Collaborate Disseminate
I’am trying to get a feel for Elliptic Curve Cryptography. I wrote a small Python program below to generate key material but I don’t get the same result for y_squared and Q.y^2. I’am using the parameters from 256-Bit Random ECP Group (RFC … Continue reading Elliptic Curve Cryptography Key Verification fails [migrated]
I’am trying to get a feel for Elliptic Curve Cryptography. I wrote a small Python program below to generate key material but I don’t get the same result for y_squared and Q.y^2. I’am using the parameters from 256-Bit Random ECP Group (RFC … Continue reading Elliptic Curve Cryptography Key Verification fails [migrated]
In TLS 1.3 (RFC8446), there are many secrets and keys. As far as I’ve understood, every certificate (usually only the server) has a long term key associated with it which is used with HKDF to generate a temporary key for the certificate ve… Continue reading Permanent Keys/Secrets in TLS 1.3
When one peer is trying to negotiate an ESP SA, it sends a security association (SA) payload to the other peer. This SA payload must contain at least one proposal, suggesting at least one encryption and one integrity transform to use. It m… Continue reading Do IKEv2 ESP proposals really require a unquie SPI per proposal?
I’m implementing the Authorization code flow with PKCE and planning to have my redirect_uri as the backend.
In this case, while making the code to token exchange call (in the backend), I won’t be having information like the clientId and co… Continue reading OAuth2: Is it good practice to store multiple information in state parameter then encrypt it?
This is the architecture I want to follow
Source:
https://stackoverflow.com/questions/73075156/what-exactly-is-redirect-uri-in-google-oauth2-request-for-getting-authorization
I’m using a backend to exchange tokens with the authorization c… Continue reading OAuth2: Is PKCE required if the callback is located in the backend?
I’m trying to understand the effect of empty sets in permittedSubtrees in both, RFC 5280 and RFC 3280. There is something that doesn’t compile in my head.
Scenario:
We have a CA certificate with the following Name Constraints setup:
Permit… Continue reading Name Constraints, empty sets in permitted subtree (RFC 3280 vs RFC 5280)
In my search for a comprehensive list of implemented RFC’s as pertaining to TCP/UDP traffic, I’ve come across RFC 7414 – but it only provides links and only for TCP. Is there any project that either meta-analyzed these, or that has been ma… Continue reading Is there a way to filter RFCs for what would constitute minimum allowed TCP/UDP traffic for functioning of web applications? [closed]
Section 2.1.1 of IETF’s OAuth 2.0 Security Best Current Practice begins as follows:
Clients MUST prevent injection (replay) of authorization codes into
the authorization response by attackers. Public clients MUST use
PKCE [RFC7636] to th… Continue reading Why is PKCE "RECOMMENDED" for authorization codes with confidential clients?
I’ve read through RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
The only mention of consent is in this bit:
The authorization server MUST implement CSRF protection for its
authorization endpoint and ensure that a malicious client… Continue reading Is a consent screen in an OAuth 2.0 implementation optional