What does “secure” mean for an authenticated cipher?

This week I am in Tokyo to present a research paper in cryptography at the 24th International Conference on Fast Software Encryption, the reference academic conference on symmetric crypto. This paper is the result of a semester project that I started last year during my master at EPFL, in collaboration with Damian Vizár from the … Continue reading What does “secure” mean for an authenticated cipher?

On CIA Crypto

On Tuesday, Wikileaks released a tranche of alleged Top Secret CIA documents, many involving explanations of their cryptographic requirements.   Reading through the documents turned out to be anticlimactic, the CIA’s cryptographic requirements are pretty boring, and that is how it usually works in cryptography. Quoting from the document, "These requirements are intended to ensure a … Continue reading On CIA Crypto

Why Replace SHA-1 with BLAKE2?

Unless you've lived under a rock for the last twelve years, you must know that the cryptographic hash function SHA-1 is broken, in the sense that it's not as secure as it should be: SHA-1 produces 160-bit digests, meaning that finding a collision (or two messages hashing to the same value) should take approximately 280 operations, … Continue reading Why Replace SHA-1 with BLAKE2?

Responding to Ticketbleed

Today Cloudflare publicly disclosed a software vulnerability in the F5 BIG-IP appliance. The following is our action report for clients utilizing the BIG-IP appliance.  It is worth noting that this only impacts appliances running the non-default Session Tickets option. Summary Ticketbleed is a high severity software vulnerability in the TLS stack of F5 BIG-IP appliances allowing a … Continue reading Responding to Ticketbleed

Wire Cryptography Audit (with X41 D-Sec)

Kudelski Security's JP Aumasson and X41 D-Sec's Markus Vervier were hired to audit Wire's cryptography core, the Proteus library. Wire is an application for mobile and desktop systems that provides end-to-end encrypted messaging, and Proteus implements a protocol combining the X3DH key agreement protocol and the double ratchet algorithm in order to provide high security guarantees to Wire's … Continue reading Wire Cryptography Audit (with X41 D-Sec)

The Quantum Computer FAQ

This is probably how a quantum computer looks    ¯\(°_o)/¯ Several readers of the post Defeating Quantum Algorithms with Hash Functions found it difficult to follow without background information on quantum computers. So here I'd like to summarize basic facts about quantum computers and to debunk some preconceived ideas: What is NOT a quantum computer? A quantum computer … Continue reading The Quantum Computer FAQ

Forging RSA-PSS signatures with mbedTLS

This posts describes how to forge public-key signatures computed using mbedTLS’s implementation of RSA-PSS (the RSA-based standard signature scheme). Forging a signature means determining a valid signature of some message without knowing the secret key, but possibly know valid signatures of other messages. A signature scheme—or implementation thereof—is considered insecure if such forgeries are practical. … Continue reading Forging RSA-PSS signatures with mbedTLS