Changeset 103 for README.wiki


Ignore:
Timestamp:
07/13/16 11:14:42 (8 years ago)
Author:
tim
Message:

.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • README.wiki

    r85 r103  
    1 Cryptography is hard.  Most software developers realize this.  Security dogma of "don't invent your own crypto; use standard algorithms" has been a "best practice" for some time.  But what does this mean?  Use AES?  As cryptographers know, and history has shown, this alone is insufficient.  Using otherwise safe cryptographic primitives in custom protocols and message formats requires an understanding of cryptography that most programmers lack.  As a result, many implementations are sorely insecure due to the way cryptographic primitives are combined and applied in real world contexts.
    2 
     1<p>Cryptography is hard.  Most software developers realize this.  Security dogma of "don't invent your own crypto; use standard algorithms" has been a "best practice" for some time.  But what does this mean?  Use AES?  As cryptographers know, and history has shown, this alone is insufficient.  Using otherwise safe cryptographic primitives in custom protocols and message formats requires an understanding of cryptography that most programmers lack.  As a result, many implementations are sorely insecure due to the way cryptographic primitives are combined and applied in real world contexts.
     2</p>
     3<p>
    34As a software penetration tester, your job is to identify security flaws in custom software.  However, when black-box testing an application that misuses cryptographic primitives, how do you identify and exploit these issues efficiently?  The task is fraught with engineering difficulties which frustrate the process and cause you to expend valuable testing time on trivial matters that are specific to the implementation.  Bletchley was created to assist with the detection, analysis, and exploitation of cryptographic flaws and aims to help automate the tedious aspects of this analysis while leaving the security expert in control of the process.
    4 
     5</p>
     6<p>
    57Bletchley is currently in the early stages of development and consists of tools which provide:
    6 * Automated token encoding detection (36 encoding variants)
    7 * Passive ciphertext block length and repetition analysis
    8 * Script generator for efficient automation of HTTP requests
    9 * A flexible, multithreaded padding oracle attack library with CBC-R support
    10 
     8<ul>
     9<li>Automated token encoding detection (36 encoding variants)</li>
     10<li>Passive ciphertext block length and repetition analysis</li>
     11<li>Script generator for efficient automation of HTTP requests</li>
     12<li>A flexible, multithreaded padding oracle attack library with CBC-R support</li>
     13</ul>
     14</p>
     15<p>
    1116As the framework matures, the following additional features are currently anticipated:
    12 * Passive binary structure detection
    13 * Automated chosen ciphertext probes
    14 * Tools to analyze and exploit other flaws, such as asymmetric algorithm and hash misuse
    15 
    16 
    17 For more information on the specific tools, see the <a href="https://github.com/ecbftw/bletchley/blob/master/wiki/Overview.wiki">documentation</a>.  Bletchley was created by penetration testers at <a href="http://vsecurity.com/">VSR</a> and is now maintained by <a href="https://blindspotsecurity.com/">Blindspot Security</a>.  Note that contributions (patches, testing, bug reports) are greatly appreciated.
     17<ul>
     18<li>Passive binary structure detection</li>
     19<li>Automated chosen ciphertext probes</li>
     20<li>Tools to analyze and exploit other flaws, such as asymmetric algorithm and hash misuse</li>
     21</p>
     22<p>
     23For more information on the specific tools, see the <a href="https://code.blindspotsecurity.com/trac/bletchley/wiki/Overview">documentation</a>.  Bletchley was created by penetration testers at <a href="http://vsecurity.com/">VSR</a> and is now maintained by <a href="https://blindspotsecurity.com/">Blindspot Security</a>.  Note that contributions (patches, testing, bug reports) are greatly appreciated.
Note: See TracChangeset for help on using the changeset viewer.