*Accidental* cryptographic nonce reuse can compromise even otherwise-robust systems. Our blog uncovers subtle vulnerabilities in bidirectional encrypted channels and threshold signature schemes.

What we found:
- Global nonce counters may not prevent reuse across multiple parties
- Bidirectional channels require careful key and nonce management
- If two parties can send messages with the same nonce, this can leak authentication keys, allowing an eavesdropper to tamper with later messages

We recommend using separate keys for each communication direction and leveraging established protocols like the Noise Framework.

Cryptosystem security often hinges on seemingly minor implementation details. Robust nonce management is crucial for maintaining the integrity of encrypted communications. As the complexity of cryptographic systems grows, so does the importance of thorough security reviews.

https://lnkd.in/gcCVhHvk
Trail of Bits’ Post
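The cross-direction nonce collision the post describes, as an added example (not Trail of Bits' code and not from the linked blog). It models a bidirectional channel in which both ends share one key and each keeps its own counter starting at zero, so the first message in each direction is encrypted under the same (key, nonce) pair; the eavesdropper then recovers one plaintext from the other by XOR. The mitigation shown is the one the post recommends: derive a separate key per direction from the shared secret, plus a receive-side check that refuses a repeated nonce. The cipher is a constructed SHA-256 keystream standing in for the CTR half of an AEAD; it shows the keystream-reuse leak, while the authentication-key leak the post mentions is the additional GCM-specific consequence that this toy does not model. The key, labels and messages are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream: SHA-256 in counter mode over key || nonce || ctr.
    Not a cipher to deploy; it only has the property that matters here:
    the same (key, nonce) pair always yields the same keystream."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


class SharedKeyEndpoint:
    """Flawed design: one key for both directions and a per-side counter that
    starts at zero, so A's first message and B's first message carry the same
    nonce under the same key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        return nonce, encrypt(self.key, nonce, plaintext)


def derive_direction_key(shared_key: bytes, label: bytes) -> bytes:
    # One HKDF-Expand-style step with HMAC-SHA256; the labels are this example's own.
    return hmac.new(shared_key, label, hashlib.sha256).digest()


class DirectionalEndpoint:
    """Recommended design: a distinct key per direction derived from the shared
    secret, plus a receive-side check that rejects a nonce seen before."""

    def __init__(self, shared_key: bytes, initiator: bool) -> None:
        a2b = derive_direction_key(shared_key, b"initiator->responder")
        b2a = derive_direction_key(shared_key, b"responder->initiator")
        self.send_key, self.recv_key = (a2b, b2a) if initiator else (b2a, a2b)
        self.counter = 0
        self.seen_nonces = set()

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        nonce = self.counter.to_bytes(12, "big")
        self.counter += 1
        return nonce, encrypt(self.send_key, nonce, plaintext)

    def receive(self, nonce: bytes, ciphertext: bytes) -> bytes:
        if nonce in self.seen_nonces:
            raise ValueError("nonce reuse detected on this direction")
        self.seen_nonces.add(nonce)
        return encrypt(self.recv_key, nonce, ciphertext)


def eavesdropper_recovers(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With identical keystreams, c1 XOR c2 == p1 XOR p2, so a known (or
    guessed) p1 reveals p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


# Constructed demo inputs; the key is not a real secret.
SHARED_KEY = hashlib.sha256(b"constructed demo key").digest()
P_A = b"transfer 100 to account 4471"
P_B = b"ack: transfer ref 00931"


def demo_shared_key() -> bool:
    """True when the eavesdropper recovers B's message from A's."""
    a, b = SharedKeyEndpoint(SHARED_KEY), SharedKeyEndpoint(SHARED_KEY)
    n1, c1 = a.send(P_A)
    n2, c2 = b.send(P_B)
    assert n1 == n2  # both sides used nonce 0 under the same key
    return eavesdropper_recovers(c1, c2, P_A) == P_B


def demo_directional() -> bool:
    """Same nonce on both sides, but different keys: the XOR trick fails."""
    a = DirectionalEndpoint(SHARED_KEY, initiator=True)
    b = DirectionalEndpoint(SHARED_KEY, initiator=False)
    n1, c1 = a.send(P_A)
    n2, c2 = b.send(P_B)
    assert n1 == n2 and b.receive(n1, c1) == P_A and a.receive(n2, c2) == P_B
    return eavesdropper_recovers(c1, c2, P_A) == P_B


def demo_replay_rejected() -> bool:
    """A repeated nonce on one direction is refused by the receiver."""
    a = DirectionalEndpoint(SHARED_KEY, initiator=True)
    b = DirectionalEndpoint(SHARED_KEY, initiator=False)
    n, c = a.send(P_A)
    b.receive(n, c)
    try:
        b.receive(n, c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shared key + shared counter space leaks:", demo_shared_key())  # True
    print("per-direction keys leak:", demo_directional())                 # False
    print("replayed nonce rejected:", demo_replay_rejected())             # True
```

The per-direction keys are what the Noise Framework's split step gives you for free; a direction bit in the nonce would also separate the two counter spaces, but it does nothing if a later process restart resets a counter, which is why the receive-side replay set is kept as well.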
More Relevant Posts
Transformational IT Leader | Expertise in Cybersecurity, Cloud Solutions, and Cost Optimisation | MBA, CISSP, BSc.
https://lnkd.in/d7FrxNnJ

We all know 3DES (Triple DES) has security weaknesses and is deprecated for new applications. But did you know NIST now discourages its use altogether? Despite this, many environments continue using 3DES, leaving them vulnerable to attacks.

Free Tools Available:
- Use Nmap (nmap.org) to identify enabled ciphers on your systems.
- For IIS servers, leverage the IIS Crypto tool by Nartac Software (www.nartac.com) to manage ciphers.
- SSL Server Test from Qualys SSL Labs (www.ssllabs.com) can also be used to remotely test the ciphers used on a website.

Migrate to Stronger Encryption: Consult your IT team to disable 3DES and prioritise robust encryption algorithms like AES. By actively migrating away from 3DES, we can significantly improve our systems' security posture and protect sensitive data.

#encryption #networksecurity
What Is Over 50 Years Old, And Still Used in Cybersecurity (But Now Banned)?
asecuritysite.com
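The Nmap step above, taken one step further as an added example (not the post author's code): a small parser that reads the output of `nmap --script ssl-enum-ciphers -p 443 <host>` and lists the cipher suites you would want disabled, with 3DES first among them. The sample output below is constructed in the shape of that script's report; the host, grades and cipher list are invented, and the list of weak name fragments is this example's own choice, not an Nmap or NIST list.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `nmap --script ssl-enum-ciphers -p 443 <host>`
# output; the host and the cipher list are invented for this example.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""

PROTOCOL_RE = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Name fragments this example treats as "disable": 3DES plus the usual suspects.
WEAK_FRAGMENTS = ("3DES", "_DES_", "RC4", "NULL", "EXPORT", "MD5")


def parse_enum_ciphers(text: str) -> List[Dict[str, str]]:
    """One record per (protocol, cipher suite) pair in the script output."""
    records: List[Dict[str, str]] = []
    protocol = None
    for line in text.splitlines():
        m = PROTOCOL_RE.match(line)
        if m:
            protocol = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m and protocol:
            records.append({"protocol": protocol, "cipher": m.group(1),
                            "kex": m.group(2), "grade": m.group(3)})
    return records


def weak_ciphers(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if any(f in r["cipher"] for f in WEAK_FRAGMENTS)]


def uses_3des(records: List[Dict[str, str]]) -> bool:
    return any("3DES" in r["cipher"] for r in records)


def report(text: str) -> List[str]:
    """Human-readable findings, one line per weak suite per protocol version."""
    return [f"{r['protocol']}: {r['cipher']} (grade {r['grade']}) - disable"
            for r in weak_ciphers(parse_enum_ciphers(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_NMAP_OUTPUT):
        print(line)
```

Run it against a saved scan with `nmap --script ssl-enum-ciphers -p 443 host -oN scan.txt` and feed the file to `report`; in this sample the same 3DES suite appears under two protocol versions, which is exactly the kind of thing a quick visual read of the scan tends to miss.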
Is your cryptography actually secure? If you're using RSA encryption with an older implementation, it very likely isn't. For the past few years my team at Red Hat has been working on looking for side-channel attacks, fixing them, verifying those fixes and shipping them. In total, we've found nearly 40 vulnerable implementations or components using RSA encryption, from bugs in OpenSSL, through frameworks like .NET and Node.js, to applications that use RSA encryption directly like iperf3 or gpg. Only two tested implementations turned out to be safe, BearSSL and BoringSSL; every other implementation tested turned out to be vulnerable. You can read more about it at the Red Hat blog: https://lnkd.in/dbVN4fcm
The Marvin Attack
redhat.com
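The shape of the bug behind these findings, as an added example (not Red Hat's code and not taken from the linked write-up). The Marvin attack is a timing variant of Bleichenbacher's padding-oracle attack on RSA PKCS#1 v1.5 decryption: a decryptor whose padding check bails out at the first failing byte takes a different amount of time for each failure mode, and those differences are the oracle. The first function below is the textbook early-return unpadding; the second examines every byte and folds all failures into one flag; the third wraps it in "implicit rejection", returning a pseudorandom message derived from a secret and the ciphertext instead of an error, so a caller behaves identically whether the padding was valid or not. CPython gives no timing guarantees, so this is the structure a fix takes, not a measured constant-time implementation; the encoded messages, ciphertext bytes and secret are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def unpad_leaky(em: bytes) -> Optional[bytes]:
    """Textbook PKCS#1 v1.5 type-2 unpadding (EM = 00 || 02 || PS || 00 || M)
    with early returns. Each check fails at a different point and therefore
    at a different time; an attacker who can time decryptions learns which
    check failed, which is the oracle Bleichenbacher-style attacks need."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    try:
        sep = em.index(b"\x00", 2)
    except ValueError:
        return None
    if sep < 10:  # PS must be at least 8 non-zero bytes
        return None
    return em[sep + 1:]


def unpad_branchless(em: bytes) -> Tuple[int, int]:
    """Examine every byte of EM exactly once and fold all failures into one
    flag. Returns (bad, separator_index). The loop does the same work
    whatever the content; only the public length is branched on."""
    if len(em) < 11:  # length is public; this branch leaks nothing secret
        return 1, len(em)
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    sep = len(em)  # sentinel: no separator found
    found = 0
    for i in range(2, len(em)):
        is_zero = int(em[i] == 0x00)
        take = is_zero & (1 - found)  # only the first zero counts
        sep = sep * (1 - take) + i * take
        found |= is_zero
    bad |= 1 - found
    bad |= int(sep < 10)
    return bad, sep


def decrypt_with_implicit_rejection(em: bytes, ciphertext: bytes,
                                    kdk_secret: bytes, msg_len: int) -> bytes:
    """On bad padding, return a pseudorandom message derived from a secret
    and the ciphertext rather than an error. The same ciphertext always maps
    to the same synthetic message, so retries reveal nothing, and the caller
    takes the same path for valid and invalid padding. Illustration of the
    approach, not any library's implementation; the synthetic length is fixed
    here, whereas real implementations derive it from the KDK as well."""
    bad, sep = unpad_branchless(em)
    kdk = hmac.new(kdk_secret, ciphertext, hashlib.sha256).digest()
    synthetic = hashlib.sha256(kdk + b"synthetic").digest()[:msg_len]
    # Written as a branch for readability; a real implementation selects with masks.
    return synthetic if bad else em[sep + 1:]


# Constructed inputs: a stand-in for the RSA-decrypted block and ciphertext bytes.
SECRET = hashlib.sha256(b"constructed key-derivation secret").digest()
CT = b"\x9c" * 16
EM_GOOD = b"\x00\x02" + b"\x5a" * 8 + b"\x00" + b"hello"
EM_BAD_TYPE = b"\x00\x01" + b"\x5a" * 8 + b"\x00" + b"hello"
EM_SHORT_PS = b"\x00\x02" + b"\x5a" * 3 + b"\x00" + b"hello"
EM_NO_SEP = b"\x00\x02" + b"\x5a" * 14


if __name__ == "__main__":
    for name, em in [("good", EM_GOOD), ("bad type", EM_BAD_TYPE),
                     ("short PS", EM_SHORT_PS), ("no separator", EM_NO_SEP)]:
        print(name, unpad_leaky(em), unpad_branchless(em),
              decrypt_with_implicit_rejection(em, CT, SECRET, 5))
```

The point to take from the three invalid blocks is that the implicit-rejection output is the same 5-byte value for the same ciphertext whatever went wrong, so nothing downstream (error message, log line, response time) depends on which padding check failed.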
To assure confidentiality, integrity, identity, and non-repudiation in a non-secured context, we use cryptography, which is where we meet mathematics; that is why, as you know, cryptography is such a headache.

One protocol that is used to build a trust relationship between two actors is Kerberos, which originated at MIT and is now one of the standard network authentication protocols. It uses two layers of protection: an authentication server to which users log on, and a ticket granting server to allow access to certain resources. In a university, students will log in, then request access to books and whatnot.

Let A be the client (you), B be the resource you want to access, and S be the server. After logging in, you ask the server S for permission to access a certain resource B. The server responds with a message that contains the session's timestamp, the session's lifetime, B's identifier, your identifier, and a session key K, all encrypted so that only the resource can read it; you are also provided with a copy of this information that only you can read. Next, you take the copy that can only be read by B and send it to B, along with your ID and a new session timestamp. If the resource is online and can successfully decrypt the message, it replies to you by sending back (timestamp + 1).

The protocol has some vulnerabilities. It is a Trusted Third Party protocol (because of the server): if that third party is targeted (whether by a hacker or by the police), then the system is compromised. Another vulnerability is the clocks that are used to generate the timestamps: if they are desynchronized (intentionally or unintentionally), the system is also compromised and services are denied.
JSON Web Tokens (JWTs) have become a cornerstone for securely transmitting information in web applications, especially for authentication and authorization. However, improper JWT configuration can expose your application to significant security risks.

The article below from Truffle Security Co. shows a prevalent issue, which is the use of easily guessable symmetric keys like "secret," "123456789," and "password" to sign JWTs, instead of employing randomly generated keys. This vulnerability often stems from insufficient developer training. To address this, consider the following steps:
- Generate Random Keys: Ensure that symmetric keys are securely and randomly generated.
- Upgrade to Asymmetric Keys: Consider RSA/ECDSA for enhanced security.
- Invest in Training: Regularly train your development teams on secure coding best practices and the critical aspects of JWT configuration.

By focusing on security training and following best practices, you can substantially improve the security of your applications.

#Security #AppSec #Coding
Stop Recommending JWTs (with symmetric keys) ◆ Truffle Security Co.
trufflesecurity.com
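What a guessable HS256 key costs in practice, as an added example (not the post author's or Truffle Security's code). It implements HS256 signing and verification with only the standard library, cracks a token signed with "secret" against a short wordlist offline (one HMAC per guess, no requests to the server), mints an admin token with the recovered key, and shows that a token signed with a 32-byte key from `secrets.token_bytes` survives the same wordlist. The wordlist, claims and tokens are constructed for the demo; the verifier pins the algorithm to HS256 rather than trusting the token's `alg` header, which is the other classic JWT misconfiguration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Payload if the signature is valid under key, else None. The algorithm
    is pinned on the verifier side: the token's 'alg' is checked, never used
    to pick a verification method."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        hdr = json.loads(b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed wordlist in the spirit of the defaults the article reports.
WORDLIST = [b"changeme", b"secret", b"123456789", b"password", b"admin"]


def crack_secret(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing: one HMAC per candidate, nothing sent to the server."""
    for guess in wordlist:
        if verify_hs256(token, guess) is not None:
            return guess
    return None


def generate_hs256_key() -> bytes:
    # RFC 7518 section 3.2: the key must be at least as long as the hash output,
    # i.e. 256 bits for HS256. A random 32-byte key is not in any wordlist.
    return secrets.token_bytes(32)


WEAK_KEY = b"secret"
WEAK_TOKEN = sign_hs256({"sub": "alice", "admin": False}, WEAK_KEY)


def forge_admin_token(token: str, wordlist: Iterable[bytes]) -> Optional[str]:
    """What an attacker does with a cracked key: mint a token with whatever
    claims they like, which the server then accepts as genuine."""
    key = crack_secret(token, wordlist)
    if key is None:
        return None
    return sign_hs256({"sub": "alice", "admin": True}, key)


def demo() -> dict:
    forged = forge_admin_token(WEAK_TOKEN, WORDLIST)
    strong_token = sign_hs256({"sub": "alice", "admin": False}, generate_hs256_key())
    return {
        "cracked_key": crack_secret(WEAK_TOKEN, WORDLIST),
        "forged_accepted_as_admin": verify_hs256(forged, WEAK_KEY)["admin"] if forged else None,
        "strong_key_cracked": crack_secret(strong_token, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The wordlist here is five entries; the real attack runs the same loop over millions of candidates at HMAC speed, which is why a key that is a word at all is a key that is already lost.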
🔐 Understanding DER Format in Cryptography 🔐

If you've worked with digital signatures or certificates, you've probably encountered the term DER format. But what exactly is it?

DER (Distinguished Encoding Rules) is a binary encoding method commonly used in X.509 certificates, public keys, and digital signatures. It's part of the ASN.1 (Abstract Syntax Notation One) standard, which ensures data is structured in a consistent way across systems.

Key Features of DER:
- Binary format: More compact and efficient compared to text-based formats like PEM.
- Structured encoding: Data is encoded as TLV (Tag-Length-Value), ensuring each element is identifiable and appropriately sized.
- Widely used: Essential in protocols like SSL/TLS, PKI, and digital certificates.

Example: Here's an example of an ECDSA signature in DER format (hex representation):

    30 44                    # SEQUENCE, length 0x44 (68 bytes)
    02 20                    # INTEGER, length 0x20 (32 bytes) - r value
    59 5A C7 B3 ... BE 34
    02 20                    # INTEGER, length 0x20 (32 bytes) - s value
    4B 32 5A 72 ... E3 77

In this example, the two INTEGER values represent r and s, essential components of the ECDSA signature. The SEQUENCE tag 0x30 encapsulates the entire structure.

Whether you're verifying certificates, handling encrypted data, or implementing cryptographic systems, understanding DER format is crucial!

#Cryptography #DERFormat #Security #Cybersecurity #PKI #DigitalSignatures #SSL #TLS #X509
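A strict parser and encoder for the `SEQUENCE { r INTEGER, s INTEGER }` structure shown above, as an added example (not the post author's code). It goes slightly beyond the post in two ways a verifier cares about: it handles long-form lengths (0x81/0x82) as well as the short form in the example, and it rejects encodings that BER would accept but DER forbids: non-minimal lengths, superfluous leading zero bytes, negative integers, and trailing bytes. Those leniencies are what let an attacker produce several distinct byte strings for one signature, which matters anywhere a signature's bytes are hashed or compared. The r and s values are constructed (r has its top bit set, so its INTEGER gains a leading 0x00 and is 33 bytes; s does not); the annotated-dump helper covers short-form lengths only, as in the post's example.

```python
from typing import List, Tuple


def _der_length(n: int) -> bytes:
    """Minimal DER length: short form below 0x80, else 0x81/0x82 plus the bytes."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, value, next_pos). Accepts short-form and
    one/two-byte long-form lengths; rejects non-minimal or overlong lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n == 2 and length < 0x100):
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _der_integer(value: bytes) -> int:
    """Decode a DER INTEGER that must be non-negative, as r and s are."""
    if not value:
        raise ValueError("empty INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER")
    if len(value) > 1 and value[0] == 0x00 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER (superfluous leading zero)")
    return int.from_bytes(value, "big")


def parse_ecdsa_der(sig: bytes) -> Tuple[int, int]:
    """ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }, strictly."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    if end != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    t1, r_bytes, pos = _read_tlv(body, 0)
    t2, s_bytes, pos = _read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs")
    if pos != len(body):
        raise ValueError("trailing bytes inside SEQUENCE")
    return _der_integer(r_bytes), _der_integer(s_bytes)


def encode_ecdsa_der(r: int, s: int) -> bytes:
    def integer(x: int) -> bytes:
        if x < 0:
            raise ValueError("r and s are non-negative")
        raw = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
        if raw[0] & 0x80:  # keep the value positive: prepend 0x00
            raw = b"\x00" + raw
        return b"\x02" + _der_length(len(raw)) + raw
    body = integer(r) + integer(s)
    return b"\x30" + _der_length(len(body)) + body


def describe_ecdsa_der(sig: bytes) -> List[str]:
    """Annotated dump in the style of the post's example (short-form lengths)."""
    _, body, _ = _read_tlv(sig, 0)
    lines = [f"{sig[0]:02X} {sig[1]:02X}  SEQUENCE, length {len(body)} bytes"]
    pos = 0
    for name in ("r", "s"):
        _, value, nxt = _read_tlv(body, pos)
        lines.append(f"{body[pos]:02X} {body[pos + 1]:02X}  INTEGER, length {len(value)} bytes - {name} value")
        lines.append(value.hex(" ").upper())
        pos = nxt
    return lines


def parses_cleanly(sig: bytes) -> bool:
    try:
        parse_ecdsa_der(sig)
        return True
    except ValueError:
        return False


# Constructed values: r has its top bit set (33-byte INTEGER), s does not (32 bytes).
R = (1 << 255) | 0x1234
S = (1 << 254) | 0x5678
SIG = encode_ecdsa_der(R, S)

if __name__ == "__main__":
    print("\n".join(describe_ecdsa_der(SIG)))
```

Bitcoin's BIP66 is the well-known case of this strictness being enforced after the fact, precisely because lenient DER parsing made signature bytes malleable.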
Do you know the encryption types at your disposal on IBM Z? With digital advancement and interconnectedness, safeguarding sensitive information is critical. Cryptography, an age-old practice of clandestine communication, serves as the foundation of contemporary security protocols. At its essence, cryptography encompasses a range of methods and algorithms tailored to ensure secure communication, validate users, and defend data against unauthorized access or alteration.

Check out JB Mills & Devonte' Hawkins' explanation of the encryption types at your disposal on the IBM Z platform: https://lnkd.in/grF5tM5y.
Do you know that various types of encryptions are accessible at your disposal on IBM Z?
community.ibm.com
FIPS 140: For Those Companies Who Are Serious About Cybersecurity

In cybersecurity, there's a big difference between doing it, and doing it right.

If I have learnt anything from cryptography development, it is that creating cryptography code that is secure requires considerably more effort than just getting it to work. In fact, the time spent understanding and testing the code can be over 10 times as much as just getting the code to work. I often have to analyse the core of the implementation of a single method and dive into GitHub pages of the associated code, and then run tests of its operation. In fact, each line of code, and each operation of the processor, needs to be analysed in detail. This is because a single flaw in any part of the operation of the code could bring a whole infrastructure down.

Doing cryptography right is not an easy task, and companies who are serious about it will invest a considerable amount of resources to make sure everything works well. And we have to be careful in the libraries that we use and how we implement our methods. So, how do we make sure we are using the right code integration for our applications? Well, one way is to make sure the cryptography functions that we integrate are Federal Information Processing Standard (FIPS) 140 compliant. The two main standards are FIPS 140-2 and FIPS 140-3 (which is superseding FIPS 140-2). These test the design and implementation of cryptographic modules.
FIPS 140: For Those Companies Who Are Serious About Cybersecurity
medium.com
National Institute of Standards and Technology (NIST) unveils first three post-quantum encryption standards and encryption algorithms to combat future cyber threats. Learn more: https://lnkd.in/ewEd8e6u #Cybersecurity #EncryptionAlgorithms #PostQuantumCryptography
NIST Issues 3 Post-Quantum Encryption Standards, Algorithms
executivegov.com
I keep reading papers that use Order-preserving encryption (OPE) for encrypted searches using symmetric key encryption, so I wanted to cover it in an article. Overall, OPE is a symmetric key encryption method that can be used to create an order on encrypted content. Obviously, we will lose some information in supporting the ordering of the ciphers, but the security level should still stay acceptable for the application area.

If we encrypt a value A with a key k to get Ek(A), and then encrypt B to get Ek(B), then if A<B:

    Ek(A)<Ek(B)

Read more here:
Order-Preserving Encryption (OPE)
medium.com
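The Ek(A)<Ek(B) property in running code, together with the "some information is lost" side of it, as an added example (not the post author's code or anything from the linked article). The scheme is a constructed one: a key-derived table of strictly positive gaps, so E(x) is the running sum of the gaps up to x and is strictly increasing by construction. It is enough to show what OPE buys (a server answers a range query over ciphertexts with comparisons alone, no key) and what it leaks: the rank of every record, equality between records because the scheme is deterministic, and, given a couple of known plaintext/ciphertext pairs, a usable estimate of every value by interpolation. Practical OPE schemes such as Boldyreva et al.'s avoid the O(domain) table but have the same leakage profile. The key, the "ages" column and the known pairs are all constructed for the demo.

```python
import bisect
import hashlib
import hmac
from typing import Dict, List


class ToyOPE:
    """Key-derived monotone table: E(x) = sum of g(0..x) with
    g(i) = 1 + PRF_k(i) mod max_gap. Every gap is positive, so the map is
    strictly increasing and x < y implies E(x) < E(y). Constructed for this
    example; it is deterministic and order-revealing like any OPE scheme."""

    def __init__(self, key: bytes, domain_size: int, max_gap: int = 1000) -> None:
        self.table: List[int] = []
        acc = 0
        for x in range(domain_size):
            prf = hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()
            acc += 1 + int.from_bytes(prf[:4], "big") % max_gap
            self.table.append(acc)

    def encrypt(self, x: int) -> int:
        if not 0 <= x < len(self.table):
            raise ValueError("plaintext outside domain")
        return self.table[x]

    def decrypt(self, c: int) -> int:
        i = bisect.bisect_left(self.table, c)
        if i == len(self.table) or self.table[i] != c:
            raise ValueError("not a ciphertext under this key")
        return i


def server_range_query(ciphertexts: List[int], c_lo: int, c_hi: int) -> List[int]:
    """Server side: a range predicate over ciphertexts needs comparisons only,
    no key. That is the functionality OPE buys."""
    return [c for c in ciphertexts if c_lo <= c <= c_hi]


def order_preserved(ope: ToyOPE, values: List[int]) -> bool:
    """Sorting ciphertexts sorts the plaintexts: the defining property."""
    return [ope.decrypt(c) for c in sorted(ope.encrypt(v) for v in values)] == sorted(values)


def attacker_view(ciphertexts: List[int], known: Dict[int, int]) -> List[float]:
    """What an eavesdropper on the server learns without the key: rank and
    equality come for free, and a few known ciphertext->plaintext pairs give
    a linear-interpolation estimate of every other value."""
    ks = sorted(known)
    estimates = []
    for c in ciphertexts:
        lo = max([k for k in ks if k <= c], default=None)
        hi = min([k for k in ks if k >= c], default=None)
        if lo is None or hi is None:
            estimates.append(float("nan"))
        elif lo == hi:
            estimates.append(float(known[lo]))
        else:
            estimates.append(known[lo] + (known[hi] - known[lo]) * (c - lo) / (hi - lo))
    return estimates


# Constructed demo key and data; the "ages" column stands in for a sensitive field.
DEMO_KEY = hashlib.sha256(b"constructed OPE key").digest()


def demo() -> dict:
    ope = ToyOPE(DEMO_KEY, 256)
    ages = [23, 45, 31, 67, 45]
    cts = [ope.encrypt(a) for a in ages]
    hits = server_range_query(cts, ope.encrypt(30), ope.encrypt(50))
    known = {ope.encrypt(0): 0, ope.encrypt(255): 255}  # two leaked pairs
    return {
        "order_preserved": order_preserved(ope, ages),
        "range_hits": [ope.decrypt(c) for c in hits],
        "equal_plaintexts_equal_ciphertexts": cts[1] == cts[4],
        "estimates": attacker_view(cts, known),
    }


if __name__ == "__main__":
    print(demo())
```

The estimates at the end are the caveat the post gestures at: with only the two endpoint pairs, the attacker places every age within a few years of its true value without ever touching the key, which is acceptable for some columns and disastrous for others.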
Just shared a new post exploring the critical role of cryptography in today's tech landscape. Join me as I unravel the secrets behind secure communication and data protection.

#Cryptography #CyberSecurity #Encryption #Decryption #FHE #AES #DES #RSA #ECC #Homomorphic Encryption #ZKP

Link: https://lnkd.in/gR2p9mj4

Topics Available in Blog!!!
1. Classical Encryption Techniques
2. Block Cipher and Data Encryption Standards
3. Basic Algebra Theory for AES
4. Advanced Encryption Standards (AES)
5. Multiple Encryption and Triple DES
6. Block Cipher Operation
7. Pseudorandom Number Generation and Stream Cipher
8. Public Key Cryptography and RSA
9. Diffie-Hellman Key Exchange
10. Elgamal Cryptographic System
11. Elliptic Curve Cryptography
12. Cryptographic Hash Function
13. Background of Secure Hash Function (SHA) and SHA-512
14. Secure Hash Function-3 (SHA-3)
15. Basics of Message Authentication Code (MAC)
16. MACs Based on Hash Function (HMAC)
17. MAC Based on Block Ciphers: DAA and CMAC
18. Counter with Cipher Block Chaining Message Authentication Code (CCM)
19. Key Wrapping and Unwrapping in Message Authentication Code
20. Pseudo-Random Number Generation Using Hash Functions and MACs
21. Basic Understanding Regarding Digital Signatures and Attacks
22. Elliptic Curve (Conversation of Una, and Jammu)
23. Byzantine Agreement
24. Zero Knowledge Proof of Knowledge
25. Sigma Protocol
26. Hybrid Cryptosystem
Cryptography and Network Security
akshitaggarwaliiit.blogspot.com
Application Security Director at Mercado Libre
(1mo) This is why using nonce-reuse-resistant schemes like AES-GCM-SIV is key to minimize human error.