cryptography
Safeguard articles tagged "cryptography" — guides, analysis, and best practices for software supply chain and application security.
57 articles
Implementing TLS in Java applications: keystores, trust managers, and protocol pinning done right
One overridden checkServerTrusted() method disables certificate validation for an entire Java app — and it still ships to production more often than most teams admit.
Why Math.random() is a security bug waiting to happen
A 2008 Debian OpenSSL patch cut key entropy to ~32,768 values; a 2012 scan found 0.75% of TLS certs shared keys. Weak PRNGs still cause real breaches.
Detecting weak cryptographic algorithms in code
SHAttered proved a SHA-1 collision for ~$110,000 in 2017. NIST retires SHA-1 entirely by Dec 31, 2030 — here's how to find and fix MD5/SHA-1 in your code now.
Inside CVE-2023-46233: How crypto-js Shipped a 1.3-Million-Times-Weaker Key Derivation
crypto-js versions before 4.2.0 defaulted PBKDF2 to SHA1 with a single iteration — NVD calls it 1,300,000 times weaker than modern standards. Here's the fix.
CTF writeup patterns: serialization and cryptographic puzzles, decoded
CVE-2013-0156 let attackers RCE Rails by feeding YAML into a parameter parser — the same insecure-deserialization pattern CTF players train on every weekend.
Getting AES right in Java: JCA/JCE mistakes that break your encryption
Call `Cipher.getInstance("AES")` in Java and you silently get ECB mode — no warning, no error, just plaintext patterns leaking through.
Symmetric vs asymmetric file encryption in Python, done correctly
AES-GCM needs a unique 96-bit nonce every single time — reuse one under the same key and GCM's authentication guarantee collapses entirely, not just confidentiality.
Secure password hashing in Go: bcrypt, Argon2, and the mistakes in between
Go's bcrypt package caps input at 72 bytes and returns ErrPasswordTooLong instead of silently truncating — one of several Go-specific quirks that trip up password hashing code.
Symmetric vs Asymmetric Encryption in Python: A Practical Guide
One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.
C# Cryptography Best Practices in .NET
The right way to do cryptography in C#: authenticated encryption with AesGcm, secure randomness, PBKDF2 password hashing, constant-time comparison, and the legacy APIs to stop using.
Symmetric vs Asymmetric Encryption: What's the Difference?
Symmetric encryption uses one shared key for both locking and unlocking. Asymmetric encryption uses a key pair, one public and one private. One is fast; the other solves the key-sharing problem.
Encryption vs Hashing: What's the Difference?
Encryption scrambles data so it can be unscrambled later with a key. Hashing turns data into a fixed fingerprint that can never be reversed. One protects secrets; the other verifies them.