Reading your SSL Web Traffic
Consider SSL. The web client and web server exchange keys and establish an encrypted tunnel, over which they then communicate. The person sees the reassuring padlock and begins entering...
2008 US Presidential Elections Predicted
Hashing functions such as MD5 are susceptible to collisions. That is, someone can take two documents and tailor them such that the resulting MD5 hashes are identical. One group showed this particularly...
Criminal Intent and Cryptography (IANAL)
The question is back in the news: is using encryption a sign you are criminal? In May of 2005, a Minnesota court filed a ruling that upheld a conviction in part based on the presence of encryption...
Audit for SSL/TLS renegotiation
An SSL/TLS renegotiation attack has been carried out against Twitter. The Register has some details on the Twitter attack, while Educated Guesswork has the technical details on the renegotiation...
Microsoft embraces and extends IPSec NULL
IPsec provides authentication, integrity, and confidentiality. In IPv4, IPsec generates an AH (Authentication Header) that provides packet header integrity using a cryptographic hash. ESP...
Not-so-secure implementations of SecureString
Microsoft .NET has an object for safely and securely handling passwords: System.Security.SecureString. "The value of a SecureString object is automatically encrypted, can be modified until your...
Incog: past, present, and future
I spent last summer tinkering with covert channels and steganography. It is one thing to read about a technique. It is quite another to build a tool that demonstrates a technique. To do the thing is to...
Configuring trusted keys and certificates (PCI-DSS)
PCI-DSS 3 requires that in-scope devices, like cash register computers or payment processing servers, accept only trusted certificates. Specifically, it states: Protect Cardholder Data. Requirement 4:...