TURKTRUST Unauthorized CA Certificates
Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.
On October 2, 2012, the National Institute of Standards and Technology (NIST) announced that the winner of the new SHA-3 hash function competition was Keccak. The plan is that SHA-3 will eventually replace SHA-1 and the SHA-2 hash families. To support digital certificates, the hashing function is used by the certification authority (CA) to put its [Read More...]
Adobe Code-Signing Certificate Compromised
Adobe announced that it had received two malicious utilities signed by a valid Adobe code-signing certificate. The code-signing certificate was compromised through an attack on their code-signing system. The code-signing certificate will be revoked on October 4, 2012, and the revocation will impact all code signed after July 12, 2012. A supporting security advisory has been issued. The [Read More...]
Certificate revocation is a current SSL industry issue. There are many causes of the problem. Some end-users do not have certificate-revocation checking turned on. Browsers support CRL or OCSP, but in some cases not both. The certification authorities (CAs) may not provide reliable revocation responses. And what if there are no revocation responses from a [Read More...]
Alan Turing Notes on Cryptography Released
Are there any insights left to be wrung from the code breaker’s papers?
Chris Vallance of the BBC reports that GCHQ has released some of Alan Turing’s papers on the theory of code breaking. They’re not on display at the National Archives at Kew. I’ve checked the web pages of the Archives and GCHQ, and there is as of my writing nothing up there, yet.
The two papers are titled “The Applications of Probability to Crypt” and “Paper on the Statistics of Repetitions.” They discuss the application of mathematics to cryptanalysis. This might seem a bit obvious now, but at the time cryptanalysis was largely done by smart people and not by machines. A code-breaker was more likely someone who was good at solving complex crossword puzzles than at working with numbers. It was unusual to bring someone like Turing into a cryptology lab.
There Weren’t Really Chinese Backdoors in Military Chips
Blogmaster Note: This was originally posted on July 12, 2012 to ComputerWorld UK’s Security Spotlight Blog.
What happened and unsolicited advice
In March, Cambridge researcher Sergei Skorobogatov and Quo Vadis Labs researcher Christopher Woods put up a draft paper on a cool new technique they used to ‘disable all the security’ on a security-enabled chip. It sat [Read More...]
SSL Certificate Baseline Requirements 1.0
The CA/Browser Forum has completed release 1.0 of the Baseline Requirements for the Issuance and Management of Publicly Trusted (SSL) Certificates. This document, fondly referred to as the BRs, is a major step forward for the SSL certificate industry. The leading browser vendors and the SSL CAs have come together to set a minimum standard [Read More...]
Smelling a RAT on Duqu
I have been doing research on Duqu and talking to security researchers I know who have also been working on it themselves. The bottom line is that Duqu is little more than hype. It’s also malware, but it’s easily fought malware. Mostly, though, it’s hype, and hype of which the perpetrators should be ashamed. [Read More...]
New Attack on Low-Cost Contactless Smartcard
Cryptographers David Oswald and Christof Paar published a great paper at this week’s CHES 2011 conference, “Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World.” In this paper, they used differential power analysis to break the DESFire contactless smartcard. It builds upon previous work published at CHES 2002 on Template Analysis, a [Read More...]
What is PIV-I?
I have been involved with credentialing in the Federal Government for many years, coming on multiple decades to be honest, and it has been an interesting ride. Over the last few years there has been a substantial change, starting with the signing of HSPD-12 in 2004. What HSPD-12 did was to codify credential issuance within the Federal Government. HSPD-12 brought in not just [Read More...]