Today's communications are, as frequently requested by users, more and more secure. In this first part of the blogpost, we will detail some key features of instant messaging applications, in the setting where (only) two parties want to communicate.

Post-quantum cryptography is an active field of research, especially since the NIST Call for Submissions in 2016 to design new standards for asymmetric key cryptography. The aim of post-quantum cryptography is to mitigate the risk of a large-scale quantum computer which may break all the asymmetric cryptography that is deployed today. This blogpost will present the activity state of the post-quantum cryptography field and sketch the challenges for the deployment of post-quantum safe standards for the industry, both in term of internal infrastructures and security products.

This blog post introduces a plugin that provides end-to-end encryption (E2EE) to Mattermost.

This post is a noob-friendly introduction to whiteboxes along with the presentation and explanation of a (not-new) collision-based attack. The attack is demonstrated against a public whitebox, using QBDI to instrument and analyze the target in order to produce traces of execution.

On how we used LIEF to lift an Android x86_64 library to Linux to perform our usual white-box attacks on it.

In recent weeks, Confide, a secure instant messaging application, has gained popularity in some circles. This article presents a quick assessment of the security of this application. The official website boasts the confidentiality provided by the product through three qualifiers: encrypted, ephemeral and screenshot protected. Each of these aspects will be studied.

The encryption protocol will be particularly detailed because it is tagged as battle tested, military grade cryptography. We already knew about military grade cryptography, which seems to be a synonym of put AES-256 somewhere, no matter how you use it in many applications, but we had never heard of battle tested cryptography. This article is an opportunity to present this technology.

Developing properly end-to-end communication systems is complex. As we have seen in the past with iMessage, even if cryptographic primitives are correctly implemented and encryption keys are correctly generated and protected, the design is critical to forbid the service operator from being able to eavesdrop messages.

With the Differential Computation Analysis (DCA) presented at CHES 2016, we have shown that side-channel techniques developed to break hardware cryptographic implementations can be adapted successfully to break white-box implementations. In this post, we will explore another class of hardware attacks: fault injections and how to apply them on white-box implementations.

Quarkslab made a security assessment of VeraCrypt 1.18. The audit was funded by OSTIF and was performed by two Quarkslab engineers between Aug. 16 and Sep. 14, 2016 for a total of 32 man-days of study. A critical vulnerability, related to cryptography, has been identified. It has been introduced in version 1.18, and will be fixed in version 1.19.

When appointing computation of private data to a third party, privacy is an issue. How can one delegate computation without giving up one's secrets? This gets trickier when multiple parties are involved. Several works on Multi-Party Computation (MPC) addressed this issue, but a new approach has started to emerge: Fully Homomorphic Encryption (FHE).

Linux 4.1 has arrived with a new feature for its popular ext4 filesystem: filesystem-level encryption!