cryptography
8 posts tagged cryptography.
-
Rotating Every Cipher: SChannel and the Twenty-Year Algorithm-Agility Story of Windows TLS
How one Windows DLL rotated every TLS primitive from RC4 to ML-KEM without breaking IIS, RDP, SQL Server, or .NET SslStream -- and why Vista's 2007 CNG was the inflection point.
-
The Connection That Refused to Downgrade: Twenty-Five Years of SMB Cryptography, Finally Default-On
How SMB 3.1.1 pre-authentication integrity, AES-256-GCM, and SMB-over-QUIC closed a 25-year attack tradition, and which attacks still survive in 2026.
-
CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms
A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
-
Direct Anonymous Attestation: The Zero-Knowledge Proof Already in Every TPM
TPM 2.0 names a zero-knowledge group-signature primitive in its spec. A billion chips ship it. Almost nobody verifies it. The story of why DAA won every standardization fight and lost every deployment one.
-
Edge's Two Password Cryptographies: A Beautiful PSI on the Wire, and Plaintext RAM by Design
Microsoft Edge ships a homomorphic-encryption PSI for breach checking and decrypts every saved password into process RAM at launch. Both designs are deliberate. They defend different threat models.
-
Fuzzy Extractors and the One Inequality That Explains Why Windows Hello Doesn't Use One
Fuzzy extractors turn noisy biometrics into stable cryptographic keys. A single 2004 inequality explains why Windows Hello deliberately does not use one.
-
Post-Quantum Cryptography on Windows: The Thirty-Year Migration That Just Arrived
How NIST FIPS 203/204/205 reaches the Windows platform via SymCrypt, CNG, Schannel, and .NET 10 -- the algorithm internals, the wire format, the migration timeline, and the honest accounting.
-
BitLocker on Windows: Architecture, Attacks, and the Limits of Full-Disk Encryption
How BitLocker evolved from an optional enterprise feature to encryption-by-default, its cryptographic architecture, every known attack, and what FDE still cannot protect against.