Research Blog
Insights and research from our global cybersecurity team.
Public Report – Entropy/Rust Cryptography Review
During the summer of 2023, Entropy Cryptography Inc engaged NCC Group’s Cryptography Services team to perform a cryptography and implementation review of several Rust-based libraries implementing constant-time big integer arithmetic, prime generation, and secp256k1 (k256) elliptic curve functionality. Two consultants performed the review within 40 person-days of effort, which included…
SIAM AG23: Algebraic Geometry with Friends
I recently returned from Eindhoven, where I had the pleasure of giving a talk on some recent progress in isogeny-based cryptography at the SIAM Conference on Applied Algebraic Geometry (SIAM AG23). Firstly, I want to thank Tanja Lange, Krijn Reijnders and Monika Trimoska, who organised the mini-symposium on the application…
5G security – how to minimise the threats to a 5G network
To ensure the security of new 5G telecom networks, NCC Group has been providing guidance, conducting code reviews, red team engagements and pentesting of 5G standalone and non-standalone networks since 2019. As with any network, various attackers are motivated by different reasons. An attacker could be motivated to either gain information about…
Real World Cryptography Conference 2023 – Part II
After a brief interlude, filled with several articles from the Cryptography Services team, we’re back with our final thoughts from this year’s Real World Cryptography Conference. In case you missed it, check out Part I for more insights. Interoperability in E2EE Messaging A specter is haunting Europe – the specter…
Technical Advisory – SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities
Multiple Unauthenticated SQL Injection Issues Security Filter Bypass – CVE-2023-34133 Description The GMS web application was found to be vulnerable to numerous SQL injection issues. Additionally, security mechanisms that were in place to help prevent against SQL Injection attacks could be bypassed. Impact An unauthenticated attacker could exploit these issues…
LeaPFRogging PFR Implementations
Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP). Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the…
Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG
Random number generators are the backbone of most cryptographic protocols, the crucial cornerstone upon which the security of all systems relies, yet they often remain overlooked. This blog post presents a real-world vulnerability discovered in the implementation of a Pseudo-Random Number Generator (PRNG) based on the ChaCha20 cipher. Discovery of…
Public Report – Penumbra Labs R1CS Implementation Review
In July 2023 Penumbra Labs engaged NCC Group’s Cryptography Services team to perform an implementation review of their Rank-1 Constraint System (R1CS) code and the associated zero-knowledge proofs within the Penumbra system. These proofs are built upon decaf377 and poseidon377, which have been previously audited by NCC Group, with a…
Demystifying Multivariate Cryptography
As the name suggests, multivariate cryptography refers to a class of public-key cryptographic schemes that use multivariate polynomials over a finite field. Solving systems of multivariate polynomials is known to be NP-complete, thus multivariate constructions are top contenders for post-quantum cryptography standards. In fact, 11 out of the 50 submissions…
Building Intuition for Lattice-Based Signatures – Part 2: Fiat-Shamir with Aborts
Introduction This two-part blog series aims to build some intuition for the main techniques that are used to construct lattice-based signatures, focusing in particular on the techniques underlying Falcon and Dilithium, the two lattice-based signature schemes selected for standardization by the National Institute of Standards and Technology (NIST). In part…
Most recent posts
- Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
- Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
- The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
- Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
- Don’t throw a hissy fit; defend against Medusa