Featured Posts

All Blog Posts

  • Cryptography

Cryptographic Right Answers: Post Quantum Edition

  • Feb 29, 2024
  • 23 minutes read
  • 4741
One of our favorite blog posts is our “crypto right answers” post. It’s intended to be an easy-to-use guide to help engineers pick the best cryptography choices without needing to go too far down a rabbit hole. With post-quantum …
  • Cryptography

A case for password hashing with delegation

  • Feb 22, 2023
  • 9 minutes read
  • 1911
When people talk about PBKDFs (Password Based Key Derivation Functions), this is usually either in the context of secure password storage, or in the context of how to derive cryptographic keys from potentially low-entropy passwords. The Password …
  • Cryptography

How (not) to sign a JSON object

  • Feb 24, 2019
  • 12 minutes read
  • 2363
Last year we did a blog post on interservice auth. This post is mostly about authenticating consumers to an API. That’s a related but subtly different problem: you can probably impose more requirements on your internal users than your customers. The …
  • Cryptography

Analyzing a simple encryption scheme using GitHub SSH keys

  • Feb 30, 2018
  • 6 minutes read
  • 1185
(This is an introductory level analysis of a scheme involving RSA. If you’re already comfortable with Bleichenbacher oracles you should skip it.) Someone pointed me at the following suggestion on the Internet for encrypting secrets to people based on …
  • Cryptography

ROCA vs. ROBOT: An Eternal Golden Braid

  • Feb 08, 2018
  • 7 minutes read
  • 1328
The ROCA RSA key generation flaw or ROBOT, the “Return Of Bleichenbacher” attack: which is most deserving of the “Best Cryptographic Attack” Pwnie award at the 2018 Black Hat USA conference? Only one can survive. Let us consider. Assume for the …
  • Cryptography

The default OpenSSH key encryption is worse than plaintext

  • Feb 03, 2018
  • 4 minutes read
  • 814
Update: I don’t know if we can take credit for it or if it’s random chance, but I note OpenSSH changed its default in the release after this blog post. The system works! The eslint-scope npm package got compromised recently, stealing npm …