A TEXT POST

Anonymous said: What do you think about the Password Hashing Competition (PHC)? Are you waiting for a better 'scrypt'?

We like it, and not just because my partner in crime is on the committee. We need better password hashing standards.

Anonymous said: I want to sign data with elliptic curve signatures because they're small, but I heard ECDSA is a shit algorithm. What do?

ECDSA is a fine algorithm, just make sure to use good, fresh randomness for every keygen and every signature. That’s just good crypto hygiene, but it is particularly good advice in the case of DSA.

Anonymous said: Is using an RSA public exponent of 3 a bad idea if using OAEP padding? Is it more efficient?

Yes, it’s faster to use a public exponent of 3, but it’s not the tradeoff I would make, even with OAEP padding.

Anonymous said: Do I need to store my salts as far from my hashes as possible, or is there some value in a salt even if an attacker manages to steal both the salt and the hash?

There is great value in salts even if stored right next to your hashes, as long as your hashing is using an appropriately slow algorithm like bcrypt with 8+ rounds. Now, if you can robustly store the hashes separately, that’s a nice defense-in-depth measure, but it wouldn’t be my first priority.

Anonymous said: Is using SHA512/HMAC-SHA512 for speed on 64-bit processors and then truncating to 256 bits a bad idea?

It’s a fine idea; NIST has even defined an official way to do this.

Anonymous said: I am using PBKDF2 with 100,000 iterations and a random salt to store passwords. Do I need to switch to bcrypt?

Nah, you’re good. Now stop showing off.

Anonymous said: If a bear exponentiates a 4096-bit number in the forest but there's no one there to hear it, does it make a sound?

Yes.

How do I avoid the Lucky13 attack on TLS?

Lucky13 is a timing attack on certain implementations of CBC mode encryption in SSL/TLS. The best way to avoid this attack is to upgrade your server’s OpenSSL to the very latest version.

Someone told me I should use scrypt for storing passwords.

scrypt is an alternative to bcrypt that takes both time and lots of memory. Again, that’s a feature. Too few implementations and too high server-side memory usage to recommend it for password storage for now.

What RSA encryption padding scheme should I use?

Always use RSA-OAEP padding as defined in the RSA-PKCS#1v2.1 specification. Never ever use the obsolete RSA-PKCS#1v1.5 encryption padding scheme, as it’s vulnerable to practical chosen ciphertext attacks.