On June 9, I’ll be giving a talk on web crypto flaws at Yahoo Security Week. The talk is titled “When Crypto Attacks!” and will go into ways cryptography has been misapplied to solving web application problems. You can get a flavor for the talk by reviewing these recent posts.
- Timing attack in Google Keyczar library
- Amazon web services signature vulnerability
- The Debian PGP disaster that almost was
I also wanted to mention another high-level API that is pretty good: Peter Gutmann’s cryptlib. It provides a simple API with a lot of internal validation of parameters and state. For example, you can’t send messages in the wrong order and keys have types associated with them.
If you are a Yahoo employee, you can attend the talk. For everyone else, I will post slides here afterwards.