I hereby claim:
- I am defuse on github.
- I am defuse (https://keybase.io/defuse) on keybase.
- I have a public key whose fingerprint is BFAE 45EB D356 1D91 E3E2 56C2 DFA8 209C E967 8D5D
To claim this, I am signing this object:
Sketch of a security proof for BCRYPT(H(X)). This probably contains errors.
UPDATE: Only assume BCRYPT is collision resistant for X <= 72.
Define the BCRYPT-H(S, X) algorithm as follows:
UPDATE: Gah... the whole 'byte' thing isn't necessary at all. I originally
intended to pass *either* the actual X (with a zero byte prefix) or H(X) with
a 0x01 byte prefix, to bcrypt. I forgot to do that, and instead always passed
the hash with the byte prefix based on the length. The proof is still valid,
<?php
// WARNING: THIS IS EXPERIMENTAL CODE. DO NOT USE IT.
// --- binary to hex encoding ---
function sc_bin2hex($binary)
{
    $encoded = '';
    for ($i = 0; $i < strlen($binary); $i++) {
<?php
// THIS CODE IS EXPERIMENTAL. DO NOT USE IT.
// ALSO NOTE THERE IS NO ERROR CHECKING!
function side_channel_safe_encode($binary_string)
{
    // We only use 5 bits from every byte, so for 256 bits we need 52 bytes.
    $random = mcrypt_create_iv(52, MCRYPT_DEV_URANDOM);
    $printable_blind_key = '';
<?php
// [LIB - Crypt Functions]
// (c) 2005-2013 unix-world.org - all rights reserved
// code release 2013-05-30
//##################################################### PREVENT S EXECUTION
if(A_HEADER_EXEC_RUNTIME != 'NetVisionOpenSource') {
    die('This PHP script: `'.htmlspecialchars(@basename(__FILE__)).'` cannot be executed directly !');
} //end if
//#####################################################
#!/usr/bin/env ruby
# @DefuseSec's TrueCrypt Challenge Generator!
#
# This script generates a set of TrueCrypt "challenges." Volumes are created in
# different ways using secure 128-bit passwords to provide a challenge for
# anyone claiming TrueCrypt is backdoored. If there is a backdoor, then one
# should be able to use one of the published challenges to prove it.
#
# There are 5 different types of challenges:
str = "D0 1D 00 00 00 02 02 00 30 82 1D BD 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 1D AE 30 82 1D AA 02 01 01 31 0B 30 09 06 05 2B 0E 03 01 1A"
binary = str.split(" ").map { |x| x.to_i(16).chr }.join("")
0.upto(binary.length - 1) do |start|
  code = binary[start...binary.length]
  File.open("/tmp/foo.bin", "w") do |f|
    f.write(code)
  end
  print `objdump -D -b binary -m i8086 -M intel /tmp/foo.bin`
lines = [
  "ABCDEFGHIJFG",
  "ABIKLAKGCMAIHDJACKNKCKNMDH",
  "MADHDPACLDHIKH",
  "AILDQIGCRIPACKNGHPACLDSDKLDPD",
  "ALCIHPIQTIDCEAPAHIG"
]
ct = lines.join("")
<?php
/*
 * This is the decoded version of Ballast Security's shell decoding challenge:
 * http://ballastsec.blogspot.ca/2013/01/first-of-many-encrypted-php-shell.html
 *
 * Original: http://pastebin.com/W92Q0Q9j
 *
 * Decoding was done by @DefuseSec with a bit of help from @RiptideTempora.
 */
@error_reporting(0);
<?php
/* Escaping Challenge: Make a PHP script that (Z:) generates JavaScript code
 * that generates an HTML page containing a PHP script that (goto Z) */
/* The purpose of this challenge is to demonstrate how complicated escaping can
 * get when you're trying to combine 4 different languages (PHP, JavaScript,
 * HTML, and string literals). */
function js_string_escape($data)