Tootfinder

Opt-in global Mastodon full text search. Join the index!

@qbi@freie-re.de
2026-02-19 07:29:44

Reuse,
gut für die Fischerei
schlecht in der Kryptografie
blog.trailofbits.com/2026/02/1

Carelessness versus craftsmanship in cryptography
Two popular AES libraries (aes-js and pyaes) provide dangerous default IVs that lead to key/IV reuse vulnerabilities affecting thousands of projects. One maintainer dismissed the issue, while strongSwan’s maintainer exemplified proper security response by comprehensively fixing the vulnerability in their VPN management tool.

@stf@chaos.social
2026-01-06 13:05:38

#Applied #cryptography cannot solve a #security problem. It can only convert a security problem into a key-management problem.
Corollary: If you aren’t actually solving the key-management problem, yo…

Decorative Cryptography
All encryption is end-to-end, if you’re not picky about the ends. config TCG_TPM2_HMAC bool "Use HMAC and encrypted transactions on the TPM bus" default n select CRYPTO_ECDH select CRYPTO_LIB_AESCFB select CRYPTO_LIB_SHA256 select CRYPTO_LIB_UTILS help Setting this causes us to deploy a scheme which uses request and response HMACs in addition to encryption for communicating with the TPM to prevent or detect bus snooping and interposer attacks (see tpm-security.rst). Saying Y here adds some en…

@neverpanic@chaos.social
2025-12-28 21:54:04

Good overview on where to get started to improve #cryptography code by Jade Philipoom at #39c3:

[39c3] How To Minimize Bugs in Cryptography Code
Over the last 10 years or so, using mathematical proof assistants and other formal-logic tools for cryptography code has gone from a relatively new idea to standard practice. I've been lucky enough to have a front-row seat to that transformation, ...

@mgorny@social.treehouse.systems
2026-01-15 15:58:32

> Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with #LibreSSL/#BoringSSL/AWS-LC, and not with #OpenSSL.
(from #Cryptography and #Qt simultaneously, right? (Qt rejected LibreSSL support.)
#Python

@neverpanic@chaos.social
2026-01-29 21:12:55

Emily Fox with a fun to read retrospective on what my team and a few other teams have done with post-quantum #cryptography at #RedHat and in #RHEL:

From if to how: A year of post-quantum reality
For the last 5 years, post-quantum cryptography (PQC) has largely been discussed as a research topic.

@neverpanic@chaos.social
2026-02-16 16:23:39

RE: #PQC