Collaborate Disseminate
I’d like to implement a RESTful API service over HTTP that developers can call from their server side environments.
I intend to use a cryptographically secure pseudo-random number generator (CSPRNG) to generate keys and then convert the bi… Continue reading Is using a developer key to protect a REST API good practice?
When dealing with cryptographic secrets (private keys, passwords, etc) it is desirable to not run these secrets through functions that do not run in constant time, in order to avoid the potential for side channel attacks. An example of thi… Continue reading Constant-Time String-to-Byte Encoding for JavaScript
I was routinely checking up all my servers, I found a strange process with kthreaddk command running up and taking up all 100% CPU resources. After checking it out I found that www-data (default user for php-fpm) has shell access. so I had… Continue reading Cyptomining on my AWS VPS
I have an service that accepts an HTTP POST request from the end-user’s browser. The user passes their only email. I intend the server to generate a token and store this in a database, and email them the HMAC’d token as a means of implemen… Continue reading Should I be concerned about timing attacks on HTTP service for passwordless signin?
I have an service that accepts an HTTP POST request from the end-user’s browser. The user passes their only email. I intend the server to generate a token and store this in a database, and email them the HMAC’d token as a means of implemen… Continue reading Should I be concerned about timing attacks on HTTP service for passwordless signin?
I’ve been researching timeless timing attacks, ie: timing attacks using concurrency rather than round trip time. Here is an article by portswigger with links to the original article by Van Goethem. Basically it says that if you pack two re… Continue reading Timeless timing attacks and response jitter
Assuming I am using different secrets/keys for each MAC pass, does running both MtE and EtM creates any vulnerability?
This is what I mean about doing MtEtM:
K0 ≠ K1 ≠ K2
addMAC(msg, K) = msg || MAC(msg, K)
ciphertext = addMAC(encrypt(addM… Continue reading Is is safe to use MtEtM? (MAC-then-Encrypt and Encrypt-than-MAC) [migrated]
I want to measure the execution time of a function. The execution time of this function is only slightly different in the two cases. Is there any way I can accurately measure its time to distinguish the two cases?
The possible solutions ar… Continue reading In the time side channel, is there any way to improve the measurement time accuracy?
I know the title isn’t good at all but allow me to explain. In this model I have n devices on different networks that are able to communicate with each other. A supervisor is able to see every packet a device sends or receives. How can two… Continue reading What mitigations are there against a timing attack done to find which devices are communicating on a set of devices?
I had a discussion with a friend today about his password hash comparison. I argued that you can’t return false on the first hash mismatch you have and I sent him a link to an article about a Java timing attack that happened in Java 6.
pub… Continue reading Timing attacks in password hash comparisons