
Neil Madden

Neil Madden
The square roots of all evil
2 months ago
19
Every programmer knows Donald Knuth’s famous quote that “premature optimization is the root of all evil”, from his 1974 Turing Award lecture (pdf). A fuller quotation of the surrounding context gives a rounder view: I am sorry to say that many people nowadays are condemning...
Neil Madden
I still don’t really get “hash shucking”
a year ago
14
If you want to learn how to store passwords securely, you could do a lot worse than looking at the OWASP Password Storage Cheat Sheet. These cheat sheets are generally pretty good, and the password storage one is particularly good. The editors do a great job of keeping it up to...
Neil Madden
Machine Learning and the triumph of GOFAI
7 months ago
12
I’ve been slowly reading Brian Cantwell Smith’s “The Promise of Artificial Intelligence” recently. I haven’t finished reading it yet, and like much of BCS’s writing, it’ll probably take me 3 or 4 read-throughs to really understand it, but there’s one point that I want to pick up...
Neil Madden
Multiple input MACs
over a year ago
12
When working with Message Authentication Codes (MACs), you often need to authenticate not just a single string, but multiple fields of data. For example, when creating an authenticated encryption mode by composing a cipher and a MAC (like AES-CBC and HMAC), you need to ensure the...
Neil Madden
Digital signatures and how to avoid them
5 months ago
11
Wikipedia’s definition of a digital signature is: A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the...
Neil Madden
Galois/Counter Mode and random nonces
9 months ago
11
It turns out you can encrypt more than 2^32 messages with AES-GCM with a random nonce under certain conditions. It’s still not a good idea, but you can just about do it. #cryptography
Neil Madden
On PBKDF2 iterations
over a year ago
11
There has been a lot of discussion recently around the LastPass breach, especially with regards to the number of PBKDF2 iterations applied to the master password to derive the vault encryption key. Other people have already dissected this particular breach, but I want to more...
Neil Madden
XSS doesn’t have to be game over
over a year ago
10
There’s a persistent belief among web security people that cross-site scripting (XSS) is a “game over” event for defence: there is no effective way to recover if an attacker can inject code into your site. Brian Campbell refers to this as “XSS Nihilism”, which is a great...
Neil Madden
Macaroon access tokens for OAuth: Part 2 – transactional auth
over a year ago
10
In part 1, I showed how Macaroon access tokens in ForgeRock Access Management 7.0 can be used as a lightweight and easy-to-deploy alternative to proof of possession (PoP) schemes for securing tokens in browser-based apps. The same techniques can be adapted to secure tokens in...
Neil Madden
API Security in Action handed over to production
over a year ago
10
After a flurry of last-minute corrections and updates in response to review feedback, my book has now been handed over to Manning’s production team. That means a few weeks of copy editing and graphics polish, then indexing and typesetting to produce the final version around...
Neil Madden
Book review: The Joy of Cryptography
over a year ago
10
Mike Rosulek, Oregon State University. Draft of January 3, 2021. Online: The Joy of Cryptography. This is a freely-available book covering introductory material on cryptography. It’s suitable for anyone with undergraduate-level computer science knowledge. As is often the case in...
Neil Madden
CVE-2022-21449: Psychic Signatures in Java
over a year ago
10
The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this being Doctor Who, the card is really made out of a special “psychic paper”, which...
Neil Madden
How do you use a bearer URL?
over a year ago
10
In “Towards a standard for bearer token URLs”, I described a URL scheme that can be safely used to incorporate a bearer token (such as an OAuth access token) into a URL. That blog post concentrated on the technical details of how that would work and the security properties of the...
Neil Madden
Is Datalog a good language for authorization?
over a year ago
10
Datalog is a logic programming language, based on Prolog, which is seeing something of a resurgence in interest in recent years. In particular, several recent approaches to authorization (working out who can do what) have used Datalog as the logical basis for access control...
Neil Madden
Why the OAuth mTLS spec is more interesting than you might think
over a year ago
10
I was catching up on the always excellent Security. Cryptography. Whatever. podcast, and enjoyed the episode with Colm MacCárthaigh about a bunch of topics around TLS. It’s a great episode that touches a lot of subjects I’m interested in, so go ahead and listen to it if you...
Neil Madden
When a KEM is not enough
over a year ago
10
In my previous post, I described the KEM/DEM paradigm for hybrid encryption. The key encapsulation mechanism is given the recipient’s public key and outputs a fresh AES key and an encapsulation of that key that the recipient can decapsulate to recover the AES key. In this post I...
Neil Madden
Towards a standard for bearer token URLs
over a year ago
9
In XSS doesn’t have to be Game Over, and earlier when discussing Can you ever (safely) include credentials in a URL?, I raised the possibility of standardising a new URL scheme that safely allows encoding a bearer token into a URL. This makes it more convenient to use lots of...
Neil Madden
Hybrid encryption and the KEM/DEM paradigm
over a year ago
9
If you know a bit about public key cryptography, you probably know that you don’t directly encrypt a message with a public key encryption algorithm like RSA. This is for many reasons, one of which being that it is incredibly slow. Instead you do what’s called hybrid encryption:...
Neil Madden
API Security in Action is published!
over a year ago
9
I wasn’t expecting it so quickly, so it caught me a little off guard, but API Security in Action is now finally published. PDF copies are available now, with printed copies shipping by the end of the month. Kindle/ePub take a little bit longer but should be out in a few weeks...
Neil Madden
A few programming language features I’d like to see
over a year ago
9
I enjoyed Hillel Wayne’s recent newsletter about microfeatures they’d like to see in programming languages. A “microfeature” is essentially a small convenience that makes programming in that language a bit easier without fundamentally changing it. I love this idea. I’m partial to...
Neil Madden
Entity authentication with a KEM
a year ago
9
In cryptography, the process of authenticating a user (or app/service) is known as entity authentication or identification (to distinguish it from message authentication or data origin authentication). There are lots of ways to do this. In this post I’m going to talk about...
Neil Madden
A controversial opinion about REST API design
a year ago
8
I was just reading yet another article on REST API design guidelines. Some of it is good advice, some of it I could quibble with. But several of the rules are about how to design the path hierarchy of your API: use plural nouns, don’t use nested sub-paths unnecessarily, etc. In...
Neil Madden
Parse, don’t type-check
over a year ago
8
There’s a fantastic article from last year titled Parse, don’t validate. I’d highly recommend it to any programmer (along with the more recent follow up Names are not type safety). The basic idea is that there are two ways to check that some input to a function is valid: A...
Neil Madden
Some incomplete thoughts about Gödel
over a year ago
8
I saw another article on Gödel’s incompleteness theorems linked from Reddit today. It’s a topic I’ve wanted to write about for some time. Although many articles do a decent job in giving an idea of what the big deal is (and this one is pretty good), they can sometimes give a...
Neil Madden
Newsletter
a year ago
8
Happy new year! I’m hoping to write a few posts on here over the next few weeks, but probably exploring a few topics around AI and philosophy. If you’d prefer some more technical content around security and cryptography, then take a look at the newsletter I put out for my...
Neil Madden
Making things
over a year ago
8
I made my daughter a toy tree house thing for Christmas out of old firewood (and a slice of cedar donated by a neighbour). It’s a bit clunky in places — “rustic” shall we say? But I probably enjoyed making this, over a few weeks of lunchtimes and evenings, more than anything I’ve...
Neil Madden
From KEMs to protocols
over a year ago
7
This is the third part of my series on Key Encapsulation Mechanisms (KEMs) and why you should care about them. Part 1 looked at what a KEM is and the KEM/DEM paradigm for constructing public key encryption schemes. Part 2 looked at cases where the basic KEM abstraction is not...
Neil Madden
SipHash-based encryption for constrained devices
9 months ago
7
I see a lot of attempts to define encryption schemes for constrained devices with short authentication tags (e.g., 64 bits) using universal hashing. For example, there’s a proposal in CFRG at the moment for a version of AES-GCM with short tags for this kind of use-case. In my...
Neil Madden
A few clarifications about CVE-2022-21449
over a year ago
7
Just a few quick notes/updates to correct some potentially inaccurate statements that are floating around on Reddit/Twitter etc: The bug only impacts Java 15 and above. The original advisory from Oracle incorrectly listed earlier versions (like 7, 8 and 11) as being impacted....
Neil Madden
Regular JSON
a year ago
5
For better or worse, depending on your perspective, JSON has become a dominant data format and shows no signs of being replaced any time soon. There are good reasons for that: on the face of it, it provides a very simple format with just enough features to cover a lot of...