Collaborate Disseminate
The FIPS draft for Dilithium signature scheme (official name ML-DSA) had just been released not long ago. In the specification for skDecode (which is the subroutine that loads the private signing key) mentions that this procedure must be p… Continue reading Security implication of loading untrusted private keys
I’ve been reading about WebAuthn and try to write some code to exercise.
One thing I noticed is that the spec doesn’t seem to provide any way to verify the correctness of the public-key being create()’d other than through attestation. And … Continue reading WebAuthn does not guarantee public-key integrity other than trough attestation?
Comparing the checksum received in the UDP segment with the checksum calculated in the data helps UDP determine the integrity of the data. Is there a case where the Hacker changes both the corresponding binary value of the data and the che… Continue reading Can Hacker break the integrity of the data in UDP protocol?
I was doing some pentesting on a Drupal 10.x application that some colleagues built; I have not reviewed the source code. The dynamic vulnerability scanner I use provoked some exceptions related to a failure to obtain locks on various obje… Continue reading Data integrity protection in Drupal 10.x – how lock conditions might fail
Currently I’m trusting my web hoster to run my code on my behalf without tampering with the execution at some point.
What are some techniques to protect against this?
For instance, preventing the hoster from arbitrarily skipping some instr… Continue reading How can you make sure a remote web server is processing the right data and executing the code you expect? [closed]
I would like to know is there a need to implement data integrity measure given the scenario?
Clients send data/files (may or may not contain public keys) to the server via server side CA cert. The data/files may be static or continuous cha… Continue reading Ways to implement data integrity measures on static and non static data
I use OAuth2 private_key_jwt authentication scheme to authenticate clients. Also, I need to be sure that request body isn’t modified.
I see two ways:
In token which I use to authenticate client I can add claim that contains hash of entire… Continue reading Sign vs hash HTTP body request
I’m redoing my laptop installation from scratch, and this time I want a full secure boot chain.
Here’s what I did so far :
Enroll my own keys in the UEFI firmware
Sign my grub bootloader
Full disk encryption (implying /boot is encrypted a… Continue reading Secure boot + full disk encryption, should I sign the kernel?
Is it possible to unpack an application and re-pack it with changes and make it work on Android 11 ? I read that on Android 11 you have to sign the apk with schema v2. I did it but the app gives me an error when I try to install it.
Continue reading Apk android with signature scheme v2 [migrated]
Does Firefox’s built-in installer for addons/extensions validate its payload’s authentication and integrity for all files it downloads before actually installing them?
I avoid in-app updates because, more often than not, developers do not … Continue reading Does Firefox’s addon/extension installer provide cryptographic authentication and integrity validation?