Geeks With Blogs
ex-blog Information security world

Well, the period of silence on this blog has ended. Unfortunately, I couldn't post for the last three months for many reasons, and I'm sorry for it :((

In this post I'll try to summarize the interesting things that happened in security from my point of view (actually, Valery already mentioned most of them in his blog):

Peter Gutmann updated his “Godzilla crypto and security” tutorial with an excellent quote on the current state of laws in Russia: “The severity of Russian law is compensated for by its non-mandatoryness.”

The NSA announced Suite B Cryptography at RSA 2005, consisting of AES, Elliptic Curve Digital Signature and Key Exchange, and SHA-256/384.

For this reason, I'll try to describe an unofficial Russian “Suite B”:

  • GOST 28147-89 for encryption
  • GOST R 34.10-2001 (Elliptic Curve Digital Signature) for DS and Key Exchange (it supersedes GOST R 34.10-94, which should be withdrawn before 1.01.2008)
  • GOST R 34.11-94 for hash function

More information about using these algorithms with the X.509 certificate and CRL profile is currently available as a draft (and will be accepted as an informational RFC in the near future). A basic implementation for OpenSSL 0.9.8 can be downloaded from the CryptoCom open-source site.

Bruce Schneier posted his impressions from the Cryptographic Hash Workshop hosted by NIST: 1, 2, 3.

This autumn was a bad time for many IPSec ISAKMP/IKE implementations: the PROTOS test suite from the Oulu University Secure Programming Group found vulnerabilities in multiple vendor implementations. This is a clear example of using the fuzzing technique to find security flaws.

Sun Microsystems released the Solaris 10 source code as OpenSolaris, including the Kernel Crypto Framework/Drivers, User Crypto Framework (PKCS#11) and Crypto Algorithms (more information is available on Darren J. Moffat's blog).

BTW, it is interesting to compare the design of the future Microsoft CryptoAPI NG from the previous post with the (Open)Solaris Cryptographic Framework. Both are built on the same separation of cryptoproviders into distinct digest, signature, etc. providers, and both are moving to support the kernel (right now it's impossible to use CryptoAPI in an ipsec driver, for example).

And the developer part of the news: the two most successful Microsoft Shared Source projects were released as WiX 2.0 and WTL 7.5, and MSFT can be really proud of them (we use them extensively in our projects).

Windows kernel developers also received a new development framework, Kernel Mode Driver Framework 1.0 (unfortunately, it doesn't support Windows 2000 in version 1.0, but I hope it will, thanks to feedback from the developer community), and the updated Driver Install Framework Tools 2.01. And best of all, WDF contains the Windows Server 2003 SP1 DDK with Static Driver Verifier for free ;-) If you're interested in Windows kernel development, watch OSR NTDEV and Steve Dispensa's blog.

Well, that's enough for today - thank you for reading =)

Posted on Wednesday, December 14, 2005 10:03 PM Security, Development

Copyright © John Doe