How can intermediary devices securely forward traffic using only session IDs in a symmetric encryption system, without risking MITM attacks? [closed]

I’m imagining a Utopian world where the internet nowadays doesn’t have as much overhead as the OSI layer. In this world, network engineers never make mistakes, such as using IPv4, which has been exhausted, instead of IPv6.
Unlike the OSI l…

Pairwise Authentication of Humans

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither is a digital impersonation.

To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.

This is how it works:

  1. Two people, Person A and Person B, sit in front of the same computer and open this page;
  2. They input their respective names (e.g. Alice and Bob) onto the same page, and click “Generate”;
  3. The page will generate two TOTP QR codes, one for Alice and one for Bob;

What patterns of security protocol (or protocol) match discourse between cultures, or class of people? [closed]

Beyond what they might have been inspired by, what protocols OSI2, OSI7, others have non syntactical name matching for what is done by people, government or agency, or wealth?
This is the center of my research at what I’m modeling between …

Security Analysis of the MERGE Voting Protocol

Interesting analysis: An Internet Voting System Fatally Flawed in Creative New Ways.

Abstract: The recently published “MERGE” protocol is designed to be used in the prototype CAC-vote system. The voting kiosk and protocol transmit votes over the internet and then transmit voter-verifiable paper ballots through the mail. In the MERGE protocol, the votes transmitted over the internet are used to tabulate the results and determine the winners, but audits and recounts use the paper ballots that arrive in time. The enunciated motivation for the protocol is to allow (electronic) votes from overseas military voters to be included in preliminary results before a (paper) ballot is received from the voter. MERGE contains interesting ideas that are not inherently unsound; but to make the system trustworthy—to apply the MERGE protocol—would require major changes to the laws, practices, and technical and logistical abilities of U.S. election jurisdictions. The gap between theory and practice is large and unbridgeable for the foreseeable future. Promoters of this research project at DARPA, the agency that sponsored the research, should acknowledge that MERGE is internet voting (election results rely on votes transmitted over the internet except in the event of a full hand count) and refrain from claiming that it could be a component of trustworthy elections without sweeping changes to election law and election administration throughout the U.S…

Can other apps on my phone see the data advertised by a device if it has been connected via BLE to another app on my phone?

I am just trying to learn something about Android / iOS BLE (Bluetooth Low Energy) or Bluetooth services.
Say I want to create an app that connects to an external device via BLE. If the device doesn’t have any extra encryption on an app le…

RADIUS Vulnerability

New attack against the RADIUS authentication protocol:

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

This is one of those vulnerabilities that comes with a cool name, its own website, and a logo.

News article. Research …
