Published in ASecuritySite: When Bob Met Alice · Pinned · Member-only · The Strange Tale of Dual_EC_DRBG · Julian Assange being arrested recently brought back memories of how he leaked Edward Snowden’s memos around the possible existence of an NSA-sourced cryptographic backdoor — the Dual EC standard (Dual_EC_DRBG). So let’s dive into the method and the trap door, and see the “magic” behind it. With Elliptic Curve methods… · Security · 5 min read
Published in ASecuritySite: When Bob Met Alice · 10 hours ago · ASCON is a Light-weight Champion · Since 2016, NIST has been assessing light-weight encryption methods, and, in 2022, NIST published the final 10: ASCON, Elephant, GIFT-COFB, Grain128-AEAD, ISAP, Photon-Beetle, Romulus, Sparkle, TinyJambu, and Xoodyak (Table 1). … · Cryptography · 5 min read
Published in ASecuritySite: When Bob Met Alice · 21 hours ago · What’s Holding You Back From Encrypting By Default? Meet Envelope Encryption and the Cloud · Why can’t data in the public cloud be even more secure than an on-premise solution? — Keeping Your Secrets To Yourself — Introduction: Increasingly we see an encryption tick-box for data storage in the Cloud. S3 buckets, RDS, DynamoDB and EBS are just four storage services that can be enabled for encryption. With this, we either use the AWS-generated key or the customer-generated key in the KMS (Key Management Store). The KMS stores the… · Cryptography · 4 min read
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Digital Sovereignty: Hold Your Own Keys (HYOKs) · There’s a feeling that on-premise Cloud based systems are always more secure. This is just not the case, and a data infrastructure running in a public cloud environment can be even more secure. Why? Well, few companies properly run data encryption and strong access control on their on-premise systems… · Cryptography · 3 min read
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Beware of the Latest Ransomware Attack on ESXi Servers · A vulnerability, tracked as CVE-2021-21974, on the OpenSLP service is being used to attack unpatched VMware ESXi servers. At the current time there are hundreds of servers affected, and France seems to be particularly badly affected. If you use Shodan, then try ‘html:”We hacked your company successfully”… · Cybersecurity · 2 min read
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Back on the Cybersecurity Demo Road … · Well, that was a strange three years. The last major hands-on demonstration I gave at a live event was on 9 Nov 2019 [here]: · Cybersecurity · 2 min read
Published in ASecuritySite: When Bob Met Alice · 2 days ago · The Strange Tale of the Disappearing Salt … Meet OpenSSL · Wouldn’t it be annoying if you did a calculation on your calculator and got a certain answer, and then someone with a different calculator got a different answer? Well, that’s what has happened with OpenSSL. So with OpenSSL, you can’t live with it, and you can’t live without it. For… · Cybersecurity · 3 min read
Published in ASecuritySite: When Bob Met Alice · 3 days ago · Schnorr and Bernstein joins Rivest, Johnson and Kravitz: EdDSA Joins The Digital Signature Hall of Fame · This week NIST published a new update to its FIPS 186 standard with Version 5, and officially adopted the EdDSA signature in the world of DSS (Digital Signature Standard) [here]: · Cybersecurity · 9 min read
Published in ASecuritySite: When Bob Met Alice · 5 days ago · Say Hello To The EdDSA Standard and FIPS 186-5 (And A Long Goodbye to DSA) · If you are into cybersecurity, what standards should you be audited to? Well, the US government defines a number of standards that many companies comply with, and one of the strongest is FIPS (Federal Information Processing Standard) 140. This standard defines a number of levels that define the security level… · Cybersecurity · 7 min read
Published in ASecuritySite: When Bob Met Alice · 5 days ago · RFC 9116: File Format to Aid in Security Vulnerability Disclosure · In 2022, Foudil and Shafranovich published [here]: · Cybersecurity · 2 min read