March 24, 2017

Use Cryptography Like The CIA

A recent wikileaks dump of CIA material included a file called “Network Operations Division Cryptographic Requirements“. Assuming it’s genuine, this 17-page PDF describes crypto policy that must be followed by developers of “tools used to advance the CIA’s intelligence collection activities”.

Since a government security agency has insight into the state of the art in non-public cryptanalysis, it’s interesting to see what government spies recommend as a secure policy for crypto usage. Here I’ve picked out a few of the highlights that were interesting to me, in particular in the ways they’re different from other public crypto standards like PCI or ECRYPT.

Continue reading

February 23, 2017

Google Announces Full SHA-1 Collision: What It Means

Today Google announced the first public full SHA-1 collision, i.e. the first pair of distinct values that when hashed with the SHA-1 function produce the same digest. This should not come as a surprise – it follows the free-start collisions announced at the end of 2015, and many cryptographers had been anticipating full SHA-1 collisions imminently.

To understand what this means, it helps to look at what happened after collisions were found in the MD5 hash function.

Continue reading

October 24, 2014

Algorithm Choice in PKCS#11 (part 6) – MAC modes

In previous posts we covered the state of the art cryptanalysis results on the RSA mechanisms, hash functions, block ciphers and block cipher modes available in PKCS#11. In this post we look at the message authentication code (MAC) mechanisms available.

Return of the MAC

There are essentially two ways to produce a MAC from a message and a shared secret: one is to use a block cipher in an appropriate MAC mode, the other is to used a keyed hash function (HMAC). During the 1990s, it was hard for US-based companies to export technology containing strong block ciphers, and the state of the art block ciphers were a lot slower than the widely used hash functions. Hence the HMAC construction became very popular.

Continue reading

Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.
Start free trial