Matasano Chargen » Blog Archive » Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/

A-E

UTF8Encoding

Professional crypto people don’t even get this stuff right. But if you have to encrypt something, you might as well use something that has already been tested.

Matasano Chargen

"list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations"

Thanks to my background as FreeBSD Security Officer, as a cryptographic researcher, and as the author of the Tarsnap secure online backup system, I am frequently asked for advice on using cryptography as a component in secure systems. While some people argue that you should never use cryptographic primitives directly and that trying to teach people cryptography just makes them more likely to shoot themselves in their proverbial feet, I come from a proud academic background and am sufficiently optimistic about humankind that I think it's a good idea to spread some knowledge around. In light of this, I've put together a list of "Cryptographically Right Answers" -- which is to say, a list of recommendations for using cryptography which, if followed, will make sure you get things right in the vast majority of situations.

Recommendations about cryptography

In short words jCryption is a javascript HTML-Form encryption plugin, which encrypts the POST/GET-Data that will be sent when you submit a form. It uses the Multiple-precision and Barrett modular reduction libraries for the calculations and jQuery for the rest.

** Posted using Viigo: Mobile RSS, Sports, Current Events and more **

In short words jCryption is a javascript HTML-Form encryption plugin, which encrypts the POST/GET-Data that will be sent when you submit a form. It uses the Multiple-precision and Barrett modular reduction libraries for the calculations and jQuery for the rest. jCryption is completly free and dual licensed under the MIT and GPL licenses like jQuery.

Educational hacking comic from Korea that writes up how to solve a DEFCON challenge.

Advanced Encryption Standard (AES)

good explanation of AES Rijndael.

Timing Attacks

Encrypt data sentback to a server - quickly

We offer a fast, small symmetric encryption library written in Javascript. Though several such libraries exist, jsCrypto offers several advantages.

ink is really cool, though, is that the photo also shows the agent’s worksheet:

German

I know very little about cryptography, but I do find it fascinating. This article seems to have solid, real-world advice, yet it is written in a way that even I can understand it. People who can write like this impress me.

why hash is not security

Excised

http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB260/index.htm Very interesting history of a once "black" agency.

The Sectéra® Edge™ smartphone converges secure wireless voice and data by combining the functionality of a wireless phone and PDA — all in one easy-to-use handheld device. Developed for the National Security Agency’s Secure Mobile Environment Portable Electronic Device (SME PED) program, the Sectéra Edge is certified to protect wireless voice communications classified Top Secret and below as well as access e-mail and websites classified Secret and below. The Sectéra Edge is the only SME PED that switches between an integrated classified and unclassified PDA with a single key press.

General Dynamics C4 Systems is a leading integrator of network-centric command, control, communication and computing solutions from space to ground - core to edge. The company’s focus is on engineering and integrating secure communication, information and technology solutions that facilitate the delivery of relevant information to speed the decision cycle, so our customers can see, hear, decide and act with absolute confidence - faster and more effectively.

Obama's new Blackberry - Sectera Edge by General Dynamics, the only smart phone NSA rated for Top Secret communications. http://is.gd/fZqn [from http://twitter.com/eighteyes/statuses/1139490924]

Obama's new NSA-approved phone

A tool that forces people to commit a crime if they want to prove an archive contains stolen content. Turning the DMCA against those who try to use it. Cute in a contrarian activist sort of way.

staple is a program that inseparably binds together the data in a file using a cryptographic mechanism known as an All-or-nothing transform. In its most basic form (when executed as staple 0), the transformation is keyless; that is, no key is required to reverse it, however all the data is required. Thus, running unstaple on the output .staple file yields the original file, but running it on any subset of the .staple file yields nothing.

[...]It has been suggested that this scenario occurs if Alice is a content producer/owner, Bob is a content piracy group, and Charlie is a user unconcerned about copyright infringement. Taking their last example: Alice could pretend to have brute-forced the key k rather than recovered from B and r, no? And is all-or-nothing so hard to do? what about making c=k xor H(Ek(m)) | Ek(m) ? You need the full data to compute the hash on the encrypted message to recover the key and decrypt the message. And you can throw away part of the key also in this scheme UPDATE: hum actually it appears that it's precisely what he's doing :-)

all or nothing cryptographic transform

"staple is a program that inseparably binds together the data in a file using a cryptographic mechanism known as an All-or-nothing transform. In its most basic form (when executed as staple 0), the transformation is keyless; that is, no key is required to reverse it, however all the data is required. Thus, running unstaple on the output .staple file yields the original file, but running it on any subset of the .staple file yields nothing. staple can also be asked to do something slightly strange: in the process of executing the All-or-nothing transform, a random key is used for encryption of the data - staple can be instructed to throw away part of that key. (The only argument staple takes is the number of key bytes to throw away; only 0, 2, and 4 are accepted currently.)"

Encrypted VOIP and SMS for Android phones.

crypto apps for the Android phone: voip and secure text

RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. It's easy to use, and functions just like the normal dialer you're accustomed to. RedPhone uses your normal mobile number for addressing, so there's no need to have yet another identifier or account name; if you know someone's mobile number you know how to call them using RedPhone. And when you receive a RedPhone call your phone will ring just like normal, even if it is asleep.