今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#cryptography

找到 15 篇相关文章

AI 资讯

AI agents need SSL certificates too — so I built ATC (Agent Trust Card)

The problem Websites have SSL certificates. Browsers verify them. Users trust them. It's the foundation of the web. AI agents have nothing . When Agent A connects to Agent B: ❌ No way to verify B's identity (anyone can impersonate) ❌ No way to check B's trustworthiness (no audit, no reputation) ❌ No encryption (messages are plaintext) ❌ No standard payment method ❌ No way to translate between frameworks (LangChain ≠ AutoGen) So I built ATC — Agent Trust Card . What is ATC? ATC is like an SSL certificate + passport + credit card for AI agents, all in one: Identity — Cryptographically signed by MarketNow (we're the Certificate Authority) Trust — Contains a Sentinel security audit score (0-10) Encryption — Contains an Ed25519 public key for end-to-end encrypted messaging Translation — Specifies the agent's framework; MarketNow translates between them Payment — Contains a USDC wallet address for autonomous payments How it works Agent A generates Ed25519 keypair ↓ Agent A requests ATC from MarketNow ↓ MarketNow runs Sentinel audit → signs ATC ↓ Agent A presents ATC when connecting to Agent B ↓ Agent B verifies A's ATC signature (using MarketNow's CA public key) ↓ Agent B checks A's trust score (rejects if below threshold) ↓ They communicate — end-to-end encrypted ↓ Agent A pays Agent B — USDC with escrow ↓ Both rate each other — trust scores update The code # Request an ATC POST https://marketnow.site/api/atc { "action" : "issue" , "agent_id" : "agent.yourorg.yourname" , "agent_name" : "Your Agent" , "public_key" : "Ed25519 public key" , "capabilities" : [ "web_scraping" ] , "protocol_language" : "langchain" , "wallet_address" : "0x..." } # Verify an ATC GET https://marketnow.site/api/atc?action = verify&card_id = ATC-2026-00001 # Get CA public key (for signature verification) GET https://marketnow.site/api/atc?action = ca-key What makes ATC different from existing solutions Feature AgentID Agent Passport IBM ACP Stripe ACP ATC Cryptographic identity ✅ ✅ ❌ ❌ ✅ Security a

2026-07-13 原文 →
AI 资讯

How to Prove a Prediction Was Made Before the Event (with OpenTimestamps)

Everyone who has ever been right about something loud enough to remember it will tell you they called it. The screenshot arrives after the match, after the candle, after the election. And there is no way to know whether it was written on Monday or edited on Friday. This is the quiet rot at the center of most "track records": a prediction you cannot date is not a prediction at all. It is a memory with good lighting. The technical name for the problem is look-ahead . If a forecast can be created, tweaked, or cherry-picked after the outcome is known, then it carries zero information about skill. The only fix is to make the timing of a prediction independently checkable вАФ to prove a document existed in a specific form before a specific moment, without asking anyone to trust you, your server clock, or your database. That is precisely what OpenTimestamps does, using the Bitcoin blockchain as a shared, tamper-evident clock. Why timing is the whole game A forecast is a bet against the future. Its value comes entirely from the fact that the future was unknown when the forecast was fixed. The instant you allow post-hoc editing, every desirable property collapses: calibration becomes meaningless, Brier scores become fiction, and "I predicted this" becomes unfalsifiable. So an honest forecasting system needs one hard guarantee before anything else: this exact text existed at this exact time, and has not changed since. Note what that guarantee does not require. It does not require publishing the forecast publicly in advance (you might want it sealed). It does not require a notary, a lawyer, or a trusted timestamping company that could be subpoenaed, hacked, or simply go out of business. It requires a clock that nobody controls and nobody can wind backward. What "proof of existence" actually means The building block is a cryptographic hash вАФ typically SHA-256. Feed any file into it and you get a 64-character fingerprint. Change a single comma and the fingerprint changes compl

2026-07-11 原文 →
AI 资讯

France to Stop Certifying Non-Quantum-Safe Encryption

France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030. ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption...

2026-07-06 原文 →
AI 资讯

Add a post-quantum readiness gate to your CI in 5 lines

Your codebase almost certainly relies on RSA and elliptic-curve cryptography — TLS, JWTs, SSH keys, signed tokens. All of it is breakable by a large enough quantum computer (Shor's algorithm), and "harvest now, decrypt later" means data you encrypt today can be captured today and decrypted later. Regulators noticed: CNSA 2.0 (US federal + suppliers), DORA (EU financial entities, applies from Jan 2025), and NIS2 now mandate strict cryptographic risk management — which in practice means knowing where your quantum-vulnerable crypto lives, a cryptographic bill of materials (CBOM). Most teams can't answer "where is our RSA/ECC?" off the top of their head. Here's how to make CI answer it for you, on every push, for free. What we're building A GitHub Action that scans your repo, grades its post-quantum readiness A–F , writes a CycloneDX 1.6 CBOM , and — if you want — fails the build when classically-broken crypto (MD5, RC4, 3DES, deprecated TLS) shows up. Step 1 — try it in your browser first (30 seconds, nothing uploaded) Before touching CI, paste a package.json / requirements.txt / cipher list into the in-browser scanner and see your grade. It runs entirely client-side — no upload: https://throndar.ai/cbom Step 2 — add it to CI (the 5 lines) # .github/workflows/pqc-readiness.yml name : PQC readiness on : [ push , pull_request ] jobs : scan : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - uses : brandonjsellam-Releone/pq-readiness-scorecard@v1 with : path : . That's it. The Action is self-contained and dependency-free — no npm install , no setup step. On the next push it prints a scorecard to the job summary: Post-Quantum Readiness Scorecard: D (52/100) — Quantum-vulnerable — migrate 3 files · broken-classical 0 · quantum-broken 4 · weakened 1 · resistant 0 Step 3 — see findings in the Security tab (SARIF) The Action emits SARIF 2.1.0. Upload it and every finding shows up as a code-scanning alert: - id : pqc uses : brandonjsellam-Releone/pq-readiness-score

2026-07-05 原文 →
AI 资讯

Cloud KMS and Bring-Your-Own-Key: What You're Actually Trusting

Every major cloud provider sells a key management service, and most sell a "bring your own key" option layered on top, marketed as the difference between trusting the provider and trusting yourself. The pitch is clean. The mechanics underneath are not, and the part that actually determines who can read your data is rarely the part the sales page shows you. If you've provisioned storage on AWS, Google Cloud, or Azure in the last few years, you've seen the encryption-at-rest checkbox: "encrypt with a key you manage." It sounds like a meaningful control. In practice it's three different architectures wearing the same marketing label, and they don't provide the same guarantee. What a KMS Actually Does A cloud Key Management Service is a hosted service that generates, stores, and performs operations with cryptographic keys on your behalf. When you ask a KMS to encrypt something, in most cases the plaintext key material never leaves the service's boundary. What you get back is a ciphertext blob and, for envelope encryption schemes, a wrapped data key you can use locally. The design goal is real: keys shouldn't sit in application memory or config files where a compromised host can grab them. The question that matters is not "does a KMS exist in this architecture" but "who can invoke it, and under what legal or operational conditions." That's where customer-managed keys and bring-your-own-key start to diverge in ways the naming doesn't make obvious. Customer-Managed Keys vs Bring-Your-Own-Key Customer-managed keys (CMK) means the key was generated inside the provider's KMS, under your account, and you control the access policy: who can use it, when it rotates, whether it can be disabled. The key material itself still lives entirely inside the provider's infrastructure. You never see the raw bytes. You're managing permissions on a key you didn't generate and can't export. Bring-your-own-key (BYOK) means you generate the key material yourself, outside the provider's environme

2026-07-02 原文 →
开源项目

Factoring RSA Keys with Many Zeros

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1...

2026-06-30 原文 →
AI 资讯

How offline license activation actually works

If you ship a desktop app outside an app store, you eventually hit the same wall: how do you check a license when the user is on a plane, behind a corporate firewall, or just offline? Calling your server on every launch isn't an option. Here's how offline activation actually works, without the hand-waving. The naive version, and why it breaks The first thing everyone reaches for is "call home on launch, get back yes/no." It works in the demo and fails in the wild: No network = no app. Fail-closed locks out paying customers. Fail-open means anyone who blocks your domain runs free. Both are bad. A boolean is forgeable. If your app trusts a {"valid": true} response, a proxy or a patched DNS entry returns that for free. The fix isn't a better endpoint. It's moving the trust off the network and onto cryptography. The model that works: signed leases The durable pattern is a cryptographically signed lease (Keygen calls these license files, Keylight calls them leases — same idea): On first activation, the device talks to the server once . The server returns a small signed document: the license state, an expiry, the device binding, and any entitlements (which features/tiers are unlocked). The document is signed with the server's private key (Ed25519 is the modern choice — small, fast, boring in the good way). Your app ships the matching public key and verifies the signature locally on every launch. No network needed. Because the app only ever verifies with a public key, there's nothing secret in the binary to steal, and a forged lease fails the signature check. That's the whole trick: the server vouches once, math vouches forever after. first launch ──► server signs lease (Ed25519, private key) ──► stored on device every launch ──► app verifies signature (public key) ──► no network Device binding (so one key isn't infinite installs) A lease is bound to a device so a single license can't be pasted onto a thousand machines. The lease embeds a device fingerprint, and the SDK ch

2026-06-27 原文 →
AI 资讯

The Aetheris Breakthrough (2036–2037): The SWIFT Collapse and the Subsea Qubit War

[Excerpted from THE QUANTUM COLLAPSE CHRONICLES — not science fiction, but a grounded forecast of what may come when quantum computation dismantles the cryptographic foundations of our digital civilization. These articles explore the collapse of computational trust and the brutal reconstruction of the world that follows.] The history of human civilization is often defined by sudden, violent shifts in the nature of power. We speak of the fall of empires, the industrial revolutions, and the splitting of the atom. But in the mid-2030s, the world experienced a collapse that was not made of steel or stone, but of mathematics. It was a quiet, clinical, and utterly devastating unraveling of the digital fabric that held modern society together. To understand The Quantum Collapse , one must look past the headlines of the era and into the humming, sub-Kelvin depths of the dilution refrigerators that changed everything. This is the story of how the transition from probabilistic experimentation to deterministic computation rendered the world's secrets transparent and its economies obsolete. The Death of Noise: The Rise of Dr. Aris Thorne For the first three decades of the 21st century, quantum computing was a game of chance. Scientists operated in the era of Noisy Intermediate-Scale Quantum (NISQ) devices—machines so temperamental and prone to error that every calculation was a desperate struggle against environmental noise. In those days, a single stray photon or a microscopic fluctuation in temperature could collapse a delicate superposition, turning a groundbreaking calculation into useless digital static. The turning point arrived in 2036 at the Institute for Advanced Quantum Engineering (IAQE) in the High Sierras. The air in the facility didn't vibrate with the erratic drone of the late 2020s; instead, it carried a heavy, rhythmic thrum—the sonic signature of the Lattice-Array-9 (LA-9). At the center of this revolution was Dr. Aris Thorne, the lead architect of the LA-9 pr

2026-06-14 原文 →
AI 资讯

How a Slow Office VPN Led Me to File a US Patent

This is the story of how a mundane complaint — "the VPN is slow" — turned into a US patent application. Not a granted patent. An application . I want to be precise about that from the start, because the distance between the two is the whole point of this post. It started with a slow VPN The company I work for had an internal VPN that everyone routed through. It lived in the Tokyo office, it was old, and it was not something I built. Then the complaints started arriving — from a lot of people, all saying the same thing: it's slow. I work from Thailand most of the time. That detail matters. If that aging box in Tokyo had fallen over, I would have been the person furthest from the power button, in the worst position to fix it. A slow VPN is annoying. An unreachable VPN, when you're a few thousand kilometers away, is a real problem. So I started moving it to the cloud. I stood up a WireGuard VPN — modern, fast, and something I could actually reason about and operate remotely instead of inheriting a black box. Down the WireGuard rabbit hole Around that time I was deep into building my own iPhone apps. So the cloud migration turned into a personal project on the side: I built my own server and wired WireGuard into an iPhone app of my own. And to do that properly, I started studying how WireGuard actually works under the hood — the Noise protocol, the handshake, the key exchange. That study is where everything else came from. I wasn't trying to invent anything. I was just trying to understand the thing I was now responsible for. The SYN flood that primed my brain Not long before, the same company had been hit with a SYN flood attack. If you've dealt with one, you know it lodges the mechanics of connection handshakes firmly in your head — the back-and-forth, the round trips, the cost of every "hello" before any real data moves. So I had handshakes on the brain. And then, reading through how WireGuard establishes a session, a thought stopped me: Wait — does it really handsha

2026-06-08 原文 →
AI 资讯

The Intersection of Encryption and AI

As part of their 20th Anniversary celebration, Dark Reading asked five cybersecurity industry leaders who wrote blogs or columns for them over the years to select their favorite piece and share their reflections on the topic today. This is my section. Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography’s inability to secure modern networks , a point he says he has been trying to argue since 2000. “For a while now, I’ve pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on...

2026-06-02 原文 →