Thoughts on application security, applied crypto, philosophy and logic
Please, don't misunderstand optimizing the code as you write (premature optimization) vs. choosing the right data structure and algorithm (right optimization) before starting to write code.
[7.12.2024 11:45] Comment on The square roots of all evil by yo

Every programmer knows Donald Knuth’s famous quote that “premature optimization is the root of all evil”, from his 1974 Turing Award lecture (pdf). A fuller quotation of the surrounding context gives a rounder view: I am sorry to say that many people nowadays are condemning program efficiency, telling us that it is in bad taste. […]
[3.12.2024 12:27] The square roots of all evil

Nobody said non-repudiation is a bug.

In some scenarios, users actually want to remove the non-repudiation feature, but signature leaves them with no options.

BTW, I appreciate ZK, but it also has costs.
[21.9.2024 08:07] Comment on Digital signatures and how to avoid them by Jack

> As well as authenticating a message, they also provide third-party verifiability and (part of) non-repudiation.

I think this is a feature, not a bug. The ability to prove you received some data from some third party lets you prove things about yourself, and enables better data privacy long-term when combined with zero knowledge proofs. See: https://www.andrewclu.com/sign-everything -- you're right that post quantum signature research is still in progress, but I suspect that even then, the ability to make all your data self-sovereign and selectively prove data to the outside world (i.e. prove I'm over 18 without showing my whole passport) can be extremely beneficial, especially as we move towards a world of AI generated content when provenant proofs can be useful to third parties.
[20.9.2024 01:24] Comment on Digital signatures and how to avoid them by AJ Gupta

Wikipedia’s definition of a digital signature is:

> A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient. —Wikipedia

They also have a handy diagram of the process […]
[18.9.2024 19:52] Digital signatures and how to avoid them

I’ve been slowly reading Brian Cantwell Smith’s “The Promise of Artificial Intelligence” recently. I haven’t finished reading it yet, and like much of BCS’s writing, it’ll probably take me 3 or 4 read-throughs to really understand it, but there’s one point that I want to pick up on. It is the idea that “Good Old-Fashioned […]
[30.6.2024 08:46] Machine Learning and the triumph of GOFAI

Shay Gueron presented at RWC about a nonce based approach (DNDK-GCM) as you mention at the end. https://www.youtube.com/watch?v=GsFO4ZQlYS8&list=PLeeS-3Ml-rprAsk-5xAAPHB_3mhBb42jV&index=36
[29.5.2024 11:52] Comment on Galois/Counter Mode and random nonces by David

It turns out you can encrypt more than 2^32 messages with AES-GCM with a random nonce under certain conditions. It’s still not a good idea, but you can just about do it. #cryptography
[23.5.2024 20:24] Galois/Counter Mode and random nonces

I see a lot of attempts to define encryption schemes for constrained devices with short authentication tags (e.g., 64 bits) using universal hashing. For example, there’s a proposal in CFRG at the moment for a version of AES-GCM with short tags for this kind of use-case. In my (admittedly limited) experience, these kinds of constrained […]
[6.5.2024 18:18] SipHash-based encryption for constrained devices

Happy new year! I’m hoping to write a few posts on here over the next few weeks, but probably exploring a few topics around AI and philosophy. If you’d prefer some more technical content around security and cryptography, then take a look at the newsletter I put out for my consulting company, Illuminated Security. The […]
[6.1.2024 10:18] Newsletter

I was just reading yet another article on REST API design guidelines. Some of it is good advice, some of it I could quibble with. But several of the rules are about how to design the path hierarchy of your API: use plural nouns, don’t use nested sub-paths unnecessarily, etc. In this article I want […]
[2.11.2023 08:48] A controversial opinion about REST API design

In reply to Benjamin Häublein (https://neilmadden.blog/2023/05/31/regular-json/#comment-641). Yeah, I’m not super keen on that spec for various reasons. My own take on fine-grained auth in OAuth is https://neilmadden.blog/2020/09/09/macaroon-access-tokens-for-oauth-part-2-transactional-auth/
[31.5.2023 18:00] Comment on Regular JSON by Neil Madden

> In my opinion, Rank-2 Regular JSON is a suitable target for most data formats like JWTs. I believe almost all JWTs in the wild would fit within this subset.

If RFC 9396 is widely adopted this will not hold ;) See for example figure 20 (https://datatracker.ietf.org/doc/html/rfc9396#name-jwt-based-access-tokens)
[31.5.2023 17:54] Comment on Regular JSON by Benjamin Häublein

For better or worse, depending on your perspective, JSON has become a dominant data format and shows no signs of being replaced any time soon. There are good reasons for that: on the face of it, it provides a very simple format with just enough features to cover a lot of use-cases with minimal feature […]
[31.5.2023 13:28] Regular JSON

If you want to learn how to store passwords securely, you could do a lot worse than looking at the OWASP Password Storage Cheat Sheet. These cheat sheets are generally pretty good, and the password storage one is particularly good. The editors do a great job of keeping it up to date and incorporating the […]
[27.4.2023 11:13] I still don’t really get “hash shucking”

In cryptography, the process of authenticating a user (or app/service) is known as entity authentication or identification (to distinguish it from message authentication or data origin authentication). There are lots of ways to do this. In this post I’m going to talk about authentication schemes based on public key cryptography. It turns out that the […]
[20.4.2023 13:05] Entity authentication with a KEM

Mike Rosulek, Oregon State University. Draft of January 3, 2021. Online: The Joy of Cryptography. This is a freely-available book covering introductory material on cryptography. It’s suitable for anyone with undergraduate-level computer science knowledge. As is often the case in cryptography textbooks, there is a brief review of mathematical background in the first (or zeroth […]
[16.2.2023 11:37] Book review: The Joy of Cryptography

> quasi-literal syntax for safely constructing values in other languages: SQL, HTML, etc.

Raku subsumes this feature as a part of a general framework: Raku has no fixed syntax. It presumes bootstrapping from a metacompiler (cf META II: https://en.wikipedia.org/wiki/META_II). The metacompiler is written in itself. The metacompiler targets a runtime that's written in itself (plus platform specific backends). There is in fact no single language at the syntax level, not even the metacompiler "language", but instead an arbitrary collection of mutually embedding languages. All of this happens ARTACT -- at run-time at compile time. (Variously known as compile-time code execution, multi stage programming, etc.) This way all code is parsed and checked and codegen'd at compile time despite being modifiable by user code written in itself. Thus nothing that should be code need be in the form of a string subject to injection attacks. Instead it's compiled code checked at compile-time. And this is unified with the module system. So users can create "slangs" (short for "sub-languages") that can be shared as modules. Thus, for example, https://raku.land/zef:tony-o/Slang::SQL It's not yet nicely polished. But there's good reason to think it will be. See also https://gist.github.com/raiph/849a4a9d8875542fb86df2b2eda89296

> Datalog/Prolog as a sub-language

Same deal as above.

> Teleo-Reactive Programs

That sounds like an informal formulation of (the theory and practice of) the Actor model: https://en.wikipedia.org/wiki/Actor_model (The Wikipedia page focuses on the dry theory, but the starting point was Carl Hewitt's team at MIT considering the evolution of unbounded numbers of purpose driven autonomous agents concurrently communicating via a network of unbounded time and space dimensions in the 1960s. "Teleo-Reactive Programs", and the description you wrote, seem completely consistent with the Actor model.)

> Design by Contract…

.oO ( Eiffel is still going strong. ) This is a simple one.

> STRIPS planner?

I don't think it's coincidental that Carl Hewitt et al started out with PLANNER. And then, as he and his MIT students pondered what that focused them on, namely the issue of arbitrary levels and configurations of intelligence that mixed human and machine decisions, and then the unavoidable long term issues of metastability of physical systems due to the fundamental limits on logic established by quantum mechanics -- you cannot avoid the problems of time and space and uncertainty just because you think you're dealing with logic -- they arrived at the need to first refocus on getting right what became the Actor model.)
[20.1.2023 23:20] Comment on A few programming language features I’d like to see by ralph mellor

> A “microfeature” is essentially a small convenience that makes programming in that language a bit easier without fundamentally changing it.

This is called a macro. The syntactic parts can be covered by a programmable program reader. Common Lisp provides both of these things, properly and trivially.
[20.1.2023 08:08] Comment on A few programming language features I’d like to see by Verisimilitude

I enjoyed Hillel Wayne’s recent newsletter about microfeatures they’d like to see in programming languages. A “microfeature” is essentially a small convenience that makes programming in that language a bit easier without fundamentally changing it. I love this idea. I’m partial to a bit of syntactic sugar, even if it can cause cancer of the […]
[18.1.2023 00:04] A few programming language features I’d like to see

GREAT article! I have not researched very much to understand PBKDF2 or really encryption. :-( I have used KeePass at home since about late 2007 and now on KP 2.53. About 5 years ago I finally had the courage to change AES-DEF by using the “1 Second Delay” and it came up with 23,037,696 iterations. So, is that iteration result good/bad/average/makes-no-sense? THANKS!!
[17.1.2023 14:22] Comment on On PBKDF2 iterations by Rusty

There has been a lot of discussion recently around the LastPass breach, especially with regards to the number of PBKDF2 iterations applied to the master password to derive the vault encryption key. Other people have already dissected this particular breach, but I want to more generally talk about PBKDF2 iterations and security models. (I’m not […]
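The excerpt above and Rusty's question about KeePass's "1 Second Delay" both come down to the same mechanics, so here is an added example (my code, not the post's and not KeePass's) of what the iteration count actually buys: PBKDF2-HMAC key derivation from a master password with Python's standard library, a constant-time check of a re-derived key, a KeePass-style calibration that times a probe run and scales it to a target delay, and the attacker-side arithmetic the post's "security models" refers to. The 600,000 floor for PBKDF2-HMAC-SHA256 is the OWASP Password Storage Cheat Sheet figure at the time of writing; the 16-byte salt, the probe size, the sample password and the function names are my own choices, and the attacker's HMAC rate is a number you supply, not a measurement.

```python
"""Added example: PBKDF2 master-password key derivation with calibration."""
import hashlib
import hmac
import os
import time

# Floor assumed here for PBKDF2-HMAC-SHA256: the OWASP Password Storage
# Cheat Sheet recommendation (600,000) at the time of writing.
MIN_ITERATIONS_SHA256 = 600_000


def derive_key(password: str, salt: bytes, iterations: int,
               hash_name: str = "sha256", length: int = 32) -> bytes:
    """PBKDF2-HMAC over the UTF-8 encoded password. Thin wrapper around
    hashlib so the RFC 6070 vectors (4-byte salt) can be checked against it."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, length)


def new_vault_key(password: str, iterations: int) -> tuple:
    """Fresh 128-bit random salt plus a 256-bit key for a new vault.
    Refuses iteration counts below the assumed floor."""
    if iterations < MIN_ITERATIONS_SHA256:
        raise ValueError(
            f"{iterations} iterations is below the {MIN_ITERATIONS_SHA256} floor")
    salt = os.urandom(16)
    return salt, derive_key(password, salt, iterations)


def check_master_password(password: str, salt: bytes, iterations: int,
                          expected_key: bytes) -> bool:
    """Re-derive the key and compare it in constant time."""
    return hmac.compare_digest(derive_key(password, salt, iterations),
                               expected_key)


def calibrate_iterations(target_seconds: float, hash_name: str = "sha256",
                         probe_iterations: int = 20_000) -> int:
    """Estimate the iteration count this machine completes in target_seconds,
    the idea behind KeePass's "1 Second Delay" button. PBKDF2 cost is linear
    in the iteration count, so a single timed probe run is scaled up."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"probe", b"0123456789abcdef",
                        probe_iterations, 32)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def attacker_guesses_per_second(iterations: int,
                                attacker_hmac_per_second: float) -> float:
    """Security-model arithmetic: an attacker able to run
    attacker_hmac_per_second HMAC calls (a hypothetical figure you supply)
    tests this many master-password guesses per second. Doubling the
    iteration count halves it, for the attacker and the defender alike."""
    return attacker_hmac_per_second / iterations


if __name__ == "__main__":
    n = max(calibrate_iterations(1.0), MIN_ITERATIONS_SHA256)
    salt, key = new_vault_key("correct horse battery staple", n)  # sample password
    assert check_master_password("correct horse battery staple", salt, n, key)
    print(f"{n} iterations for a one-second delay here; "
          f"{attacker_guesses_per_second(n, 1e9):.0f} guesses/s at 1e9 HMAC/s")
```

The calibration result is only meaningful on the machine that ran it, which is why the floor is applied after calibrating rather than instead of it: a slow laptop must not talk itself into a low count.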
[9.1.2023 12:45] On PBKDF2 iterations

Thanks for these clarifications! Related to ASN.1(r,s) format it seems that 3006020100020100 easily triggers vulnerability at Oracle Java SE 17.0.2+, but Exception is dropped if full length ASN.1(r,s) is set such as 3044022000..00022000..00 And if ASN.1(r,s) works, I assume a malformed certificate could also be created (under e.g. "Microsoft ECC Product Root Certificate Authority 2018" in the Windows certificate store). And even an SSL/TLS man-in-the-middle could work in case vulnerable Java client is used...
[27.4.2022 20:15] Comment on A few clarifications about CVE-2022-21449 by Aron

Just a few quick notes/updates to correct some potentially inaccurate statements that are floating around on Reddit/Twitter etc: The bug only impacts Java 15 and above. The original advisory from Oracle incorrectly listed earlier versions (like 7, 8 and 11) as being impacted. They have since corrected this. Note that they now only list 17 […]
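Aron's comment above quotes the DER encoding of the all-zero signature, 3006020100020100, and the clarifications post pins down which Java versions accepted it. The check a verifier must make before doing any curve arithmetic is that r and s both lie in [1, n-1]. As an added example (my code, not Oracle's, OpenJDK's or the post's), here is a strict decoder for the ECDSA SEQUENCE { INTEGER r, INTEGER s } structure that performs that check for P-256 and also rejects non-minimal DER, so both encodings quoted in the comment are refused, plus the matching encoder so the (0, 0) case can be produced for testing a verifier. The order constant is the standard P-256 group order; the function and exception names are my own.

```python
"""Added example: strict DER decoding of an ECDSA (r, s) signature."""
from typing import Optional

# Group order n of NIST P-256; r and s must satisfy 1 <= r, s <= n - 1.
P256_ORDER = int(
    "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


class InvalidSignature(ValueError):
    """Raised for any malformed or out-of-range signature encoding."""


def _read_length(data: bytes, pos: int) -> tuple:
    """DER length at data[pos]; returns (length, position after it).
    Accepts the short form and minimal long forms only."""
    if pos >= len(data):
        raise InvalidSignature("truncated length")
    first, pos = data[pos], pos + 1
    if first < 0x80:
        return first, pos
    num_bytes = first & 0x7F
    if num_bytes == 0 or num_bytes > 4 or pos + num_bytes > len(data):
        raise InvalidSignature("bad long-form length")
    length = int.from_bytes(data[pos:pos + num_bytes], "big")
    if data[pos] == 0 or length < 0x80:
        raise InvalidSignature("non-minimal length encoding")
    return length, pos + num_bytes


def _read_integer(data: bytes, pos: int) -> tuple:
    """DER INTEGER (tag 0x02): non-negative and minimally encoded."""
    if pos >= len(data) or data[pos] != 0x02:
        raise InvalidSignature("expected INTEGER tag")
    length, pos = _read_length(data, pos + 1)
    body = data[pos:pos + length]
    if length == 0 or len(body) != length:
        raise InvalidSignature("truncated or empty INTEGER")
    if body[0] & 0x80:
        raise InvalidSignature("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise InvalidSignature("non-minimal INTEGER (padding zero bytes)")
    return int.from_bytes(body, "big"), pos + length


def decode_ecdsa_signature(sig: bytes, order: int = P256_ORDER) -> tuple:
    """Parse SEQUENCE { INTEGER r, INTEGER s }; reject trailing bytes and any
    r or s outside [1, order - 1]. This is the range check whose absence let
    a (0, 0) signature verify; the caller still has to do the curve math."""
    if not sig or sig[0] != 0x30:
        raise InvalidSignature("expected SEQUENCE tag")
    length, pos = _read_length(sig, 1)
    if pos + length != len(sig):
        raise InvalidSignature("SEQUENCE length does not match input length")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise InvalidSignature("trailing bytes after s")
    for name, value in (("r", r), ("s", s)):
        if not 1 <= value <= order - 1:
            raise InvalidSignature(f"{name} out of range [1, n-1]")
    return r, s


def rejection_reason(sig: bytes, order: int = P256_ORDER) -> Optional[str]:
    """None if sig decodes cleanly, otherwise the reason it was refused."""
    try:
        decode_ecdsa_signature(sig, order)
    except InvalidSignature as exc:
        return str(exc)
    return None


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_ecdsa_signature(r: int, s: int) -> bytes:
    """Minimal DER encoding of (r, s), the inverse of decode_ecdsa_signature.
    Deliberately not range-checked, so it can produce the (0, 0) encoding
    quoted in the comment above for exercising a verifier."""
    def der_int(v: int) -> bytes:
        # One extra 0x00 byte only when the high bit would otherwise be set.
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + _der_length(len(body)) + body
    content = der_int(r) + der_int(s)
    return b"\x30" + _der_length(len(content)) + content
```

Of the two forms in the comment, the short one is canonical DER for zero and fails only the range check, while the 32-byte zero-padded one is refused earlier for non-minimal padding; either way nothing that this function rejects should reach the curve arithmetic, and the check costs nothing and is independent of the curve implementation.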
[25.4.2022 20:03] A few clarifications about CVE-2022-21449

[…] Madden, a researcher at security firm ForgeRock, found vulnerabilities […] Likened to a blank identity card that makes regular appearances in the sci-fi show Doctor Who. The […]
[20.4.2022 19:46] Comment on CVE-2022-21449: Psychic Signatures in Java by Major crypto blunder in Java enables “psychic paper” forgeries - All Tech News

[…] Madden, the researcher at security firm ForgeRock who discovered the vulnerability, likened it to the blank identity cards that make regular appearances in the sci-fi show Doctor […]
[20.4.2022 19:45] Comment on CVE-2022-21449: Psychic Signatures in Java by Major crypto blunder in Java enables “psychic paper” forgeries - Exclusive Global News

[…] For developers, Madden has one more tip ready: programs and protocols often use digital […]
[20.4.2022 18:25] Comment on CVE-2022-21449: Psychic Signatures in Java by Bug in Java macht digitale Signaturen wertlos (Bug in Java makes digital signatures worthless) | Technische Nachrichten, Gadget-Testberichte, ...

[…] bugs, officially known as CVE-2022-21449, but jokingly dubbed the Psychic Signatures in Java bug by researcher Neil Madden, who uncovered it and disclosed it responsibly to Oracle in November […]
[20.4.2022 17:50] Comment on CVE-2022-21449: Psychic Signatures in Java by Critical cryptographic Java security blunder patched – update now! – Naked Security – Mass Bl...

[…] For developers, Madden has another trick ready: programs or protocols often use digital signatures to guarantee […]
[20.4.2022 17:43] Comment on CVE-2022-21449: Psychic Signatures in Java by Bug di Java membuat tanda tangan digital tidak berharga (Bug in Java makes digital signatures worthless)

[…] The vulnerabilities were discovered by ForgeRock security researcher Neil Madden and documented here. […]
[20.4.2022 16:30] Comment on CVE-2022-21449: Psychic Signatures in Java by Java 15 introduced a cryptographic vulnerability - Cybersecureness

Absolutely embarrassing for Oracle.
[20.4.2022 15:38] Comment on CVE-2022-21449: Psychic Signatures in Java by donaldo trumpet

In reply to Neil Madden (https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/#comment-260). So 17.0.2 is affected, but it is fixed in 17.0.3.
[20.4.2022 13:06] Comment on CVE-2022-21449: Psychic Signatures in Java by skagedal

In reply to Neil Madden (https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/#comment-260). So, no – 17.0.2 is affected while 17.0.3 is fixed.
[20.4.2022 13:05] Comment on CVE-2022-21449: Psychic Signatures in Java by Simon

In reply to Bob (https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/#comment-258). The OpenJDK advisory is clearer: https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19
[20.4.2022 12:37] Comment on CVE-2022-21449: Psychic Signatures in Java by Neil Madden

[…] https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ […]
[20.4.2022 12:15] Comment on CVE-2022-21449: Psychic Signatures in Java by CVE-2022-21449: Psychic Signatures in Java – Neil Madden – Library 11: Antigonish Project Edi...

I am having trouble finding the actual Java versions where this issue is fixed. E.g. is 17.0.2 affected, yes or no?
[20.4.2022 12:14] Comment on CVE-2022-21449: Psychic Signatures in Java by Bob

In reply to Alice (https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/#comment-254). I think the CVE versions are taken from the advisory, which covers multiple vulnerabilities beyond this one.
[20.4.2022 08:57] Comment on CVE-2022-21449: Psychic Signatures in Java by Neil Madden

[…] if you have already waved it off, it is worth reading this post: CVE-2022-21449: Psychic Signatures in […]
[20.4.2022 08:37] Comment on CVE-2022-21449: Psychic Signatures in Java by Tajemnicza podatność w Javie, która... może okazać się katastrofalna. Błąd kryptograficzny zw... (A mysterious vulnerability in Java that... may turn out to be catastrophic. A cryptographic bug ...)

In reply to Neil Madden (https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/#comment-249). That CVE says: "Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,..." Is the CVE definitely wrong?
[20.4.2022 07:41] Comment on CVE-2022-21449: Psychic Signatures in Java by Alice

[…] one of the problems (CVE-2022-21449) makes it possible to generate a fake ECDSA digital signature, […]
[20.4.2022 07:21] Comment on CVE-2022-21449: Psychic Signatures in Java by Возможность генерации фиктивных подписей ECDSA в Java SE. Уязвимости в MySQL, VirtualBox и So... (Possibility of generating fake ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and So...)

The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this being Doctor Who, the card is really made out of a special “psychic paper“, which causes the person looking at it […]
[19.4.2022 20:10] CVE-2022-21449: Psychic Signatures in Java

Datalog is a logic programming language, based on Prolog, which is seeing something of a resurgence in interest in recent years. In particular, several recent approaches to authorization (working out who can do what) have used Datalog as the logical basis for access control decisions. On the face of it, this seems like a perfect […]
[19.2.2022 17:00] Is Datalog a good language for authorization?

I was catching up on the always excellent Security. Cryptography. Whatever. podcast, and enjoyed the episode with Colm MacCárthaigh about a bunch of topics around TLS. It’s a great episode that touches a lot of subjects I’m interested in, so go ahead and listen to it if you haven’t already, and definitely subscribe. I want […]
[20.1.2022 14:48] Why the OAuth mTLS spec is more interesting than you might think

When working with Message Authentication Codes (MACs), you often need to authenticate not just a single string, but multiple fields of data. For example, when creating an authenticated encryption mode by composing a cipher and a MAC (like AES-CBC and HMAC), you need to ensure the MAC covers the IV, associated data, and the ciphertext. […]
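As an added example (my code, not the post's), here is the problem described above in running form: an HMAC over the plain concatenation IV || AD || CT cannot tell where one field ends and the next begins, so moving a byte from the associated data into the ciphertext leaves the tag unchanged, and so does merging two fields into one. The fix shown is an injective encoding, the field count followed by each field with an 8-byte big-endian length prefix (my choice of format), MACed in place of the raw concatenation. The key, IV and field contents are constructed test data.

```python
"""Added example: MACing several fields without boundary ambiguity."""
import hashlib
import hmac
import struct


def naive_mac(key: bytes, *fields: bytes) -> bytes:
    """Broken: HMAC over IV || AD || CT. The input carries no information
    about where the boundaries are, so different splits give the same tag."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def encode_fields(*fields: bytes) -> bytes:
    """Injective encoding: the number of fields, then each field preceded by
    its length, all as 8-byte big-endian integers. Distinct tuples give
    distinct byte strings, so the MAC commits to boundaries as well as bytes."""
    parts = [struct.pack(">Q", len(fields))]
    for field in fields:
        parts.append(struct.pack(">Q", len(field)))
        parts.append(field)
    return b"".join(parts)


def decode_fields(data: bytes) -> tuple:
    """Inverse of encode_fields; raises ValueError on a malformed encoding."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated encoding")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    count = struct.unpack(">Q", take(8))[0]
    fields = []
    for _ in range(count):
        length = struct.unpack(">Q", take(8))[0]
        fields.append(take(length))
    if pos != len(data):
        raise ValueError("trailing bytes")
    return tuple(fields)


def multi_input_mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over the unambiguous encoding of the fields."""
    return hmac.new(key, encode_fields(*fields), hashlib.sha256).digest()


def verify_multi_input_mac(key: bytes, tag: bytes, *fields: bytes) -> bool:
    """Constant-time check of a tag against the given fields."""
    return hmac.compare_digest(multi_input_mac(key, *fields), tag)


def boundary_shift_collides(key: bytes) -> dict:
    """Constructed data: a legitimate (iv, ad, ct) triple and two forgeries
    with the same concatenation. Reports whether each MAC distinguishes them."""
    iv = bytes(16)
    honest = (iv, b"recipient=alice", b"\x01\x02\x03\x04")
    shifted = (iv, b"recipient=alic", b"e\x01\x02\x03\x04")  # byte moved AD -> CT
    merged = (iv + b"recipient=alice", b"\x01\x02\x03\x04")   # two fields become one
    return {
        "naive_shift": naive_mac(key, *honest) == naive_mac(key, *shifted),
        "naive_merge": naive_mac(key, *honest) == naive_mac(key, *merged),
        "fixed_shift": multi_input_mac(key, *honest) == multi_input_mac(key, *shifted),
        "fixed_merge": multi_input_mac(key, *honest) == multi_input_mac(key, *merged),
    }
```

Any prefix-free or length-prefixed framing works as long as the decoder is unambiguous; the decode_fields round trip is the cheap way to convince yourself the encoding really is injective before trusting a MAC built on it.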
[27.10.2021 16:25] Multiple input MACs

This is the third part of my series on Key Encapsulation Mechanisms (KEMs) and why you should care about them. Part 1 looked at what a KEM is and the KEM/DEM paradigm for constructing public key encryption schemes. Part 2 looked at cases where the basic KEM abstraction is not sufficient and showed how it […]
[8.4.2021 13:56] From KEMs to protocols

In “Towards a standard for bearer token URLs”, I described a URL scheme that can be safely used to incorporate a bearer token (such as an OAuth access token) into a URL. That blog post concentrated on the technical details of how that would work and the security properties of the scheme. But as Tim Dierks […]
[24.3.2021 15:43] How do you use a bearer URL?

In XSS doesn’t have to be Game Over, and earlier when discussing Can you ever (safely) include credentials in a URL?, I raised the possibility of standardising a new URL scheme that safely allows encoding a bearer token into a URL. This makes it more convenient to use lots of very fine-grained tokens rather than one […]
[20.3.2021 10:57] Towards a standard for bearer token URLs

In my previous post, I described the KEM/DEM paradigm for hybrid encryption. The key encapsulation mechanism is given the recipient’s public key and outputs a fresh AES key and an encapsulation of that key that the recipient can decapsulate to recover the AES key. In this post I want to talk about several ways that […]
[16.2.2021 13:14] When a KEM is not enough

If you know a bit about public key cryptography, you probably know that you don’t directly encrypt a message with a public key encryption algorithm like RSA. This is for many reasons, one of which being that it is incredibly slow. Instead you do what’s called hybrid encryption: first you generate a random AES key […]
[22.1.2021 14:29] Hybrid encryption and the KEM/DEM paradigm

I made my daughter a toy tree house thing for Christmas out of old firewood (and a slice of cedar donated by a neighbour). It’s a bit clunky in places — “rustic” shall we say? But I probably enjoyed making this, over a few weeks of lunchtimes and evenings, more than anything I’ve done for […]
[29.12.2020 17:45] Making things

There’s a persistent belief among web security people that cross-site scripting (XSS) is a “game over” event for defence: there is no effective way to recover if an attacker can inject code into your site. Brian Campbell refers to this as “XSS Nihilism”, which is a great description. But is this bleak assessment actually true? […]
[10.12.2020 13:01] XSS doesn’t have to be game over

There’s a fantastic article from last year titled Parse, don’t validate. I’d highly recommend it to any programmer (along with the more recent follow up Names are not type safety). The basic idea is that there are two ways to check that some input to a function is valid: A validator checks that the input […]
[25.11.2020 14:56] Parse, don’t type-check

I wasn’t expecting it so quickly, so it caught me a little off guard, but API Security in Action is now finally published. PDF copies are available now, with printed copies shipping by the end of the month. Kindle/ePub take a little bit longer but should be out in a few weeks time. My own […]
[20.11.2020 21:29] API Security in Action is published!

I saw another article on Gödel’s incompleteness theorems linked from Reddit today. It’s a topic I’ve wanted to write about for some time. Although many articles do a decent job in giving an idea of what the big deal is (and this one is pretty good), they can sometimes give a misleading impression of what […]
[17.11.2020 11:32] Some incomplete thoughts about Gödel

In part 1, I showed how Macaroon access tokens in ForgeRock Access Management 7.0 can be used as a lightweight and easy-to-deploy alternative to proof of possession (PoP) schemes for securing tokens in browser-based apps. The same techniques can be adapted to secure tokens in microservice architectures and IoT applications, and I hope to expand […]
[9.9.2020 15:49] Macaroon access tokens for OAuth: Part 2 – transactional auth

After a flurry of last-minute corrections and updates in response to review feedback, my book has now been handed over to Manning’s production team. That means a few weeks of copy editing and graphics polish, then indexing and typesetting to produce the final version around October time at a guess. I’m not sure how long […]
[5.8.2020 08:42] API Security in Action handed over to production