GPG: My go-to example for teaching cryptography all-in-one 📧🔐

The glue in my lessons on encryption

As I write this piece, I’m preparing for the graduation of some of the first Bachelor of Cybersecurity students from James Cook University Singapore, which means it’s approaching two years since I joined and started teaching Cybersecurity. So now seems like a good time to reflect on some recurring tools and techniques that I’ve found useful so far. This post will focus on one: GNU Privacy Guard (GPG). Unsurprisingly, cryptography comes up a lot in a course about cybersecurity, so no matter what subjects I’m teaching, there’s often a reason to introduce, or reiterate, some essential concepts.

In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy-style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding.

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all.