Any book/resource on ssl, client auth using cert, server auth pgp, keys, etc [closed]

Is there any book which can cover security from certs point of view in detail. I want topics like

  1. SSL certs for webservers/ sites
  2. Security certs for authenticating clients rather username/password
  3. PGP keys, ssh keys anything realted
  4. CA cert chain, bundle , database certs
  5. diff types of formats of certs , keys
  6. Security at diff layers of OSI Model /protocols

How are keys negotiated in wpa-eap?

Question about PEAP-MSCHAPV2 on RADIUS.

After MSCHAPV2 success keys are extracted from TLS context. Then it sent to AP.

Client failed to connect WiFi (or eapol, etc) with my handmade RADIUS Access-Accept.

Can you explain full keys negotiation?

Radius source code implementations based on state machines, so code is difficult to understand.

Would Triple DES-X with 9 keys be much slower than standard Triple DES?

Since a single hardware pass of an XOR with a 64 bit key is very fast, would Triple DES-X using nine 64 bit keys used in the following manner be virtually identical in terms of code size, memory consumption, and execution speed to 3DES?

XOR (Key 1) DES (Key 2) XOR (Key 3)

XOR (Key 4) DES (Key 5) XOR (Key 6)

XOR (Key 7) DES (Key 8) XOR (Key 9)

Additionally, would it be significantly stronger? Would it still suffer from the same block size based vulnerability of DES-X?

Max no. of keys of B-Tree of height h

I am reading about B-Tree through CLRS. One of the exercise problem is to express maximum number of keys in a BTree of height $ h$ and minimum degree $ t$ .

Properties of BTree of $ t$ :

  • $ t\ge 2$
  • Min. no of keys in a node is $ t-1$ and max. number of keys in a node is $ 2t-1$
  • Max number of children a node can have is $ 2t$

To solve it the formula I came up with is $ $ \sum_0^h (2t)^h(2t-1) $ $

Does it have any convergence?

Multi-user document encryption: access to user private keys

I am attempting to implement these solutions for multi-user document encryption:

  • https://security.stackexchange.com/a/71915

  • https://owncloud.com/wp-content/uploads/2014/10/Overview_of_ownCloud_Encryption_Model_1.1.pdf

The user’s private key is stored in a database and encrypted using a symmetrical cipher, the key to which is the user’s password.

My question is how should the private key be kept around so it can be used in subsequent requests? The user’s plaintext password is only available during the initial login request so that’s the only time it can be used to decrypt the private key.

The options I have thought of include:

  • Decrypt the private key on login, keep it in memory, then look it up on subsequent requests
  • sending back the private key in the user’s JWT (also ensuring the JWT is encrypted)

How does a TLB lookup compare all keys simultaneously?

I am reading OS Concepts dinosaur book which says, “Each entry in the TLB consists of two parts: a key (or tag) and a value. When the associative memory is presented with an item, the item is compared with all keys simultaneously.”

I checked How does a TLB and data cache work? but it does not say anything about the implementation that allows this parallel checking of the keys.

I read something about a parallel hash table here: http://www.cs.cmu.edu/afs/cs/academic/class/15210-s12/www/lectures/lecture27.pdf

Is this the basic idea? The insertion of a key outputs a frame number and this could either be a hit or miss?

How to store API keys when algo trading?

I write Python scripts for clients to “algo trade” at currency/stock exchange websites. My clients are typically running my scripts on traditional personal desktop PC’s. Usually using these PC’s for web browsing activities as well. The environment is always linux; usually debian. In the industry; Python is quite standard for algo trading in this manner; both institutionally and privately.

However, I can’t help but see a flaw in the security model.

Each exchange has a slightly different authentication method; but in short there is:

USER INPUTS:  api['secret']       # private key from exchange  USER CONFIG FILE CONTAINS:  api['key']          # public key from exchange api['exchange']     # name of exchange; ie "binance" api['symbol']       # market pair symbol in format BTC:USD api['uri']          # the url up to .com/  FROM USER INPUTS SCRIPT BUILDS REQUEST SPECIFIC:  api['nonce']        # time.time() at beginning of request api['endpoint']     # path/to/server/resource api['url']          # uri + endpoint api['method']       # GET, POST, or DELETE api['params']       # dict with request specific parameters api['data']         # str with request specific parameters api['headers']      # authentication signature specific to the request 

These requests are of the sort:

POST BUY/SELL DELETE BUY/SELL (CANCEL) GET ACCOUNT BALANCES GET OPEN ORDERS WITHDRAW FUNDS 

Here are some examples of the authentication methods I’ve written to some currency exchanges; they’re all quite standard in the forex/stock/crypto trading industry. Mostly in the generalized format:

api["header"] = {"signature": HMAC(SHA256(the_request_parameters))} 

examples:

def signed_request(api, signal):     """     Remote procedure call for authenticated exchange operations     api         : dict with keys for building external request     signal      : multiprocessing completion relay     """     api = lookup_url(api)     api["data"] = ""     if api["exchange"] == "coinbase":         api["data"] = json_dumps(api["params"]) if api["params"] else ""         api["params"] = None         message = (             str(api["nonce"]) + api["method"] + api["endpoint"] + api["data"]         ).encode("ascii")         secret = b64decode(api["secret"])         signature = hmac.new(secret, message, hashlib.sha256).digest()         signature = b64encode(signature).decode("utf-8")         api["headers"] = {             "Content-Type": "Application/JSON",             "CB-ACCESS-SIGN": signature,             "CB-ACCESS-TIMESTAMP": str(api["nonce"]),             "CB-ACCESS-KEY": api["key"],             "CB-ACCESS-PASSPHRASE": api["passphrase"],         }     elif api["exchange"] == "poloniex":         api["params"]["nonce"] = int(api["nonce"] * 1000)         message = urlencode(api["params"]).encode("utf-8")         secret = api["secret"].encode("utf-8")         signature = hmac.new(secret, message, hashlib.sha512).hexdigest()         api["headers"] = {             "Content-Type": "application/x-www-form-urlencoded",             "Key": api["key"],             "Sign": signature,         }     elif api["exchange"] == "binance":         api["params"]["timestamp"] = int(api["nonce"] * 1000)         api["params"]["signature"] = signature         message = urlencode(api["params"].items()).encode("utf-8")         secret = bytes(api["secret"].encode("utf-8"))         signature = hmac.new(secret, message, hashlib.sha256).hexdigest()         api["headers"] = {"X-MBX-APIKEY": api["key"]}     elif api["exchange"] == "bittrex":         api["params"]["apikey"] = api["key"]         api["params"]["nonce"] = int(api["nonce"] * 1000)         message = api["url"] + api["endpoint"] + urlencode(api["params"])         message = bytearray(message, "ascii")         secret = bytearray(api["secret"], "ascii")         signature = hmac.new(secret, message, hashlib.sha512).hexdigest()         api["headers"] = {}     elif api["exchange"] == "kraken":         api["data"] = api["params"][:]         api["params"] = {}         data["nonce"] = int(1000 * api["nonce"])         api["endpoint"] = "/2.1.0/private/" + api["endpoint"]         message = (str(data["nonce"]) + urlencode(data)).encode("ascii")         message = api["endpoint"].encode("ascii") + hashlib.sha256(message).digest()         secret = b64decode(api["secret"])         signature = b64encode(hmac.new(secret, message, hashlib.sha512).digest())         api["headers"] = {             "User-Agent": "krakenex/2.1.0",             "API-Key": api["key"],             "API-Sign": signature,         }     elif api["exchange"] == "bitfinex":         nonce = str(int(api["nonce"] * 1000))         api["endpoint"] = path = "v2/auth/r/orders"         api["data"] = json.dumps(api["params"])         api["params"] = {}         message = ("/api/" + api["endpoint"] + nonce + api["data"]).encode("utf8")         secret = api["secret"].encode("utf8")         signature = hmac.new(secret, message, hashlib.sha384).hexdigest()         api["headers"] = {             "bfx-nonce": nonce,             "bfx-apikey": api["key"],             "bfx-signature": signature,             "content-type": "application/json",         }      url = api["url"] + api["endpoint"]     ret = requests.request(         method=api["method"],         url=url,         data=api["data"],         params=api["params"],         headers=api["headers"],     )     response = ret.json() 

My clients often ask me, where to store the api["secret"]. In config file? In an environmental variable? Enter it manually at every restart and store it on physically on paper? I have no good answer and anything suggested… I quickly facepalm.

I set out to write an app – in python – to store the API keys:

primary feature:

  • given url and key input:

  • writes secret to clipboard w/ xclip

  • auto clears clipboard in 10 seconds

security features:

  • reads/writes AES CBC encrypted password json to text file

  • salt is 16 byte shake256 and generated in crypto secure manner w/ os.urandom

  • new salt after every return to main menu and exit to prevent dictionary attack

  • master password stretched to 400 megabytes to prevent GPU/FPGA attack

  • master password hashed iteratively 1,000,000 times via traditional salted pbkdf sha512 to prevent brute attack

  • only 3rd party module is “pycryptodome”; raises exception if deprecated “pycrypto” is found

  • sudo system password required to edit the script

My thought was my users could use this app to secure their keys; and in a scripting cryptographic sense… I’ve dotted my i’s and crossed my t’s… when they’re stored they’re stored. Period. I’m quite convinced you cannot break my encryption scheme.

You can find my app here or by googling: litepresence/CypherVault

But I still facepalm. I opened a reddit/r/security thread here to discuss my app and my facepalm was quickly validated.

In the end of things… no matter how I handle the api[“secret”] it ends up on RAM which can be dumped by malware and uploaded to an attacker.

When the user enters the secret to be encrypted… its on RAM. When the script decrypts the secret to sign a transaction… its on RAM.

Then hocus pocus… “my script” caused somebody to lose money because it was not “secure”; I have a sense of responsibility.

How can this be avoided? How can one securely store exchange API secrets for composing financial transactions – by bot – in scripting languages, on desktop machines, without at some point exposing them to your RAM, and potentially worse… your SWAP?

Which tool/key manager to manage people’s public keys in organization?

I’m not really an expert on different key types but here it goes. My company never really managed keys. We have an SKS server that was set up to manage GPG keys for a couple of users sending encrypted documents.

Now a new requirement has come up: all users logging into servers will have to use SSH keys (i.e. ssh-keygen, creating rsa keys) or to use services like git.

Can I manage/does it make sense to manage GPG and SSH keys in the same tool? Is the existing SKS server the right tool to store these keys?