You are here

AES

RC4, SSL, and deck chairs on the Titanic

ChromeChrome has sensibly increased the key sizes it expects in public-key transactions (see here and here). However, Chrome still silently accepts RC4 encryption, even though RC4 has been vulnerable to attack for over a decade. 

This is like putting a heavy padlock on a cardboard box.

Even so, 7 out of the top 10 US web sites still use RC4. This includes sites with a lot to lose like Amazon and eBay as well as Google itself. The other weaklings in the Top 10 are LinkedIn, Wikipedia, Twitter, and Google's Youtube (as weak as their owner).

Wordpress tag: 
Post category: 

Internet crypto cracking is no real surprise

Old Lock LogoThe Guardian has recently published a report on how the NSA and the UK's GCHQ have been routinely cracking cryptography used on the Internet. Seriously, this is no surprise. Lots and lots of sites routinely use "RC4" encryption, whose vulnerablility has been well known for over a decade

I also hadn't realized the extent to which American citizens in general are considered "the enemy" by the NSA. Their duplicitous role in Internet standards is breathtaking. It may be the grandest example of social engineering. Ever.

Post category: 

AES in Cartoon Form!

I've always been a fan of graphic presentations. More people understand graphs and diagrams than understand equations. While this is a bad thing in some ways, it remains a fact. So it's always great to see a graphical representation of a really difficult set of concepts.

Jeff Moser Fisher has posted A Stick Figure Guide to the Advanced Encryption Standard (AES). He has wisely structured it in layers.

Wordpress tag: 
Post category: 

Crypto bypass on the iPhone 3GS

Cousin Jon sent me this Wired link: how to bypass iPhone's 3GS encryption using jailbreaking tools. I haven't paid serious attention to the iPhone (AT&T hasn't had a strong signal in my town) but crypto bypass always gets my attention.

In fact, the weakness has nothing to do with protecting personal information on an iPhone. It's all about third parties: Apple, the cell provider, and possibly an employer who provides/manages the iPhone.

If you're not troubled by being limited to the iPhone Apps Store, then the threat's relatively small, especially compared to desktop systems. Moreover, I doubt we'll see real iPhone viruses as long as most people are happy with Apple's app restrictions.

Post category: 

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer