Collaborate Disseminate
I am writing browser javascript that has a pre-shared key with nonce, and creates a binary websocket connection. How can I apply block encryption-authentication such as AES-GCM to the messages?
Is it possible to tell the browser to skip th… Continue reading javascript: how to apply block cipher to byte stream
I’ve been reading about HMAC protecting from length extension attacks, but if the message already specifies it size, is HMAC adding any advantange to simple hashing after prepending a secret?
As example consider a protocol where the messag… Continue reading I using sha256 after adding a secret enough if the message includes its length?
I don’t have formal CS education but i’ve written one or 2 little websites. I have troubles communicating even in my native language but i hope this is understandable.
With simple i mean something like we have a single server to authentica… Continue reading What would be the most complete procedure to get a simple login system working securely?
I have a black-box token generation system from a Unity (Android) app, and the format is as follows (with one real example from the system, and unlabelled parts were identical for bunch of different tokens; "…" means the string… Continue reading Crack HMAC-SHA512 to find plaintext with the known secret key
I’m trying to build a generic function to encrypt HMAC values with a single global secret key, but that can be "scoped" or salted by application/uses. For instance, an HMAC for a session token signature should not be the same as … Continue reading Key derivation for HMAC, concatenate vs multiple HMAC passes
I’m writing a mailing list manager program. For subscribing and unsubscribing, I’m considering using HMACs of email addresses with secret keys to generate unsubscribe links. This key would be generated one time on the server and then used … Continue reading Is an HMAC of an email address with a permanent secret key a good way to generate security tokens for unsubscribing from an email list?
I have 2 websites: a.com and b.com
To avoid using SAML for Single-Sign-On and making things complicated, I’ve taken this approach:
a.com is the identity provider. All users will be asked to sign in on a.com
b.com will receive information f… Continue reading Is is safe to pass an API key in a HMAC hash?
Usecase: KeepassXC is configured with a Passward + Yubikey HMAC.
I am trying to understand the exact steps that happen.
I think the first five Steps are clear:
Open KeepassXC
Enter Password
Select Hardware Key
Click unlock
Yubikey is bli… Continue reading What exactly happens when you use 2FA with "Password" + "Yubikey HMAC" Login in KeepassXC?
Update: I’ve been able to work out everything I was asking about packet structure when I was finally able to get Wireshark to work, but there is one last thing I’m confused on which I detail at the end of the question.
Original question:
I… Continue reading How exactly does OpenVPN’s tls-auth option apply HMAC to packet messages?
In BLE there is events like authentication, pairing, bonding, exchange of LTK to secure a link, etc…
How does HMAC fit in BLE? I know that HMAC is used to ensure the integrity of a message so does that mean that even after exchanging LTK… Continue reading How does HMAC fit in BLE?