The mess that is our public-key infrastructure:
- The Internet is broken, can we please fix it? On Trustwave & MITM attacks.
- TACK, a proposal for dynamically ‘pinning’ certificates.
High-level intro posts:
- It’s the end of the world as we know it, and I feel fine. Post-quantum crypto from 30,000 feet.
- What is the random oracle model and why should I care? An early series, a little embarrassing.
- What’s TLS Snap Start? and So long False Start. On two (now withdrawn) TLS extensions.
- The future of electronic currency. On anonymous e-cash.
- Offline security through CAPTCHAs. A neat old idea for preventing dictionary attacks.
- Poker is hard, especially for cryptographers. All about mental poker.
- Fully-Homomorphic Encryption. Unfortunately this is still unfinished…
- Indifferentiability. On proofs of security for hash functions.
How to use cryptography (in)securely:
- How (not) to use symmetric encryption. A few of the worst pitfalls.
- What’s the deal with RC4? A history of attacks on an old stream cipher.
- How to choose an authenticated encryption mode. Very important!
- Random number generation, an illustrated primer. A look under the hood.
- Surviving a bad RNG. What to do if your (P)RNG isn’t carrying its weight.
- Format preserving encryption. Or: how to encrypt a credit card number with AES.
- Circular security. A wonkier, more theoretical subject.
- On multiple encryption. Are you safer if you encrypt twice?
Crypto attack(s) of the week:
- A bad couple of years for the token industry. Padding attacks on cryptographic tokens.
- On the BEAST attack. Note: written before the details were made public.
- XML Encryption. Why you should authenticate your ciphertexts.
- Side-channel attacks on DESFire. Neat.
- Datagram TLS. Alfardan & Paterson show that timing attacks are (still) practical.
- 2011 Redux. A quick summary of a whole year.
- Satellite phone encryption is terrible. Attacks on two satphone ciphers.
- The story of EAX(prime). And why security proofs are like Knight Rider.
- A tale of two patches. Analyzing two recent OpenSSL bugs.
- Digital Fortress: I read it so you don’t have to. Dan Brown embarrasses cryptography.
- Bram Cohen corrected. In which I randomly flame Bram Cohen.
- Bram Cohen corrects me? Bram turns out to be a good sport.
- Why Antisec matters. The security industry is a joke?
- Four theories on the cryptography of Star Trek. No explanation required.
When I thought this blog was a book: