Collaborate Disseminate
Microsoft is experimenting with a major new security mitigation to block attacks targeting flaws in the Windows Common Log File System (CLFS).
The post Microsoft Tackling Windows Logfile Flaws With New HMAC-Based Security Mitigation appeared first on S… Continue reading Microsoft Tackling Windows Logfile Flaws With New HMAC-Based Security Mitigation
I am currently developing a web application where I need to ensure that retrieved data (stored in database) have been generated by one or multiple (in the case of clustered applications) application. The idea would be to store a hash of th… Continue reading Authenticate web application generated data
I have a table in Postgres that stores phone numbers. Since phone
numbers are considered PII, I cannot store them as plaintext.
For other PII fields, I use AES-256-CBC. However, the requirements are that phone numbers are
part of a unique… Continue reading Searchable encryption for phone numbers
HMAC signatures are very commonly used for webhook authorization from service to consumer.
Examples:
Stripe
Slack
Twilio
Twitter
GitHub
and hundreds and hundreds more. This seems a near universal design decision.
Yet, the other direction… Continue reading Why are HMAC signatures frequently used for webhook authorization but not other HTTP API requests?
In TLS separate implicit sequence numbers for sent and received packets are used to calculate the HMAC in the record layer. The RFC 5246 says:
Each connection state contains a sequence number, which is maintained
separately for read and w… Continue reading Why does TLS use two separate sequence numbers?
I have been researching various techniques for preventing CSRF attacks, such as SOP, SameSite, Secure, Referer validation, and CSRF Tokens, and their potential bypasses. During my research, I discovered the following vulnerabilities:
In GlobalPlatform specification for smartcards, I came accross this rather strange scheme:
To calculate the Message Authentication Code, we take some original data (a host cryptogram and a padding), then we apply multiple chained DES calcu… Continue reading Why do we encrypt then decrypt then encrypt data with different keys?
The Double Submit Cookie CSRF Token pattern is a stateless technique that doesn’t require storage or a database. However, it’s vulnerable to session hijacking attacks and sub-/sibling domains that are susceptible to XSS or HTML injection. … Continue reading Session based CSRF Tokens – What value do i use with JWT?
I have been trying to recover the password of my old Point of Sale system.
I have the password file that I generated containing all possible combinations of numbers from 0000-0000 to 9999-9999 called combinations.txt. I know that the passw… Continue reading John returns invalid UTF-8 and askes for HMAC-Sha256 and HMAC-sha512 [closed]
If I pipe these 2 commands:
openssl passwd -6 -salt mysecretsalt | openssl dgst -binary -mac hmac -sha512 -macopt key:mysecretkey |base64
Password:
euOMVgfB/biBeqmizIuXBdD3SyKIUGu9jI+uc37yWmqpVoGv13VIvgyupx0Ld0xQBPCZO5Bwmjp0A7leLL8XiQ==