Browse archive

Latest news

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

A closer look at Mega cloud storage

CISOs need to engage with the board

Wi-Fi client security weaknesses still prevalent

"NATO vacancies" phishing email also leads to malware

Find TrueCrypt and BitLocker encrypted containers and images

Sourcefire goes beyond the sandbox

The CSO perspective on healthcare security and compliance

Jailed hacker designs device to thwart ATM card skimming

U.S. Congress has questions about Google Glass and privacy

Over 45% of IT pros snitch on their colleagues

Hacking charge stations for electric cars

Guidelines on unsafe cryptographic algorithms

Posted on 18 March 2009.

Experts in the security community have indicted many commonly used cryptographic algorithms as insecure. Bases for these claims of insecurity often include advances in cryptographic research that have demonstrated previously unknown weakness in algorithms and advances in the computational power of readily available hardware.

In the face of an ongoing stream of advice from an active security community, the struggle for software developers has long been to differentiate problems that introduce real risk to their systems from hypothetical research focused on attacks that wonʼt be feasible in the mainstream for years.

This document by Yekaterina Tsipenyuk OʼNeil from Fortify provides best-practice guidelines for using modern cryptography in software systems. These guidelines are backed up by the research of the security community and strive to align themselves with the practical tradeoffs between maximal security and acceptable paranoia.

Even though there are a number of cryptographic primitives we could discuss, the "Crypto Manifesto" is limited to the following: