Crypto

Because not all crypto is TLS.

Logjam explained

Logjam is a downgrade attack against the TLS protocol itself which exploits EXPORT ciphersuites. I wrote a long explanation of how the attack works and its background (what Diffie-Hellman is and how exactly it's used in the TLS handshake) on the CloudFlare blog. Logjam: the latest TLS vulnerability explained | CloudFlare…

scrypt all the things!

If you take away only one thing from this post let it be this: **If you have a human password, ==scrypt it==.** [^1] The reason passwords suck is because humans are terrible at generating and storing entropy. (That and password reuse, but that's another story.) And the reason that's a…

Salt & Pepper, please: a note on password storage

Everyone will tell you that the best practice for password storage is [sb]crypt with random salt. Ok, we got that and even maybe got everyone to agree. But let me bump that up a notch: do you know what pepper is? The concept of peppering is simple: add a…

On Keybase.io and encrypted private key uploading

One thing in particular of Keybase.io attracts a lot heat recently: they support uploading your encrypted key on their servers. This usually is pointed at as a mortal sin. Well, here is my private key, the untouched output of gpg --armor --export-secret-keys filippo.io | gpg --armor --clearsign. -----BEGIN PGP…

The ECB Penguin

This is an image that has become kind of a cultural icon in the cryptography and InfoSec community. I'm speaking about "the penguin", a picture of the Tux Linux mascot encrypted with a block cipher in ECB mode that still shows clearly the outline of the original. .@solardiz…