LibreCryptography


Channel's geo and language: not specified, not specified
Category: not specified


Aggregating and Organizing Some Crypto-Related Resources | Under the #librehash brand

Related channels

Channel's geo and language
not specified, not specified
Category
not specified
Statistics
Posts filter


Lets Encrypt Moves to ECDSA Certificates

Its about time. Will be renewing the certificates on every single website that I have L.E. certs provisioned on when the opportunity allows itself.

Wondering if the popular ACME clients out there have adjusted their request policies accordingly.

Was surprised when I saw that LetsEncrypt was offering EC-384 strength certificates at that. Definitely raises the bar on what we should be expecting from vendors.

Apart from DigiCert, no other CA appears worth giving money for anything (digicert provides some exclusivity in terms of allowed extensions ; i.e., http signing servers and the like)


Perhaps the Coolest Cryptography-Based Website I've Seen in a While = noiseexplorer.com

This site is an htm5 page that allows you to tinker around with the Noise Protocol (via interactive GUI ; no coding or anything necessary) by essentially structuring your packet transmission & the timing of your handshakes etc.

Super cool (we need more things like this in the world)




Major Claim By ISARA (need to research this organization, ISARA) [re: HSS & XMSS - Ideal for Roots of Trust]

"Hierarchical Signature Scheme (HSS) and eXtended Merkle Signature Scheme (XMSS) are based on a mature area of mathematics and are well trusted to be used for digital signatures today. They are not part of the NIST PQC Standardization process but will be approved for specific use cases, like code-signing and certificate-signing. While they generally perform better than elliptic curve cryptography (ECC), they have one drawback: a large stateful private key.

By working closely with our HSM partners, we’ve solved the state management problem making these schemes ready for quantum-safe roots of trust in code and certificate signing today."








Stumbled upon this post from the LibreSwan team detailing that IPSec is essentially impossible on Amazon's Web Servers (regardless of how they are tweaked or configured).

More concerning though is the fact that general tests to check connectivity provided a false positive

https://libreswan.org/wiki/Interoperability


Quick test to ensure that we are indeed integrated w the RSS feed.


Only Hardware Wallet For Blockchain That's Probably Worth Considering = https://www.thalesgroup.com/en/markets/digital-identity-and-security/press-release/gemalto-and-ledger-join-forces-to-provide--security-infrastructure-for-cryptocurrency-based-activities-

Reasons

1. Produced / Manufactured by Thales ; a company with a far-reaching reputation in the cyber security and cryptography space (you're getting top of the line when you're dealing with these guys)

2. They don't tip toe around the concept of an HSM in hopes that unsophisticated customers will merely look at the raw dollar value of funds that need to be protected without delving deeper into the world of cryptographic key protection (which is really what this is ; and there is a thriving ecosystem in the corporate / enterprise environment for HSM software + devices that can be leveraged by competent dev teams to ensure that funds aren't being raided by 17 year old hackers a la Twitter)

Overall, this is still probably overkill in the grand scheme though. I think that a sufficient means of securing one's keys (hence, their crypto funds) can be derived from resources that are available online.

Fortunately, we at Librehash have taken it upon ourselves to derive such a solution for this very in-demand task (which is needed in all honesty ; especially when considering that the so-called hardware wallet companies are failing to remain secure)




'8gWifi': Site with Some Good Cryptography Tools on it

Here's the link = https://8gwifi.org/docs/ ; nothing mind blowing, but seems to be pretty useful if you need a reference point for some functions or ... whatever else you may be using these operations for.


'8gWifi': Site with Some Good Cryptography Tools on it

Here's the link = https://8gwifi.org/docs/ ; nothing mind blowing, but seems to be pretty useful if you need a reference point for some functions or ... whatever else you may be using these operations for.


Skein

1. More than likely the most secure hash function on planet earth.

2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)

2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727

2b. Attack in question was mentioned in this paper (published by the team ) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf

^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as we ll, but not the same iteration as w hat was submitted to the NIST)

3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*]




Forward from: LibreCryptography
The idea is this:

1. Beginning with a classic user management situation (for some service / access controlled resources)

2. Using LDAP for user management. More specifically, OpenLDAP.

3. Argon2ID as the password mechanism (stick with me - I’m aware of what the RFCs say about SCRAM - we’re not going to go out of standard here)

If you’re not familiar with SCRAM authentication, then you should look here: https://en.m.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism


Curious About the Security Measures That Librehash Deploys?

This light wiki on cryptography-based security enhancing measures is a fairly solid round up of the various schemes that we have in place (give or take a few) = https://doubleoctopus.com/security-wiki/

These measures have been deployed for the purposes of:

A) Data

B) User credentials

C) Authenticating directly with any of the services (servers) that we provide

D) Ensuring that communications are kept secure

E) Providing some means of formulated resistance against would-be attackers and malware (as well as a means of detecting such - although this falls a bit more under the 'malware' section if there ever was one)


The idea is this:

1. Beginning with a classic user management situation (for some service / access controlled resources)

2. Using LDAP for user management. More specifically, OpenLDAP.

3. Argon2ID as the password mechanism (stick with me - I’m aware of what the RFCs say about SCRAM - we’re not going to go out of standard here)

If you’re not familiar with SCRAM authentication, then you should look here: https://en.m.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism


Wildfly Elytron (the s2s / c2s package of your dreams)

Wildfly’s Elytron software is fantastic.

Here is a link to the software’s specs = https://docs.wildfly.org/17/WildFly_Elytron_Security.html#sasl-authentication (page is on SASL authentication because that’s what we’ve been spending the most time on over the past few days)


EC-384 Certificates? Maybe? Yes? No?

Here's an entry on Namecheap's website regarding supposed ec-384 certificates users can purchase

https://www.namecheap.com/support/knowledgebase/article.aspx/9504/38/how-do-i-get-an-ecc-certificate-via-namecheap

This is being shared here because most of us in this world have made chosen to go the financially fiscal route for obtaining + deploying certificates (LetsEncrypt).

Unfortunately, 'LetsEncrypt' still uses an intermediate C.A. that signs keys with an RSA private key (its 4096-bit, so not a major security drawback).

Obviously with ECC being all the rage (despite people wishing Edwards' Curves were), there's been a major shift in the industry over the past few years to begin adopting ECC-standards in cryptography based products.

Unable to Locate the EC-Strength Cerificates

Namecheap claims that these certificates are provided for by Comodo, but we were unable to find them on their site (namecheap) or via Comod's site either.

Admittedly, we didn't dig incredibly hard for them, but we'll try to remember to follow up on this and ask their sales reps about this.

The world of 'paid' for certificates is super gimmicky & commercialized (and this feels like something that shouldn't be...for some reason), but hey — its the best 'trust' system that we have at our disposals for right now.

20 last posts shown.

149

subscribers
Channel statistics