Archive for the 'Security' Category

As3Crypto is now open. Well, *more* open.

Sunday, June 22nd, 2008

As3Crypto has been open-source from the start, but the development, iteration and feedback process isn’t quite as open and collaborative as it should be.
There is this one guy controlling every aspect of it, hiding his precious source code until he deems it ready for another release, and generally being way too slow at moderating blog (…)

Flash 10 API Explorer

Wednesday, May 28th, 2008

A couple years ago, I wrote this little Java Explorer script that used Liveconnect to inspect available Java classes. It included a little console that made it easy to play with those classes and their members to see what they seemed to do.
More recently, when the Flash Player 10 beta came out, I ended up (…)

Backport of some As3Crypto stuff to As2

Thursday, November 29th, 2007

Apparently, ActionScript 2 isn’t dead yet.
While I anxiously await the day popular gizmos like the Wii or the iPhone get to run as3 bytecode, there are apparently still legitimate reasons to want to code with As2.
There already are various chunks of code out there to encrypt stuff with As2, the most popular being probably still (…)

As3Crypto 1.3 is out, TLS support is in.

Monday, November 19th, 2007

There we go, Flash now has a TLS 1.0 implementation written entirely in ActionScript.
In spite of my previous post, I didn’t feel right releasing something that didn’t have a shot at protecting against Man-in-the-middle attacks, so I took a few more days to implement some X.509 certificate parsing and validating.
This release ships with a number (…)

Badness in, plus TLS update

Tuesday, November 6th, 2007

Right now, any ByteArray you feed to MD5 will get messed with, in 2 ways:

Some padding will be added to the end of it
The endianness of the array will be forced to little-endian.

You see, TLS has this “finished” message as part of its handshake that requires to compute an MD5 hash and a SHA-1 hash (…)

Coming out of hibernation

Saturday, November 3rd, 2007

I need a better comment spam system.. I just had to go through 1075 comments, to extract the few that weren’t spam.
16 comments approved
1058 comments marked as spam
1 comment unchanged
Now, you could argue I should just moderate those things as they come in, and you’d be right.
Anyway.. not too long after my previous comment, my (…)

As3Crypto 1.2: now with less bugs

Sunday, April 29th, 2007

So my 1.2 release ends up being less awesome than hoped.
I had a bunch of bug fixes I was sitting on, hoping I’d release them at the same time as some new neat thing, but the new neat thing is taking longer than planned, and the blog comments make it clear you guys are already (…)

Actionscript Encryption Library Update

Sunday, March 4th, 2007

I’ve just pushed version 1.1 of the as3 crypto library out.
New stuff (from the release notes):
- secret key: DES, 3DES, BlowFish
- mode: CTR, SimpleIV
- demo UI: Added unit tests
- added toString() to each algorithm
- added dispose() to each algorithm. dispose() attempts to clear keys and states from the memory, but it is not guaranteed to (…)

An AS3 Cryptography Library

Tuesday, February 20th, 2007

ActionScript 3 has several new features such as ByteArray and uint, that make number crunching on the web less slow than you’re used to.
So it seemed like having a crypto library for as3 would make a lot of sense.
For as2, there was Meychi’s ASCrypt library, and while it would be easy to port them (…)