Category Archives: Technical

TURKTRUST Unauthorized CA Certificates

January 4, 2013 by Bruce Morton     No Comments

Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.

SHA-3

October 9, 2012 by Bruce Morton     No Comments

On October 2, 2012, the National Institute of Standards and Technology (NIST) announced that the winner of the new SHA-3 hash function competition was Keccak. The plan is SHA-3 will eventually replace SHA-1 and the SHA-2 hash families. To support digital certificates, the hashing function is used by the certification authority (CA) to put its [Read More...]

Filed Under: Secure Browsing, SSL, Technical Tagged With: Keccak, MD5, MD5MD5

Adobe Code-Signing Certificate Compromised

October 3, 2012 by Bruce Morton     No Comments

Adobe announced they received two malicious utilities signed by a valid Adobe code-signing certificate. The code-signing certificate was compromised though an attack on their code-signing system. The code-signing certificate will be revoked on October 4, 2012, and will impact all code being signed after July 12, 2012. A supporting security advisory has been issued. The [Read More...]

Short-Lived Certificates

August 21, 2012 by Bruce Morton     2 Comments

Certificate revocation is a current SSL industry issue. There are many causes to the problem. Some end-users do not have certificate-revocation checking turned on. Browsers support CRL or OCSP, but in some cases not both. The certification authorities (CA) may not provide reliable revocation responses. And what if there are no revocation responses from a [Read More...]

Alan Turing Notes on Cryptography Released

July 12, 2012 by Jon Callas     No Comments

Are there any insights left to be wrung from the code breaker’s papers?

Chris Vallance of the BBC reports that GCHQ has released some of Alan Turing’s papers on the theory of code breaking. They’re not on display at the National Archives at Kew. I’ve checked the web pages of the Archives and GCHQ, and there is as of my writing nothing up there, yet.

The two papers are titled, The Applications of Probability to Crypt” and Paper on the Statistics of Repetitions. They discuss the use of mathematics to cryptanalysis. This might seem a bit obvious now, but at the time cryptanalysis was largely done by smart people and not by machines. A code-breaker was more likely someone who was good at solving complex crossword puzzles than working with numbers. It was unusual to bring in someone like Turing to a cryptology lab.

There Weren’t Really Chinese Backdoors in Military Chips

July 12, 2012 by Jon Callas     No Comments

Blogmaster Note: This was originally posted on July 12, 2012 to ComputerWorld UK’s Security Spotlight Blog. What happened and unsolicited advice In March, Cambridge researcher Sergei Skorobogatov and Quo Vadis Labs researcher Christopher Woods put up a draft paper on a cool new technique they used to ‘disable all the security’a security-enabled chip. It sat [Read More...]

SSL Certificate Baseline Requirements 1.0

December 14, 2011 by Bruce Morton     No Comments

The CA/Browser Forum has completed release 1.0 of the Baseline Requirements for the Issuance and Management of Publicly Trusted (SSL) Certificates. This document, fondly referred to as the BRs, is a major step forward for the SSL certificate industry. The leading browser vendors and the SSL CAs have come together to set a minimum standard [Read More...]

Filed Under: Secure Browsing, SSL, Technical Tagged With: SSL

Smelling a RAT on Duqu

October 21, 2011 by Jon Callas     No Comments

I have been doing research on Duqu and talking to security researchers I know who have also been working on it themselves. The bottom line is that Duqu is little more than hype. It’s also malware, but it’s easily fought malware. Mostly, though, it’s hype and hype that the perpetrators of which should be ashamed. [Read More...]

Filed Under: Malware, Technical Tagged With: Duqu, malware, RAT

New Attack on Low-Cost Contactless Smartcard

October 14, 2011 by Jon Callas     No Comments

Cryptographers David Oswald and Christof Parr published a great paper at this week’s CHES 2011 conference, “Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World.” In this paper, they used differential power analysis to break the DESFire contactless smartcard. It builds upon previous work published in CHES 2002 on Template Analysis, a [Read More...]

Filed Under: Identity Assurance, Technical Tagged With: DPA, EAL, NXP

What is PIV-I?

June 17, 2011 by Gary Moore     No Comments

I have been involved with credentialing in the Federal Government for many years, coming on multiple decades to be honest, and it has been an interesting ride. Over the last few years there has been a substantial change, starting with the signing of HSPD-12 in 2004. What HSPD-12 did was to codify credential issuance within the Federal Government. HSPD-12 brought in not just [Read More...]