Matasano Chargen » Blog Archive » Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
Professional crypto people don’t even get this stuff right. But if you have to encrypt something, you might as well use something that has already been tested.
Matasano ChargenCryptographic Right Answers
"list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations"
Thanks to my background as FreeBSD Security Officer, as a cryptographic researcher, and as the author of the Tarsnap secure online backup system, I am frequently asked for advice on using cryptography as a component in secure systems. While some people argue that you should never use cryptographic primitives directly and that trying to teach people cryptography just makes them more likely to shoot themselves in their proverbial feet, I come from a proud academic background and am sufficiently optimistic about humankind that I think it's a good idea to spread some knowledge around. In light of this, I've put together a list of "Cryptographically Right Answers" -- which is to say, a list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations.
Recommendations about cryptographyCrypTool - Educational Tool for Cryptography and Cryptanalysis
** Posted using Viigo: Mobile RSS, Sports, Current Events and more **
Educational hacking comic from Korea that writes up how to solve a DEFCON challenge.Moserware: A Stick Figure Guide to the Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)
good explanation of AES Rijndael.A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com
Encrypt data sentback to a server - quickly
ink is really cool, though, is that the photo also shows the agent’s worksheet:
GermanBenlog » Don’t Hash Secrets
I know very little about cryptography, but I do find it fascinating. This article seems to have solid, real-world advice, yet it is written in a way that even I can understand it. People who can write like this impress me.
why hash is not securityNational Security Agency Releases History of Cold War Intelligence Activities
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB260/index.htm Very interesting history of a once "black" agency.Product Details - Sectéra® Edge™ SME PED - Overview
The Sectéra® Edge™ smartphone converges secure wireless voice and data by combining the functionality of a wireless phone and PDA — all in one easy-to-use handheld device. Developed for the National Security Agency’s Secure Mobile Environment Portable Electronic Device (SME PED) program, the Sectéra Edge is certified to protect wireless voice communications classified Top Secret and below as well as access e-mail and websites classified Secret and below. The Sectéra Edge is the only SME PED that switches between an integrated classified and unclassified PDA with a single key press.
General Dynamics C4 Systems is a leading integrator of network-centric command, control, communication and computing solutions from space to ground - core to edge. The company’s focus is on engineering and integrating secure communication, information and technology solutions that facilitate the delivery of relevant information to speed the decision cycle, so our customers can see, hear, decide and act with absolute confidence - faster and more effectively.
Obama's new Blackberry - Sectera Edge by General Dynamics, the only smart phone NSA rated for Top Secret communications. http://is.gd/fZqn [from http://twitter.com/eighteyes/statuses/1139490924]
Obama's new NSA-approved phonestaple / unstaple
A tool that forces people to commit a crime if they want to prove an archive contains stolen content. Turning the DMCA against those who try to use it. Cute in a contrarian activist sort of way.
staple is a program that inseparably binds together the data in a file using a cryptographic mechanism known as an All-or-nothing transform. In its most basic form (when executed as staple 0), the transformation is keyless; that is, no key is required to reverse it, however all the data is required. Thus, running unstaple on the output .staple file yields the original file, but running it on any subset of the .staple file yields nothing.
[...]It has been suggested that this scenario occurs if Alice is a content producer/owner, Bob is a content piracy group, and Charlie is a user unconcerned about copyright infringement. Taking their last example: Alice could pretend to have brute-forced the key k rather than recovered from B and r, no? And is all-or-nothing so hard to do? what about making c=k xor H(Ek(m)) | Ek(m) ? You need the full data to compute the hash on the encrypted message to recover the key and decrypt the message. And you can throw away part of the key also in this scheme UPDATE: hum actually it appears that it's precisely what he's doing :-)
all or nothing cryptographic transform
Encrypted VOIP and SMS for Android phones.
crypto apps for the Android phone: voip and secure text
RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. It's easy to use, and functions just like the normal dialer you're accustomed to. RedPhone uses your normal mobile number for addressing, so there's no need to have yet another identifier or account name; if you know someone's mobile number you know how to call them using RedPhone. And when you receive a RedPhone call your phone will ring just like normal, even if it is asleep.