Is it secure to use a single pair of RSA keys to achieve mutual authentication? [migrated]

I saw this design recently in an infotainment product. The goal is mutual authentication between two ECUs, E1 and E2. They only care about each other. The basic idea is to keep both keys secret and let each ECU have one. Let’s call the keys k1 and k2, instead of public key and secret key, or E and D. Both keys are large.

Suppose E1 has k1, and E2 has k2. To perform mutual authentication in a cost efficient way:

  1. E1 generates random data D of a fix length, and encrypts hash(D) with k1, resulting in S1. D and S1 are sent to E2.
  2. E2 decrypts S1 with k2, and check if it matches hash(D).
  3. If OK, E2 calculates the binary complement of D, denoted D’. Then it encrypts hash(D’) with k2, resulting in S2. S2 is sent to E1.
  4. E1 calculate D’, decrypts S2 with k1, and check if it matches hash(D’).

I have a hunch this design is risky, but fail to find the weakness. Is it secure enough in the real world?

How to configure nginx with mutual TLS and restrict client domains

I have an nginx server that requires mutual TLS (client certificate required). What configurations do I need for nginx to only allow client certificates where the “subject” is from a certain domain?

I’ve read about the variable “ssl_client_s_dn”. I suppose I would parse this to get the domain and check that it matches a string. Can someone provide an example of how to do this?

For client certificates NOT belonging to a certain domain, access should be denied.

How to configure nginx with mutual TLS and restrict client domains

I have an nginx server that requires mutual TLS (client certificate required). What configurations do I need for nginx to only allow client certificates where the “subject” is from a certain domain?

I’ve read about the variable “ssl_client_s_dn”. I suppose I would parse this to get the domain and check that it matches a string. Can someone provide an example of how to do this?

For client certificates NOT belonging to a certain domain, access should be denied.

How do I disable the add friend button for mutual friends on Facebook?

I have seen on Facebook that it is explicitly possible for a user who shares mutual friends with another user to somehow disable the ability to become added as a friend. This is regardless of recent blocking or unblockings, or even recent friend requests. and a clearly visible group of mutual friends on their profile. I would like to know how to apply this privacy setting on my Facebook page, so that certain users who I share friends with cannot send me requests.

In Facebook’s privacy settings, it seems that I can either set my “Add Friend” possibilities to “Everyone” or “Friends of Friends”. How do I make it so some mutual friends cannot add me?

To be clear I do not want to block these people.

Mutual Information always gives negligible value

When I try to calculate Mutual Information between two Random variables the value comes very close to zero irrespective of nature of RVs. The steps I followed are,

def entropy(X):     p_X = X / np.sum(X)     return(-1 * np.sum(p_X * np.log(p_X)))  def joint_entropy(X, Y):     p_X = X / np.sum(X)     p_Y = Y / np.sum(Y)     sum = 0     for y_i in p_Y:        sum += np.sum((y_i * p_X) * np.log(y_i * p_X))     return(-1*sum)  Mi = entropy(X_bin) + entropy(Y_bin) - joint_entropy(X_bin, Y_bin) 

X_bin and Y_bin are histogram bins having a count of members in the bin. Any insight and help would be appreciated and Thanks in advance.

What is a counterexample for Lamport’s distributed mutual exclusion algorithm with non-FIFO message queues?

Lamport’s distributed mutual exclusion algorithm (also described here) solves mutual exclusion problem for $ N$ processes with $ 3(N-1)$ messages per request (“take and release lock” cycle).

It requires that for each pair of processes $ P$ and $ Q$ all messages send by $ P$ to $ Q$ are received and processed by $ Q$ in the same order. E.g. if $ P$ sends messages $ m_1$ and $ m_2$ in that order, $ Q$ cannot receive $ m_2$ before receiving $ m_1$ .

I would like to see how it breaks if I remove that First-In-First-Out condition and allow reordering. The only counterexample I was able to built uses two processes who want to acquire the shared resource:

  1. $ P$ starts with clock 10 and sends request $ m_1$ to $ Q$
  2. $ Q$ starts with clock 1 and sends request $ m_2$ to $ P$
  3. $ Q$ receives request $ m_1$ with timestamp 10 and sends acknowledge message $ m_3$ to $ P$
  4. $ P$ receives message $ m_3$ before $ m_2$ and enters critical section. As far as $ P$ is concerned, it’s the only process wanting the resource
  5. $ P$ receives message $ m_2$ and responds to $ Q$ with acknowledge
  6. $ Q$ enter critical section as $ Q$ ‘s request has timestamp 1 and $ P$ ‘s request has timestamp 10, so $ Q$ has priority

However, that requires $ P$ to respond to $ Q$ ‘s request $ m_2$ while in critical section. Otherwise, $ Q$ will receive acknowledgment when $ P$ is no longer in critical section and there will be no conflict.

Question being: how to construct a counterexample where processes do not respond to external messages while in critical section?

Using Mutual TLS to create api keys

I would just like a sanity check on my plan to implement API authentication/authorization.

  1. Authorized URLs are placed in a secure DB
  2. The client server places a GET request to api-key service with mutual TLS
  3. The URL in the cert is compared to the DB of authorized URLs, and the cert itself checked for validity
  4. A 512bit API key is generated from a CSRNG, SHA hashed, then the hash of the key is stored in a secure location. This key expires after 8 hours
  5. Subsequent requests from the client server place this key in the authorization header and are compared to the stored hash for validity

Are there any problems with this approach that should give me pause?