source: wiki/Summary.wiki @ 76

Last change on this file since 76 was 59, checked in by tmorgan, 11 years ago

.

File size: 2.1 KB
RevLine 
[54]1Cryptography is hard.  Most software developers realize this.  Security dogma of "don't invent your own crypto; use standard algorithms" has been a "best practice" for some time.  But what does this mean?  Use AES?  As cryptographers know, and history has shown, this alone is insufficient.  Using otherwise safe cryptographic primitives in custom protocols and message formats requires an understanding of cryptography that most programmers lack.  As a result, many implementations are sorely insecure due to the way cryptographic primitives are combined and applied in real world contexts.
2
3As a software penetration tester, your job is to identify security flaws in custom software.  However, when black-box testing an application that misuses cryptographic primitives, how do you identify and exploit these issues efficiently?  The task is fraught with engineering difficulties which frustrate the process and cause you to expend valuable testing time on trivial matters that are specific to the implementation.  Bletchley was created to assist with the detection, analysis, and exploitation of cryptographic flaws and aims to help automate the tedious aspects of this analysis while leaving the security expert in control of the process.
4
5Bletchley is currently in the early stages of development and consists of tools which provide:
[57]6  * Automated token encoding detection (36 encoding variants)
7  * Passive ciphertext block length and repetition analysis
8  * Script generator for efficient automation of HTTP requests
9  * A flexible, multithreaded padding oracle attack library with CBC-R support
[54]10
11As the framework matures, the following additional features are currently anticipated:
[57]12  * Passive binary structure detection
13  * Automated chosen ciphertext probes
14  * Tools to analyze and exploit other flaws, such as asymmetric algorithm and hash misuse
[55]15
16
[59]17For more information on the specific tools, see the <a href="https://code.google.com/p/bletchley/wiki/Overview">documentation</a>.  Bletchley is maintained by
[55]18<a href="http://vsecurity.com/">VSR</a>, though code/testing contributions are greatly appreciated.
Note: See TracBrowser for help on using the repository browser.