Cryptographic properties of MACs and HMACs

Posted on Mo 20 August 2018 in Security, Cryptography, MAC, HMAC • Tagged with Math, MAC, HMACLeave a comment


Similarly as digital signatures, Message Authentication Codes provide message integrity and message authentication. When Alice generates a MAC and sends the message and MAC to Bob, Bob verifies that the message has integrity by calculating the MAC himself. He also authenticates the message, because only Alice could have generated the MAC.

Unlike digital signatures they do however not provide nonrepudiation, since all involved parties share the secret key \(k\). MAC's can be implemented using cryptographically secure hash functions (HMAC) or symmetric block ciphers like AES.

A MAC consists of …

Continue reading

Cryptographic Hash Functions

Posted on Sa 18 August 2018 in Security, Cryptography, Hash Functions • Tagged with Math, Integrity, Hash-Functions, Merkle-DamgårdLeave a comment


This blog post will introduce cryptographic hash functions. We are going to discuss the Merkle-Damgård construction which underlies many hash functions that were and are used nowadays. The MD4, MD5, SHA-1 and SHA-2 hash families are all functions that built on top of the Merkle-Damgård construction. Then we will introduce an alternative construction that was popularized during the publication of Keccak (SHA-3): The Sponge construction.

But what are cryptographic hash functions good for?

The general idea is to apply a unique and stable fingerprint to each input data \(x …

Continue reading

How to find large prime numbers for RSA with the Miller-Rabin Primality Test

Posted on So 12 August 2018 in Security, Cryptography • Tagged with Python, Primes, Math, RSA, asymmetric key cryptography, Miller-Rabin Primality Test, FermatLeave a comment


All sources for this blog post can be found in the Github repository about large primes. The most recent version of the sources may only be found in the Github repository.

It has been a long time since I found the energy to write a new blog post. In this article, I am going to dig into a interesting area of cryptography: The task to find large prime numbers. We hopefully are all familiar with the concept of prime numbers. Prime numbers are integers \(p\) which are dividable only …

Continue reading

Privilege Escalation Techniques

Posted on Mi 10 August 2016 in Security • Tagged with Linux, Privilege Escalation, rootLeave a comment

This blog post will serve as a cheatsheet to help in my future pentesting experiments and wargames when I am stuck and don't know how to proceed. I hope it will be of use for some people out there. This document will likely change and evolve in future revisions.

In this blog post I will discuss common privilege escalation techniques. I assume that an attack got a foothold into the server by spawning a webshell over SQL-Injections or similar web exploitation vectors.

Helpful resources

Other people have published great information …

Continue reading

Probabilistic data structures to estimate cardinalities and frequencies of massive streams

Posted on Mi 20 Juli 2016 in BigData • Tagged with LogLog-Count, Count-Min-Sketch, Linear Count, Big Data, Stream ProcessingLeave a comment

In the following blog post we will introduce three different Big Data algorithms. More specifically, we will learn about probabilistic data structures that allow us to estimate cardinalities and frequencies of elements that originate from a massive stream of data. This blog post is heavily inspired by a the well written article on probabilistic data structures for web analytics and data mining. I will not cover the mathematics behind those data structures, the beforementioned blog post does that much better. And if not, then you should probably consult the original …

Continue reading

What other package managers are vulnerable to typo squatting attacks?

Posted on Do 30 Juni 2016 in Security • Tagged with security, Typosquatting, nuget, cargoLeave a comment

In my last blog post about typosquatting package managers I discussed my findings about attacking the programming language package managers from, PyPi and

This blog contribution generated quite some interest and people subsequently asked themselves whether other package managers might also be vulnerable to this hybrid attack (typosquatting involves a technical and psychological attack vector). During the time I wrote my thesis, I encountered some other package managers. A very good overview of some of the most recent package managers gives the github showcase page about …

Continue reading