Collaborate Disseminate
I am working on a chat application, and I am trying to secure the communication by using asymmetric encryption. I am able to encrypt a message with the receiver’s public key and decrypt a message with the receiver’s private key.
However, … Continue reading How to identify the sender of a message in asymmetric encryption?
I’m thinking about an authentication sheme of a REST API in a setting where the only thing the server stores about a client, is their public key (the asymmetric encryption scheme should not matter). So I’ve come up with a scheme where the … Continue reading Bloom filter to prevent replay attacks in signed HTTP requests
After almost 4 days of work, I’ve finally gotten Libsodium crypto_aead_xchacha20poly1305_ietf_encrypt to work and produce the same result in JavaScript and PHP.
But I’m confused.
The PHPDoc describes the parameters as:
Why am I asking?
I am very new to cryptography (so please be patient with me…) and I want to avoid making unnecessary mistakes. I did a lot of research, but – other than with most other programming related questions – I ha… Continue reading How to store nonce and key when working with libsodium secretbox?
As we all know, nonce is needed to prevent replay attacks. Everywhere I read about nonce, I see that client always fetches one from the server, and, to improve security even more, it also can add its own client nonce (cnonce)… Continue reading If we use only client nonce and not server nonce, which attack vectors become possible?
Consider app using say, HMAC-SHA2, with securely pre-shared symmetric key. Are the nonces of exchanged messages considered secret as well?
Or in other words, does its easy predictability or even outright knowledge(plaintext)… Continue reading Is nonce of HMAC secured message considered secret?
I’m having difficulty understanding the impact the client nonce has. I understand that the server nonce can prevent the replay attack. Isn’t the client nonce an unnecessary part of the replay attack prevention? For example, a… Continue reading What’s the purpose of the client nonce in SSL?
I’m having difficulty understanding the impact the client nonce has. I understand that the server nonce can prevent the replay attack. Isn’t the client nonce an unnecessary part of the replay attack prevention? For example, a… Continue reading What’s the purpose of the client nonce in SSL?
In a network connection over an insecure channel I do the following:
Server sends database salt and a nonce to the client;
Client computes and sends hash(hash(pwd + salt) + nonce);
Server computes hash(db_pwd_hash + nonce) and compares it… Continue reading Why is salt+nonce authentication over insecure channel vulnerable to man-in-the-middle attack?
What I understand from the stack question:
“What is the use of a client nonce?”, is that nonce cannot be trusted since the malicious attacker can act as the server himself and send the same nonce over and over. Making it pos… Continue reading HMAC: What is the use of a server nonce on top of using a client nonce?