Collaborate Disseminate
Recently I learned about TEE in Android, Trusty OS and its internals. I read through the articles on source.android.com and there is one thing I did not find there.
Trusty OS has its own API which allows TEE applications to expose ports an… Continue reading Security of Trusty OS (TEE) Non-Secure World API
Our web application issues governmental documents for our users. Every one of those documents needs to be signed with a private key. However, because our users find it cumbersome to point their browser to their key file every time they wan… Continue reading My web application needs to have my users’ private keys to sign documents on their behalf. How do I handle that?
My program, is installed on specific computers that use a shared, common login. The program decrypts variously sized (1KB-1GB) data assets which were encrypted elsewhere, and transferred over. Each asset is encrypted using a uniquely gener… Continue reading Securing the keystore key?
Currently I am working on an application that requires secret keys to encrypt and sign information generated by the client and transmited over the wire, these keys are granted per user.
Currently when the user logs in, the keys are downloa… Continue reading In a web application, what would you consider the best way to store secret keys obtained via an SDK?
According to NIST Key Management recommendation "8.1.5.2.2.2 Automated Key Distribution/Key Transport/Key Wrapping", it is required to use a key wrapping key or a public key-transport key to protect symmetric key distribution.
Is… Continue reading Is public key-transport key required for encryption key distribution over HTTPS?
When using cloud HSM (eg: AWS CloudHSM, Google Cloud HSM etc) for client-side encryption, they always refer to Envelope encryption. In this encryption approach, the data encryption key (DEK) is created locally and will be wrapped with a ke… Continue reading Data Encryption Key protection during transmission in Envelope-Based Encryption
I am developing an open source project(PKDSA) that uses ED25519 and ED448. My purpose of this project was to help others to enable user-secretless based passwordless authentication.
There’re a lot of questions but I will ask them one after… Continue reading What could be the correct and secure ways to store and manage public keys?
I made a website which among other things allows users to sign up to events. The HTML form is filled out and submitted, which automatically updates a google spreadsheet with all applications. This of course uses IDs and auth keys, which I … Continue reading How do I best share a shared account’s private key?
Assume a multitenant cloud-based application with a zero-knowledge security scheme where the hashed user password acts as a key which protects an actual 256-bit AES user encryption key, and that user key is used to encrypt and decrypt all … Continue reading How to protect user/application-level encryption keys in an SSO scenario?
If using asymmetric encryption, such as ES256, is there a reason why a private key could not be discarded after signing some data?
For example with a JWT, or a file hash use for audit at a later date, is keeping the private key necessary? … Continue reading Key management: Can I delete private key in asymmetric encryption?