Cryptosense Blog

Scanning PGP Keys on Public Servers

November 29, 2021

As part of the suite of cryptography discovery tools included with Cryptosense Analyzer Platform (CAP), Cryptosense File Scanner looks for cryptographic objects including SSH keys, PGP Keys, X.509 certificates and keystores on any filesystem or container image.

At last, Secure HSMs in the Cloud

October 14, 2021

Exciting new research from Cryptosense Chief Scientist Riccardo Focardi provides a simple and proven method to remove the risk of API-level attacks and enable widespread adoption of cloud HSMs. 

Understanding Cryptography Jargon

July 21, 2021

Or ‘Wait, what does SCEP stand for again?’ Cryptography is the study of secure communication, but you would be forgiven if you thought it was a mathematician's hobby of creating unpronounceable acronyms. HSTS, really? What's wrong with something like Radar or Crispr? In this article we’ll go through some of the key terms and acronyms that pop up when working in the cryptography field.

What is Cryptography Lifecycle Management and Why do I need it?

July 6, 2021

Cryptography is an essential enabling technology for modern business: without it we would not be able to protect our sensitive data or carry out authentication. When perfectly implemented and maintained, cryptography provides security we can rely on. However, detailed errors in its usage can lead to total loss of protection, and our increasing reliance on cryptography means that these mistakes now carry significant financial and reputational risks.

The Challenge of Machine Identity Management

June 28, 2021

Many of our customers use Cryptosense Analyser Platform (CAP) to try to discover where they're using cryptography, and machine identities are an important part of that. That job just got easier thanks to a new integration with Venafi. In a recent interview with Venafi's Bridget Hildebrand, Graham explained why this integration was so interesting for many of our customers...

Cryptography is Trust as Code

June 15, 2021

It’s incredible that in this world there is any trust at all. You need only watch a nature documentary or CNBC to know deceit, treachery and malfeasance are rife. Yet, here we are. The vast majority of our transactions are secure and successful. Our passwords remain confidential, usually. Our data's integrity is preserved, more often than not

When Certificates Attack: Shadow Certificates

May 12, 2021

Shadow certificates are more likely than you think. It is as if the nails and screws used to build a house end up being what makes the house fall down. Briefly, shadow certificates refer to digital certificates that have been introduced by employees that the DevOps or SecOps teams are unaware of.

Homomorphic Encryption 

April 2, 2021

What do dragons do with their treasure anyway? As far as I can tell, their whole goal is to ensure their hoard is secure. End of list. Yet it seems to defeat the purpose of amassing a large amount of fungible assets not to put them to use. Surely, it would be better for the dragon to invest some of that treasure into seed funding for a direct-to-lair sheep delivery app. But, who am I to question the wisdom of the wyrm. Allowing for the occasional invisible hobbit, dragons have always done a good job at data security, sorry, treasure security.

Secure Multiparty Computation

February 26, 2021

Previously we talked about Zero Knowledge Proofs as an emerging way to avoid having to trust large organizations who may intentionally misuse or unintentionally compromise our data. Secure Multiparty Computation is a way for a number of parties to work together to solve a problem without revealing the information used in the computation to the other parties.

Zero Knowledge Proofs

January 25, 2021

It was typical of renaissance and early-modern scientists to use anagrams or proto-hash functions of their scientific discoveries. The anagram of a Latin sentence would be published as a way of staking a claim to a scientific discovery that still required further research or results.

Which Algorithms Are FIPS 140-3 Approved?

January 11, 2021

The new 3rd revision of the FIPS 140 standards for Cryptographic Modules is an effort to align the NIST-managed standard with its ISO counterpart ISO 19790(2012).

Is Triple DES Secure?

December 22, 2020

The short answer with supporting evidence is no, because it has been deprecated by the NIST since 2017 for new applications and for all applications by 2023.

Keep Calm and Carry On: Why you may already have the solution to Post-Quantum Cryptography

November 20, 2020

These are anxious times. For the worriers among us 2020 has been a bumper year. We’ve had a global pandemic and the rise of Fascism in democratic countries. Not content with this, the techno-literate fretful have added ‘Quantum Supremacy’ to the list of concerns....

FedRAMP and FIPS 140-2 Cryptography

October 27, 2020

If you want to supply cloud-based services to the US Federal Government, you have to get FedRAMP approval. This certification process covers a whole host of security issues, but is very specific about its requirements on cryptography: you have to use FIPS 140-2 validated modules wherever cryptography is needed...

How to use a Hardware Security Module (HSM) Securely

October 23, 2020

In this short demo, Graham explains how to use a Hardware Security Module (HSM) securely.

Migrate Keys to Cloud KMS Without Rewriting any Code

September 21, 2020

In this video Dr. Graham Steel explains how to move to cloud cryptography easily and securely using Cryptosense Analyzer Platform (CAP). In this example we show how we can move an enterprise Tomcat Java application to Amazon's AWS KMS.

Are my Encryption Keys in the Cloud Really Secure?

October 21, 2020

A lot of people are concerned that their encryption keys stored in cloud services such as AWS KMS, Azure Keyvault, or GCP KMS, are not really secure...

What is a Keyblock?

July 31, 2020

In financial cryptography and PCI standards, a Key Block is an encrypted key stored with its metadata in a cryptographically secure way. That means that the key's usage information...

Cryptography Inventory - Best Practice Tips

June 3, 2020

This may seem obvious, but in large organizations where the inventory is required by multiple teams for different reasons, conflicts can easily arise....

ANSSI TLS recommendations v1.2 in Cryptosense Discovery

May 7, 2020

Cryptosense Discovery now provides a new standard, "ANSSI", based on the recent new version of the security recommendations for TLS by ANSSI, the French government cybersecurity agency.

The Zoom Encryption Protocol - Why ECB Is Bad

April 7, 2020

If you use Zoom video-conferencing software, you probably be aware of the recent controversy about the security of their encryption protocols...

FIPS 140-3 Compliant Cryptography

April 3, 2020

We have had a number of queries recently from people trying to figure out what FIPS 140-3 is, and how they can supply a FIPS 140-3 compliant solution to their customers. To make sense of this question we first need to understand a little background...

Key Usage Detection in Cryptosense Analyzer

March 20, 2020

Identifying the cryptographic keys an application really uses, what they are used for, and how they are stored, is a critical step towards many transformation projects...

Announcing Our Crypto Inventory Whitepaper

March 6, 2020

Cryptographic inventory has become a hot topic for enterprises over the last 12 months. Business drivers include reducing security risk, automating compliance, achieving crypto agility, and preparing for cloud crypto migration.

The Importance of Cryptographic Key Management & Cryptographic Audit

February 16, 2020

The importance of cryptographic key management increases as companies begin to move sensitive applications to the public or hybrid cloud. Understanding exactly which keys are carrying out which operations, what data each key is protecting, and how they are generated and stored, is more critical than when all keys were only used and stored on-premise.

The Capital One Breach and Cloud Encryption

November 12, 2019

On 29th July 2019 CapitalOne Financial Corp announced a data breach affecting 140 000 of their customer's social security numbers and 80 000 bank account numbers. CapitalOne is a major user of AWS cloud, and in this case the stolen data was stored in AWS S3 buckets. Why didn't encryption save us?

Cloud Encryption Part Two: Client Side Encryption for Azure Storage

December 5, 2019

Azure Storage is one of the most widely used services in the Microsoft Azure cloud, and is the Azure equivalent of the AWS S3 service. Most users of the service know that it is wise to encrypt sensitive data before storing it in the cloud. In this post, we will look at how that can be done using the Azure Java SDK, and will use the Cryptosense Analyzer Platform to gain insight into how the Azure SDK encrypts your data.

Automated Attack Trees for TLS Vulnerabilities: Improving Cryptosense Discovery

November 8, 2019

Cryptosense Discovery is our free tool to test a host’s usage of cryptography for common configuration mistakes and vulnerabilities. Discovery's new version discovers more hosts and more vulnerabilities, and improves the visual representation of attacks. We achieve this by using a well-known visualization method called attack trees.

Using Cryptosense Analyzer in Containerized Applications

September 20, 2019

Containers are often designed to be stateless. That means all state changes made by the application happen in the database, or some external storage. They don't happen on the container filesystem...

What is Cryptographic Inventory?

August 26, 2019

A cryptographic inventory is a strategic cybersecurity asset much like other hardware and software inventories. It enables an organisation to enforce a secure cryptographic policy across IT infrastructure, react quickly to security issues, and efficiently carry out strategic transformations such as migrating crypto services to the cloud or deploying post-quantum cryptography. In order to do achieve this, an inventory needs to have the following properties:

New cryptography in .NET Core 3.0

August 1, 2019

What's the difference between cryptography in .NET Framework and .NET Core? A large part of the .NET APIs are common to both .NET Core and .NET Framework. Microsoft even released the .NET Standard, a subset of .NET APIs provided by all .NET implementations, to simplify things for cross-implementation developers. However, there are still significant differences between Core and Framework, and cryptography is one of them.

Cryptosense Automates PCI-DSS Cryptography Audit for a World-Leading Financial Services Firm

June 20, 2019

A recent success story for Cryptosense is our roll-out with a large global player in the ATM (cash machine) network. Since this firm is considered a Service Provider in the PCI regulations, they have regular audits to pass which contain a lot of requirements on cryptography: full cartography of applications, compliance with NIST standards etc.

How Ledger Hacked an HSM

June 8, 2019

The announcement yesterday of this talk about HSM hacking on the BlackHat 2019 program has caused a stir, and for good reason: the authors claim to have discovered remote unauthenticated attacks giving full control of an HSM and complete access to keys and secrets stored on it...

Improving PKCS#11 Vulnerability Analysis

June 20, 2019

As well as treating applications in Java and .NET, Cryptosense Analyzer can also check the cryptographic security of PKCS#11 implementations in HSMs and elsewhere. We recently added a few of improvements requested by our users.

Detecting hard-coded cryptographic keys, passwords and credentials

April 23, 2019

Including passwords or cryptographic key material in source code is a major security risk for a number of reasons. In the worst case, if the code is public, everyone can read the key. Even if not, access to the code is often easier for an attacker to achieve than direct compromise of the application - the entire development team becomes part of the attack surface...

How common is insecure cryptography?

April 23, 2019

One question we're often asked by teams considering our Analyzer software is, how common are the kind of "rubber hits the road" deployment of crypto flaws that it detects?

Crypto Cartography: Mapping the Crypto in Applications

March 22, 2019

A first step of many cryptography projects - preparation for Cloud migration, crypto agility, or improving application security, is to map out the cryptography actually in use in an application. A naive approach would be to just review the source code and search for cryptographic calls. However, this is both time-consuming and error-prone...

New Cloud Crypto Service: Oracle Cloud Infrastructure KMS

February 28, 2019

Oracle are now putting some very serious investment into their cloud in an effort to capitalise on their enterprise customer base. Several of our own large customers are looking at OCI as a possible alternative or complement to other CSPs. OCI recently launched a cloud crypto service, so how does it measure up to the others in our cloud crypto comparison?

Achieving 'Crypto Agility'

January 21, 2019

A recent NIST paper recommending which steps to take to prepare for the advent of quantum computers proposes that users of cryptography look to achieve 'crypto agility' as soon as possible. The idea was further expanded by Gartner in a recent research note, and now crops up regularly. It's sometimes described as 'crypto-agnosticism', but what does it mean, and how does one achieve it?

Why IAST should mean Instrumented Application Security Testing

December 17, 2018

IAST has grown to about 20% of the AST market and is predicted to gain a larger share of this rapidly growing market in the coming years. However, in my opinion, the way IAST is understood and deployed today means that the acronym needs a tweak...

Ensuring code coverage in IAST

January 8, 2019

Modern versions of IAST (like ours) can detect flaws even when the application is executing standard functional tests - there is no need to simulate attacks. This enables these tools to be deployed early in the development lifecycle and integrated into CI toolchains. However, there's one key feature that doesn't figure on most IAST checklists: coverage checking...

512-bit RSA Keys and MD5-Digest Signatures in Oracle JRE

November 30, 2018

When we started testing the cryptography in Java applications using our Analyzer software, one of the first results we found was the use of a 512-bit RSA key for signature verification. At first this looks rather alarming since 512-bit RSA keys are easily breakable by brute force factorisation now.However, inspecting the stacktrace our Analyzer provides traces this back to a method called testSignatures...

Auditing AWS S3 Crypto Use

December 7, 2018

Amazon Simple Storage Service (S3) is one of the most widely-used cloud services. Most users of the service know it's wise to encrypt sensitive data before storing it in S3. In this post we'll look at how to do that securely using the AWS Java SDK, and how Cryptosense Analyzer will help you spot if you've done it wrong...

Why Cryptosense is an IAST Tool

November 13, 2018

At Cryptosense, we wanted to build a tool that would effectively identify and help fix vulnerabilities related to cryptography - something no other tool makes a good job of...

Cryptosense Analyzer finds Crypto Flaw in Java EE

October 17, 2018

Yesterday's Oracle Critical Patch Update contains a credit to Cryptosense for CVE-2018-3210, a flaw found by one of our users while they were testing a Java application with our Analyzer software...

Dangerous Tutorials: How not to learn C# cryptography

August 27, 2018

Our recent work to add coverage of the Microsoft .NET API to Cryptosense Analyzer has led us into a dark and dangerous part of the internet: C# crypto tutorials...

Post-Quantum Crypto: How to Start Preparing

October 3, 2018

Computers that exploit quantum mechanical properties offer the promise of (supposedly) unbreakable cryptography and other exciting applications, but they will also cause a huge, immediate problem: the day a large, practical quantum computer is developed, all existing widely-used asymmetric cryptography will be broken.

Cloud HSMs - The New Wave

July 26, 2018

Hardware Security Modules (HSMs) are generally viewed as expensive and painful to maintain. It's not surprising that a lot of HSM users are looking for a cloud-based solution that would allow them to hand over maintenance to a third party and move to an opex instead of capex model...

Crypto Audit of the Jenkins CI System

June 25, 2018

Jenkins is a popular tool for managing continuous integration (CI), i.e. coordinating builds, tests and deployment of a software project in an automated way.In an enterprise context Jenkins has some security requirements, like ensuring that only users with the right permissions can access certain projects and carry out certain tasks, protecting sensitive data such as tokens for access to APIs, etc.

Integrating Cryptographic Security Testing into CI

April 6, 2018

Continuous Integration or CI is a more and more widely adopted software engineering practice. A best practice for CI is to make the build self-testing, and recently this has started to include security testing. Cryptosense Analyzer, our tool for testing crypto security in applications, now integrates into CI.

Cloud Crypto Providers Part III - Logging Crypto Operations

March 28, 2018

This is the third post in a series about cloud crypto functionality provided by the "big three" cloud providers - Amazon Web Services, Microsoft Azure, and Google Cloud Platform...

Testing Java Crypto Provider Vulnerabilities in Cryptosense Analyzer

February 22, 2018

In a 2014 article “Why does cryptographic software fail?”, Lazar et al. took the most recent 269 CVEs marked as “cryptographic issues” and classified the site of the failure. While 17% of the failures were in crypto libraries, 83% were in the way the applications use the libraries.

Cryptosense a Winner in the BPI Innovation Competition

February 6, 2018

Cloud Crypto Providers Part II - Controlling Access to Keys

January 19, 2018

This is part two of our series looking at the cloud crypto services offered by the big three hosting companies: Amazon, Google and Microsoft...

Bleichenbacher is Back - Again

December 11, 2017

Today Hanno Böck, Juraj Somorovsky and Craig Young announced details of new work testing TLS implementations in the wild for Bleichenbacher's attack on RSA PKCS#1v1.5 encryption.

Cloud Crypto Providers - AWS vs Google vs Azure

December 18, 2017

With more and more sensitive applications being migrated to the public cloud, we've received several requests from our users to help them evaluate how the major cloud providers support crypto and key-management. In a series of posts, we'll be taking a look at the cloud crypto APIs of AWS, Google, and Microsoft (Azure).

DESedeWrap - Completing coverage of the Java JCE

November 29, 2017

Here at Cryptosense we've recently been working on adding the last few algorithms to our Java Crypto Analyzer to cover 100% of the standard (SunJCE) provider. The last one we treated was the mysterious-sounding DESede Wrap. What exactly does it do, and is it secure?

New Java Keystore CVEs

November 15, 2017

We frequently apply Analyzer to widely-used open source software including the Java JDK. The Oracle Critical Patch Update (CPU) of 17th October contained patches for two CVEs discovered at Cryptosense in collaboration with our partners at University of Venice Ca' Foscari...

Infineon RSA Key Generation Bug: How the attack works and what to do

October 16, 2017

Measuring PBKDF strength

August 14, 2017

Password-based key derivation functions (PBKDFs) are used in crypto for two reasons: to store passwords in a secure way, and to derive keys for use in other bits of crypto. We've written before about how they work and what parameters to use.

Cracking Java Keystores with Hashcat

July 26, 2017

JKS is the default keystore in all current versions of Java and still the only kind available in several widely-used application frameworks, despite issues with its security...

The End of Triple DES

July 21, 2017

The US National Institute of Standards and Technology (NIST) has just announced withdrawal of approval for triple DES (also known as 3DES, TDEA and sometimes DES EDE) in common protocols such as TLS and IPSec. In other applications, they propose a restriction to just 8MB of data before changing keys. Why are they doing this and what are the consequences?

What makes a usable crypto API?

June 29, 2017

An interesting article at the recent IEEE Security & Privacy symposium carried out a usability study on Python crypto APIs. Participants with varying degrees of Python experience were given crypto programming tasks for which they had to use a given API (cryptography.io, Keyczar, PyNaCl, M2crypto or PyCrypto).

Java Crypto Updates Delayed

April 7, 2017

In January 2017 Oracle released a Java update with a number of improvements to its crypto security. These included increasing minimum parameters (1024 bits for RSA XML signatures and DSA certificates, 256 bits for Elliptic curve keys used in TLS,..),

Use Cryptography Like The CIA

March 24, 2017

A recent wikileaks dump of CIA material included a file called "Network Operations Division Cryptographic Requirements". Assuming it's genuine, this 17-page PDF describes crypto policy that must be followed by developers of "tools used to advance the CIA’s intelligence collection activities".

Google Announces Full SHA-1 Collision: What It Means

February 23, 2017

Today Google announced the first public full SHA-1 collision, i.e. the first pair of distinct values that when hashed with the SHA-1 function produce the same digest. This should not come as a surprise - it follows the free-start collisions announced at the end of 2015, and many cryptographers had been anticipating full SHA-1 collisions imminently.

Discover more of your servers from the Certificate Transparency log

January 31, 2017

At our crypto service discovery site discovery.cryptosense.com you don't have to enter the qualified domain name of a server to test (like www.mydomain.com) - you can just enter a partial name like mydomain.com and the tool will query DNS records to look for machines.

Cryptosense and Google Project Wycheproof

December 21, 2016

Google recently announced a project to produce tests for cryptographic libraries to detect common weaknesses. Piloted by star cryptographers Daniel Bleichenbacher and Thai Duong, this is an exciting development for us at Cryptosense, and not just because they cite our CRYPTO '12 paper in their RSA tests.

Default Cryptographic Credentials

November 29, 2016

Unchanged default access passwords are a pervasive problem in computer security. A recent high-profile example is the Mirai botnet that spread by using 61 common default login credentials.In programs using crypto, passwords are often used to generate cryptographic keys. For example, they are used to generate the "key encrypting keys" that are used to protect private keys stored in keystores, or the master key used to protect persistent application data written to storage.

Weak Encryption Flaw in PrimeFaces

October 20, 2016

Our Java Crypto Analyzer tool works by tracing calls to the cryptographic library from all parts of the application under test, including libraries, framework components and dependencies.We recently tested the Analyzer on a large web application which uses a whole host of different libraries including PrimeFaces, a popular open-source library for graphics and UI elements in web applications.

Cryptosense Java Analyzer - Case Study with Primekey

October 3, 2016

PrimeKey Solutions develops and supports the most downloaded open source enterprise public-key infrastructure (PKI) software available, EJBCA. You can find out why they use Cryptosense Analyzer for Java in a case study we're releasing today...

BouncyCastle Keystore Security

August 16, 2016

Like the Oracle provider, keystores in BC rely on password-based encryption for confidentiality, i.e. deriving an encryption key from a password and then using that to encrypt the keys for writing to a file. BC offers three keystore types: BKS (bouncy castle keystore)...

Why PKCS#1v1.5 Signature Should (Also) Be Put Out of Our Misery

August 8, 2016

In 2014 I wrote a piece for this blog on RSA PKCS#1v1.5 encryption and why we need to get rid of it. At the time, the list of algorithms and padding modes to be included in the W3C WebCrypto API was under discussion, and I wanted to argue for the exclusion of this mode from the API. In the end it was indeed left out.

APDU-level attacks on crypto tokens and smartcards

July 19, 2016

In collaboration with the University of Venice Ca' Foscari, we've been researching the protocols smartcards and authentication tokens use to communicate underneath the PKCS#11 API that's exposed to applications. These protocols tend to be quite different for each device.

Attacks on Key-Wrapping in PKCS#11 v2.40

June 22, 2016

In the standard API for HSMs and other cryptographic hardware, PKCS#11, key-wrapping refers to the process of encrypting one key stored in hardware with another in order to send the first key somewhere else in a secure way. This operation has been the source of a whole series of security vulnerabilities, in particular because the encryption modes are often vulnerable to padding oracle attacks.

Weaknesses in the Java JCEKS Keystore

June 9, 2016

When strong cryptography was introduced into Java, the legacy JKS keystore with its "SHA-1 and XOR" encryption method was replaced by JCEKS, which uses Triple-DES (3DES) encryption to protect serialized keys when they are written to disk.There is a lot of JCEKS still around. So how exactly does the encryption work?

New Crypto Requirements in PCI DSS 3.2

May 31, 2016

The new version (3.2) of the PCI DSS compliance requirements for the payment card industry was released a few weeks ago. While the PCI definition of strong cryptography remains unchanged, the new version contains some other interesting new measures around secure use of cryptography

Gmail Disabling RC4 and SSLv3 SMTP Support

May 19, 2016

As trailed back in September 2015, Google are turning off SSLv3 and RC4 support from their TLS servers. For the vast majority of people, this will have no noticeable impact at all. However, there is one place where the deprecated protocol and insecure cipher still lurk: mailservers. In particular, according to the google blog post, "inbound/outbound gateways, third-party emailers, and systems using SMTP relay."

Weak Key Derivation in OpenSSL

April 28, 2016

Cryptosense software is designed to give our users visibility on the crypto their applications are using. We have tracing tools for PKCS#11 and Java, and recently we've been working on one for the OpenSSL crypto library (libssl and libcrypto). We'd like to share a couple of early results.

Mighty Aphrodite - Dark Secrets of the Java Keystore

April 21, 2016

If you write a Java application that uses cryptography, chances are you'll have to store some cryptographic keys. The Java crypto APIs provide an abstraction for dealing with this called keystores. In this post, we're going to look into how Java keystores are protected when written out as files.

DROWNing in your own Honeypot

March 16, 2016

The DROWN attack on SSL/TLS has by now been pretty comprehensively covered both here and elsewhere. But two weeks after its announcement, it's clear that it's not being fixed very fast, at least compared to other recent SSL vulnerabilities like Heartbleed. Why not?

The Lesson From DROWN: Bad Crypto Can Be Worse Than No Crypto

March 1, 2016

Today sees the public release of details of DROWN, another "full-stack" crypto vulnerability in TLS, involving new mathematical insights into the Bleichenbacher attack on PKCS#1v1.5 encryption, implementation bugs, failure to turn off old versions and real-world implementation data from Internet-wide scans showing that DROWN affects as many as 35% of HTTPS servers.

The Golden Age of Applied Crypto Research

February 11, 2016

Welcome to the Golden Age of Applied Crypto ResearchThe year 2015 saw the publication of an unprecedented number of practical attacks on real cryptographic systems. Attacks like FREAK and LOGJAM which combine model-based testing of crypto code with state-of-the-art numerical algorithms for cryptanalysis give a taste of the kinds of capabilities that are available to sophisticated adversaries.

Cryptosense Crypto Recommendations 2016

February 14, 2016

National and international standards bodies like NIST, ENISA and PCI already make recommendations about key-lengths and algorithms, so why write another set? At Cryptosense we've been working on a simple web-based tool to discover external-facing crypto services, and we needed a pragmatic set of best-practice standards for evaluating the results. If we used the ENISA "future application" standards, for example, pretty much the whole Internet would get an F.

PCI-DSS Crypto Compliance

December 15, 2015

Cryptography is sufficiently complex to make writing a single compliance document that ensures security impossible. There are nonetheless various industry compliance guidelines that try to ensure the biggest mistakes are avoided. The PCI-DSS standard, now in version v3.1, describes security requirements for processing electronic payments and includes some interesting crypto advice.

It is SHAppening Again

November 23, 2015

Recent news about the discovery of free-start collisions for the SHA-1 hash function has attracted plenty of attention. But what does this mean for the security of SHA-1, and what should you do if you're using it?‍

Parameter choice for PBKDF2

November 10, 2015

How many iterations, what salt and what hash function should I use with PBKDF2?To answer this, we need to look a little at what password-based key derivation function (PBKDF)2 does, and how it works.

The Untold Story of PKCS#11 HSM Vulnerabilities

November 3, 2015

The recent key-extraction attack on the SafeNet Luna HSM (CVE-2015-5464) led to a lot of discussion about HSM security. If an HSM has "one job", it's to make sure that keys that are marked "unextractable" really are "unextractable".

Dynamic records and enumerators: Open-sourcing OCaml libraries

August 14, 2015

The vast majority of the Cryptosense code base is built using OCaml. We're excited to announce that we're releasing a couple of the OCaml libraries we developed as free software: records and enumerators. Here we'll describe what the two libraries do and what we use them for.

Five reasons to upgrade to PKCS#11 v2.40

July 16, 2015

In April 2015, following its transfer to OASIS, the PKCS#11 standard for device crypto APIs got its first official update in ten years. There is always some lag time between a new standard and vendor adoption. Here are five good reasons you should be nagging your crypto hardware vendor to upgrade:

Cryptosense Software Finds Key-Disabling Bug in Thales HSM

June 17, 2015

The latest firmware update (v11.72) for the Thales eSecurity-nCipher net HSM includes a fix for a security issue found by the Cryptosense PKCS#11 compliance tester.

Would you hire a Professional Hacker?

May 5, 2015

This question is the subject of a podcast interview with Cryptosense founder, Graham Steel, in which he talks to Karen Webster, CEO of PYMTS.com.

Finding Flaws in Cryptography - IEEE S&P Article

May 1, 2015

Growth in cloud computing, smartphone use and interconnected devices means that even more of our private data is now at risk from hackers. Cryptography is being used more and more to secure this data, however it is notoriously hard to implement correctly.

PKCS#11 Compliance Testing: Caml Crush

March 30, 2015

For the next instalment in our compliance testing series, we interviewed the creators of Caml Crush, an open source PKCS#11 project. Caml Crush is a filtering proxy that inserts itself between a PKCS#11 device and the calling application. As well as its inherent client/server architecture be it local or remote, Caml Crush can also apply filters which deal with some of the major security issues that affect PKCS#11 interfaces. We will take a look at how it works and how it affects the Compliance Checker results on a device. The developers of Caml Crush (Ryad Benadjila, Thomas Calderon, and Marion Daubignard at the ANSSI) agree that “The PKCS#11 standard is not easy to use“, so how does Caml Crush help?

Cryptosense PKCS#11 Compliance Testing: Opencryptoki

February 4, 2015

Since we wrote this post our compliance criteria have been extended to over 100 covering PKCS#11 v2.40 and used to find a host of issues with live HSMs. Recently we've been trying out our PKCS#11 compliance tester on a number of open-source PKCS#11 implementations. We'll be publishing the results here over the next few weeks, as well as sending the reports from our tools to the project developers.

Algorithm Choice in PKCS#11 (part 7) - Elliptic Curves

January 5, 2015

Since we wrote this post three years ago, several HSMs have added support for modern elliptic curves like curve25519. The yet-to-be-finalised PKCS#11v3.0 will likely have a number of new algorithms using this curve and variationsOriginal post:If you read the last post about choice of key lengths in PKCS#11, you may have been struck by the fact that the recommended key lengths for RSA, if you want to be secure in the future, are rather long. This is one of several reasons for moving to elliptic curve cryptography. But which curve to choose?

Key Length Choice in PKCS#11

December 29, 2014

In a series of articles on the blog this year we've covered cryptographic algorithm choice in PKCS#11, taking into account recent cryptanalytic results. This post will complete the picture by discussing the choice of key-length and other parameters for these algorithms. As usual, our main source is the ENISA Algorithm and Key Length Report, recently updated for 2014.

Real HSM Breaches

November 24, 2014

Hardware Security Modules (HSMs) are tamper-resistant special-purpose computers that protect the most sensitive cryptographic key material in an organisation. They are used for security-critical applications such as electronic payment, PKI, inter-bank transfers, and PIN management in the cash machine network.

PKCS#11 Compliance Criteria

November 5, 2014

We originally published our compliance criteria for PKCS#11v2.20 back in 2014. We recently completed an update for v2.40, which contains new criteria for the extra attributes added in the new version, as well as revised references that take you directly to the right section of the HTML document of PKCS#11v2.40. Since we started applying these criteria to commercially available PKCS#11 devices using our Analyzer, we have found multiple vulnerabilities and non-compliances in several major manufacturer's products, all of which had FIPS/CC certifications.

Algorithm Choice in PKCS#11 (part 6) - MAC modes

October 24, 2014

In previous posts we covered the state of the art cryptanalysis results on the RSAmechanisms, hash functions, block ciphers and block cipher modes available in PKCS#11. In this post we look at the message authentication code (MAC) mechanisms available.