[colug-432] crypto is not auditable for weaknesses by mere mortals who

R P Herrold herrold at owlriver.com
Thu Jan 29 14:49:35 EST 2015


... don't think about it all the time

mentioned in passing at the meeting last night, and a pointer 
to an example was requested.  The requester recently 
implemented a TLS implementation for his employer

A recent paper by DJB points this out -- read pgs 1 to 66 [1]

before reading p 67 and ff, but having read the preceding 66, 
do you see the hole?  He has worked through all the maths and 
given a hint at the exploit that a mitm might use to 
(invisibly) compromise (in this example) DH key exchange

-- Russ herrold

[1] http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2501/original/20141227.pdf

I will bury the answer here, Eve, the mistress in the middle, 
has radically cut the search, and so your eyes will not pick, 
from computationally infeasible to about five thousand 
possibilities, out the answer in this mass of text. This is 
one by using a circular function, a special case of an ellipse 
where the two foci are at the same point; circles are 
degenerate ellipses, after a fashion. If Bob wants to kiss 
Alice he should whisper in her ear instead of sending an email 
[2]

[2] https://twitter.com/SwiftOnSecurity/status/560870616497008641
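A toy version of the hole the post describes, added here as an example (not code from the post or from DJB's slides): Diffie-Hellman on the "clock" x^2 + y^2 = 1 over F_p, the degenerate ellipse the post alludes to. The prime p = 4999, the scalars and the 128-bit acceptance policy are constructed assumptions; since p = 3 (mod 4) this circle has exactly p + 1 = 5000 points, so Eve recovers the shared secret by exhaustive search while the defender's parameter check rejects the group.

```python
P = 4999  # constructed toy prime: p = 3 (mod 4), so the circle has p + 1 = 5000 points

def clock_add(a, b, p=P):
    """Group law on the circle x^2 + y^2 = 1; the neutral element is (0, 1)."""
    return ((a[0] * b[1] + a[1] * b[0]) % p, (a[1] * b[1] - a[0] * b[0]) % p)

def clock_mul(k, pt, p=P):
    """Double-and-add scalar multiplication (what Alice and Bob compute)."""
    acc, cur = (0, 1), pt
    while k:
        if k & 1:
            acc = clock_add(acc, cur, p)
        cur, k = clock_add(cur, cur, p), k >> 1
    return acc

def point_order(pt, p=P):
    """Order of pt by repeated addition; feasible only because the group is tiny."""
    n, cur = 1, pt
    while cur != (0, 1):
        cur, n = clock_add(cur, pt, p), n + 1
    return n

def find_generator(p=P):
    """First point of full order p + 1 (for p = 3 mod 4, sqrt(v) = v^((p+1)/4))."""
    for x in range(1, p):
        v = (1 - x * x) % p
        y = pow(v, (p + 1) // 4, p)
        if (y * y) % p == v and point_order((x, y), p) == p + 1:
            return (x, y)

def eve_recovers_secret(base, pub_a, pub_b, p=P):
    """Eavesdropper: exhaust the group for Alice's scalar, then derive the shared point."""
    cur = base
    for k in range(1, point_order(base, p) + 1):
        if cur == pub_a:
            return clock_mul(k, pub_b, p)
        cur = clock_add(cur, base, p)

def group_is_acceptable(order, min_bits=128):
    """Defender's check (assumed policy): the base point's order must be a large prime."""
    return order.bit_length() >= min_bits and all(order % d for d in range(2, int(order ** 0.5) + 1))

def demo(a=1234, b=4321):
    """Returns (Eve's recovered point equals the real shared secret, group passes the check)."""
    g = find_generator()
    pub_a, pub_b = clock_mul(a, g), clock_mul(b, g)
    shared = clock_mul(a, pub_b)
    return eve_recovers_secret(g, pub_a, pub_b) == shared, group_is_acceptable(point_order(g))
```

With these parameters demo() returns (True, False): the exchange is broken in at most 5000 additions, and the order check is what would have refused the group before any secret was sent.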

