Collaborate Disseminate
On 2022-04-19, Neil Madden published a vulnerability in the ECDSA signature verification code of the library bundled with some editions of Java, including some recent by Oracle and in OpenJDK. That became CVE-2022-21449 (I’ve yet to unders… Continue reading Ramifications of the psychic/CVE-2022-21449 ECDSA verification vulnerability
I need a CA signed ECDSA certificate for testing purposes.
I am able to generate an ECDSA certificate and key but I have never signed one.
I use OpenSSL in a Windows environment to generate certificates.
Is there any way to generate a free… Continue reading Generate CA signed ECDSA certificate
Java versions 15, 16, 17, and 18 (and maybe some older versions) have a big problem, ECDSA signature verification is totally broken. The story is a prime example of the …read more Continue reading This Week in Security: Java’s Psychic Signatures, AWS Escape, And a Nasty Windows Bug
I’ve configured the following on my IOS XE device.
!
ip ssh rsa keypair-name my-4096rsa-ssh-key
ip ssh version 2
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
ip ssh server algorithm encryption aes256-gcm aes256-ctr
ip ssh server… Continue reading SSH Handshake on Cisco IOS XE
After generating an OpenSSH EC key on a hardware security key:
$ ssh-keygen -t ed25519-sk -C comment
Is it possible to use this key with Google Chrome SSH applet or Mosh, in particular on non-Linux machines where there is no ssh command a… Continue reading Is it possible to use an ed25519 security key with Google Chrome SSH applets?
Now that OpenSSH supports Elliptic curve security keys (since version 8.2), it’s possible to generate a ed25519-sk key on a hardware security key:
$ ssh-keygen -t ed25519-sk -C comment
This generates a public and a private key parts. How … Continue reading How sensitive is the primary key stub of an ed25519 security key (~/.ssh/id_ed25519_sk)?
In my situation my private key is in an HSM. I cannot access it for use with the various bitcoin golang libraries. Most of the functions require the private key "in-use". Although in my case, I can generate the signature later us… Continue reading How do I turn an 88 byte ECDSA public key into a 65 byte uncompressed or 33 byte compressed key for use with bitcoin
I’m working on a project with a client based on mbedtls and a server built with vsftpd.
I had basic RSA authentication working but am now upgrading to using the cipher TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. And I am struggling to get it … Continue reading wrong curve error during TLS handshake with vsftpd
I am trying to manually verify the signature using a public key and signature but continue to fail.
When I try using AWS KMS API it works,
kms_boto3_client.verify(
KeyId=keyid,
Message=message,
MessageType=’RAW’,
Signature=… Continue reading ECDSA Signature Verification works with AWS KMS API but not when using OpenSSL
If I understand correctly section 4.2 in Jacques Stern, David Pointcheval, John Malone-Lee, and Nigel P. Smart’s Flaws in Applying Proof Methodologies to Signature Schemes, in proceedings of Crypto 2002, they describe an attack that allows… Continue reading Premeditated substitution of ECDSA-signed message by the signer