After twenty-six years, Microsoft is finally upgrading the last remaining
instance of the encryption algorithm RC4 in Windows.
> of the most visible holdouts in supporting RC4 has been Microsoft. Eventually,
> Microsoft upgraded Active Directory to support the much more secure AES
> encryption standard. But by default, Windows servers have continued to respond
> to RC4-based authentication requests and return an RC4-based response. The RC4
> fallback has been a favorite weakness hackers have exploited to compromise
> enterprise networks. Use of RC4 played a ...
Here’s a fun paper: “The Naibbe cipher: a substitution cipher that encrypts
Latin and Italian as Voynich Manuscript-like ciphertext”:
> Abstract: In this article, I investigate the hypothesis that the Voynich
> Manuscript (MS 408, Yale University Beinecke Library) is compatible with being
> a ciphertext by attempting to develop a historically plausible cipher that can
> replicate the manuscript’s unusual properties. The resulting cipher, a verbose
> homophonic substitution cipher I call the Naibbe cipher, can be done entirely
> by hand with 15th-century materials, and when it encrypts a wide range of
> Latin and Italian plaintexts, the resulting ciphertexts remain fully
> decipherable and also reliably reproduce many key statistical properties of
> the Voynich Manuscript at once. My results suggest that the so-called
> “ciphertext hypothesis” for the Voynich Manuscript remains viable, while also
> placing constraints on plausible substitution cipher structures...
The International Association of Cryptologic Research—the academic cryptography
association that’s been putting conferences like Crypto (back when “crypto”
meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online
election when trustee Moti Yung lost his decryption key.
> For this election and in accordance with the bylaws of the IACR, the three
> members of the IACR 2025 Election Committee acted as independent trustees,
> each holding a portion of the cryptographic key material required to jointly
> decrypt the results. This aspect of Helios’ design ensures that no two
> trustees could collude to determine the outcome of an election or the contents
> of individual votes on their own: all trustees must provide their decryption
> shares...
Signal has just rolled out its quantum-safe cryptographic implementation.
Ars Technica has a really good article with details:
> Ultimately, the architects settled on a creative solution. Rather than bolt
> KEM onto the existing double ratchet, they allowed it to remain more or less
> the same as it had been. Then they used the new quantum-safe ratchet to
> implement a parallel secure messaging system.
>
> Now, when the protocol encrypts a message, it sources encryption keys from
> both the classic Double Ratchet and the new ratchet. It then mixes the two
> keys together (using a cryptographic key derivation function) to get a new
> encryption key that has all of the security of the classical Double Ratchet
> but now has quantum security, too...
Here’s the summary:
> We pointed a commercial-off-the-shelf satellite dish at the sky and carried
> out the most comprehensive public study to date of geostationary satellite
> communication. A shockingly large amount of sensitive traffic is being
> broadcast unencrypted, including critical infrastructure, internal corporate
> and government communications, private citizens’ voice calls and SMS, and
> consumer Internet traffic from in-flight wifi and mobile networks. This data
> can be passively observed by anyone with a few hundred dollars of
> consumer-grade hardware. There are thousands of geostationary satellite
> transponders globally, and data from a single transponder may be visible from
> an area as large as 40% of the surface of the earth...
I wrote about this in 2023. Here’s the story:
> Three Dutch security analysts discovered the vulnerabilities—five in
> total—in a European radio standard called TETRA (Terrestrial Trunked Radio),
> which is used in radios made by Motorola, Damm, Hytera, and others. The
> standard has been used in radios since the ’90s, but the flaws remained
> unknown because encryption algorithms used in TETRA were kept secret until
> now.
There’s new news:
> In 2023, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of security firm
> Midnight Blue, based in the Netherlands, discovered vulnerabilities in
> encryption algorithms that are part of a European radio standard created by
> ETSI called TETRA (Terrestrial Trunked Radio), which has been baked into radio
> systems made by Motorola, Damm, Sepura, and others since the ’90s. The flaws
> remained unknown publicly until their disclosure, because ETSI refused for
> decades to let anyone examine the proprietary algorithms...
Well, this is interesting:
> The auction, which will include other items related to cryptology, will be
> held Nov. 20. RR Auction, the company arranging the sale, estimates a winning
> bid between $300,000 and $500,000.
>
> Along with the original handwritten plain text of K4 and other papers related
> to the coding, Mr. Sanborn will also be providing a 12-by-18-inch copper plate
> that has three lines of alphabetic characters cut through with a jigsaw, which
> he calls “my proof-of-concept piece” and which he kept on a table for
> inspiration during the two years he and helpers hand-cut the letters for the
> project. The process was grueling, exacting and nerve wracking. “You could not
> make any mistake with 1,800 letters,” he said. “It could not be repaired.”...
Good tutorial by Micah Lee. It includes some nonobvious use cases.
A Florida bill requiring encryption backdoors failed to pass.
Last month, the UK government demanded that Apple weaken the security of iCloud
for users worldwide. On Friday, Apple took steps to comply for users in the
United Kingdom. But the British law is written in a way that requires Apple to
give its government access to anyone, anywhere in the world. If the government
demands Apple weaken its security worldwide, it would increase everyone’s
cyber-risk in an already dangerous world.
If you’re an iCloud user, you have the option of turning on something called
“advanced data protection,” or ADP. In that mode, a majority of your data is
end-to-end encrypted. This means that no one, not even anyone at Apple, can read
that data. It’s a restriction enforced by mathematics—cryptography—and not
policy. Even if someone successfully hacks iCloud, they can’t read ADP-protected
data...