Manual TLS decryption with master secret

Assuming I have the master secret from SSLKEYLOGFILE, the client random, and the server random, can I decrypt any TLS traffic captured? I've started from Golang's TLS implementation, pulled the connection stuff out, and had it generate the keys and IV from the values above (https://github.com/golang/go/blob/cd18da451faedc4218a5fd0e38f9b3d13aa5da01/src/crypto/tls/prf.go#L121), but still can't decrypt.

Thoughts? Is one generally able to decrypt any TLS (given the correct version and cipher) with one implementation, like Golang's?
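Added example, not code from the question or from Go's crypto/tls: the TLS 1.2 derivation for a TLS_*_WITH_AES_128_GCM_SHA256 suite carried through to decrypting one record, with a constructed master secret and randoms standing in for the SSLKEYLOGFILE line and the hello messages. The points that usually break manual decryption are in the comments: the "key expansion" seed is server_random followed by client_random; the key block holds direction-specific keys and 4-byte implicit IVs; the explicit nonce is read from the record; the additional data carries that direction's sequence number and the plaintext length; and TLS 1.3 uses HKDF with different key-log labels, so none of this applies there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// prf12 is the TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed) cut to n bytes.
func prf12(secret []byte, label string, seed []byte, n int) []byte {
	labelAndSeed := append([]byte(label), seed...)
	a := labelAndSeed // A(0)
	var out []byte
	for len(out) < n {
		h := hmac.New(sha256.New, secret)
		h.Write(a)
		a = h.Sum(nil) // A(i) = HMAC(secret, A(i-1))
		h = hmac.New(sha256.New, secret)
		h.Write(a)
		h.Write(labelAndSeed)
		out = append(out, h.Sum(nil)...) // HMAC(secret, A(i) || label || seed)
	}
	return out[:n]
}

// TrafficKeys is the AES-128-GCM key block: MAC keys of length 0, then the two write keys and 4-byte implicit IVs.
type TrafficKeys struct {
	ClientKey, ServerKey []byte
	ClientIV, ServerIV   []byte
}

// ExpandKeys derives the key block; the "key expansion" seed is server_random || client_random.
func ExpandKeys(master, clientRandom, serverRandom []byte) TrafficKeys {
	seed := append(append([]byte{}, serverRandom...), clientRandom...)
	kb := prf12(master, "key expansion", seed, 2*16+2*4)
	return TrafficKeys{ClientKey: kb[0:16], ServerKey: kb[16:32], ClientIV: kb[32:36], ServerIV: kb[36:40]}
}

// additionalData is seq_num(8) || type(1) || version(2) || plaintext_length(2).
func additionalData(seq uint64, recType byte, ptLen int) []byte {
	aad := make([]byte, 13)
	binary.BigEndian.PutUint64(aad, seq)
	aad[8], aad[9], aad[10] = recType, 3, 3
	binary.BigEndian.PutUint16(aad[11:], uint16(ptLen))
	return aad
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord builds a record as a TLS 1.2 sender does: header(5) || explicit nonce(8) ||
// ciphertext || tag. Like Go's stack it uses the record sequence number as the explicit nonce.
func SealRecord(key, implicitIV []byte, seq uint64, recType byte, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	explicit := binary.BigEndian.AppendUint64(nil, seq)
	nonce := append(append([]byte{}, implicitIV...), explicit...)
	body := aead.Seal(nil, nonce, plaintext, additionalData(seq, recType, len(plaintext)))
	n := len(explicit) + len(body)
	rec := append([]byte{recType, 3, 3, byte(n >> 8), byte(n)}, explicit...)
	return append(rec, body...), nil
}

// OpenRecord decrypts one captured record with the sender's write key and IV and that
// direction's record counter, which restarts at 0 after ChangeCipherSpec (Finished takes 0).
func OpenRecord(key, implicitIV []byte, seq uint64, rec []byte) ([]byte, error) {
	if len(rec) < 5+8+16 || len(rec) != 5+(int(rec[3])<<8|int(rec[4])) {
		return nil, errors.New("bad record length")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, implicitIV...), rec[5:13]...)
	return aead.Open(nil, nonce, rec[13:], additionalData(seq, rec[0], len(rec[13:])-aead.Overhead()))
}

// DemoKeys uses constructed values in place of a capture: the master secret from the
// SSLKEYLOGFILE "CLIENT_RANDOM <client_random> <master_secret>" line and the two hello randoms.
func DemoKeys() TrafficKeys {
	return ExpandKeys(bytes.Repeat([]byte{0xa5}, 48), bytes.Repeat([]byte{0x01}, 32), bytes.Repeat([]byte{0x02}, 32))
}

func main() {
	k := DemoKeys()
	rec, _ := SealRecord(k.ServerKey, k.ServerIV, 1, 23, []byte("HTTP/1.1 200 OK\r\n"))
	pt, err := OpenRecord(k.ServerKey, k.ServerIV, 1, rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

To use this on a real capture, parse the hex master secret from the SSLKEYLOGFILE line whose client random matches the ClientHello, take both randoms from the hellos, and feed each application-data record to OpenRecord with the sending side's key and a per-direction counter that you increment for every record after ChangeCipherSpec. Opening a server record with the client write key, or with the wrong sequence number, fails the tag check rather than producing garbage.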

Do the Secret Chats of Telegram really support Perfect Forward Secrecy?

In the Telegram API it is stated that Telegram supports Perfect Forward Secrecy in their "secret chats". It is also stated that

official Telegram clients will initiate re-keying once a key has been used to decrypt and encrypt more than 100 messages, or has been in use for more than one week, provided the key has been used to encrypt at least one message.

So my question is, in this case, if a session key gets compromised, is it possible for an attacker to read 100 messages (or possibly more)? If yes, can we still say that perfect forward secrecy is satisfied here?

Keeping a self-signed CA certificate a secret [duplicate]

I have a server that has a public and private key pair that are known by my own self-hosted CA.

A client wants to send the server some sensitive data. When the client receives the server's public key to initiate a TLS connection, the client obviously has to contact my CA to verify the server is not an impostor.

The client also has to make sure my CA is not an impostor. Is the only option for facilitating this to obtain a non-self-signed, legitimate certificate from another CA, embedded into the software tools the client is already using to communicate all this? Or, as a second option, to send the client our CA certificate beforehand, for example in an email, to use in all future communications with our CA? How is this normally handled in software exposing public APIs over secure connections whose owners want to manage their own PKI?

Can you not have mutations or be in a secret society?

I have been reading up on Paranoia a bit, though it’s really hard to figure out what information I am allowed to have and what information I’m not. I want to get into a game, but I don’t like the idea of belonging to a secret society or having any mutant powers. Is there an option to simply not be a mutant and/or not belong to any of the secret societies? And if I have to, are there any consequences to just not doing any of the secondary objectives my secret society wants me to, or not using my mutant powers?

OAuth authorization code grant with exposed client secret

Let's assume that a client has its client secret exposed somewhere. What are the risks that the client and its users are exposed to? Are those the same as having implemented the implicit flow from the beginning?

I would say that the risk here is an attacker stealing a code, and since the client secret is available, assuming no other form of client authentication is performed, the attacker would be able to exchange the code for a token. So it looks similar to the risks of the implicit flow, but a bit more secure, since by default the tokens are not exposed in the user agent (the implicit flow could use, for example, response_mode=form_post and avoid that scenario).
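Added example, not from the post and not a real OAuth library: an in-memory token endpoint that reproduces the situation described (the secret has leaked, so a stolen authorization code is enough to obtain a token) and then the mitigation RFC 7636 (PKCE) prescribes for exactly that case, which goes beyond the post. With PKCE the code is bound to the code_verifier held by the client instance that started the flow, so secret plus code is no longer sufficient. Client ID, secret, redirect URI and code values are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// authCode is the authorization server's record of an issued code.
type authCode struct {
	clientID, redirectURI string
	codeChallenge         string // S256 challenge; empty when the client sent none
	used                  bool
}

// AuthServer is a minimal in-memory stand-in for an authorization server.
type AuthServer struct {
	secrets map[string]string
	codes   map[string]*authCode
}

func NewAuthServer(clientID, clientSecret string) *AuthServer {
	return &AuthServer{secrets: map[string]string{clientID: clientSecret}, codes: map[string]*authCode{}}
}

// S256 is the PKCE transform: BASE64URL(SHA256(code_verifier)) without padding.
func S256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// IssueCode is what the authorization endpoint does after the user consents.
func (s *AuthServer) IssueCode(code, clientID, redirectURI, challenge string) {
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI, codeChallenge: challenge}
}

// Exchange is the token endpoint: client authentication by secret, then the code
// checks of RFC 6749 section 4.1.3, then the PKCE check if the code carries a challenge.
func (s *AuthServer) Exchange(clientID, clientSecret, code, redirectURI, verifier string) (string, error) {
	want, ok := s.secrets[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(clientSecret)) != 1 {
		return "", errors.New("invalid_client")
	}
	c, ok := s.codes[code]
	if !ok || c.used || c.clientID != clientID || c.redirectURI != redirectURI {
		return "", errors.New("invalid_grant")
	}
	if c.codeChallenge != "" && S256(verifier) != c.codeChallenge {
		return "", errors.New("invalid_grant: code_verifier does not match")
	}
	c.used = true // codes are single use
	return "access-token-" + code, nil
}

// Scenario: the client secret has leaked and the attacker has captured a code.
// Returns whether the attacker obtains a token without PKCE and with PKCE.
func Scenario() (stolenCodeWorks, stolenCodeWorksWithPKCE bool) {
	const clientID, secret, redirect = "web-app", "leaked-secret", "https://app.example/cb"
	s := NewAuthServer(clientID, secret)

	s.IssueCode("code-1", clientID, redirect, "") // flow started without PKCE
	_, err := s.Exchange(clientID, secret, "code-1", redirect, "")
	stolenCodeWorks = err == nil

	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // held only by the client instance that started the flow
	s.IssueCode("code-2", clientID, redirect, S256(verifier))
	_, err = s.Exchange(clientID, secret, "code-2", redirect, "") // attacker has secret and code, not the verifier
	stolenCodeWorksWithPKCE = err == nil
	return
}

func main() {
	plain, withPKCE := Scenario()
	fmt.Println("stolen code + leaked secret works without PKCE:", plain, "with PKCE:", withPKCE)
}
```

Once the secret is public the client is effectively a public client, and RFC 7636 was written for that case: the token endpoint still authenticates with the secret, but the code cannot be redeemed by anyone who did not generate the verifier. Rotating the leaked secret remains necessary, since it also protects other client-authenticated endpoints.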

How can I help my party find a secret path in a forest? [closed]

So, I'm trying to kind of plan out the main plots of what's going to happen in the next campaign. Currently my party is in a forest; they just got done traveling in the exact opposite direction of where they wanted to go, and found themselves back where they started at the very first session... rough, but they chose the path. Anyway, to get to the point, I want them to find a secret hidden path in an area they've already been in, and that's the route they originally wanted to go. It's past a grove of trees; however, it's hidden in a valley, down the path known as the lowland path. I can't think of any way to help them go down that path, let alone find the secret path. Please help.

Find the flaw in my architecture: Shamir’s Secret implementation for data encryption and recovery

This will be a long one.

Here’s the thing: I want to build a privacy-preserving system where the user data is not even accessible to the database administrator.

Intuitively, I immediately thought of simply using AES to encrypt user data with their own password and hashing their username so that an attacker with access to my database would need to brute-force the password for the encrypted data to get the info and then brute-force the username to maybe get an idea of who the decrypted data is about.

This would be great but leads to the problem of forgotten passwords. If one forgets their password they could reset it by providing the correct username or recovery email (also hashed), but they could not get their data back. ProtonMail, for instance, claims your data is safe even from them, but you cannot recover your emails if you forget your password.

I then started looking at secret sharing and came across Shamir's secret sharing. My question therefore is: Is the system I propose below worse than simply storing data in plaintext with obfuscated (hashed) usernames?

I understand that:

  1. Security does not come with complexity
  2. This system will not be entirely flawless

However, I just want to know if it is any better than a much simpler solution. Because as long as it is equally easy/hard for a hacker but harder for the database admin to gather any info from the data, it would be worth it for me.

It is “complex” because it is the only system my mind has currently come up with that allows for data encryption + somewhat simple recovery protecting data from hackers and admins. I would also happily take suggestions for other implementations.

So here we go.

The proposed system would use Shamir’s secret to encrypt the user data with k=6 and n=11 so that 6/11 parts are needed to decrypt the data. User information would then be given a “weight” and utilized to store a proportional number of parts in an encrypted manner. Something like this:

Weights

  • Username: 2
  • Password: 4
  • Email: 2
  • Security Question 1: 1
  • Security Question 2: 1
  • Name + Date of Birth: 1

Based on those weights, the following is done to the user’s private data (pseudocode):

SHAMIR(user_data, k=6, n=11)

This will produce something like a uint8 array with length=11. Let’s call that array parts.

The database would then use symmetric encryption (let’s say AES) to store these parts as follows (only the resulting ciphertext is stored):

    {
      username: AES(key=username, message=parts[0:2])
      password: AES(key=password, message=parts[2:6])
      email:    AES(key=email,    message=parts[6:8])
      seq1:     AES(key=answer,   message=parts[8:9])
      seq2:     AES(key=answer,   message=parts[9:10])
      id:       AES(key=name+dob, message=parts[10:11])
    }

Login would then happen with the traditional username+password or email+password, such that the user will be authenticated/logged in if the data is decrypted correctly. Both combinations give access to enough parts (6) to decrypt the data. From the user perspective, it’s all the same as everywhere else.

Then, user forgets their password. Well, now they need to find an alternative way to gather the 4 “points” provided by the password. So they would click “Forgot Password”, and a form would pop up with all the possible fields to fill in. They must then fill enough to gather 4 more parts (in addition to username or email) in order to decrypt their data. For example:

username (2) + email (2) + seq1 (1) + namedob (1) = 6

(Email verification could also be implemented)

So now the user has 6/11. Server decrypts the data, user sets a new password, data is re-encrypted, and all the fields are updated with the new parts. By definition, a user who forgot their password will have accumulated a minimum of 10 out of 11 “points” after password reset is complete (The 6 points they provided + the 4 from the new password). Therefore, 1 point could be missing. Given that the user cannot provide that last point, they can be prompted to add a new security question, at which point all is back to normal.

So, in conclusion:

I know all parts of the secret being in the same place is not great, nor is it great to use AES with low-entropy secrets.

However, this should add some security, no? To get the data, an attacker would have to brute force at least a password and a username, or, to not brute-force the password, would have to brute-force quite a bit of other data. It isn’t perfect by any means, but it’s better for data privacy than the standard, no? What am I missing? Assuming it’s implemented perfectly and it works as intended, is it possibly worse than how companies treat our data today? For most, a database breach means the data is already out there, only the password has to be brute-forced, right?

Lastly, could these objectives be achieved in any other way?

That’s it. If you’ve read until now, thank you. Please go easy on me.

Cheers.

EDIT: I’m also thinking somewhat about UX here. The entropy of the data used to store the parts is definitely low, but giving users a higher-entropy “random recovery code” or something would be problematic from a UX perspective.
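Added example, not code from the post: a compact Shamir implementation over GF(2^8) that splits a short stand-in for the data key with k=6 and n=11, lays the 11 parts out with the post's weights and order, and reconstructs from a chosen set of fields. It makes the post's own recovery path concrete: username (2) + email (2) + seq1 (1) + namedob (1) reaches the threshold with no password involved, so that combination of fields is a second login path and the threshold is only as strong as their combined entropy. Real deployments share a random data-encryption key and encrypt the data under it rather than sharing the data itself; the sample secret and field names are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1; addition is XOR.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		p ^= a & -(b & 1)       // add a when the low bit of b is set
		a = a<<1 ^ 0x1b&-(a>>7) // a *= x, reduced modulo the polynomial
		b >>= 1
	}
	return p
}

// gfInv returns a^254 = a^-1 (a^255 = 1 for every non-zero a); gfInv(0) is 0.
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

type Share struct {
	X byte   // evaluation point, 1..n
	Y []byte // one polynomial value per secret byte
}

// Split makes n shares of which any k reconstruct: each secret byte is the constant
// term of a fresh random polynomial of degree k-1, evaluated at x = 1..n.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	shares := make([]Share, n)
	for j := range shares {
		shares[j] = Share{X: byte(j + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k)
	for i, s := range secret {
		coef[0] = s
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		for j := range shares {
			var y byte
			for d := k - 1; d >= 0; d-- { // Horner evaluation at shares[j].X
				y = gfMul(y, shares[j].X) ^ coef[d]
			}
			shares[j].Y[i] = y
		}
	}
	return shares, nil
}

// Combine interpolates at x = 0. Fewer than k shares give no error, only a value unrelated to the secret.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	// Lagrange basis at 0: l_j = prod_{m != j} x_m / (x_j - x_m); subtraction is XOR here.
	basis := make([]byte, len(shares))
	for j, sj := range shares {
		num, den := byte(1), byte(1)
		for m, sm := range shares {
			if m != j {
				num = gfMul(num, sm.X)
				den = gfMul(den, sj.X^sm.X)
			}
		}
		if den == 0 {
			return nil, errors.New("duplicate share")
		}
		basis[j] = gfMul(num, gfInv(den))
	}
	secret := make([]byte, len(shares[0].Y))
	for i := range secret {
		for j, sj := range shares {
			secret[i] ^= gfMul(sj.Y[i], basis[j])
		}
	}
	return secret, nil
}

// Recover pools the parts behind the supplied fields using the post's layout
// (username parts[0:2], password [2:6], email [6:8], seq1 [8:9], seq2 [9:10], namedob [10:11]).
func Recover(parts []Share, fields ...string) ([]byte, error) {
	layout := map[string][2]int{"username": {0, 2}, "password": {2, 6}, "email": {6, 8},
		"seq1": {8, 9}, "seq2": {9, 10}, "namedob": {10, 11}}
	var got []Share
	for _, f := range fields {
		r := layout[f]
		got = append(got, parts[r[0]:r[1]]...)
	}
	return Combine(got)
}

func main() {
	shares, _ := Split([]byte("k3y-for-user-data"), 6, 11) // stands in for the data key being shared
	noPassword, _ := Recover(shares, "username", "email", "seq1", "namedob") // the post's own recovery path
	fmt.Printf("recovered without the password: %q\n", noPassword)
}
```

Try other subsets with Recover to see which ones cross the threshold: any set of fields whose weights sum to 6 reconstructs, and any set summing to 5 or less yields an unrelated value, regardless of which fields are involved. Since the parts are stored under AES keys derived from the field values, an attacker holding the database needs to guess only the values of a 6-weight subset, and the password is not part of the cheapest one.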

What is the Best Practice to change a secret password with PBDKF2

I read recommendations about the secret key (or password, as RFC 8018 calls it); one of them is to change the password from time to time.

I would like to know: is there some best practice for this change of password?

I found this reference in the RFC with the following information:

changing a password changes the key that protects the associated DPK(s). Therefore, whenever a password is changed, any DPK that is protected by the retiring password shall be recovered (e.g., decrypted) using the MK or the derived keying material that is associated with the retiring password, and then re-protected (e.g., encrypted) using the appropriate MK or the derived keying material that is associated with a new password.

I understood from this text that I have to re-protect again. But when and by whom does this process have to be done? Could "re-protect" be a batch process, or is there a better option?

In short, how do I carry out this process without reinventing the wheel?

Thank you guys.

Can two wizards use Leomund’s secret chest to transport items between vast distances? [duplicate]

Related to this question. Assuming that two wizards cast Leomund's Secret Chest on the same chest and then go in different directions, could they use this chest to exchange items over vast distances? To clarify a bit:

  1. Wizard A and Wizard B cast Leomund's Secret Chest on the same chest.
  2. Wizard A leaves to venture into a dungeon while Wizard B stays in the city.
  3. Wizard A finds a huge hoard of gold but cannot carry it. Using sending to reach Wizard B, he asks Wizard B to summon their chest every five minutes and dump its contents.
  4. Wizard A summons the chest, fills the empty chest with gold, and sends it to the Ethereal Plane.
  5. Wizard B summons the chest and empties the contents before sending it to the Ethereal Plane. Rinse and repeat till the entire hoard is taken back to the city within the span of an hour.

What happens if 2 wizards cast Secret Chest on the same chest?

In my game, in which I play a wizard, I have met an NPC wizard who is willing to let me learn Leomund's Secret Chest from her spellbook. This got me wondering what would happen if I learned the spell and cast it on the same large chest that she had already cast it on (using my own separate tiny replica). Would this enable us to effectively teleport objects back and forth by alternately summoning the chest and placing things in it, then letting the other person summon it and remove the items? Or would something else happen? How would the chest work if 2 different wizards cast Secret Chest on it?