RSA. Will finish soon. Bye, Lucas
Share Dialog
Share Dialog
Subscribe to ldnovak
Subscribe to ldnovak
<100 subscribers
<100 subscribers
Hey,
I wanted to think a bit about proving privacy. You can tell me your product maintains my privacy, but how I can I KNOW that your claims are true. If a VPN service says it won’t log any data and give you anonymity, how can one prove this? If your app says you won’t collect personal data, how can you prove this?
What inspired this post was a letter written by Rep Anna Eshoo and Senator Wyden to the FTC to manage privacy claims made by VPN. The letter asks the FTC to add government oversight to validate privacy claims made by VPN companies.
Auditing is used all the time for security. You need to audit your handling of sensitive health data. Security audits are the industry standard for validating a smart contract. Code is checked for bugs and vulnerabilities. NIST has competitions where everyone tries to break crypto schemes. The algorithms and libraries that no one finds holes in are the ones that people say are safe.
It seems like lots of people looking for issues and no one finding an issue is the best way to know something is secure. Then, when the best practices are known, validating that people are using the best practices.
I’d imagine that the same is/will be true for privacy. A quick search shows that there’s lots of services for getting privacy audits of your stack. Part of the requirements for crypto algorithms is their ability to preserve privacy.
From my (limited understanding) it feels that a lot of these privacy standards aren’t crazy. Especially with the rise of big data collection and analysis, there’s a lot of sophisticated ways that privacy could be broken. It’s not just about preventing Alice from reading my messages, it’s also about letting her see some analysis of the messages (e.g., see what was said but not when or to whom it was sent). This becomes a lot harder. We are working on ways to make this happen and audit the process. I just wish these kind of primitives and standards have been worked out.
I wonder what are other ways to prove privacy without auditing. Part of that may just have to be feel. There’s things you can know the app is bad. However, writing this down this is still a form of auditing. Someone makes a claim and people test if it is true.
I am curious on giving people a better feel of privacy. If I talk to a friend in my home, I know that it’s a conversation with just us. No one else is listening to track me or sell me products. Someone could put a bug in my house or hack one of my devices, but I don’t think I’m worth that effort.
Could we give people that kind of feel online. On this site with this browser on this device you should expect this information to be known. I think this would be really cool if it was intuitive.
Good night y’all,
Lucas
Hey,
I wanted to think a bit about proving privacy. You can tell me your product maintains my privacy, but how I can I KNOW that your claims are true. If a VPN service says it won’t log any data and give you anonymity, how can one prove this? If your app says you won’t collect personal data, how can you prove this?
What inspired this post was a letter written by Rep Anna Eshoo and Senator Wyden to the FTC to manage privacy claims made by VPN. The letter asks the FTC to add government oversight to validate privacy claims made by VPN companies.
Auditing is used all the time for security. You need to audit your handling of sensitive health data. Security audits are the industry standard for validating a smart contract. Code is checked for bugs and vulnerabilities. NIST has competitions where everyone tries to break crypto schemes. The algorithms and libraries that no one finds holes in are the ones that people say are safe.
It seems like lots of people looking for issues and no one finding an issue is the best way to know something is secure. Then, when the best practices are known, validating that people are using the best practices.
I’d imagine that the same is/will be true for privacy. A quick search shows that there’s lots of services for getting privacy audits of your stack. Part of the requirements for crypto algorithms is their ability to preserve privacy.
From my (limited understanding) it feels that a lot of these privacy standards aren’t crazy. Especially with the rise of big data collection and analysis, there’s a lot of sophisticated ways that privacy could be broken. It’s not just about preventing Alice from reading my messages, it’s also about letting her see some analysis of the messages (e.g., see what was said but not when or to whom it was sent). This becomes a lot harder. We are working on ways to make this happen and audit the process. I just wish these kind of primitives and standards have been worked out.
I wonder what are other ways to prove privacy without auditing. Part of that may just have to be feel. There’s things you can know the app is bad. However, writing this down this is still a form of auditing. Someone makes a claim and people test if it is true.
I am curious on giving people a better feel of privacy. If I talk to a friend in my home, I know that it’s a conversation with just us. No one else is listening to track me or sell me products. Someone could put a bug in my house or hack one of my devices, but I don’t think I’m worth that effort.
Could we give people that kind of feel online. On this site with this browser on this device you should expect this information to be known. I think this would be really cool if it was intuitive.
Good night y’all,
Lucas
No activity yet