The Strange Tale of Dual_EC_DRBG
Published in ASecuritySite: When Bob Met Alice · Pinned · Security · 5 min read
Julian Assange being arrested recently brought back memories of how he leaked Edward Snowden's memos around the possible existence of an NSA-sourced cryptographic backdoor: the Dual EC standard (Dual_EC_DRBG). So let's dive into the method and the trapdoor, and see the "magic" behind it. With Elliptic Curve methods…

Satoshi Selected ECDSA with the secp256k1 Curve and SHA-256. Are Other Options Available?
Published in ASecuritySite: When Bob Met Alice · 16 hours ago · Cryptography · 4 min read
Over 10 years ago, Satoshi Nakamoto wrote a classic white paper on Bitcoin, and the rest is history:

The State of TLS … ECDSA Nonce Reuse
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Cryptography · 4 min read
Satoshi Nakamoto selected ECDSA for Bitcoin transactions, and the rest is history. Ethereum has since adopted it too. But it has weaknesses, and one of the core ones is that the same nonce value must NEVER be reused for two signatures under the same private key. The signature is:

ECDSA Signatures Can Be Cracked With One Good Signature and One Bad One
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Cryptography · 4 min read
I have been reading an excellent paper [1], which outlines the use of a fault attack on ECDSA signatures. With this we need just one good signature and one bad one, where both sign the same message with the same nonce and the same private…

Getting Rid of TLS 1.2: The Weaknesses of PKCS#1 v1.5 and the Fault Attack
Published in ASecuritySite: When Bob Met Alice · 1 day ago · Cybersecurity · 4 min read
TLS is truly one of the worst and one of the best protocols. When it works well, it protects data like no other method, but its implementations have often been buggy, and it has to cope with so many options. One of its greatest weaknesses is that Eve can select the weakest cipher suite…

For the Love of Random Numbers: And a Bit of PowerShell Randomization
Published in ASecuritySite: When Bob Met Alice · 3 days ago · Cybersecurity · 5 min read
You wouldn't believe the number of code reviews I have done where I had to point out that the keys being generated were not actually random and would always be created in a predictable way. The use of random numbers can cause many problems, as developers often…

The Proper Way to Hash a Password, or Derive a Key From a Password: Meet PBKDF2
Published in ASecuritySite: When Bob Met Alice · 4 days ago · Cryptography · 3 min read
All those charts that show how long it will take to crack a hashed password are wrongly defined. Most take the cracking speed of a fast hash and use that. With a proper KDF (Key Derivation Function), we deliberately slow down the whole process…

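Worked example for the PBKDF2 entry above, added here and not taken from the article: PBKDF2-HMAC-SHA256 through Python's standard hashlib, a self-describing stored record (the record layout is this example's own, not a standard), constant-time verification, a crack-time estimate that charges each guess its iteration cost instead of the raw SHA-256 rate, and a wall-clock measurement of the slowdown. The 600,000-iteration default is OWASP's current figure for PBKDF2-HMAC-SHA256; the cracking rate used in the demo is a constructed number.

```python
import hashlib
import hmac
import os
import time

# Iteration count for new records. Each record carries its own count, so it can be
# raised later without invalidating existing hashes.
ITERATIONS = 600_000


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 8018) via the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Record layout (this example's own): algorithm$iterations$salt_hex$key_hex."""
    salt = os.urandom(16)                 # per-password random salt defeats precomputed tables
    dk = derive_key(password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = derive_key(candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time comparison


def crack_time_seconds(guesses: int, raw_sha256_per_second: float, iterations=None) -> float:
    """Time to try `guesses` candidates. A raw SHA-256 hash costs one compression per
    guess; a PBKDF2 guess costs at least 2 * iterations (one HMAC per iteration, with
    the keyed inner/outer blocks precomputed by an optimised cracker)."""
    cost = 1 if iterations is None else 2 * iterations
    return guesses * cost / raw_sha256_per_second


def measure_slowdown(iterations: int = 100_000, samples: int = 200) -> float:
    """Wall-clock ratio of one PBKDF2 guess to one raw SHA-256 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"password123").digest()
    raw = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    derive_key(b"password123", b"fixed-salt-for-timing", iterations)
    return (time.perf_counter() - t0) / raw


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "Tr0ub4dor&3"))
    # Constructed figures: a rig doing 1e10 raw SHA-256/s against 1e12 candidate passwords
    print(crack_time_seconds(10**12, 1e10) / 3600, "hours with raw SHA-256")
    print(crack_time_seconds(10**12, 1e10, ITERATIONS) / 3600 / 24 / 365, "years with PBKDF2")
    print(f"{measure_slowdown():.0f}x slower per guess")
```

Two notes on the design: the iteration count is stored with the hash so the cost can be tuned upward as hardware improves, and the comparison uses hmac.compare_digest so that a wrong candidate does not leak how many leading bytes matched.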
Does Microsoft PowerShell Do ECDSA?
Published in ASecuritySite: When Bob Met Alice · 5 days ago · Cryptography · 2 min read
Overall, Microsoft has been a little sluggish in getting into elliptic curve cryptography (ECC), but .NET and PowerShell now support it. In fact, PowerShell is now supported on Linux, macOS and Windows, and a PowerShell script can be run with the pwsh command. So, let's see if we…

RSA Weaknesses: Powersmooth and Pollard's p-1 Method
Published in ASecuritySite: When Bob Met Alice · 5 days ago · Cybersecurity · 5 min read
RSA is used in many areas of cybersecurity and is often key in proving the identity of a person or a remote website. But the strength of RSA depends on the prime numbers (p and q) selected to form the modulus (n = p·q). If there are weaknesses in the selection…

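Worked example for the Pollard p-1 entry above, added here and not taken from the article: the method computes a^M mod n for M = product of all prime powers not exceeding a bound B, so that if p-1 is B-powersmooth (every prime power dividing p-1 is at most B) then a^M = 1 (mod p) and gcd(a^M - 1, n) reveals p. The modulus is a constructed toy: p = 1009 (p-1 = 2^4·3^2·7, 16-powersmooth) and q = 1019 (q-1 = 2·509, which is not). The powersmoothness helper is the check a key generator could run on p-1 and q-1.

```python
from math import gcd


def primes_up_to(limit):
    """Sieve of Eratosthenes; returns the primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def powersmoothness(m):
    """Largest prime power dividing m; m is B-powersmooth iff this is <= B."""
    largest, q = 1, 2
    while q * q <= m:
        pe = 1
        while m % q == 0:
            m //= q
            pe *= q
        largest = max(largest, pe)
        q += 1
    return max(largest, m) if m > 1 else largest       # leftover m is a prime factor


def pollard_p_minus_1(n, B, a=2):
    """Pollard's p-1 with smoothness bound B. Returns a non-trivial factor of n,
    or None when no prime p | n has a B-powersmooth p-1 (raise B and retry)."""
    for q in primes_up_to(B):
        qe = q
        while qe * q <= B:                  # largest power of q not exceeding B
            qe *= q
        a = pow(a, qe, n)                   # a := a^(q^e) mod n
    g = gcd(a - 1, n)
    return g if 1 < g < n else None         # g == n means every factor split at once


if __name__ == "__main__":
    p, q = 1009, 1019                       # constructed toy RSA primes (see lead-in)
    n = p * q
    print(powersmoothness(p - 1), powersmoothness(q - 1))   # 16 509
    print(pollard_p_minus_1(n, 3))          # None: bound too small, 1008 does not divide M
    print(pollard_p_minus_1(n, 16))         # 1009: 1008 divides M = 2^4*3^2*5*7*11*13
```

For randomly generated primes of the sizes used in real RSA keys, p-1 being smooth enough for this to work is astronomically unlikely; the attack matters when primes are generated from a small or structured set, which is exactly what a powersmoothness check on p-1 and q-1 catches.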
RSA: Continued Fractions — The Wiener Attack
Published in ASecuritySite: When Bob Met Alice · 6 days ago · Cryptography · 4 min read
In 1990, Michael Wiener described an attack on RSA that exploits a short decryption exponent and uses continued fractions [1]:

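Worked example for the Wiener attack entry above, added here and not taken from the article: because e·d = 1 + k·φ(n) and φ(n) is close to n, the fraction k/d appears among the convergents of the continued fraction of e/n whenever d < n^(1/4)/3. Each convergent is tested by computing the candidate φ, then p + q = n - φ + 1 and checking that x^2 - (p+q)x + n has integer roots. The key is a constructed toy: p = 239, q = 379, d = 5 (below the bound), e = d^-1 mod φ(n) = 17993.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    cf = []
    while den:
        a = num // den
        cf.append(a)
        num, den = den, num - a * den
    return cf


def convergents(cf):
    """Yield successive convergents h/k using h_i = a_i h_{i-1} + h_{i-2} (same for k)."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    for a in cf:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Try each convergent k/d of e/n as the (k, d) in e*d = 1 + k*phi(n).
    Returns (d, p, q) with p < q, or None if no convergent yields a factorisation."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                   # p + q if phi is correct
        disc = s * s - 4 * n              # (p - q)^2 if phi is correct
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t != disc or (s + t) % 2:
            continue
        p, q = (s + t) // 2, (s - t) // 2
        if p * q == n:
            return d, min(p, q), max(p, q)
    return None


def wiener_bound(n):
    """Integer approximation of n^(1/4) / 3; private exponents below it are recoverable."""
    return isqrt(isqrt(n)) // 3


if __name__ == "__main__":
    n, e = 90581, 17993                   # constructed toy key: p = 239, q = 379, d = 5
    print(wiener_bound(n))                # 5
    print(wiener_attack(e, n))            # (5, 239, 379)
    print(wiener_attack(11, n))           # None: for e = 11 the matching d is large
```

The defence is simply never to choose a small d for speed: with a standard e such as 65537 and a random modulus, d is of the same size as n and lies far above Wiener's bound.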