[HN Gopher] Show HN: An Elliptic Curve-Based Secure Chat, Writte...
       ___________________________________________________________________
        
       Show HN: An Elliptic Curve-Based Secure Chat, Written Using Rust
       and Protobuf
        
       This is a project I made to learn more about crypto. I've also
       written a [post](https://vaktibabat.github.io/posts/ecurvechat/)
       that explains all the crypto concepts and algorithms used in the
       project, and how I implemented them. I'd be very glad for any
       feedback about both the code and the post :)
        
       Author : vaktibabat
       Score  : 21 points
       Date   : 2024-09-19 18:22 UTC (4 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | woodruffw wrote:
       | First of all, nice work! Learning by doing is great, especially
       | with cryptography.
       | 
       | Some observations from a very quick scan:
       | 
       | 1. You should include a disclaimer somewhere in the repo that
       | this is an educational project, not something people should
       | seriously use. This is the "escape hatch" for the "don't roll
       | your own crypto" rule.
       | 
       | 2. You're rolling your own curve math, including ECDH and ECDSA.
       | These are not easy to get right; in particular, it looks like
       | you've got a classic "attacker can send you a point not on the
       | curve" bug here[1], unless I'm missing where you validate the
       | other party's point.
       | 
       | 3. Your protocol seems to allow variance over the curve
       | parameters, which is notoriously dangerous (and is why X.509 and
       | similar protocols prefer "named curve" sets over explicit
       | parameter sets).
       | 
       | [1]:
       | https://github.com/vaktibabat/ecurvechat/blob/4a1d91bd02bbc8...
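
Points 2 and 3 of the comment above, shown as an added example that is not part of the thread or the project's code: the receiver looks curve parameters up by name instead of accepting them from the peer, and rejects any peer point that is not on that curve before it reaches ECDH. The curve `toy17` (y^2 = x^3 + 2x + 2 over F_17, prime order, cofactor 1) and the names `named_curve`, `validate_peer_point` and `PointError` are constructed for illustration and are far too small for real use.

```rust
// Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17 (NOT secure, illustration only).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Curve { p: u64, a: u64, b: u64 }

#[derive(Debug, PartialEq)]
pub enum PointError { UnknownCurve, Infinity, OutOfRange, NotOnCurve }

/// Parameters come from a local table keyed by name, never from the wire.
pub fn named_curve(id: &str) -> Result<Curve, PointError> {
    match id {
        "toy17" => Ok(Curve { p: 17, a: 2, b: 2 }),
        _ => Err(PointError::UnknownCurve),
    }
}

/// Validate a peer's public point before any scalar multiplication.
/// `point` is None when the peer sent the point at infinity.
pub fn validate_peer_point(
    curve_id: &str,
    point: Option<(u64, u64)>,
) -> Result<(u64, u64), PointError> {
    let c = named_curve(curve_id)?;
    // The identity element would make the shared secret predictable.
    let (x, y) = point.ok_or(PointError::Infinity)?;
    // Coordinates must be canonical field elements.
    if x >= c.p || y >= c.p {
        return Err(PointError::OutOfRange);
    }
    // Curve equation check; u128 intermediates avoid overflow for any u64 prime.
    let (p, x, y) = (c.p as u128, x as u128, y as u128);
    let lhs = y * y % p;
    let rhs = (x * x % p * x % p + c.a as u128 * x % p + c.b as u128) % p;
    if lhs != rhs {
        return Err(PointError::NotOnCurve);
    }
    // Cofactor is 1 on this toy curve, so on-curve implies correct subgroup.
    Ok((x as u64, y as u64))
}

fn main() {
    // Constructed inputs: a valid point, an off-curve point, a peer-chosen curve.
    println!("{:?}", validate_peer_point("toy17", Some((5, 1))));
    println!("{:?}", validate_peer_point("toy17", Some((5, 2))));
    println!("{:?}", validate_peer_point("peer-supplied", Some((5, 1))));
}
```

On a curve with cofactor greater than 1, an on-curve check alone is not enough; the point's subgroup membership needs checking as well.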
        
       ___________________________________________________________________
       (page generated 2024-09-19 23:01 UTC)