Collaborate Disseminate
Trying to understand assymetric encryption. To my knowledge, it deals with the key management problem by having each user have their own private key and public key. But when is this private and public key pair generated for the user? Does … Continue reading When is a private and public key given to a user, and why can the private key not get hacked?
I recently found out, that according to the RFC, SSH can negotiate two different cipher (and MAC) algorithms for server-to-client-encryption and for client-to-server-encryption (check section 7.1. for reference).
In section 6.3 this is als… Continue reading Why can SSH negotiatie two different encryption and authentication algorithms?
Consider the following scenario:
client sends hello
server send a hello and its certificate
client generates a key and encrypts that with server’s public key
server decrypts the key with its private key
So, they shared a key and can talk… Continue reading Performing a simpler ssl handshake [duplicate]
I want to create Password Manager where users can create their accounts and store website passwords.
For the frontend, it will be a mobile app, but I need REST API as the backend data where the data will be stored.
I thought to encrypt and… Continue reading How to securely design REST API for Password Manager app?
I have a web server that uses the ECDHE-RSA-AES256-GCM-SHA384 cipher suite. I noticed that when given the "(Pre)-master-secret log" file (generated by the browser), Wireshark is able to decrypt the traffic given the client random… Continue reading Is it possible to decrypt TLS traffic through OpenSSL?
We have an API that runs exclusively in HTTPS, any unencrypted traffic is dropped.
We want to add public-key encryption to some of our methods (like login, payments, and so), by making the client generates locally a key pair and sends the … Continue reading Is JPAKE over SSL/HTTPS overkill?
I’ve read the official page on safety numbers but they are still unclear to me. Without verification, there still is end to end encryption, so what difference does it make? Is it that a phone number is easy to spoof so an adversary could p… Continue reading In Signal Messenger what is the purpose of verifying a safety number?
For a new application I’d like to store messages for each user’s account on a centralized server.
The user accesses the application through a SPA javascript web app through their browser.
These messages:
Should be unreadable by the server… Continue reading Client-side encryption of data, but the server can also add data without reading stored data
As a non security expert, I’m looking for advice from those who are.
I work with company X who have hired company Y to develop their website. Company Y needs to integrate server-side online payment and has asked company X for the secret (p… Continue reading Web developer needs customer’s private key
In the SSH spec, Section 7.1, key exchange algorithms are distinguished based on whether they require an "encryption-capable" or a "signature-capable" host key algorithm.
If I understood their details correctly, the wel… Continue reading Examples of SSH key exchange algorithms requiring encryption-capable host keys