Collaborate Disseminate
In OAuth2, as part of the authorization request, we generate a random string and pass it with the state parameter, so that when we get the response, we can ascertain that the response is a result of our request.
In some examples, I’ve see… Continue reading Does OAuth2 state parameter need to be cryptographically secure?
I’m looking to implement Sign in with Apple on the mobile device. We have a backend api that expects to receive the id_token (once we get it from Apple). I had a question about using nonce in this flow.
From my understanding nonce are use… Continue reading Apple sign in on mobile (IOS/Android) nonce usage
Is NONCE supported in Asp.Net when implementing the Content-Security-Policy header to protect from XSS ??
I read that NONCE was not supported in Asp.Net, however, I read another simple article, that shows how it is done? Does anyone use no… Continue reading NONCE not supported in Asp.Net for CSP implementation
I have a question about a cryptographic nonce. I understand the use of a nonce, however there is one particular part that I don’t understand. Please consider the picture below.
I don’t really understand why a replay attack … Continue reading Why does a nonce prevent a replay attack?
Background: I think I understand how the state parameter is used in oAuth to prevent CSFR attacks against the redirect_uri.
Situation: I am looking at this in the context of implementing a Shopify App and am having problems … Continue reading Shopify OAuth: State parameter useful when the auth server also returns a signed shop id?
How does an attacker use Cryptographic nonces to generate access cookies through a script on a server? As what happened to Yahoo! servers.
I am thinking about using nonce and secure request to API Server. Is this the right implementation for using nonce?
PURPOSE
Protect API Server from Replay attack
Protect API Server from MITM attack
Protect Core API Server … Continue reading nonce encryption in https
I know that encrypting password hashes is a contentious issue. However, I have seen it recommended in some quarters. I know for instance that DropBox did this at one time with AES256. In these cases, all password hashes would… Continue reading When encrypting password hashes, how to handle nonces?
I am aware that using a counter or a random value are both acceptable ways of generating nonces, depending on the circumstances.
The tradeoff with using a counter is the necessity to keep state and sometimes this can be a c… Continue reading Does using both a counter and a random nonce make sense for the purpose of reducing the likelihood of replay attacks?
The process involves two interested parties A (client) and B (server) and the attacker M. M is capable of intercepting all the communication between A and B (Man in the Middle) and even modify it. However A’s private key has … Continue reading Hardening a asymmetric key based authentication process