WindowsTechs.com

Author Archives: Szyszka947

SHA256 for hashing 32 cryptographically random bytes

Posted on October 8, 2022 by Szyszka947

I need to hash 32 cryptographically random bytes, but later the verification of the value against the hash must be very fast, so I decided to use SHA256. Is it a security issue if my passwords are 32 cryptographically random bytes? Maybe you know so…

Posted in hash, passwords, sha256

Use TOTP as client_secret with OAuth

Posted on October 7, 2022 by Szyszka947

Can we use a 10-digit TOTP as client_secret? What security problems would this cause, and maybe some benefits? After all, TOTP changes every 30 seconds, but you need to know e.g. a 32 byte secret (which will never be sent across any request) …

Posted in oauth2, TOTP

When to use application layer encryption

Posted on September 28, 2022 by Szyszka947

When to use application layer encryption? Is it important in backchannel communication (machine-to-machine) without users?
And e.g. when we create state in OpenID Connect’s client and redirect the user to an identity provider, shouldn’t we…

Posted in encryption, openid-connect, web-application

Storing state, nonce and code_verifier in session cookie OpenID Connect

Posted on September 11, 2022 by Szyszka947

When a client redirects the user to the identity provider with OpenID Connect, it has to save state, nonce and code_verifier, e.g. in a cookie. But are there any disadvantages/security issues of storing all these values (state, nonce, code_verifier…

Posted in cookies, openid-connect

Does signing make any sense when encryption with a secret key is used?

Posted on August 28, 2022 by Szyszka947

When I use a secret key which only one server knows for symmetric encryption done with XChaCha20-Poly1305, is there any benefit to using signing as well? As long as only one server knows the secret, doesn’t it also work as a signature? Are there any d…

Posted in digital-signature, encryption

Does sending HTTP requests as signed tokens make sense when mutual TLS is used?

Posted on August 27, 2022 by Szyszka947

When we use mTLS, then client and server are authenticated. In this scenario, does it make any sense to send HTTP requests in signed tokens (like JWS)?


Posted in JWS, mutual, TLS

Using IP for one request (one time) protection

Posted on August 22, 2022 by Szyszka947

I have an endpoint that accepts data as signed PASETO tokens. It has one problem – if someone "cracks" the TLS encryption or this signed token leaks then everyone can use it as long as the token isn’t expired (signed token has a …

Posted in authentication, Authorization, ip

Security of the not transmitted cookie

Posted on August 2, 2022 by Szyszka947

If I have a session cookie, or just a cookie, which is Secure, HttpOnly with SameSite=Strict and is never transmitted even in requests within the same domain, and the page uses TLS, is there any attack that could catch this cookie? If so, how can…

Posted in cookies, same-site-cookies

Fully Qualified Domain Name (FQDN) based authentication

Posted on July 25, 2022 by Szyszka947

IP addresses can change and the FQDN is slightly more constant. So I thought that FQDN based authentication instead of IP based authentication might be a good idea, but I didn’t find any information about something like this on the interne…

Posted in authentication, oauth2

SSL certificates, their public keys and thumbprints

Posted on July 21, 2022 by Szyszka947

I want to use mTLS, so for testing I created a simple API. I wanted to check if I will receive the public key of the certificate after the client sends the certificate to me (the server), as I want to use this public key in future encryption….

Posted in certificates, OpenSSL, TLS
