
Author Archives: Christopher Meyer

Christopher Meyer
Chris works as a researcher and is eagerly looking for bugs in SSL/TLS, the Java platform and various applications. In addition, he is primarily interested in secure coding and exploiting coding mistakes.

Easter Hack: Even More Critical Bugs in SSL/TLS Implementations


It’s been some time since my last blog post – time for writing is rare. But today, I’m very happy that Oracle released the brand new April Critical Patch Update, fixing 37 vulnerabilities in our beloved Java (seriously, no kidding – Java is simply a great language!). With that being said, all vulnerabilities reported by my colleagues (credits go to Juraj Somorovsky, Sebastian ...


How to use ECC with OpenJDK


Everyone who ever tried to use Elliptic Curve Cryptography (ECC) in Java with an OpenJDK was either forced to use Bouncy Castle or fumble with the SunEC provider. The SunEC provider offers the following algorithms according to the documentation (quote): AlgorithmParameters: EC; KeyAgreement: ECDH; KeyFactory: EC; KeyPairGenerator: EC; Signature: NONEwithECDSA, SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA. Unfortunately, this provider is not shipped ...


Safely Create and Store Passwords


Nearly every time user profiles are involved, it is necessary to manage user credentials and thus to be able to create and store user passwords. It should be common practice to use hashed and salted passwords in order to be prepared for database disclosure and hash reversing by means of rainbow tables. However, it is (sadly) not uncommon to find ...


Weaknesses in Java Pseudo Random Number Generators (PRNGs)


This will be a summary of a paper written by Kai Michaelis, Jörg Schwenk and me, which was presented at the Cryptographers’ Track at RSA Conference 2013. You can get the slides of my presentation here and our full paper here. We performed an analysis of the random sequences generated by common Java libraries shipping with PRNGs (mostly SecureRandom) ...


A brief chronology of SSL/TLS attacks


I haven’t had a substantial post for quite a long time, so it’s time for something useful and interesting. Although not Java-specific, this post might still be interesting to some of you. A brief warning before reading: this is a very lengthy post, but – believe it or not – it is just the brief summary of an even longer ...


Hash Length Extension Attacks


In this post I will try to leave the summer slump behind and focus on something more interesting than complaining about the weather – hash length extension attacks. Hash length extension attacks are neither complicated nor highly sophisticated; to be honest, they are just about how hash functions are used. As discussed in one of my former posts there are ...


How to deal with {conservative, intractable, annoying} APIs


Have you ever been fighting with an API that is, at least for your current purpose, inflexible? I picked one of the trickier scenarios – calling super( … ) with parameters. Sometimes there are APIs defining constructors that must be called with instances of Objects. So far so good, but what if the handled parameter is stored private inside ...


Using the final keyword on method parameters


After some confusion of my own about the specific meaning of final-declared method parameters, this blog entry will try to clarify it. At the very least, the final keyword on a method parameter can be seen as an indicator to the Java compiler that this parameter cannot be reassigned to another reference. Java parameter handling is always call by value (yes, even when dealing ...


Investigating the HashDoS issue


Nearly one month ago I wrote some thoughts on how the HashDoS problem presented at the 28C3, or other code defects, could perhaps be fixed temporarily without vendor interaction. Now it’s time to investigate the complexity attack more deeply and have a look at the sources. I quietly assume that java.util.HashMap and java.util.Hashtable are the most commonly used data ...
