public-key-infrastructure – WindowsTechs.com

Best Practices for WebAuthn FIDO2 reset

Posted on November 4, 2024 by wahok

Security Noob here. I am trying to build a secure passwordless login mechanism for my webservice.
The authentication mechanisms
My idea is to encourage the users to use the following two login methods:

WebAuthn with a FIDO2 token (ideally… Continue reading Best Practices for WebAuthn FIDO2 reset→

Is it possible to store or import an external private key into a TPM?

Posted on October 27, 2024 by Ori Frish

Let’s assume I have 3 computers, each with its embedded TPM. I also have a pair of asymmetric keys, which I created elsewhere. I want to store & import the same external private key I have created onto the TPM of each of the 3 computer… Continue reading Is it possible to store or import an external private key into a TPM?→

ECDH Certificate Signing

Posted on September 27, 2024 by Rowan Smith

Is their a recommended RFC standard way to sign an ECDH certificate?
Given that the ECDH Private Key is not intended for digitalSignatures it seems wrong to sign a CSR with it’s own Private Key.
It would seem logical that another trusted c… Continue reading ECDH Certificate Signing→

Why is JWT claim x5t (thumbprint) useful?

Posted on September 23, 2024 by RokL

If I sign JWT (as per JWS spec) with a private key, the receiver of JWT will want to validate the signature and they need public key to do that.
The public key can be "baked" into the app validating or it can be retrieved from an… Continue reading Why is JWT claim x5t (thumbprint) useful?→

Certificate/key revocation

Posted on August 27, 2024 by somehybrid

Systems like Certificate Transparency and Key transparency store trees of keys/certificates. How would a user be able to remove a fraudulent/expired key or certificate? Do the trees stay the same and a separate list of revoked keys/certifi… Continue reading Certificate/key revocation→

openssl tar download, verifying the signature [closed]

Posted on August 20, 2024 by Tom Griffith

I was looking to verify the digital signature (if any) on the openssl3.3.1.tar.gz download from OpenSSL. The "PGP sign" link has nothing behind it (thought it’d have an asc or sig file).
I was able to checksum the hash on the dow… Continue reading openssl tar download, verifying the signature [closed]→

Security Risks of Deriving Crypto Wallet Seed Phrases Using Deterministically Derived Salt

Posted on July 8, 2024 by jamesgaddum

I’m working on a project where I want to generate a set of crypto wallet seed phrases from an existing seed phrase. The reason for this is so that using just the original seed phrase the wallet holder can access multiple connected accounts… Continue reading Security Risks of Deriving Crypto Wallet Seed Phrases Using Deterministically Derived Salt→

NTRU – How is the master key and session key generated?

Posted on June 10, 2024 by Chris Lo

I am learning the PKC topics and would like to understand about the master and session key generation process regarding NTRU.
Let’s make it a scenario, if a user wants to register during the registration process, the information obtained f… Continue reading NTRU – How is the master key and session key generated?→

mTLS set up – Does it require any offline certificates exchange?

Posted on May 31, 2024 by user1189332

My company is exposing a few APIs to one of our partner systems (external).
We’re looking at mTLS authentication here than any credentials based Auth schemes.
My understanding is,

My system (server) needs their public certificate.
Their s… Continue reading mTLS set up – Does it require any offline certificates exchange?→

Infer information of private key from public key / CSR

Posted on May 22, 2024 by Hans

is it possible to infer information like: algorithm, key length, mode etc. of the private key from the public key or CSR?

Continue reading Infer information of private key from public key / CSR→