On crypto conferences

View of the UCSB campus in Santa Barbara, CA, where CRYPTO is held since 1981 Created in 1981, CRYPTO has historically been the most important and most relevant crypto conference. But CRYPTO has also always been aimed at cryptographers whose job is to publish research papers, rather than cryptographers whose job is to actually secure … Continue reading On crypto conferences

Student Focus – WhatsApp Security

This is a guest post by Aleksandr Mylnikov, who did his semester project under JP Aumasson during his master's at EPFL, co-supervised by Prof. Arjen Lenstra. This post summarizes part of his work, thanks Alex! This part-time research project started in February 2017 and finished middle of June 2017. The goal was to understand WhatsApp's network architecture … Continue reading Student Focus – WhatsApp Security

Crypto challenge, 10 Ether of prizes

Kudelski Security is launching a new crypto challenge for Black Hat. It starts today and ends on July 25th at our private party in Las Vegas. The challenge and instructions are available at https://github.com/kudelskisecurity/cryptochallenge17. In short, here's how it works: We give you the code of a service running on some remote host. As you'll find out, … Continue reading Crypto challenge, 10 Ether of prizes

Meet Us in Vegas

For the yearly migration to the insanity of Vegas infosec and hacking conferences, we're coming with some new research that we'll present at all the three sacred sites: Black Hat, then BSides, and finally at Defcon's Crypto Village. Automated Testing of Crypto Software Using Differential Fuzzing is a joint work with Yolan Romailler, whose masters … Continue reading Meet Us in Vegas

Should Curve25519 keys be validated?

While analyzing Signal with Markus, I noticed that Signal's Curve25519-based ECDH doesn't validate public keys, and in particular will accept the 0 point as a public key—leading to a shared secret equivalent to 0 regardless of the value of the private key scalar. In contrast, libsodium will return an error if the shared secret happens … Continue reading Should Curve25519 keys be validated?

Auditing code for crypto flaws: the first 30 minutes

Auditing your code for proper crypto use is extremely important.  However, what if it's not generally your focus?  If your job today is to find flaws in the cryptographic components of application א, where should you start? I like to start an audit by checking which crypto primitives are used. This often gives you an idea of … Continue reading Auditing code for crypto flaws: the first 30 minutes

On CIA Crypto

On Tuesday, Wikileaks released a tranche of alleged Top Secret CIA documents, many involving explanations of their cryptographic requirements.   Reading through the documents turned out to be anticlimactic, the CIA’s cryptographic requirements are pretty boring, and that is how it usually works in cryptography. Quoting from the document, "These requirements are intended to ensure a … Continue reading On CIA Crypto