A severe cryptographic vulnerability in the popular open-source Meshtastic project allows attackers to decrypt private messages and hijack nodes across LoRa mesh networks.
  • redsand@lemmy.dbzer0.comEnglish
    7·
    3 days ago

    They still need help upgrading the key exchange to be quantum resistant if anyone needs a summer project.

    • Kairos@lemmy.todayEnglish
      61·
      3 days ago

      No they don’t “need” help doing that. Quantum resistance is kind of a waste of time considering the largest number factored by these things is 21.

      And the known algorithm we halve just square roots the search space on average. So a 256 bit key is still secure. Quantum resistance just seems like another industry scam to try and take us away from well supported open-source stuff.

      • Socsa@sh.itjust.worksEnglish
        1·
        23 hours ago

        It’s also not that hard to implement. It’s just a slightly different algorithm.

        Also it’s not an industry scam - literally the only standard out so far is from NIST.

      • JackbyDev@programming.devEnglish
        3·
        2 days ago

        The idea that people use quantum computers against meshtastic nodes is pretty funny to me. I think meshtastic attracts a certain kind of person who is security minded and maybe even prepper adjacent (like ham radio tends to). That leads to some odd things like worrying about nation states attacking their nodes.

        To be clear, I’m not saying better security isn’t worth it, nor am I saying it wouldn’t ever happen, but the idea that folks are hiding things that important on meshtastic is a little silly to me. I think their biggest threat is other hobbyists. Not nation states.

        • redsand@lemmy.dbzer0.comEnglish
          3·
          2 days ago

          It’s mostly the issue of saving transmissions for later. Very much not a high priority but solid future planning in the face of governments plagiarizing Orwell and Huxley.

      • redsand@lemmy.dbzer0.comEnglish
        8·
        3 days ago

        It’s just math and the relentless march of technology. Fear not, we have lots of open source post quantum cryptography libraries.

          • SmokeyDope@lemmy.worldEnglish
            6·
            3 days ago

            The point in time after the first qbit based supercomputers transitioned from theoretical abstraction to physical proven reality. Thus opening up the can-of-worms of feasabily cracking classical cryptographic encryptions like an egg within human acceptable time frames instead of longer-than-the-universes-lifespan timeframes… Thanks, superposition probability based parallel computations.

          • InnerScientist@lemmy.worldEnglish
            3·
            3 days ago

            From Wikipedia:

            Post-quantum cryptography, sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer.

              • InnerScientist@lemmy.worldEnglish
                3·
                2 days ago

                RSA 1024 is post quantum if you want to ignore progress in cryptography and use current algorithms. (We have no quantum computers that can crack it right now)

                It’s about preparing for quantum computers by using algorithms that are secure against conventional and future quantum computers. If you assume that a quantum computer will exist that can crack RSA 2048/4096, then all data that gets send right now can be decrypted at that time. If we get working quantum computers in 20 years then in 20 years all banking data, chat messages, emails,… send with RSA today can be compromised.
                If we switch to algorithms that don’t get easier to crack with quantum computers then even when they get strong enough nothing will change and only data send with older algorithms can be decrypted.

                See also the rest of the Wikipedia article, here a continuation of my previous snippet:

                Most widely used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor’s algorithm or possibly alternatives.

                As of 2024, quantum computers lack the processing power to break widely used cryptographic algorithms; however, because of the length of time required for migration to quantum-safe cryptography, cryptographers are already designing new algorithms to prepare for Y2Q or Q-Day, the day when current algorithms will be vulnerable to quantum computing attacks.

            • Kairos@lemmy.todayEnglish
              11·
              3 days ago

              Can they? Can they really break RSA 4096? Because the algorithm we have to do that just turns it from 256 bits of entropy to 128, which is still not breakable.

              • redsand@lemmy.dbzer0.comEnglish
                3·
                3 days ago

                Algorithms. Plural. Shor’s and Grover’s. Nothing public that can break anything in use but progress marches on and governments are always expected to be 5-10 years ahead

                • Kairos@lemmy.todayEnglish
                  1·
                  3 days ago

                  Hm. It appears I did not know about Shor’s. :/ sorry.

                  Although I’m willing to bet that it requires an exponential amount of correction qbits.

  • einfach_orangensaft@sh.itjust.worksEnglish
    215·
    3 days ago

    “Flaw” yeah sure no “Tailored access road” there… I kinda always assumed there is something fishy about Meshtastic…

    If you depend on a “off grid” communication device…choose a analog radio that has to dumb of hardware to run a exploit (or broadcast your GPS location lmao).