Posted on

Walking in the Forest of Curves

Elliptic Curve. For various reasons it’s probably time to stop toodling around the Internet with a 70’s era crypto algorithm inside our certificates. Seems to me Ed25519 is a rational choice to try to use. I’m walking into a discussion that’s been going on for years. This is not a news flash. I assumed it would be straightforward. “Stick it in the certs I make with OpenSSL, start testing with latest Chrome.” My worst problem should be spelling it right in the blog post. (is it “Ed25519” or “ED25519”?)

Yeah right. Welcome to the bleeding edge.
Continue reading Walking in the Forest of Curves

Posted on

RSA 2017 San Francisco

It’s RSA conference time.  In the 21st century this is yet another fairly large fairly loud security trade show.  It is — psst don’t tell anyone — also a crypto conference.  However, here in the 21st century, we apparently have to not only wonder about the next big crypto thing, we have to worry about bad crypto out there in the wild.  40 bit Crypto-1 keys in Mifare cards.  AES in CBC mode in cases that definitely should be using GCM.  Vendors shouting “we use AES!” – for their homebrew IoT protocol they think nobody’s going to attack.  RSA keys used in the most amazing variety of malformed, ill-concieved, and poorly deployed TLS certificates.

Yeah, I’m headed to the show floor.   Even though I’m often dealing with pre-quantum cryptography and not this weeks’ swoopy-cool mathematics.  After all, the show floor will be full of vendors claiming to deliver brighter white packets from bigger blacker boxes.  Only a few of them actually do crypto.