In December 2013, a curator and archaeologist purchased an antique silk dress with an unusual feature: a hidden pocket that held two sheets of paper with mysterious coded text written on them. People have been trying to crack the code ever since, and someone finally succeeded: University of Manitoba data analyst Wayne Chan. He discovered that the text is actually coded telegraph messages describing the weather used by the US Army and (later) the weather bureau. Chan outlined all the details of his decryption in a paper published in the journal Cryptologia.
“When I first thought I cracked it, I did feel really excited,” Chan told the New York Times. “It is probably one of the most complex telegraphic codes that I’ve ever seen.”
Today we celebrate 80 years of Colossus, the code-breaking computer that played a pivotal role in WWII.
Today we have released a series of rare and never-before-seen images of Colossus, in celebration of the 80th anniversary of the code-breaking computer that played a pivotal role in the Second World War effort.
The Colossus computer was created during the Second World War to decipher critical strategic messages between the most senior German Generals in occupied Europe, but its existence was only revealed in the early 2000s after six decades of secrecy.
On Thursday, UK's Government Communications Headquarters (GCHQ) announced the release of previously unseen images and documents related to Colossus, one of the first digital computers. The release marks the 80th anniversary of the code-breaking machines that significantly aided the Allied forces during World War II. While some in the public knew of the computers earlier, the UK did not formally acknowledge the project's existence until the 2000s.
Colossus was not one computer but a series of computers developed by British scientists between 1943 and 1945. These 2-meter-tall electronic beasts played an instrumental role in breaking the Lorenz cipher, a code used for communications between high-ranking German officials in occupied Europe. The computers were said to have allowed allies to "read Hitler's mind," according to The Sydney Morning Herald. //
The technology behind Colossus was highly innovative for its time. Tommy Flowers, the engineer behind its construction, used over 2,500 vacuum tubes to create logic gates, a precursor to the semiconductor-based electronic circuits found in modern computers. While 1945's ENIAC was long considered the clear front-runner in digital computing, the revelation of Colossus' earlier existence repositioned it in computing history. (However, it's important to note that ENIAC was a general-purpose computer, and Colossus was not.)
Passkeys are an asymmetric key pair
Each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters. While they differ from each other, they do have a special relationship - one can decrypt messages that have been encrypted by the other. This feature can be used to verify a user and authenticate them.
The key pair is made up of a private key that’s kept securely on your device, inside a password manager supporting passkeys (also called a passkey provider), and a public key that’s stored on the website you are logging into. Your private key is secure and never leaves your device, and the password manager keeps it locked by biometrics, PIN, or a password. The public key, on the other hand, could be shared with the world, such as in the case of a website data breach, and your security wouldn't be compromised so long as the private key stays safe.
For storing rarely used secrets that should not be kept on a networked computer, it is convenient to print them on paper. However, ordinary barcodes can store not much more than 2000 octets of data, and in practice even such small amounts cannot be reliably read by widely used software (e.g. ZXing).
In this note I show a script for splitting small amounts of data across multiple barcodes and generating a printable document. Specifically, this script is limited to less than 7650 alphanumeric characters, such as from the Base-64 alphabet. It can be used for archiving Tarsnap keys, GPG keys, SSH keys, etc.
On Sun, Apr 04, 2021 at 10:37:47AM -0700, jerry wrote:
Ideas? Right now, I'm experimenting with printed barcodes.
You might be interested in:
https://lab.whitequark.org/notes/2016-08-24/archiving-cryptographic-secrets-on-paper/
which was written specifically for tarsnap keys.
Cheers,
- Graham Percival
An error as small as a single flipped memory bit is all it takes to expose a private key. //
Martin Blank Ars Tribunus Militum
gromett said:
I have read it twice and am still not entirely clear.
Does this affect OpenSSH? As I read it the answer is no?
As happens often in cryptographic attacks that at least start out as implementation-specific, the likely answer is "it is not currently known to affect other implementations." Cryptographic techniques always get cheaper, never more expensive, and it is difficult to guarantee that other implementations are not vulnerable through variations of this attack. //
bobo bobo said:
A link in this article, to a Wikipedia page on Man In the Middle attacks, is labeled as a "malory in the middle" attack. But, um, the Wikipedia page does not use the term "malory". I am confused by use of the word "malory".
Typo? Or am I missing something?
It's a less common use, but it's part of the movement in the IT industry to move away from sensitive terms (e.g., master/slave becoming primary/secondary or similar). I've also heard monster-in-the-middle and monkey-in-the-middle, but really, there are no suggested terms that roll off the tongue the way man-in-the-middle does while keeping the MitM shorthand. //
FabiusCunctator Ars Scholae Palatinae
The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined.
A good reason to not use RSA keys if possible. I configure all of my ssh setups to use ED25519 keys by default, with a fallback to RSA if ED25519 support is not available.
You can generate an ED25519 key using the standard OpenSSH package by doing:
ssh-keygen -t ed25519
That will generate two files in your ssh key directory ('~/.ssh/' by default): 'id_ed25519' and 'id_ed25519.pub'. The first is your private key (keep it close!), while the second is your public key. Add that to the public key file you deploy to remote servers, and (where supported *) your logins will then use the new ED25519 keypair in preference to RSA ones.
* The 'where supported' caveats are important. While many if not most ssh implementations today (including OpenSSH) support ED25519 keys, there are still a few around that don't. Hence, it's a good idea to maintain both ED25519 and RSA keys and include both in your public key lists. If an implementation does not support ED25519, it will just ignore those keys and use RSA. //
Digital Twin by .ART stores information about art objects in a way that provides evidence of provenance, real-time provenance tracking and increases an art object’s value. Leveraging the easy-to-understand technology of domain names, using an international standard for describing cultural objects developed by the J. Paul Getty Trust, and offering the option of a blockchain connection, Digital Twin by .ART provides a sophisticated but easy-to-use art object identification tool.