Collaborate Disseminate
I would like to ask how I should go about securely transmitting the password between two applications. I have two projects that work with each other. The first one is a project called AuthApi, which authenticates the user and creates token… Continue reading ow do I move password securely between api and web?
I have been searching for a way to use challenge-response over PKCS11, is that possible? I have found that it is possible for Windows Minidriver, but all the PKCS11 challenge-response protocols are custom and vendor defined.
How can someon… Continue reading How to implement challenge-response authentication using PKCS11
I was learning about SCRAM and liked its ability to protect against various attacks (as mentioned in this MongoDB blog post), specifically:
Eavesdropping – The attacker can read all traffic exchanged between the client and server. To prot… Continue reading Is SCRAM secure if both the communication channel and the database got compromised?
As an Automotive Security Professional, my state of the art approach to implement a Secure Access would be to have an ECU generate a challenge (nonce + ID), forward it to the tester who can pass the challenge to the backend system which si… Continue reading Is the Seed-And-Key Challenge-Response used in Automotive Security really secure?
Imagine the following situation: You created a KeepassXC database and secured it with a strong passphrase, as well as the HMAC-SHA1 based Challenge-Response mechanism provided by a YubiKey. The secret for the YubiKey is backed up on paper … Continue reading How to decrypt a KeePass database using YubiKey Challenge-Response, but without token?
To use the free trial of Nessus, you need an email address to receive an activation key.
There are two modes to activate a Nessus server:
Online mode registration
If the computer running Nessus server has internet, you can activate the s… Continue reading How does Nessus offline registration work?
I currently have to write a paper for university in my Network Security lecture about methods of secure location verification. Therefore, I chose to write about several distance bounding protocols, e.g. the one by Brands and Chaum and the … Continue reading Problems understanding the use of Distance Bounding against Man-In-The-Middle attacks
I’m currently developing an Android Application that communicates with a server and needs the user to login.
The connection is secured with SSL and certificate pinning.
For user authentication I’m currently using challenge-response.
The se… Continue reading Challenge-Response authentication and SSL
At my Company, we put a honeypot in our network and it raised us the Lansweeper SSH password used to connect to the scanned assets (and it is reusable over many boxes…).
So it is a way for an attacker to get sensitive passwords in a corp… Continue reading Is this Wikipedia article about SCRAM wrong?
Suppose that 2 people have a keyed hash algorithm (that is, a MAC) with a key that they both know. How could they implement challenge-response using their keyed hash algorithm? This confuses me…