Red Hat Security Blog: July 2014 archives

  • Controlling access to smart cards

    Smart cards are increasingly used in workstations as an authentication method. They are mainly used to provide public key operations (e.g., digital signatures) using keys that cannot be exported from the card. They also serve as a data storage, e.g., for the corresponding certificate to the key. In RHEL and Fedora systems low-level access to smart cards is provided using the pcsc-lite daemon, an implementation of the PC/SC protocol, defined by the PC/SC industry consortium. In brief the PC/SC...
    Posted 2014-07-30T13:30:32+00:00 - 0
  • Towards efficient security code audits

    Conducting a code review is often a daunting task, especially when the goal is to find security flaws. They can, and usually are, hidden in all parts and levels of the application - from the lowest level coding errors, through unsafe coding constructs, misuse of APIs, to the overall architecture of the application. Size and quality of the codebase, quality of (hopefully) existing documentation and time restrictions are the main complications of the review. It is therefore useful to have a plan...
    Posted 2014-07-16T13:30:44+00:00 - 0
  • It's all a question of time - AES timing attacks on OpenSSL

    This blog post is co-authored with Andy Polyakov from the OpenSSL core team. Advanced Encryption Standard (AES) is the mostly widely used symmetric block cipher today. Its use is mandatory in several US government and industry applications. Among the commercial standards AES is a part of SSL/TLS, IPSec, 802.11i, SSH and numerous other security products used throughout the world. Ever since the inclusion of AES as a federal standard via FIPS PUB 197 and even before that when it was known as...
    Posted 2014-07-02T13:30:15+00:00 - 0