The whirpool application of the Control Water spell leads to several questions regarding creatures caught in it

As written, the whirlpool usage of the Control Water spell says:

Whirlpool. This effect requires a body of water at least 50 feet square and 25 feet deep. You cause a whirlpool to form in the center of the area. The whirlpool forms a vortex that is 5 feet wide at the base, up to 50 feet wide at the top, and 25 feet tall. Any creature or object in the water and within 25 feet of the vortex is pulled 10 feet toward it. A creature can swim away from the vortex by making a Strength (Athletics) check against your spell save DC.

When a creature enters the vortex for the first time on a turn or starts its turn there, it must make a Strength saving throw. On a failed save, the creature takes 2d8 bludgeoning damage and is caught in the vortex until the spell ends. On a successful save, the creature takes half damage, and isn’t caught in the vortex. A creature caught in the vortex can use its action to try to swim away from the vortex as described above, but has disadvantage on the Strength (Athletics) check to do so.

The first time each turn that an object enters the vortex, the object takes 2d8 bludgeoning damage; this damage occurs each round it remains in the vortex.

Are creatures or objects in the water and within 25′ of the vortex automatically pulled 10′ toward it? Do they continue to be pulled 10′ further toward the center of the vortex every round they are in it? Is a creature or object caught in the vortex also pulled down toward the bottom? On a failed save, are they caught for the entire duration of the spell, with no more chance at saves, or until they can swim free of it? On a failed save, does a creature continue to take 2d8 bludgeoning damage every round they are in the vortex? Can the whirlpool be cast so that it is completely underwater? Also, can the whirlpool be cast ‘upside down’ so the widest part is at the bottom?

What is the application of symbols in the cultural extension of UWP?

In Traveller-5, worldgen step E includes creating the world’s cultural extension (Cx), the last digit of which is “symbols.” The rule book explains only that:

Symbols used by the culture may range from the concrete (idol; totems; statuary) to the abstract (symbolized belief systems; group affiliations).

Given that the value is computed as Tech Level + Flux with a minimum of 1, one can easily infer that more primitive cultures have a lower value while more advanced cultures have a higher value. One also might infer from the brief description that the axis it measures has more “concrete” symbols at the lower range and more “abstract” symbols at the higher end.

How is this value applied to describing the world’s culture?

[Responses relevant to other editions of Traveller besides 5 are useful.]

Authentication in Next.js application (SSR SPA with long sessions)

We’re currently developing a Next.js application (server side rendering) and are looking for secure ways to keep the users logged in for longer periods of time.

AFAIK this can either be done using silent authentication or refresh tokens. General note: When a user is not logged in yet, we can redirect the user to a login page. If the user enters their credentials, we use the Authorisation Code Grant (to my knowledge PKCE is not needed in this case as it’s all server side during these steps) that will redirect back and respond with an authorisation code. We can then exchange this authorisation code with an access token (and refresh token) using a client secret (all server side).

Refresh Tokens

Since any client side storage (local storage, cookies, etc.) is not safe (XSS attacks) for storing any kind of tokens (especially refresh tokens), we are wondering if it’s generally safe to store a refresh token (and access token) in a HTTP only cookie considering that…

  • … the token values are encrypted, e.g. AES, with a secret that is not exposed to the client side.
  • … the refresh tokens are rotating, so when you retrieve a new access token with your refresh token, you also receive a new refresh token. The old refresh token is invalidated and if used again, all refresh tokens are invalidated.
  • … the refresh token automatically expires after a couple of days, e.g. 7 days.

Silent Authentication

A possible alternative could be silent authentication via an auth request on the server side (prompt=none). The auth session for the silent authentication would also be stored in a HTTP only cookie.

In both scenarios, it’s probably necessary to make sure that the client doesn’t know about any of these tokens (You could potentially use silent authentication on the client side using an iframe (the domain is the same, just different subdomains) but the client would then potentially receive a new access tokens which has to be stored in memory (potential XSS vulnerability)).

Since it’s a server side rendered SPA, the client side still needs to be able to get new data from the API server using the access token. For this, we were thinking of using Next.js API routes as a proxy: So, if the client wants to get new data, it will send an AJAX request to the respective Next.js API route. The controller for this Next.js API route is able to read and decrypt the HTTP only cookie and can therefore send the request to the API server with a valid access token in the HTTP header. Just before the short lived access token expired, the controller would need to first send a request to the auth server to retrieve a new access (and refresh) token and then continue sending the request with the new access token to the API server.

While this sounds good and feasible in theory, we are wondering about the following points: 1.) Is it generally safe to save a (rotating) refresh and access token in a HTTP only cookie? Does the cookie value need to be encrypted or is that unnecessary? Does a rotating refresh token offer any additional security in this case? 2.) Is the “Next.js API route as a proxy” method a secure way to make sure that the client side can get new data from the API server? If e.g. otherdomain.com would try to send a request to the (“unprotected”) Next.js API route, it would not respond with any data as it’s a different domain and the HTTP only cookies therefore not accessible, correct? Is CSRF possible for these Next.js API routes? 3.) Is it safe if the HTTP only cookie for the refresh token is shared across all subdomains and not tied to one specific subdomain (application)? This would allow us to access the cookie from e.g. the actual website or other subdomains. 4.) Is the refresh token approach better / safer than the silent authentication approach?

Follow-Up question: Can the refresh token approach also be used the authenticate users in a browser extension? So:

1.) The user logs in (Authorisation Code Grant with PKCE): The login prompt/page is shown in a popup (or new tab) and the communication (authorisation code) is done through postMessage. 2.) The background script receives the authorisation code and exchanges it for an access token and rotating refresh token (which is probably necessary in this flow (?)) using the code and a code verifier. These tokens can then be saved in Chrome storage. We can potentially also encrypt the tokens but I’m not sure if that offers any additional protection (?) considering that the background script is not the same as a server. 3.) If the Chrome extension wants to receive data from the API server, it sends a message to the background script which will then send the API request using the tokens saved in Chrome storage.

Using slot and application to variable length vector

I have a list of 2D coordinates with a maximum length of 3, e.g.

peakdatAB {{1007.81, 8.64842}, {1008.38, 8.19264}} 

I need to generate something like this

({PointSize[0.01], Blue, Point[#1], Red, Point[#2], Black, Point[#3]}) & @@ peakdatAB 

but here the problem is the variable length of peakdatAB as when there is say no third point, it returns an error. How can I fix this?

Correct application of the CFL Pumping Lemma

I came across this question about showing that the language $ L = \{w \epsilon \{a, b, c\}^*: n_a(w) + n_b(w) = n_c(w)\}$ is context-free but not linear in the book by Peter Linz. That is easily doable by the separate pumping lemma for linear languages (as given in Linz’s book), but my question is different.

Evidently this is a CFL, and a pushdown automaton can be constructed for it. But if I apply the pumping lemma for CFLs, I find that I’m able to pump strings that don’t belong to the language, which would mean that the language is not a CFL. Clearly I’m doing something wrong.

Going by the "game-like" format given in Linz, say you pick $ w = a^mb^mc^{2m}$ , $ |w| \ge m$ . The adversary can choose a number of decompositions $ w = uvxyz$ , they can look like -:

  • $ v = a^k, y = a^l$ : The case where $ |vxy|$ is contained within the $ a$ ‘s of the string. Pump $ i = 0$ , and then $ w_0 = a^{m – (k + l)}b^mc^{2m}$ cannot be in the language since the equality no longer holds.
  • $ v = a^k, y = b^l$ : The case where $ v$ is in the $ a$ section, $ x$ spans across the $ a$ ‘s and $ b$ ‘s, and $ y$ is in the $ b$ section. Again, pump $ i = 0$ . $ w_0 = a^{m – k}b^{m – l}c^{2m}$ cannot be in the language.

There are more cases like these. Where am I going wrong in the application of the CFL PL?

How to protect certificates and keys in peer to peer application

I’m making a peer-to-peer cross-platform application (in Java & Kotlin), and I want to encrypt conversations between tens of users, concurrently.

However, due to lack of knowledge in security good practices & protocols and due to this being my first time actually getting into informatics security, I’m sort of confused.

My goal is that every peer connection has a unique session that shares as little as possible to the other peer connections, in order to minimize any risk if one connection proves to be vulnerable. The connections will be implemented using TLSv1.3 or TLSv1.2 (I do not intend to support lower protocols due to the risks involved with using them).

However, I’ve done some rudimentary research on my own, and I cannot wrap my head around the question, is having a keystore and a truststore on the (classloader) directory of my application a security vulnerability? Could it ever be one?

I am aware that keystore stores the private and public key of the server, and truststore stores the public key of the server, which it verifies & uses when contacting the server. How can I protect my keystore’s and truststore’s certificate password, when they must be on the application’s directory? Does it need to be protected, even?

What encryption algorithm should my keystore use? I’m heading for really strong encryption, future proofing as much as possible along with keeping up as much backwards compatibility as I can without reducing the application’s security.

Is there an issue with the certificates being self-signed considering I’m solely using them between peers of the same application?

Considering I’m doing Java, do SSLSockets/SSLServerSockets create a "brand new session" for every new connection, as in, do they reuse the private or public key? Are private keys generated when making a handshake with a client?

Thank you for taking the time in advance, privacy is a really big focus of the application itself.

What are the steps to secure Winform Application

I have a question to ask or advise to seek. Is there a need to secure winform application in intranet environment? Clearly, there is no external threat and only authorized personnel have access to intranet environment, so I am not sure if these is need to secure it. Unless it’s insider threat, however, it’s still impossible as there isn’t any necessary tools available or downloadable within the environment.

The only threat I can foresee is the transparency of my application. Within my winform application folder, the source file was made available to anyone and user might have the ability to understand it and reverse engineering to those source file.

So I’m asking, based on the description above:

  1. Aside from parameterized query or input sanitation, what others threat have I missed out?
  2. How do I better secure those source file? obfuscation?(any guide would be appreciated!)

Oauth2.0 | How to manage user session in Single Page application running in an iframe?

I’m new to security domain, and recently I have learned about Oauth2.0/OpenID connect and JWT tokens. I have an existing REST based web application where I need to implement security.

Server

Application A: Spring boot back-end application sever, with some RestEndpoints exposed connected with Mysql database.

Front End

Application B: Spring boot Web Applicaiton which have some JSP pages for login and some other template features(Also connected with same Mysql database used by back-end server).

Application C: Inside application B we have an Iframe in which Angular app is running, angular app calls the back-end server and show data.

Also in future we want to use SSO for our application as well.

Current Security

At the moment we don’t have any security on back-end server (i.e We can simply call RestEnd points without any authentication), Application B has basic login security implemented via spring security. User logins on application B and then he/she can use application C (Angular) as well. User session is managed at Application B, when session expires users forced to logout.

Oauth2 Authorization

What we are trying to acheive is make the server (Application A) as Oauth2Resource server and Oauth2Authorization server. Application B (JSP front end) remove database connection from it as well as the login controller, application B will call oauth2 server for authorizing user with "password" flow, when application B will receive access_token and refresh_token it will then somehow pass it to Iframe (angular app) to store these tokens inside cookie and on every subsequent request to server angular will add access token to it.

I’ve read articles about that Oauth2.0 have deprecated the use of "Implicit Flow", and they prefer to use the "Authorization Code Flow". I am having a very hard time to understand how this flow can be used for single page applications(SPA like angular). Also where to store the access_token and refresh_token if I use the implcit flow? I’m aware that storing both tokens in cookies is not a good practice.

Also how to manage user session now? what I have gathered so far is that, on requesting resource server with Bearer access token, when we get unauthorized response, we’ll then request for new access token with help of refresh token, but in case when refresh_token is also expired I will force user to login screen. Is this right approach?

Sorry for the long context, any help will be highly appreciated. Thanks