How to allow NULL in foreign keys of a compound primary key

I want to have NULLs in foreign keys of a compound primary key. This is an example of what I would expect to be valid data.

product_id variant_id
123-123 ABC
123-123 NULL
456-456 ABC

I cannot figure out why the following SQL in postgres gives NOT NULL violation constraint me when inserting NULL as variant_id.

CREATE TABLE IF NOT EXISTS inventory.price (   product_id             UUID NOT NULL, -- this has to be always to a valid product   variant_id             UUID,          -- this could be NULL   amount                 MONEY NOT NULL,   created_at             TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT now(),   -- Constraints   CONSTRAINT inventory_price_pkey PRIMARY KEY (product_id, variant_id),   CONSTRAINT inventory_price_inventory_product_fkey FOREIGN KEY (product_id)     REFERENCES inventory.product (id) MATCH FULL,   CONSTRAINT inventory_price_inventory_variant_fkey FOREIGN KEY (variant_id)     REFERENCES inventory.variant (id) MATCH SIMPLE,   CONSTRAINT inventory_price_amount_gt_0 CHECK (amount > '0'::money) ); 

And the inspection to information_schema confirms the non-nullable constraint.

column_name column_default is_nullable data_type
product_id NULL NO uuid
variant_id NULL NO uuid
amount NULL NO money
created_at now() NO timestamp with time zone

Are hardware security keys (e.g ones supporting Fido2) “able to protect authentication” even in case of compromised devices?

Correct me if I am wrong, please.

I understand that 2FA (MFA) increases account security in case an attacker obtains a password which might be possible via various ways, e.g. phishing, database breach, brute-force, etc..

However, if the 2FA device is compromised (full system control) which can also be the very same device then 2FA is broken. It’s not as likely as opposed to only using a password but conceptually this is true.

Do hardware security keys protect against compromised devices? I read that the private key cannot be extracted from those devices. I think about protecting my ssh logins with a FIDO2 key. Taking ssh as an example, I would imagine that on a compromised device the ssh handshake and key exchange can be intercepted and the Fido2 key can be used for malicious things.

Additionally: Fido2 protects against phishing by storing the website it is setup to authenticate with. Does FIDO2 and openssh also additionally implement host key verification or doesn’t it matter because FIDO2 with openssh is already asymmetric encryption and thus not vulnerable to MitM attacks?

TLS- Key exchange for session keys. Why?

I have a question about the Key Exchange Algorithm used in TLS process. I have read that the Key Exchange algorithm is used by client and server to exchange session keys. Do the client and server exchange session keys at the end of Handshake process? If they arrive mathematically at the same results for session keys at the end of the process, why would they exchange them?

How to express a type that represents an associative array whose keys determine the type of the value?

I’m fairly new to type systems and theory, so I would appreciate some guidance in a problem that sparked my interest.

I would like to understand what type system features are required so a compiler can enforce that a given key will return a value of the same type as the one the key was associated with in the first place.

A practical version of my problem is to declare a Map in TypeScript that allows a developer experience like in the pseudocode below:

const cache =  new  Map<K,  V>()  cache.set('Foo',  Error('R'))  cache.set('Bar',  1)  cache.get('Foo')  // Return value typed as Error.    cache.get('Bar')  // Return value typed as number.  cache.get('Qux')  // Compilation error. 

What would the type of K and V be?

Handling API keys for client-side app with cloud key vault

I would like to hear about the security implications of my desktop app’s current API usage workflow:

  1. Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
  2. Client app retrieves the API key and the key is assigned to a declared runtime object.
  3. Client app uses the key value to make the required GET requests.
  4. Client app closes with Application.Current.Shutdown().

Not well-versed in security myself, but I wondered:

  • Is distributing self-signed certs a risky practice? Ie. others may create a clone app with it
  • Can others potentially hack into the client during runtime and access the key?
  • Potentials for man-in-the-middle attacks to intercept keys when retrieving from vault?

Keen to hear expert thoughts about the above and other ideas. I can’t think of another way to make the GET request directly from client-side.

How to protect certificates and keys in peer to peer application

I’m making a peer-to-peer cross-platform application (in Java & Kotlin), and I want to encrypt conversations between tens of users, concurrently.

However, due to lack of knowledge in security good practices & protocols and due to this being my first time actually getting into informatics security, I’m sort of confused.

My goal is that every peer connection has a unique session that shares as little as possible to the other peer connections, in order to minimize any risk if one connection proves to be vulnerable. The connections will be implemented using TLSv1.3 or TLSv1.2 (I do not intend to support lower protocols due to the risks involved with using them).

However, I’ve done some rudimentary research on my own, and I cannot wrap my head around the question, is having a keystore and a truststore on the (classloader) directory of my application a security vulnerability? Could it ever be one?

I am aware that keystore stores the private and public key of the server, and truststore stores the public key of the server, which it verifies & uses when contacting the server. How can I protect my keystore’s and truststore’s certificate password, when they must be on the application’s directory? Does it need to be protected, even?

What encryption algorithm should my keystore use? I’m heading for really strong encryption, future proofing as much as possible along with keeping up as much backwards compatibility as I can without reducing the application’s security.

Is there an issue with the certificates being self-signed considering I’m solely using them between peers of the same application?

Considering I’m doing Java, do SSLSockets/SSLServerSockets create a "brand new session" for every new connection, as in, do they reuse the private or public key? Are private keys generated when making a handshake with a client?

Thank you for taking the time in advance, privacy is a really big focus of the application itself.