Cossack Labs
Cossack LabsBlog archive
2017
11 Jul 2017
Replacing OpenSSL with BoringSSL in a Complex Multi-Platform Layout
To provide better mult-platform support in Themis, we've built multi-donor support abstraction layer for cryptographic primitives, called Soter. This is the first article in a series of three that will cover our experiments with different sources of crypto primitives, this time - BoringSSL.
8 Mar 2017
Presenting Acra
Today we're revealing Acra: a database security suite, built to provide selective encryption and intrusion prevention for modern microservice-rich products and web apps.
6 Mar 2017
Importing with ctypes in Python: fighting overflows
Best cases of boring technical debt are understood when reflected properly. This post addresses a simple one: inelegant flags in core C library ended up breaking Python tests. This is no small case to us: tests breaking sometimes might end up in things seeming to work, but not really working. Not something you can afford yourself when you're doing cryptography, do you?
28 Feb 2017
Plugging leaks in Go memory management
Investigating memory leaks can be fun, sometimes. Sometimes it might even teach you a few lessons in how the language you know and like actually works.
2016
30 Dec 2016
This year at Cossack Labs
Bright and full of new 2016 year insensibly came to an end. Sharing the summary of our work!
21 Dec 2016
Themis database modules
In an ongoing effort to make Themis functions available anywhere we (and potential users) might need them, we're starting to release Themis wrappers for popular databases. This post outlines the first two - for Redis and PostgreSQL databases.
13 Dec 2016
12 and 1 ideas how to enhance backend data security
Previously, we’ve talked about classic design patterns in backend data security, then about key management goals and techniques. In the last article, we will discuss how modern approaches differ and shed light on our solutions.
23 Nov 2016
Themis 0.9.4 release
Glad to announce Themis 0.9.4! Minor changes for stable new version.
26 Oct 2016
Why making Internet safe is everyone’s responsibility
... not the security vendors, nor government or big corporations can solely fix the current state of things. It's everybody's duty and the earlier we understand it - the better.
21 Sep 2016
Backend data security: Key management 101
Second article in series, Key Management 101 will talk about basic key management concepts, goals and methods to achieve them.
15 Aug 2016
Classic backend security design patterns
In upcoming series of articles, we'll ascend from classic database security techniques to modern technologies, including some of the cutting edge research and our own experiments in the field.
27 Jul 2016
Zero Knowledge Protocols without magic
In this post, we talk about Zero-Knowledge Proofs, tie ZKP authentication to traditional security models and help you understand better how authentication, in general, should work.
20 Jul 2016
Perimeter security: avoiding disappointment, shame and despair
Lighter reading: general thoughts on how the familiar mindset of 'protect the perimeter' changed over time.
26 May 2016
Introducing Themis 0.9.3
Themis 0.9.3 released: new wrappers for Go, NodeJS, C++, Google Chrome and much more.
23 May 2016
Choose your Android crypto (Infographic)
This blog post features infographic on how to choose cryptographic frameworks when developing Android apps and adds a few notes about Native/Java crypto.
21 Apr 2016
Building Sesto, in-browser password manager
Sesto is one of PoC tools we've developed while working on WebThemis - the cryptographically sane front-end framework for Google Chrome. Sesto enables web users to store any secrets (for example, login credentials) on the server and use them from any computer that has Google Chrome installed.
7 Apr 2016
Benchmarking Secure Comparator
This post summarizes our experiences of testing Secure Comparator as an authentication mechanism for HTTP.
While we were planning, designing and implementing Comparator, real infrastructure in which it has to function (letting Toughbase instances without shared trust to be able to exchange records and request personal data safely) was very far from being ready, but we wanted to understand how good it was for some practical applications. So we chose the obvious - seeing how SC could work as HTTP authentication mechanism.
30 Mar 2016
Crypto in iOS: Choose your destiny (Infographic)
This blog post features infographic on how to choose crypto when developing iOS apps. It's always useful to put tool choice in context of causes (goals) and effects. This is what we've tried to do in this post.
17 Mar 2016
Building secure end-to-end webchat with Themis
While doing some protocol design for front-end clients with WebThemis services, we wanted to try it in real-world situations first: how easily could we deploy complicated cryptographic behavior into web apps? Turns out, quite easily. This post describes one of such web apps, designed to illustrate some zero-server-trust design patterns we're using in other developments.
14 Mar 2016
Building LibreSSL for PNaCl
As we are still using LibreSSL as a donor for some of the cryptographic primitives, with every new architecture we have to make sure that LibreSSL compiles well. This post describes our challenges with PNaCl.
9 Mar 2016
Introducing Themis Server
Themis Server is interactive debugging environment for Themis: an easy way to try what Themis can do, debug your working code, get easy-to-test examples (specifically cooked to talk to Themis Server).
8 Mar 2016
Building and Using Themis in PNaCl
This post outlines our experience of porting typical C/C++ library (which is obviously Themis, in our case) to PNaCl module. A few challenges, a number of interesting riddles and Themis suddenly has a new home!
3 Mar 2016
What's wrong with Web Cryptography
Threats you may face when implementing cryptography within your web application JS way.
1 Mar 2016
WebThemis: proper crypto for modern Web
Introducing WebThemis: a Google Chrome library to develop secure web applications.
11 Feb 2016
Fixing Secure Comparator
After publishing Secure Comparator paper, we've received a number of concerns from the cryptographic community about possible security breach, in case, where one of the parties is intentionally falsifying the protocol. We've adressed these concerns, and, in this blog post and paper update would like to elaborate how and why.
2015
9 Dec 2015
Introducing Secure Comparator
Secure Comparator is a novel authentication technique we're proposing the cryptographic community to evaluate. It can be used as any id/secret pair authenticator in environments, where no trust relationships exist between two parties.
26 Nov 2015
Why we need novel authentication schemes?
Current technological advancements in authenticating users seems to be sufficient for most cases. However, taking a more detailed look reveals weaknesses and tradeoffs in all existing authentication schemes. Before explaining the methodology and cryptography behind Secure Comparator, our authentication protocol, we wanted to outline reasons for developing it in a brief review of existing authentication methods.
20 Nov 2015
WeakDH/LogJam vs Secure Session
Being asked several times 'Is Secure Session prone to attacks similar to WeakDH/LogJam', we've decided to outline some principal differences, which render Secure Session really secure from these attacks.
18 Nov 2015
Armoring ed25519 to meet extended security challenges
When developing new, advanced features of Themis library, we had to extend some ECC cryptography available in open source with our own implementation to provide simple point multiplication with random (unknown in advance) point. To achieve that, we've extended Daniel J. Bernstein's implementation of ed25519 with our own math and code. This blog post outlines our direction of thinking.
4 Nov 2015
Introducing Themis 0.9.2
Introducing updated and polished Themis, release 0.9.2.
28 Oct 2015
Why you should avoid SSL for your next application
TL;DR: SSL is huge, inefficient, complex and presents many vulnerabilities. If you can avoid it - you should.M
1 Oct 2015
Building encrypted chat service with Themis and mobile websocket example
This tutorial shows simple ways of integrating cryptographic services presented by Themis cryptographic library into your already existing multi-platform application.
22 Sep 2015
Notes on adding cutting edge features
Some important notes on intruducing experimental, bleeding edge features to Themis, changes in Themis build system in the regard of these features, and a tease of new things to come.
3 Jun 2015
Releasing Themis into public: usability testing
How we did usability testing for Themis when releasing the open source library into public.
Being ready to release Themis, we've gathered a few colleagues and decided to make a test run on unsuspecting developers - how would the library blend into their workflows?
18 May 2015
Introducing Themis
We are proud to present Themis, a novel cryptographic services library.
Every good work of software starts by scratching a developer's personal itch. (The Cathedral and the Bazaar)
