When dealing with TLS connections, it is important to understand how a client (in most cases this is a web browser) will be acting. Let’s quickly check some of the steps that are happening when a TLS connection is made.
A web server will send its certificate down to the requesting client during the TLS handshake. But it is not only a single certificate but usually a complete chain of certificates.
There is the server certificate , in many cases an intermediate CA certificate and finally a Root CA.
When you check your browser this will look like this:
Read More »
Tags: certificates, cryptography, TLS
Cisco developed Next Generation Encryption (NGE) in 2011. NGE was created to define a widely accepted and consistent set of cryptographic algorithms that provide strong security and good performance for our customers. These are the best standards that can be implemented today to meet the security and scalability requirements for network security in the years to come; or to interoperate with the cryptography that will be deployed in that time frame. Most importantly, all of the NGE algorithms, parameters, and key-sizes are widely believed to be secure. No attacks against these algorithms have been demonstrated.
Recently there has been attention on Quantum-Computers (QC) and their potential impact on current cryptography standards. Quantum-computers and quantum algorithms is an area of active research and growing interest. Even though practical quantum-computers have not been demonstrated until now, if quantum-computers became a reality they would pose a threat to crypto standards for PKI (RSA, ECDSA), key exchange (DH, ECDH) and encryption (AES-128). These standards are also used in Cisco NGE.
An algorithm that would be secure even after a quantum-computer is built is said to have postquantum security or be quantum-computer resistant (QCR). AES-256, SHA-384 and SHA-512 are believed to be postquantum secure.
Read More »
Tags: cryptography, encryption, Next Generation Encryption, postquantum cryptography
This post was written by Martin Lee
Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a potential weakness is discovered to be a genuine vulnerability and an exploit is released.
The Transport Layer Security (TLS) protocol defines how systems can exchange data securely. The current version 1.2 dates from August 2008, however the protocol’s origins lie in the Secure Sockets Layer (SSL) standard first published in February 1995. As weaknesses in the cryptography and flaws in the protocol design were discovered, new versions of the protocol were released.
In order to maintain interoperability the most recent TLS standard requires that systems support previous versions down to SSL 3.0. The discovery of a cryptographic weakness in SSL 3.0 and the publication of an attack that can exploit this provide attackers with a means to attack TLS implementations by intercepting communications using the old SSL 3.0 protocol.
The vulnerability, assigned the Common Vulnerability and Exposure ID CVE-2014-3566, and referred to as POODLE, allows an attacker to modify the padding bytes that are inserted into SSL packets to ensure that they are of the correct length and replay modified packets to a system in order to identify the bytes within a message, one by one. This allows an attacker to discover the values of cookies used to authenticate https secured web sessions. Nevertheless, the vulnerability potentially affects any application that secures traffic using TLS, not only https traffic. Read More »
Tags: cryptography, CVE-2014-3566, POODLE, SSL, Talos, TLS
The rustic origins of the English language are evident in the words left to us by our agricultural ancestors. Many words developed to distinguish groups of different animals, presumably to indicate their relevant importance. A ‘flock’ of sheep was more valuable than a single sheep, a ‘pack’ of wolves posed more danger than a single wolf. With respect to security vulnerabilities, we have yet to develop such collective nouns to indicate what is important, and to indicate that which poses danger.
The world of Transport Layer Security has been rattled once again with the identification of a “swarm” of vulnerabilities in OpenSSL and GnuTLS. A total of seven new vulnerabilities ranging from a potential man in the middle attack, allowing an attacker to eavesdrop on an encrypted conversation, to vulnerabilities that could be used to allow attackers to remotely exploit code on a client have been identified in the popular open source libraries.
Read More »
Tags: cryptography, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3466, CVE-2014-3470, CVE-2014-5298, TRAC
At the height of an eventful week – Cloud and IoT developments, Open Source Think Tank, Linux Foundation Summit – I learned about the fate of my fellow alumnus, an upperclassman as it were, the brilliant open source developer and crypto genius known for the first transaction on Bitcoin.
Hal Finney is a Caltech graduate who went on to become one of the most dedicated, altruistic and strong contributors to open source cryptography. We are a small school in size, so one would think it’s easy to keep in touch; we try but do poorly, mostly a very friendly and open bunch, but easy to loose ourselves into the deep work at hand and sometimes miss what’s hiding in plain sight.
He was among the first to work with Phil Zimmermann on PGP, created the first reusable proof-of-work (POW) system years before Bitcoin, had just the right amount of disdain for noobs in my opinion, and years later, one of the first open source developers with Satoshi Nakamoto on Bitcoin, in fact the first transaction ever. There is a great story about Hal in Forbes this week, “My hunt for Bitcoin’s creator led to a paralyzed crypto genius“, thank you, Hal Finney for going through with it, and Andy Greenberg for writing it. Sometimes it is very painful, shocking to see how things turn out, I think this is one of those moments when we realize how much this is going to mean to all of us, the brilliant minds of programmers like Hal Finney, who never sought the limelight, but did so much for us without asking for anything in return, who leave behind a long lasting contributions to privacy and security in our society, he is in fact a co-creator of the Bitcoin project. Do you realize that every bitminer successfully providing the required POW, should in fact reach the very same conclusion at the end of every new transaction… forever? You’d better accurately represent who was the very first. What a legacy to remember!
I often go to Santa Barbara to see a very, very close and dear person there, my daughter. But now, there is another reason to stop by and pay tribute to one of the finest there. We will all be in search of the first transaction, eventually.
Tags: BitCoin, bitminer, Caltech, crypto, cryptography, digital currency, digital wallet, Hal Finney, open source, PGP, Phil Zimmermann, POW, privacy, proof of work, reusable POW, Satoshi, Satoshi Nakamoto, security