Collaborate Disseminate
I remember from ages ago from reading DJB whitepapers that some of his criticisms of other elliptic curves (such as NIST P-256/P-384 aka secp256r1/secp384r1) were:
There are invalid points on the curve and conditional logic needs to be im… Continue reading Curve Completeness and Constant-Time Execution for P-256 and P-384
I’ve been looking around for smart cards with support for Ed25519. More specifically, I’d like to have a TLS CA with the private key on a YubiKey. The latest YubiKey 5 supports secp256k1, secp384r1, and RSA 2048 in the PIV tool for storing… Continue reading Can I Use an OpenPGP Smart Card to Sign a TLS Certificate?
I’m setting up a client TLS CA for authenticating requests over the internet to an AWS API Gateway endpoint. It supports TLS 1.2 but not TLS 1.3, at least from what I can tell.
Is there a minimum version of TLS 1.2 for support of Ed25519 c… Continue reading What is the minimum TLS version for support of Ed25519 Keys?
My general understanding is that in server-only TLS, the connection establishment proceeds like so:
Client opens a TCP connection to the server, passing SNI and other data such as supported ciphers/etc.
Server sends back its certificate c… Continue reading How much data is signed during TLS handshakes?
I’m building an application which will support both browser and application access to REST resources.
Applications will POST a username/password JSON body to a login endpoint which will return a signed JWT token in the response body. This… Continue reading CSRF and XSS Protection with a Static Site and REST API
I have the need to tunnel/forward a port over SSH. While I’m familiar with the ins and outs of doing this, I’d like to lock down the user so they effectively have no shell, rather just a process that accepts no input/output a… Continue reading Locking Down a Port-Forwarding User
Locally here on Ubuntu 14.04, my $PATH looks something like this:
PATH=”/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games”
When I manually define the path for cron jobs or in Puppet/Ansible provisi… Continue reading Ordering of the PATH environment variable
Automated signing of files, such as software packages or file backups, is inherently risky if a certain level of trust is given to it. Having signing be an automated process means that there’s no user sitting by and verifying… Continue reading How can I improve and secure automated signing?
Automated signing of files, such as software packages or file backups, is inherently risky if a certain level of trust is given to it. Having signing be an automated process means that there’s no user sitting by and verifying… Continue reading How can I improve and secure automated signing?
When creating Diffie Hellman parameters for OpenSSH, there’s a two-step process which looks like this to generate and filter secure primes for Diffie Hellman key exchange:
ssh-keygen -b 4096 -G dh4096-insecure
ssh-keygen -f … Continue reading Filtering safe primes for Diffie Hellman on OpenVPN