Categories
Cryptography

Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022

A cartoon wild canid on the Internet provides general guidance on elliptic curve cryptography parameter choices.

Categories
Cryptography Software Security

Using RSA Securely in 2022

If you really must support RSA in 2022, here’s some things to keep in mind.

Categories
Cryptography

Understanding HKDF

HKDF has poorly-understood subtleties. Let’s explore them in detail.

Categories
Cryptography

Programmers Don’t Understand Hash Functions

Programmers don’t understand hash functions, and I can demonstrate this to most of the people that will read this with a single observation: When you saw the words “hash function” in the title, you might have assumed this was going to be a blog post about password storage. (Passwords are the most common knee-jerk reaction […]

Categories
Cryptography Software Security

Canonicalization Attacks Against MACs and Signatures

Canonicalization Attacks occur when a protocol that feeds data into a hash function used in a Message Authentication Code (MAC) or Digital Signature calculation fails to ensure some property that’s expected of the overall protocol. The textbook example of a canonicalization attack is the length-extension attack against hash functions such as MD5–which famously broke the […]

Categories
Cryptography

Understanding Extended-Nonce Constructions

How and why XSalsa20/XChaCha were designed, and why they’re secure.

Categories
Cryptography Software Security

Cryptography Interface Design is a Security Concern

Cryptographers and cryptography engineers love to talk about the latest attacks and how to mitigate them. LadderLeak breaks ECDSA with less than 1 bit of nonce leakage? Raccoon attack brings the Hidden Number attack to finite field Diffie-Hellman in TLS? And while this sort of research is important and fun, most software developers have much […]

Categories
Cryptography Software Security

Please Stop Encrypting with RSA Directly

RSA is for encrypting symmetric keys, not entire messages. Pass it on.

Categories
Cryptography

Cryptographic Wear-Out for Symmetric Encryption

As we look upon the sunset of a remarkably tiresome year, I thought it would be appropriate to talk about cryptographic wear-out. What is cryptographic wear-out? It’s the threshold when you’ve used the same key to encrypt so much data that you should probably switch to a new key before you encrypt any more. Otherwise, […]

Categories
Cryptography Software Security

The Subtle Hazards of Real-World Cryptography

Imagine you’re a software developer, and you need to authenticate users based on a username and password. If you’re well-read on the industry standard best practices, you’ll probably elect to use something like bcrypt, scrypt, Argon2id, or PBKDF2. (If you thought to use something else, you’re almost certainly doing it wrong.) Let’s say, due to […]

Categories
Cryptography

Going Bark: A Furry’s Guide to End-to-End Encryption

Governments are back on their anti-encryption bullshit again. Between the U.S. Senate’s “EARN IT” Act, the E.U.’s slew of anti-encryption proposals, and Australia’s new anti-encryption law, it’s become clear that the authoritarians in office view online privacy as a threat to their existence. Normally, when the governments increase their anti-privacy sabre-rattling, technologists start talking more […]

Categories
Cryptography

Designing New Cryptography for Non-Standard Threat Models

Since the IETF’s CFRG decided to recommend OPAQUE as a next-generation Password Authenticated Key Exchange, there has been a lot of buzz in the cryptography community about committing authenticated encryption (known to the more academically inclined as Random Key Robustness), because OPAQUE requires an RKR-secure AE scheme. Random Key Robustness is a property that some […]

Categories
Cryptography Software Security

Soatok’s Guide to Side-Channel Attacks

If you’re ever tasked with implementing a cryptography feature–whether a high-level protocol or a low-level primitive–you will have to take special care to ensure you’re not leaking secret information through side-channels. The descriptions of algorithms you learn in a classroom or textbook are not sufficient for real-world use. (Yes, that means your toy RSA implementation […]

Categories
Cryptography

Comparison of Symmetric Encryption Methods

There seems to be a lot of interest among software developers in the various cryptographic building blocks (block ciphers, hash functions, etc.), and more specifically how they stack up against each other. Today, we’re going to look at how some symmetric encryption methods stack up against each other. If you’re just looking for a short […]

Categories
Cryptography

Why AES-GCM Sucks

If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implementations of cryptography, and my years of experience in this field have led me to dislike AES-GCM. This post is about why I dislike AES-GCM’s design, not […]

Categories
Cryptography

A Furry’s Guide to Digital Signature Algorithms

Let’s talk about digital signature algorithms. Digital signature algorithms are one of the coolest ideas to come out of asymmetric (a.k.a. public-key) cryptography, but they’re so simple and straightforward that most cryptography nerds don’t spend a lot of time thinking about them. Even though you are more likely to run into a digital signature as […]