Forging administrator cookies and crocking crypto … for dummies

Security pro Laurens Van Houtven has created a free introductory cryptography course to help programmers lift their infosec game.

The Crypto 101 book contained everything needed to understand complete systems including block and stream ciphers; hash functions; message authentication codes; public key encryption; key agreement protocols, and signature algorithms.

Van Houtven (@lvh) said the course progressed from simple to more advanced primitives, demonstrating the importance of each, and culminated in complete cryptosystems like Transport Layer Security (TLS), GPG, and Off The Record (OTR).

"Learn how to exploit common cryptographic flaws, armed with nothing but a little time and your favourite programming language," Van Houtven wrote of the course.

"Forge administrator cookies, recover passwords, and even backdoor your own random number generator."

"... The goal of this book is not to make anyone a cryptographer or a security researcher. The goal of this book is to understand how complete cryptosystems work from a bird's-eye view, and how to apply them in real software."

Crypto 101 contains exercises in which technology bods could test their crypto chops.

Van Houtven said cryptography could no longer be deemed a game for experts given the recent large breaches resulting from borked or non-existent encryption.

Why the Internet is broken

"Much of the Internet is, in some senses, 'broken,' and will continue to be so," argues Joss Wright.

Editor's note: Joss Wright is a research fellow at the Oxford Internet Institute, where he focuses on cryptography, privacy-enhancing technologies and anonymous communications. He is working on the "Being There" project, which looks at privacy in public spaces, and a Google-funded project analyzing Internet censorship. The opinions expressed in this commentary are his.

(CNN) -- Our modern global communications infrastructure still relies on core principles that were defined when the Internet had only a few thousand users.

We have faster computers, more storage space, and more people using the network, but worryingly, some of the key assumptions haven't changed.

As an example, take the protocol that helps determine how data gets to its destination. Different networks in the Internet "advertise" routes to deliver data to other networks, with the most efficient candidate being chosen.

In early 2010, a mistaken advertisement from China Telecom caused a small but significant proportion of global Internet traffic to be mistakenly routed through China.

Concerns such as these were not foreseen by the early designers; back then, the Internet was operated by people who knew and trusted each other.

The same cannot be said today.

Free government-penned crypto can swipe identities

The PLAID (Protocol for Lightweight Authentication of Identity) cryptography kit appears to be insecure.

PLAID is a homebrew cryptography system designed by Centrelink - the Australian government agency that shovels out tens of billions a year in welfare payments. The system has been considered for use by US government agencies.

The software offers a means of contactless authentication using smart cards and is designed not to leak identities to scammers with dodgy card readers.

The newly-disclosed flaws allow an attacker to fuzz cards in order to generate error messages. Attackers armed with a bushel of error messages could identify individual identity numbers.

Further problems identified included a lack of RSA padding, leaving certain implementations of PLAID open to RSA signature cloning in a mode similar to Bleichenbacher's attack, cryptographers Matthew Green and a team of eight colleagues from the universities of London and Darmstadt found.

"I figure if someone has to use 'free' to lure you in the door, there's a good chance they're waiting on the other side with a hammer and a bottle of chloroform, or whatever the cryptographic equivalent might be," Green said of a PLAID story broken by this correspondent in a previous life.

"A quick look at PLAID didn't disappoint. The designers used ECB like it was going out of style; did unadvisable things with RSA encryption, and that was only the beginning."

Green offered a concise analysis of the recent university paper A Cryptographic Analysis of an ISO-standards-track Authentication Protocol.

"As well as reporting a number of undesirable cryptographic features of the protocol, we show that the privacy properties of PLAID are significantly weaker than claimed: using a variety of techniques we can fingerprint and then later identify cards," the researchers wrote. "These techniques involve a novel application of standard statistical and data analysis techniques in cryptography."
