Previously we talked about Zero Knowledge Proofs as an emerging way to avoid having to trust large organizations who may intentionally misuse or unintentionally compromise our data. Secure Multiparty Computation (SMPC) is another cryptographic approach, like Zero Knowledge Proofs, that had been kicking around in academia for a number of decades before our messy and hyperconnected world found practical applications for it. Secure Multiparty Computation is a way for a number of parties to work together to solve a problem without revealing the information used in the computation to the other parties. It is an approach seen as more straightforward and less computationally expensive than alternatives such as homomorphic encryption.
January 25, 2021
It was typical of renaissance and early-modern scientists to use anagrams or proto-hash functions of their scientific discoveries. The anagram of a Latin sentence would be published as a way of staking a claim to a scientific discovery that still required further research or results.
January 11, 2021
The new 3rd revision of the FIPS 140 standards for Cryptographic Modules is an effort to align the NIST-managed standard with its ISO counterpart ISO 19790(2012).
December 22, 2020
The short answer with supporting evidence is no, because it has been deprecated by NIST since 2017 for new applications and for all applications by 2023.
November 20, 2020
These are anxious times. For the worriers among us 2020 has been a bumper year. We’ve had a global pandemic and the rise of Fascism in democratic countries. Not content with this, the techno-literate fretful have added ‘Quantum Supremacy’ to the list of concerns....
October 27, 2020
If you want to supply cloud-based services to the US Federal Government, you have to get FedRAMP approval. This certification process covers a whole host of security issues, but is very specific about its requirements on cryptography: you have to use FIPS 140-2 validated modules wherever cryptography is needed. This is a stronger requirement than just using the NIST recommended (or "FIPS compliant") algorithms: you have to be able to show that the implementation of these algorithms has passed a FIPS 140-2 validation...
October 23, 2020
In this short demo, Graham explains how to use a Hardware Security Module (HSM) securely.
September 21, 2020
In this video Dr. Graham Steel explains how to move to cloud cryptography easily and securely using Cryptosense Analyzer Platform (CAP). In this example we show how we can move an enterprise Tomcat Java application to Amazon's AWS KMS.
October 21, 2020
A lot of people are concerned that their encryption keys stored in cloud services such as AWS KMS, Azure Keyvault, or GCP KMS, are not really secure...
July 31, 2020
In financial cryptography and PCI standards, a Key Block is an encrypted key stored with its metadata in a cryptographically secure way. That means that the key's usage information...
June 3, 2020
This may seem obvious, but in large organizations where the inventory is required by multiple teams for different reasons, conflicts can easily arise....
May 7, 2020
Cryptosense Discovery now provides a new standard, "ANSSI", based on the recent new version of the security recommendations for TLS by ANSSI, the French government cybersecurity agency.
April 7, 2020
If you use Zoom video-conferencing software, you are probably aware of the recent controversy about the security of their encryption protocols...
April 3, 2020
We have had a number of queries recently from people trying to figure out what FIPS 140-3 is, and how they can supply a FIPS 140-3 compliant solution to their customers. To make sense of this question we first need to understand a little background...
March 20, 2020
Identifying the cryptographic keys an application really uses, what they are used for, and how they are stored, is a critical step towards many transformation projects...
March 6, 2020
Cryptographic inventory has become a hot topic for enterprises over the last 12 months. Business drivers include reducing security risk, automating compliance, achieving crypto agility, and preparing for cloud crypto migration.
February 16, 2020
The importance of cryptographic key management increases as companies begin to move sensitive applications to the public or hybrid cloud. Understanding exactly which keys are carrying out which operations, what data each key is protecting, and how they are generated and stored, is more critical than when all keys were only used and stored on-premise.
November 12, 2019
On 29th July 2019 CapitalOne Financial Corp announced a data breach affecting 140 000 of their customers' social security numbers and 80 000 bank account numbers. CapitalOne is a major user of AWS cloud, and in this case the stolen data was stored in AWS S3 buckets. Why didn't encryption save us?
December 5, 2019
Azure Storage is one of the most widely used services in the Microsoft Azure cloud, and is the Azure equivalent of the AWS S3 service. Most users of the service know that it is wise to encrypt sensitive data before storing it in the cloud. In this post, we will look at how that can be done using the Azure Java SDK, and will use the Cryptosense Analyzer Platform to gain insight into how the Azure SDK encrypts your data.
November 8, 2019
Cryptosense Discovery is our free tool to test a host’s usage of cryptography for common configuration mistakes and vulnerabilities. Discovery's new version discovers more hosts and more vulnerabilities, and improves the visual representation of attacks. We achieve this by using a well-known visualization method called attack trees.
September 20, 2019
Containers are often designed to be stateless. That means all state changes made by the application happen in the database, or some external storage. They don't happen on the container filesystem...
August 26, 2019
A cryptographic inventory is a strategic cybersecurity asset much like other hardware and software inventories. It enables an organisation to enforce a secure cryptographic policy across IT infrastructure, react quickly to security issues, and efficiently carry out strategic transformations such as migrating crypto services to the cloud or deploying post-quantum cryptography. In order to achieve this, an inventory needs to have the following properties:
August 1, 2019
What's the difference between cryptography in .NET Framework and .NET Core? A large part of the .NET APIs are common to both .NET Core and .NET Framework. Microsoft even released the .NET Standard, a subset of .NET APIs provided by all .NET implementations, to simplify things for cross-implementation developers. However, there are still significant differences between Core and Framework, and cryptography is one of them.
June 20, 2019
A recent success story for Cryptosense is our roll-out with a large global player in the ATM (cash machine) network. Since this firm is considered a Service Provider in the PCI regulations, they have regular audits to pass which contain a lot of requirements on cryptography: full cartography of applications, compliance with NIST standards etc.
June 8, 2019
The announcement yesterday of this talk about HSM hacking on the BlackHat 2019 program has caused a stir, and for good reason: the authors claim to have discovered remote unauthenticated attacks giving full control of an HSM and complete access to keys and secrets stored on it...
June 20, 2019
As well as treating applications in Java and .NET, Cryptosense Analyzer can also check the cryptographic security of PKCS#11 implementations in HSMs and elsewhere. We recently added a few improvements requested by our users.
April 23, 2019
Including passwords or cryptographic key material in source code is a major security risk for a number of reasons. In the worst case, if the code is public, everyone can read the key. Even if not, access to the code is often easier for an attacker to achieve than direct compromise of the application - the entire development team becomes part of the attack surface...
April 23, 2019
One question we're often asked by teams considering our Analyzer software is: how common are the kind of "rubber hits the road" deployment crypto flaws that it detects?
March 22, 2019
A first step in many cryptography projects (preparation for cloud migration, crypto agility, or improving application security) is to map out the cryptography actually in use in an application. A naive approach would be to just review the source code and search for cryptographic calls. However, this is both time-consuming and error-prone...
February 28, 2019
Oracle are now putting some very serious investment into their cloud in an effort to capitalise on their enterprise customer base. Several of our own large customers are looking at OCI as a possible alternative or complement to other CSPs. OCI recently launched a cloud crypto service, so how does it measure up to the others in our cloud crypto comparison?
January 21, 2019
A recent NIST paper recommending which steps to take to prepare for the advent of quantum computers proposes that users of cryptography look to achieve 'crypto agility' as soon as possible. The idea was further expanded by Gartner in a recent research note, and now crops up regularly. It's sometimes described as 'crypto-agnosticism', but what does it mean, and how does one achieve it?
December 17, 2018
IAST has grown to about 20% of the AST market and is predicted to gain a larger share of this rapidly growing market in the coming years. However, in my opinion, the way IAST is understood and deployed today means that the acronym needs a tweak...
January 8, 2019
Modern versions of IAST (like ours) can detect flaws even when the application is executing standard functional tests - there is no need to simulate attacks. This enables these tools to be deployed early in the development lifecycle and integrated into CI toolchains. However, there's one key feature that doesn't figure on most IAST checklists: coverage checking...
November 30, 2018
When we started testing the cryptography in Java applications using our Analyzer software, one of the first results we found was the use of a 512-bit RSA key for signature verification. At first this looks rather alarming since 512-bit RSA keys are easily breakable by brute force factorisation now. However, inspecting the stacktrace our Analyzer provides traces this back to a method called testSignatures...
December 7, 2018
Amazon Simple Storage Service (S3) is one of the most widely-used cloud services. Most users of the service know it's wise to encrypt sensitive data before storing it in S3. In this post we'll look at how to do that securely using the AWS Java SDK, and how Cryptosense Analyzer will help you spot if you've done it wrong...
November 13, 2018
At Cryptosense, we wanted to build a tool that would effectively identify and help fix vulnerabilities related to cryptography - something no other tool makes a good job of...
October 17, 2018
Yesterday's Oracle Critical Patch Update contains a credit to Cryptosense for CVE-2018-3210, a flaw found by one of our users while they were testing a Java application with our Analyzer software...
August 27, 2018
Our recent work to add coverage of the Microsoft .NET API to Cryptosense Analyzer has led us into a dark and dangerous part of the internet: C# crypto tutorials...
October 3, 2018
Computers that exploit quantum mechanical properties offer the promise of (supposedly) unbreakable cryptography and other exciting applications, but they will also cause a huge, immediate problem: the day a large, practical quantum computer is developed, all existing widely-used asymmetric cryptography will be broken.
July 26, 2018
Hardware Security Modules (HSMs) are generally viewed as expensive and painful to maintain. It's not surprising that a lot of HSM users are looking for a cloud-based solution that would allow them to hand over maintenance to a third party and move to an opex instead of capex model...
June 25, 2018
Jenkins is a popular tool for managing continuous integration (CI), i.e. coordinating builds, tests and deployment of a software project in an automated way. In an enterprise context Jenkins has some security requirements, like ensuring that only users with the right permissions can access certain projects and carry out certain tasks, protecting sensitive data such as tokens for access to APIs, etc.
April 6, 2018
Continuous Integration or CI is a more and more widely adopted software engineering practice. A best practice for CI is to make the build self-testing, and recently this has started to include security testing. Cryptosense Analyzer, our tool for testing crypto security in applications, now integrates into CI.
March 28, 2018
This is the third post in a series about cloud crypto functionality provided by the "big three" cloud providers - Amazon Web Services, Microsoft Azure, and Google Cloud Platform...
February 22, 2018
In a 2014 article “Why does cryptographic software fail?”, Lazar et al. took the most recent 269 CVEs marked as “cryptographic issues” and classified the site of the failure. While 17% of the failures were in crypto libraries, 83% were in the way the applications use the libraries.
January 19, 2018
This is part two of our series looking at the cloud crypto services offered by the big three hosting companies: Amazon, Google and Microsoft...
December 11, 2017
Today Hanno Böck, Juraj Somorovsky and Craig Young announced details of new work testing TLS implementations in the wild for Bleichenbacher's attack on RSA PKCS#1v1.5 encryption.
December 18, 2017
With more and more sensitive applications being migrated to the public cloud, we've received several requests from our users to help them evaluate how the major cloud providers support crypto and key-management. In a series of posts, we'll be taking a look at the cloud crypto APIs of AWS, Google, and Microsoft (Azure).
November 29, 2017
Here at Cryptosense we've recently been working on adding the last few algorithms to our Java Crypto Analyzer to cover 100% of the standard (SunJCE) provider. The last one we treated was the mysterious-sounding DESede Wrap. What exactly does it do, and is it secure?
November 15, 2017
We frequently apply Analyzer to widely-used open source software including the Java JDK. The Oracle Critical Patch Update (CPU) of 17th October contained patches for two CVEs discovered at Cryptosense in collaboration with our partners at University of Venice Ca' Foscari...
August 14, 2017
Password-based key derivation functions (PBKDFs) are used in crypto for two reasons: to store passwords in a secure way, and to derive keys for use in other bits of crypto. We've written before about how they work and what parameters to use.
July 26, 2017
JKS is the default keystore in all current versions of Java and still the only kind available in several widely-used application frameworks, despite issues with its security...
July 21, 2017
The US National Institute of Standards and Technology (NIST) has just announced withdrawal of approval for triple DES (also known as 3DES, TDEA and sometimes DES EDE) in common protocols such as TLS and IPSec. In other applications, they propose a restriction to just 8MB of data before changing keys. Why are they doing this and what are the consequences?
June 29, 2017
An interesting article at the recent IEEE Security & Privacy symposium carried out a usability study on Python crypto APIs. Participants with varying degrees of Python experience were given crypto programming tasks for which they had to use a given API (cryptography.io, Keyczar, PyNaCl, M2crypto or PyCrypto).
April 7, 2017
In January 2017 Oracle released a Java update with a number of improvements to its crypto security. These included increasing minimum parameters (1024 bits for RSA XML signatures and DSA certificates, 256 bits for Elliptic curve keys used in TLS,..),
March 24, 2017
A recent wikileaks dump of CIA material included a file called "Network Operations Division Cryptographic Requirements". Assuming it's genuine, this 17-page PDF describes crypto policy that must be followed by developers of "tools used to advance the CIA’s intelligence collection activities".
February 23, 2017
Today Google announced the first public full SHA-1 collision, i.e. the first pair of distinct values that when hashed with the SHA-1 function produce the same digest. This should not come as a surprise - it follows the free-start collisions announced at the end of 2015, and many cryptographers had been anticipating full SHA-1 collisions imminently.
January 31, 2017
At our crypto service discovery site discovery.cryptosense.com you don't have to enter the qualified domain name of a server to test (like www.mydomain.com) - you can just enter a partial name like mydomain.com and the tool will query DNS records to look for machines.
December 21, 2016
Google recently announced a project to produce tests for cryptographic libraries to detect common weaknesses. Piloted by star cryptographers Daniel Bleichenbacher and Thai Duong, this is an exciting development for us at Cryptosense, and not just because they cite our CRYPTO '12 paper in their RSA tests.
November 29, 2016
Unchanged default access passwords are a pervasive problem in computer security. A recent high-profile example is the Mirai botnet that spread by using 61 common default login credentials. In programs using crypto, passwords are often used to generate cryptographic keys. For example, they are used to generate the "key encrypting keys" that are used to protect private keys stored in keystores, or the master key used to protect persistent application data written to storage.
October 20, 2016
Our Java Crypto Analyzer tool works by tracing calls to the cryptographic library from all parts of the application under test, including libraries, framework components and dependencies. We recently tested the Analyzer on a large web application which uses a whole host of different libraries including PrimeFaces, a popular open-source library for graphics and UI elements in web applications.
October 3, 2016
PrimeKey Solutions develops and supports the most downloaded open source enterprise public-key infrastructure (PKI) software available, EJBCA. You can find out why they use Cryptosense Analyzer for Java in a case study we're releasing today...
August 16, 2016
Like the Oracle provider, keystores in BC rely on password-based encryption for confidentiality, i.e. deriving an encryption key from a password and then using that to encrypt the keys for writing to a file. BC offers three keystore types: BKS (bouncy castle keystore)...
August 8, 2016
In 2014 I wrote a piece for this blog on RSA PKCS#1v1.5 encryption and why we need to get rid of it. At the time, the list of algorithms and padding modes to be included in the W3C WebCrypto API was under discussion, and I wanted to argue for the exclusion of this mode from the API. In the end it was indeed left out.
July 19, 2016
In collaboration with the University of Venice Ca' Foscari, we've been researching the protocols smartcards and authentication tokens use to communicate underneath the PKCS#11 API that's exposed to applications. These protocols tend to be quite different for each device.
June 22, 2016
In the standard API for HSMs and other cryptographic hardware, PKCS#11, key-wrapping refers to the process of encrypting one key stored in hardware with another in order to send the first key somewhere else in a secure way. This operation has been the source of a whole series of security vulnerabilities, in particular because the encryption modes are often vulnerable to padding oracle attacks.
June 9, 2016
When strong cryptography was introduced into Java, the legacy JKS keystore with its "SHA-1 and XOR" encryption method was replaced by JCEKS, which uses Triple-DES (3DES) encryption to protect serialized keys when they are written to disk. There is a lot of JCEKS still around. So how exactly does the encryption work?
May 31, 2016
The new version (3.2) of the PCI DSS compliance requirements for the payment card industry was released a few weeks ago. While the PCI definition of strong cryptography remains unchanged, the new version contains some other interesting new measures around secure use of cryptography.
May 19, 2016
As trailed back in September 2015, Google are turning off SSLv3 and RC4 support from their TLS servers. For the vast majority of people, this will have no noticeable impact at all. However, there is one place where the deprecated protocol and insecure cipher still lurk: mailservers. In particular, according to the google blog post, "inbound/outbound gateways, third-party emailers, and systems using SMTP relay."
April 28, 2016
Cryptosense software is designed to give our users visibility on the crypto their applications are using. We have tracing tools for PKCS#11 and Java, and recently we've been working on one for the OpenSSL crypto library (libssl and libcrypto). We'd like to share a couple of early results.
April 21, 2016
If you write a Java application that uses cryptography, chances are you'll have to store some cryptographic keys. The Java crypto APIs provide an abstraction for dealing with this called keystores. In this post, we're going to look into how Java keystores are protected when written out as files.
March 16, 2016
The DROWN attack on SSL/TLS has by now been pretty comprehensively covered both here and elsewhere. But two weeks after its announcement, it's clear that it's not being fixed very fast, at least compared to other recent SSL vulnerabilities like Heartbleed. Why not?
March 1, 2016
Today sees the public release of details of DROWN, another "full-stack" crypto vulnerability in TLS, involving new mathematical insights into the Bleichenbacher attack on PKCS#1v1.5 encryption, implementation bugs, failure to turn off old versions and real-world implementation data from Internet-wide scans showing that DROWN affects as many as 35% of HTTPS servers.
February 11, 2016
Welcome to the Golden Age of Applied Crypto Research. The year 2015 saw the publication of an unprecedented number of practical attacks on real cryptographic systems. Attacks like FREAK and LOGJAM which combine model-based testing of crypto code with state-of-the-art numerical algorithms for cryptanalysis give a taste of the kinds of capabilities that are available to sophisticated adversaries.
February 14, 2016
National and international standards bodies like NIST, ENISA and PCI already make recommendations about key-lengths and algorithms, so why write another set? At Cryptosense we've been working on a simple web-based tool to discover external-facing crypto services, and we needed a pragmatic set of best-practice standards for evaluating the results. If we used the ENISA "future application" standards, for example, pretty much the whole Internet would get an F.
December 15, 2015
Cryptography is sufficiently complex to make writing a single compliance document that ensures security impossible. There are nonetheless various industry compliance guidelines that try to ensure the biggest mistakes are avoided. The PCI-DSS standard, now in version v3.1, describes security requirements for processing electronic payments and includes some interesting crypto advice.
November 23, 2015
Recent news about the discovery of free-start collisions for the SHA-1 hash function has attracted plenty of attention. But what does this mean for the security of SHA-1, and what should you do if you're using it?
November 10, 2015
How many iterations, what salt and what hash function should I use with PBKDF2? To answer this, we need to look a little at what password-based key derivation function 2 (PBKDF2) does, and how it works.
November 3, 2015
The recent key-extraction attack on the SafeNet Luna HSM (CVE-2015-5464) led to a lot of discussion about HSM security. If an HSM has "one job", it's to make sure that keys that are marked "unextractable" really are "unextractable".
August 14, 2015
The vast majority of the Cryptosense code base is built using OCaml. We're excited to announce that we're releasing a couple of the OCaml libraries we developed as free software: records and enumerators. Here we'll describe what the two libraries do and what we use them for.
July 16, 2015
In April 2015, following its transfer to OASIS, the PKCS#11 standard for device crypto APIs got its first official update in ten years. There is always some lag time between a new standard and vendor adoption. Here are five good reasons you should be nagging your crypto hardware vendor to upgrade:
June 17, 2015
The latest firmware update (v11.72) for the Thales eSecurity-nCipher net HSM includes a fix for a security issue found by the Cryptosense PKCS#11 compliance tester.
May 5, 2015
This question is the subject of a podcast interview with Cryptosense founder, Graham Steel, in which he talks to Karen Webster, CEO of PYMTS.com.
May 1, 2015
Growth in cloud computing, smartphone use and interconnected devices means that even more of our private data is now at risk from hackers. Cryptography is being used more and more to secure this data, however it is notoriously hard to implement correctly.
March 30, 2015
For the next instalment in our compliance testing series, we interviewed the creators of Caml Crush, an open source PKCS#11 project. Caml Crush is a filtering proxy that inserts itself between a PKCS#11 device and the calling application. Beyond its inherent client/server architecture, whether local or remote, Caml Crush can also apply filters which deal with some of the major security issues that affect PKCS#11 interfaces. We will take a look at how it works and how it affects the Compliance Checker results on a device. The developers of Caml Crush (Ryad Benadjila, Thomas Calderon, and Marion Daubignard at the ANSSI) agree that "The PKCS#11 standard is not easy to use", so how does Caml Crush help?
February 4, 2015
Since we wrote this post our compliance criteria have been extended to over 100 covering PKCS#11 v2.40 and used to find a host of issues with live HSMs. Recently we've been trying out our PKCS#11 compliance tester on a number of open-source PKCS#11 implementations. We'll be publishing the results here over the next few weeks, as well as sending the reports from our tools to the project developers.
January 5, 2015
Since we wrote this post three years ago, several HSMs have added support for modern elliptic curves like curve25519. The yet-to-be-finalised PKCS#11v3.0 will likely have a number of new algorithms using this curve and variations. Original post: If you read the last post about choice of key lengths in PKCS#11, you may have been struck by the fact that the recommended key lengths for RSA, if you want to be secure in the future, are rather long. This is one of several reasons for moving to elliptic curve cryptography. But which curve to choose?
December 29, 2014
In a series of articles on the blog this year we've covered cryptographic algorithm choice in PKCS#11, taking into account recent cryptanalytic results. This post will complete the picture by discussing the choice of key-length and other parameters for these algorithms. As usual, our main source is the ENISA Algorithm and Key Length Report, recently updated for 2014.
November 24, 2014
Hardware Security Modules (HSMs) are tamper-resistant special-purpose computers that protect the most sensitive cryptographic key material in an organisation. They are used for security-critical applications such as electronic payment, PKI, inter-bank transfers, and PIN management in the cash machine network.
November 5, 2014
We originally published our compliance criteria for PKCS#11v2.20 back in 2014. We recently completed an update for v2.40, which contains new criteria for the extra attributes added in the new version, as well as revised references that take you directly to the right section of the HTML document of PKCS#11v2.40. Since we started applying these criteria to commercially available PKCS#11 devices using our Analyzer, we have found multiple vulnerabilities and non-compliances in several major manufacturers' products, all of which had FIPS/CC certifications.
October 24, 2014
In previous posts we covered the state of the art cryptanalysis results on the RSA mechanisms, hash functions, block ciphers and block cipher modes available in PKCS#11. In this post we look at the message authentication code (MAC) mechanisms available.
October 2, 2014
This is the latest in our series analysing the state of the art cryptanalysis results on the RSA mechanisms, hash functions and block ciphers available in PKCS#11. We've seen that PKCS#11 makes available a range of block ciphers ranging from dubious to recommended options. Additionally, for most block ciphers, several modes are available. What are the security consequences of the mode choice? Here we survey the block cipher modes available, giving a brief summary of their security.
September 22, 2014
Cryptosense, the leading supplier of security analysis software for cryptography, raises 700 000€ in a seed round from Elaia Partners and IT-Translation.
September 18, 2014
Following on from our popular review of RSA mechanisms and hash functions, this post reviews the block ciphers and modes available in PKCS#11 v2.20 and the state of the art in their cryptanalysis. We'll also look at what's changing in version 2.40. The first version of PKCS#11 came out in 1995, and since then no mechanisms have been removed, though this will change when version 2.40 comes out. Reading the mechanism list for block ciphers is therefore something of an exercise in cryptographic archaeology.
October 8, 2014
Some standards come with compliance criteria built in - you can't say you've implemented the standard until your code can pass the tests. With PKCS#11, a 407-page standard specifying the most widely used API in cryptographic hardware, there are no such tests. So how can a would-be PKCS#11 user discriminate between a good implementation of the API and a bad one? And how can a manufacturer find compliance bugs and then demonstrate the quality of their product?
August 7, 2014
A tracer is a simple but important tool for auditing crypto security that allows the analyst to see the calls made by an application to a crypto interface. This is especially useful if the application and/or the crypto provider are only available in binary or black-box form (e.g. an HSM), but the crypto API is known. Even if source code is available, a simple tracer can save a lot of time compared to instrumenting code or manually setting trace points.
June 30, 2014
A hash function is a basic building block of many cryptographic protocols. Cryptanalysis of hash functions has made great progress in the last decade, so how do the hash functions provided by PKCS#11 measure up?
June 19, 2014
A video of my recent talk at QCon London on crypto API security, How I Learned to Stop Worrying and Trust Crypto Again, is now online. Questions and feedback welcome.
June 16, 2014
This post follows on from the previous one describing the range of RSA mechanisms supported in PKCS#11, and their security properties (or lack thereof). One big change to the standard in the upcoming version 2.40 is a separation of the mechanisms into "Historic" and "Current" mechanisms.