Saving secrets (API-keys for external application) per user in database (PKI?)

I’m developing a web-app which communicates with an external email message application through its HTTP API. My web-app consists of a JS (Svelte) front-end and a Node.js back-end.
Each user on my app will be getting a different API key fo…

Could an attack on time synchronization with a Galileo Satellite be used to spoof navigation messages with TESLA-based authentication?

I read about an attack on the TESLA protocol which will be used in Galileo’s navigation message authentication (the full article can be found here: https://doi.org/10.1007/978-3-319-49806-5_1).
Basically, an attacker delays all messages to make…

What are useful use cases for employing asymmetric cryptography in a database?

I see that many relational database systems offer asymmetric (private/public key) cryptography functions. For example, PostgreSQL offers the pgcrypto module, which supports OpenPGP (RFC 4880) encryption. Given that access to an RDBMS and a…

Is there a standard approach for serializing an RSA encrypted AES key alongside the AES payload itself?

Diffie-Hellman won’t really work here, since only one side has a public key and the other side has the private key. It must be this way to prevent decryption when the data is at rest on one of the sides before transmission.
Currently, I am using RSA-20…

Does the CA create the public key or is it created by the requesting server and sent to the CA?

This link says that the requesting server creates the public-private key pair and sends the public key to the CA inside the CSR. However, DigiCert says:

The CSR is submitted to a Certificate Authority (CA) which uses it to create a public…

How is the digital certificate sent alongside digital signatures?

Most tutorials on the net only mention sending the digital signature attached to the document, but without the digital signature certificate, it’ll be impossible for receivers to verify the signature. I’m assuming that the digital certific…

Why is it said that we can obtain a digital signature from a CA when all we obtain from the CA is a certificate?

Several sites, like this one, state that

You can obtain a digital signature from a reputable certificate authority such as Sectigo

But a digital signature is something you create using a piece of text and your private key using a signing algor…