March 14, 2019 by P.I.E. Staff

A lot has been written about cryptography key lengths from academics (e.g. Lenstra's equation) and various standard committees (ECRYPT-CSA, Germany's BSI, America's NIST, etc.) over the years.

Despite the abundance of coverage on this material on the Internet, these resources lack the clarity that we look for when drafting recommendations for software developers and system administrators. Additionally, many of them are showing their age and desperately need to be brought up to speed with a modern understanding of real world cryptography.

Continue Reading this Blog Post »

January 28, 2019 by Scott Arciszewski

Back in 2017, we outlined the fundamentals of searchable encryption with PHP and SQL. Shortly after, we implemented this design in a library we call CipherSweet.

Our initial design constraints were as follows:

1. Only use the cryptography tools that are already widely available to developers.
2. Only use encryption modes that are secure against chosen-ciphertext attacks.
3. Treat usability as a security property.
4. Remain as loosely schema-agnostic as possible, so that it's possible to use our design in NoSQL contexts or wildly different SQL database layouts.
5. Be extensible, so that it may be integrated with many other products and services.

Today, we'd like to talk about some of the challenges we've encountered, as well as some of the features that have landed in CipherSweet since its inception, and how we believe they are beneficial for the adoption of usable cryptography at scale.

If you're not familiar with cryptography terms, you may find this page useful.

Continue Reading this Blog Post »

January 4, 2019 by P.I.E. Staff

Since our inception, we've typically published retrospective blog posts every year:

• Year 2015 retrospective
• Year 2016 retrospective
• Year 2017 retrospective

A recurring theme of these posts has been, "We have an ambitious plan to make the Internet more secure."

At the end of 2015 looking towards 2016, we wanted to emphasize "secure-by-default" as the best attitude towards security.

Our goal for 2017 was to get libsodium into the PHP core (which we did! The vote passed 37 to 0) and write a pure-PHP polyfill library we call sodium_compat.

Our goal in 2018 was to kickstart an ecosystem-wide clean-up effort to address the discoverability problem: It's much easier for new PHP developers to discover bad security advice than good security advice. We wanted to flip the script on this problem and make new developers learn tools and techniques that are, at a base, far more conducive to developing secure applications.

This was somehow even more ambitious than our 2017 goal, and unsurprisingly, we didn't have the same measure of success this time around. But the campaign is still young, and may take several years to play out in full, and we believe a recent announcement from another organization shines a light of hope on our efforts. More on that in a minute.

Continue Reading this Blog Post »

November 27, 2018 by Scott Arciszewski

Today, we answer some reader questions about secure credential management, the benefits of ChaCha and BLAKE2 over AES and SHA2, and fault attacks on EdDSA.

Continue Reading this Blog Post »

September 17, 2018 by Scott Arciszewski

Astute readers have noticed that our blog posts have decreased in frequency this year. We put a heavy emphasis on quality, not so much on quantity.

At the same time, we field a lot of questions on social media, where our answers (and, sometimes, the questions themselves) are difficult to locate, especially when people close or lock their accounts.

With both of these thoughts in mind, I asked my Twitter followers if they'd be interested in a Q&A-style blog series. I expected maybe a 55:45 split on yes/no responses, but the final tally was overwhelmingly "Yes".

So with that in mind, I'd like to introduce the pilot for our new series, Slice of PIE.

Slice of PIE

Continue Reading this Blog Post »