Breaking homegrown crypto(kivikakk.ee)
kivikakk.ee
Breaking homegrown crypto
https://kivikakk.ee/cryptography/2016/02/20/breaking-homegrown-crypto.html
21 comments
This is probably one of the most concise and easy to follow articles I've read on this subject. Thanks for the great post!
I wonder how long he worked to craft the excellent analysis and crack software? I know an attacker would be motivated to do this but he spent the effort just for a blog post? I'm very happy he did.
This is an excellent write-up.
In case anyone is concerned, this bears repeating: This attack broke CodeIgniter 2's poorly designed Encrypt class, but CodeIgniter 3's Encryption class offers authenticated encryption.
If you're still using CodeIgniter 2, upgrade.
If you're using CodeIgniter 3, make sure you're not using Encrypt.
In case anyone is concerned, this bears repeating: This attack broke CodeIgniter 2's poorly designed Encrypt class, but CodeIgniter 3's Encryption class offers authenticated encryption.
If you're still using CodeIgniter 2, upgrade.
If you're using CodeIgniter 3, make sure you're not using Encrypt.
Sounds like it might be safest not to use CodeIgniter.
What tool to use is a decision that developers and companies have to make for themselves. I can't make it for them, so I usually don't try.
Exception: Don't use mcrypt. It's abandonware.
Exception: Don't use mcrypt. It's abandonware.
Excellent article.
Reads almost like a walk through.
Side note: Why is a .ee (Estonia) domain site hosted in Japan (Tokyo)?
Reads almost like a walk through.
Side note: Why is a .ee (Estonia) domain site hosted in Japan (Tokyo)?
I was thinking it was part of the site's name, as in "kivi-kak-kee" or they just dislike .com/.co's.
Similar to many start-ups and tech projects being hosted <everywhere> on .io (Indian Ocean) domains.
Similar to many start-ups and tech projects being hosted <everywhere> on .io (Indian Ocean) domains.
Well-written, worth the read.
[deleted]
HN doesn't treat posts as dupes when a story hasn't had significant attention yet. See https://news.ycombinator.com/newsfaq.html.
This is because we want good stories to have multiple chances at making the front page. The current story is a great example. In fact, we invited tdurden to repost it, as we sometimes do when we notice an article that we think the community might find interesting, but which fell through the cracks.
We're working on a better duplicate handling system that will reduce the number of reposts in the story stream, but getting it right is surprisingly subtle, and we'd rather take longer than get it wrong.
This is because we want good stories to have multiple chances at making the front page. The current story is a great example. In fact, we invited tdurden to repost it, as we sometimes do when we notice an article that we think the community might find interesting, but which fell through the cracks.
We're working on a better duplicate handling system that will reduce the number of reposts in the story stream, but getting it right is surprisingly subtle, and we'd rather take longer than get it wrong.
I wonder if it would be sufficient to show the author the other posts and ask if they still want to post it. Let them self select if they think someone else said it better or sooner.
And my thanks for doing so with this story, which I'm glad to have had a second chance at discovering.
[deleted]
[deleted]
Reading this on an iPhone is a terrible way to spend my Saturday afternoon with a jumpy page scrolling all over the place.
here's a good rule of thumb:
If it's longer than a tweet, don't read it on your phone.
If it's longer than a tweet, don't read it on your phone.
http://cryptopals.com/sets/2/