Under Permanent Construction:
I’ll be adding more to this page in the next few
weeks.
- More on finding MD-5 collisions: Recently, Vlastimil Klima refined Wang’s method and is able to find MD-5 collisions on a laptop (1.6 GHz Intel Pentium) in about a minute. Klima’s paper is available from the IACR ePrint Archive.
Update (3/29/06): Klima has refined his method, and can now find MD-5 collisions in an average of 31 seconds. Paper and source code are available from Klima’s Web site.
- The original breakthrough on finding MD-5 collisions was due to the work of Xiaoyun Wang and her colleagues from Shandong University. The Information Security Laboratory at Shandong University has other related papers concerning cryptography.
- In VPNs Illustrated, I mostly used tcpdump for analysis, but there are several great security tools available. Here is a list of 100 security tools that are very useful. This page has added 25 additional tools, so it’s worth revisiting if you haven’t been there recently. It’s also worth noting that ethereal, which I mentioned in Appendix B of VPNs Illustrated, has been renamed wireshark. Some of these security tools are mentioned in my Useful TCP/IP Links list.
- Anyone who runs
a firewall and keeps logs, as I do, will often wonder what
an attempted connection to port X means.
DShield tracks a
variety of attack information, including a link to check if
attacks are originating from your machine. If you want the
latest information on intrusion attacks, this is the place
to look.
- Chapter 6 of
VPNs Illustrated discussed stunnel and used
it to link non-SSL aware applications with an SSL tunnel.
Stunnel.org has the
latest releases and information about stunnel.
- Anyone
debugging SSL connections or applications will want a copy
of Eric Rescorla’s ssldump. The
ssldump home page
has the latest information and releases.
- Chapter 3 of
VPNs Illustrated discussed a trivial cipher in which
a (relatively) short key is repeatedly XORed into the
plaintext. I described this cipher as “horribly
insecure” and very easy to break.
Thomas Habets
has written a program,
xor-analyze,
that shows how this is done.
- The two best general references on cryptography that I have found are Schneier’s Applied Cryptography and the Handbook of Applied Cryptography (HAC) by Menezes, van Oorschot, and Vanstone. CRC Press, the publisher of HAC, has generously made this important resource available on-line for free.
- ASD Laboratory
has put up an interesting Web site
Algebraic Structure Defectoscopy,
which compares the security of several ciphers and hash
functions. Their comparisons are the result of automated
testing and, therefore, slightly controversial. See their
Background
page for a description and defense of their methods.
- Here's
a Web page with some useful suggestions for making your SSH
daemon more secure.
- Passwords:
Here is a list of
bad passwords
that you should never use. It’s amazing how often you
see these on supposedly secure systems. On the other hand,
there are several good tutorials on choosing strong
passwords. SANS offers this
Simple Formula for Strong Passwords
tutorial. HANetworks has a
password strength meter
that checks your passwords against best practices and a
password dictionary. Be sure to observe the safety warning
about using your exact password. You can find other
suggestions for strong passwords
here,
here,
and
here.
- Bruce Schneier, one of the most well known people in security and cryptography, has several valuable resources available online. In addition to Web pages on the blowfish and twofish algorithms that I mentioned in VPNs Illustrated, Schneier has a blog, Schneier on Security, which discusses recent items concerning security and cryptography. The blog serves as a complement to his longstanding newsletter, The Cryptogram.
- The weakest
link: You can have all the greatest crypto, firewalling,
and filtering in the world, but you can’t, it appears,
do anything about your users. Here’s a frightening
account
of how a security audit team tricked several employees of a
credit union into loading a Trojan horse onto their system
even though the employees were aware of the
audit.
- A
Puzzle:
Project Euler
from
Mathschallenge.net
has an
interesting problem
that asks you to find a brute force solution to an example
of the trivial cipher from Chapter 3 of VPNs
Illustrated. Although simple in principle, the problem
nicely illustrates some of the difficulties that a
cryptanalyst must overcome. One such problem is how to
(programmatically) recognize a correct decryption. The
requirement to be able to sift through large amounts of data
is simulated by invoking the
one-minute rule,
which requires that the computation be complete in under a
minute on a “normal” computer.
- Need some
advice on what key lengths you should use? I found a link to
a page full of
key length recommendations
on Eric Rescorla’s
blog.
- CryptoDox
is a Wiki devoted to cryptography and information security.
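
The trivial repeating-key XOR cipher from the Chapter 3 and Project Euler items above can be broken in a few lines. The following is an added example, not code from the book, from xor-analyze, or from Project Euler. It assumes the key length is known and the key is lowercase letters, uses a constructed plaintext and key, and uses a deliberately crude "looks like text" score to recognize a correct decryption. It also goes one step beyond brute force to show that each key byte can be recovered independently.

```python
from itertools import cycle, product
from string import ascii_letters, ascii_lowercase

KEY_ALPHABET = ascii_lowercase.encode()           # assumption: lowercase key
TEXT_BYTES = set((ascii_letters + " ").encode())  # bytes we expect in prose

def xor_repeat(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def english_score(candidate):
    """Crude recognizer: fraction of bytes that are letters or spaces."""
    return sum(b in TEXT_BYTES for b in candidate) / len(candidate)

def brute_force(ciphertext, key_len):
    """Try every key; keep the decryption that looks most like text."""
    best_score, best_key = -1.0, b""
    for letters in product(KEY_ALPHABET, repeat=key_len):
        key = bytes(letters)
        score = english_score(xor_repeat(ciphertext, key))
        if score > best_score:
            best_score, best_key = score, key
    return best_key, xor_repeat(ciphertext, best_key)

def solve_by_column(ciphertext, key_len):
    """Key byte i only touches bytes i, i+key_len, ...; solve each alone.

    This cuts the search from 26**key_len keys to 26*key_len guesses.
    """
    return bytes(
        max(KEY_ALPHABET,
            key=lambda k, col=ciphertext[i::key_len]:
                english_score(bytes(c ^ k for c in col)))
        for i in range(key_len)
    )

# Constructed sample: the plaintext and key are made up for this example.
PLAINTEXT = (b"a short key repeatedly xored into the plaintext "
             b"is horribly insecure and very easy to break")
SECRET_KEY = b"vpn"
CIPHERTEXT = xor_repeat(PLAINTEXT, SECRET_KEY)

if __name__ == "__main__":
    key, plain = brute_force(CIPHERTEXT, len(SECRET_KEY))
    print("brute force :", key, plain)
    print("per column  :", solve_by_column(CIPHERTEXT, len(SECRET_KEY)))
```

A wrong lowercase key byte always turns a plaintext space into a digit or punctuation mark, which is why even this simple score singles out the right key here; longer or messier text calls for a letter-frequency score.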
Last updated: 2006/09/18 18:09:23