In a 2014 article “Why does cryptographic software fail?”, Lazar et al. took the most recent 269 CVEs marked as “cryptographic issues” and classified the site of the failure. While 17% of the failures were in crypto libraries, 83% were in the way the applications use the libraries. Up until now, Cryptosense Analyzer for Java applications only treated the 83%. Today that’s changing as we’ve added provider vulnerability testing.
Cryptographic Vulnerabilities, News & Research
Cryptosense is delighted to announce that we have received funding from BPI France (the Banque Publique d’Investissement) for an exciting new project.
After a competitive selection process, our project was one of 68 selected for funding from a pool of 252 entrants to the 7th edition of BPI France’s Digital Innovation Competition.
This is part two of our series looking at the cloud crypto services offered by the big three hosting companies: Amazon, Google and Microsoft. In part 1, we looked at what kinds of keys and secrets the providers will let you store, and what crypto operations you can do with them. Here, we’re going to look at the way access to keys is controlled for users and services.
With more and more sensitive applications being migrated to the public cloud, we’ve received several requests from our users to help them evaluate how the major cloud providers support crypto and key-management. In a series of posts, we’ll be taking a look at the cloud crypto APIs of AWS, Google, and Microsoft (Azure).
Today Hanno Böck, Juraj Somorovsky and Craig Young announced details of new work testing TLS implementations in the wild for Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption. The short summary is the attack, first made public at CRYPTO ’98, still works on almost 3% of the Alexa top million most visited websites thanks to minor details in the way they implement countermeasures.
As well as supplying Cryptosense Analyzer to our customers so they can test their applications, we frequently apply the tool ourselves to widely-used open source software including the Java JDK. The Oracle Critical Patch Update (CPU) of 17th October contained patches for two CVEs discovered at Cryptosense in collaboration with our partners at University of Venice Ca’ Foscari.
After several vendor announcements last week, the details of Infineon’s RSA key generation vulnerability finally became available today. The attack calculates the value of the private key and requires only knowledge of the public key.
The vulnerable chips are pervasive and not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.
This summer we’ve updated our guide to crypto security in Java from beginning to end, with new sections on crypto library bugs, frameworks, JDK and Bouncy Castle keystores, and more.
Password-based key derivation functions (PBKDFs) are used in crypto for two reasons: to store passwords in a secure way, and to derive keys for use in other bits of crypto. We’ve written before about how they work and what parameters to use.
In our Analyzer tool for auditing application crypto, we have to solve the problem the other way round – how good are the parameters selected by a particular application? Just saying they are “not best practice” is not satisfactory for our users – they want to know if this is a critical issue needing an immediate fix or something that can wait until the next release.