Bleichenbacher ’06 RSA Signature Forgery: What they assume you know

Landon | Dec 17, 2021

In 2006, Daniel Bleichenbacher shared a discovery in an evening session at a cryptography conference: Several implementations of RSA-based PKCS 1 v 1.5 cryptographic signature verification were fatally flawed and susceptible to signature forgery. It is as bad as it sounds. The sad part: The flaw in the signature verification algorithm is that the signature […]

RSA for those who aren’t number theorists

Landon | Oct 29, 2021

I just finished cryptopals challenge 39, in which I had to implement RSA. For me, it wasn’t enough for me to just implement the RSA algorithm. I sort of needed to understand a bit about the underlying number theory. I say that because I’ve faced instances in the past where a typo or error in […]

Secure Remote Password Demystified

Landon | Sep 16, 2021

Secure Remote Password (SRP) is a protocol by which a user in a system is able to log in to that system without the system ever knowing or storing the user’s password. Consider this description of the SRP protocol from cryptopals challenge 36: Replace A and B with C and S (client & server) C […]

Timing leaks and multi-threading

Landon | Aug 24, 2021

What if the server that verified MACs took longer to verify a correct mac than an incorrect one? Or, perhaps put differently, what if you could tell the difference between a more correct guess than an obviously wrong one? If you can, you can break MAC authentication schemes, and that’s what the cryptopals authors are […]

SHA1 and MD4 Length Extension Attacks Explained

Landon | Jul 13, 2021

Continuing my series on the cryptopals challenges… In section four, two of the challenges require you to get past a checksum test by spoofing a hash associated with a forged message. The idea is that if you can manage to pass a query string to an application (say a web application) that has been toyed […]

Spring Batch Testing: Asserting file equality after running a single step

Landon | Jan 20, 2021

For some time at SoFi, we’ve worked with Spring Batch to provide a third-party integration with a service without a robust API, but that loves to work in terms of batch files. There are a number of ways to deal with that, and we’ve taken a few different approaches. One of them is to implement […]

Beware Hibernate’s caching when using database filters

Landon | Apr 30, 2019

The stack I work in every day uses Hibernate and Spring Data JPA for its object/relational mapping framework. My company is hardly alone in using these tools to map data from a database into Java objects. They’re quite commonly used, and also quite powerful. One of the nifty features of Hibernate is Filtering. You can […]

How to add WS-Security to .NET Core SOAP Headers without WCF

Landon | Jul 06, 2018

If you’ve ever enjoyed the wonderful experience that is consuming a web service that’s at least 10 years old, odds are you’ve dealt with WS-Security headers. If you’ve had to deal with that while developing in .NET Core, you probably have spent a great deal of time banging your head against the wall. I had […]

Filtering links using the WordPress ‘the_permalink’ filter

Landon | Jun 06, 2017

This morning I improved this theme by adding a filter to WordPress’s ‘the_permalink’ filter. The idea was to scan post content, pull out the first link in a post and then use that link as the permalink, so to speak. By doing this, I make it so that I can simply point my readers to […]