client certificate and key storage on client’s machine

Related to a question I posted here, but thought it would also make sense to ask it here.

Basically, I’m developing a web application that will display a dashboard with sensor data from an installation that uses MQTT. I’ve deployed a certificate provisioning system which provides server and client (microcontroller) certificates inside that installation. The broker I use is Mosquitto and in the configuration file I added an option to require the clients to show a valid client certificate during the TLS handshake. Storing the certificate’s and keys in the microcontroller or the installation in general is not a problem because I will have control over those devices in order to mantain and secure the system. However, for the web clients it’s not the same.

Ideally, there should be an option in the Mosquitto broker that would allow some clients to not be forced to provide a client certificate during the handshake, but a username and password. I haven’t found the way of doing this.

My idea for the web app is to have two layers of security:

  1. Access to the webapp via username and password

  2. Access to the Mosquitto broker once the user is logged in via client certificates

The client certificate and key would only be sent in two cases: first login and certificate renewal. So there’s no way of requesting a certificate outside those two cases.

If someone can get hold of the username and password they would still need to certificate to view the MQTT data. If a malicious user can steal a valid certificate and key they’d still need a valid username and password combination. Is this okay from a security stand point?

What is the right way of storing private keys to access some (your) system inside a client machine you have no control over?

Using unique per-session gpg keys to store backups on cloud storage

I’d like to encrypt my server’s daily backups and send them to dropbox / google drive / etc., as a backup.

I’ve read of various approaches. Assuming symmetric encryption (passphrase rather than public/private keypair), people seem to: tar, compress, encrypt with a passphrase (using gpg), and upload the result to cloud storage.

Then I found this comment (edited for brevity):

I wouldn’t use the same passphrase over and over to encrypt your files. Instead, I’d generate a file containing a number of random bytes and use that as a key for my .tar.bz2.gpg file. I’d then encrypt this random file with my 100 character passphrase and upload it together with the backup file. (Basically, I’d create a session key with which to encrypt my data and use the 100 character string as a master key to decrypt the session keys). You can automate this, and it gives you forward secrecy in case one of your backup session keys is compromised and the ability to decrypt any specific backup without losing control over your master key.

So if I understand correctly, for every backup I must (via a bash script):

  1. create the backup 2020-01-01.backup.tar.bzip2 (date is just an example)
  2. generate a random passphrase, and save it as 2020-01-01.passphrase.txt
  3. use 2020-01-01.passphrase.txt to encrypt 2020-01-01.backup.tar.bzip2 to get 2020-01-01.backup.tar.bzip2.gpg
  4. encrypt 2020-01-01.passphrase.txt with my “master” passphrase (which I keep on my local box) to get 2020-01-01.passphrase.txt.gpg
  5. upload 2020-01-01.backup.tar.bzip2.gpg and 2020-01-01.passphrase.txt.gpg to cloud storage

The above comment says this is more secure because if one backup/passphrase is compromised, the others are still safe as they use different passphrases.

But I’m a little confused. If the master passphrase is compromised (“hacked” / guessed / whatever) – all the backups are compromised. It seems like just another level of indirection.

The only way this makes sense is if the master passphrase is MUCH longer (more entropy) than each session passphrase – e.g. 100 characters vs 20 characters, respectively. But then why not just make every session passphrase 100 characters?

Is my understanding of this strategy correct, and can you detect any gotchas I should take into account?

*Dedi startup-$80/M-HDD Storage,8 GB RAM,2x HDD,2TB 7.20 Storage.

If you want to take your business to the top in an efficient manner, through fast servers and the best quality services then Hostpoco.com is the best option for you.

Dedicated servers hosting is the best option for you to full authority and extensive control over your commercial environment and business websites. Our dedicated servers not only provide complete root SSH access but also additionally permit you to host unlimited domains and set up the application which you want, you can resell hosting to provide you the convenience and independence of a dedicated server. Apache, php, Perl and MySQL are pre-established for all dedicated Servers. To facilitate further easier and quicker administration you can move for cPanel/WHM control panel to your server.

===========
Our Plans:
===========
*Dedi Startup: $80 /Monthly
– E3-1240 ( 2 Cores x 3.3 )
– HDD Storage
– 8 GB RAM
– 2x HDD SATAII 2TB 7.20 Storage
– 4 Free IP Address
———

*Dedi Pro: $85 /Monthly
– X5650 ( 2 Cores x 2.66 )
– SSD Storage
– 8 GB RAM
– 2x 240GB SSD Storage
– 4 Free IP Address
———

*Dedi Premium: $95 /Monthly
– E3-1240 ( 2 Cores x 3.3 )
– HDD Storage
– 16 GB RAM
– 2x HDD SATAII 2TB 7.20 Storage
– 4 Free IP Address
——–

*Dedi Elite: $110 /Monthly
– Intel Xeon 56xx (4 Cores)
– HDD Storage
– 16 GB RAM
– 2x HDD SATAII 3TB 7.20 Storage
– 4 Free IP Address
———

For more Info:https://hostpoco.com/low-cost-dedicated-server.php

Thank you.

China 1000L Food Grade Plastic IBC Storage Tank suppliers

▲ Brief introduction :
Kadoya Everbright(Dalian) Co.,Ltd is a Sino-Japanese joint venture company founded in November 2008. We mainly specializes in design, development and quality control of various kinds of stainless steel tanks. The products are widely used in production, storage, and transportation in industry of chemical, cosmetic, food and pharmacy etc. We have the ability and approval of designing, producing and selling general and hazardous chemical products packaging as well as class I&II Pressure tanks. We already got certificate from CCS for some of our tanks(UN approval). In 2015,our company successfully got a patent of a self-design stainless steel tank with heating-jacket and insulation layer.
Our company works on integrating effective resources, utilizing advanced technology and committing to provide customers with a reasonable one-stop package solution. Our products are used by clients from USA, Canada, UK, Japan, Singapore, Indonesia, Malaysia, Thailand, India, and domestic companies. They are satisfied with our product quality, delivery time and good service
▲ History:
◆ 1911-On August 1st, 44th Year in Meiji Period (1911), kadoya Company (Japanese) was started to do business.
◆ 1932-In 1932,Mr. Li Baoshan started to establish a venture(china)
◆ 1974-On July 1st,49th Year Showa Period(1974),Kadoya Co.,Ltd.was established.
◆ 2004-In 2004,Dandong Changming Trading Co.,Ltd. Was established.
◆ 2006- In 2006,Kadoya Company started to do business with Dandong Changming Trading Co.,Ltd.
◆ 2007-In 2007, kadoya Company and Dandong Changming Trading Co.,Ltd. rached the intention to set up a joint venture company
◆ 2008-On November 28,2008, Kadoya Everbright Trading (Dalian)Co.,Ltd.was established.
◆ 2009-In 2009, became an Alibaba China supplier,and a member of Dalian E-business Association
◆ In October 2009, moved to Development Building in Dalian Development Zone.
◆ 2010-In September 2010,invited by the South Korean government to participate in Seoul International Sourcing in South Korea
◆ In June 2010,Kadoya Everbright started business cooperation with the Japanese listed company-Sendai Kobayashi Pharmaceutical Co.,Ltd
◆ 2011-In 2011,IBC products are sold over 300 units
◆ 2012-In June 2012,Kadoya Everbright purchased its own office building(Jiahua business Building)
◆ In June 2012,the company’s English name was officially changed from(KODOYA
GUANGMING TRAIAN)CO.,LTD) to(KADOYA EVERBRIGHT TRADING(DALIAN)CO.,LTD)
◆ 2013-In July 2013,Kadoya Everbright participated in pharmaceuticals and cosmetics exhibition in Tokyo,Japan me
◆ In 2013,became the high quality supplier of Kobayashi Phamaceutical Co.,Ltd. And obtained the appre and trophy of Kobayashi Phamaceutical Co.,Ltd.
◆ In 2013,obtained ISO9001 international certification
◆ In November 2013,Kadoya Everbright has been established for 5 years,and took monument photos
◆ 2014-In April 2014,took the group photo of board members and staff,
In May 2014,participated in Shanghai CPHI Exhibition
◆ 2015-Go to japan and visit our customer
◆ 2016-The company organized a trip to jeju island
Go to germany and visit our customer
2017-Participated in Vietnam Exhibition
▲ Our Factory
Our factory is located in the beautiful coastal city-Dalian, the geographical position is superior, the transportation is convenient, It can provide processing according to the customer’s drawing, accept customers’ materials for processing, or design and product the goods all according to the customer’s requirement. The company has more than 50 sets of advanced mechanical equipment. With rich experience in stainless steel processing and production and the ability to undertake large-scale projects and orders, and have a strong product design capacity and market base. Products are constantly innovative and diversified.
The products have been exported to japan, korea, Europe and America and many domestic cities for a long time. 70% of the products are exported to japan. After years of continuous exploration and development, the company has developed the production capacity of over 400 varieties in 15 categories in the fields of diet, medical treatment, pharmacy, construction, chemical engineering, environmental protection and logistics.
▲ Our Product
1, stainless steel storage and transportation container
2, Liquid heating&insulation container
3, fermentation tank
4, mixing tank
5, pressure vessels
6, other non-standard customized products
7, collapsible tank
8, spare parts of stainless steel container
Our company works on integrating effective resources, utilizing advanced technology and committing to provide customers with a reasonable one-stop package solution.
▲ Production Market
We have customers from both domestic market and oversea market. Our sales can speak fluent English, Japanese, and Korea for good communication. Our main sales market:

Eastern Asia 72%
Southeast Asia 11%
Domestic Market 9%
North America 4%
Europe 4%
▲ Our Certificate
We always feel that all success of our company is directly related to the quality of the products we offer. They meet the highest quality requirements as stipulated in
ISO 9001:2008, Utility Model Patent Certificate, Supplier Assessment Certificate, Appreciation Award, UN Certificate(UN31A/Y).
▲ Production Equipment
steel plate shearer, bending machine ,welding machine ,lathe, drilling machine, laser cutting machine, hydraulic machine
▲ Our service
QCDDS
◆ Quality: professional QC team, The products will be serious examined
◆ Cost: Cost down according to manufacturing process management .we carry out the production process management, to grasp the progress of the product at any time and submit progress reports to customers.
◆ Delivery: Provide the customer with the production schedule and follow it,delivery on time
◆ Design: To customize the products according to customer’s requirement
To make the detail production drawing according to customer’s assembly drawing
◆ Service:
Prenatal meeting, production schedule, material list review, production progress report, double check before delivery, logistics delivery report etc.to keep you get the most suitable packing solutionChina 1000L Food Grade Plastic IBC Storage Tank suppliers
website:http://www.totetank-en.com/
website2:http://www.totetank-jp.com/

What are the main differences between a covert timing channel and a covert storage channel?

I am trying to find the differences between a covert timing channel and a covert storage channel in terms of detectability, performance, features, and any other advantages and disadvantages.

Is there any resource that directly compares the advantages and disadvantages of the two attacks?

How can we protect encrypted files and directories from being fingerprinted when stored on online storage services?

Assuming that online storage providers are considered untrusted, if files and directories are encrypted, how can these be protected against fingerprinting?

The files are encrypted using rclone’s implementation of Poly1305 and XSalsa20 before being backed up to the cloud provider.

According to rclone’s documentation, the available metadata is file length, file modification date and directory structure.

  • What can be identified?
  • What can be inferred?
  • What attack vectors are there against the encrypted files and directories if the online storage provider is compromised assuming the passphrase is at least 24 characters long and is a combination of alphanumeric and special characters (uppercase and lowercase) as well as salted with similar entropy?

The encrypted data is considered to be sensitive.

How can I protect those files from being fingerprinted and the contents inferred such as ownership, source and the like?

Is Bitlocker secure enough for portable storage devices?

I have recently lost a U drive, which contained some important information. Fortunately, it was protected by Bitlocker. I felt the compulse to ask exactly how secure it is. Most answers on this site related to Bitlocker seem to be about built-in storage on a computer. This answer says there was a possible cold boot hack. Is it more secure to protect a U drive with Bitlocker, since you cannot use that kind of hack on a U drive? Also, that answer is 6 years old. There must have been some new developments. With the current technology that Bitlocker uses, do I need to worry that the information on my U drive could be decrypted?

Space-efficent storage of a trie as array of integers

I’m trying to efficiently store a list of strings in an array with the following constraints:

  • All strings consist of 8-bit characters (0..255).
  • The final trie is static, i.e. once it is built, no strings have to be inserted or removed.
  • Looking up a string of length $ m$ must be done in $ O(m)$ with a constant factor as low as possible.
  • The only available memory structure to store the data is an array of integers. In particular, there are no pointers or dynamic memory allocation.
  • Once an array is allocated, it cannot be resized and its memory cannot be released anymore.
  • Memory is rare, so the final data structure should be as compact as possible and no unnecessarily long arrays should be allocated.
  • Computation time is not important for the building phase, but for memory usage the consraints above apply.

Preface

My current approach is a trie that is stored in the array with the following structure:

$ $ \fbox{$ \vphantom{^M_M} \;i_0 \;\ldots\;i_{255}\;$ }\, \fbox{$ \vphantom{^M_M} \;i^*_0 \;\ldots\;i^*_{255}\;$ }\, \fbox{$ \vphantom{^M_M} \;w\;$ }\, \fbox{$ \vphantom{^M_M} \;\mathit{last}\;$ }\, \fbox{$ \vphantom{^M_M} \;B_0\;$ }\,\fbox{$ \vphantom{^M_M} \;B_1\;$ }\,\ldots $ $

where $ i_k$ is a mapping from each unique input character $ k$ to an integer $ 1 \leq i_k(c) \leq w$ with $ i^*$ being the corresponding reverse mapping of $ i$ . Each node in the trie is stored as a block $ B$ of size $ w+1$ . The mapping $ i$ is used to reduce the size of each block, because not the whole character range has to be stored but only the number of characters actually used. This comes at the expense of having one more indirection when looking up words. (The field $ \mathit{last}$ here is used as a pointer to the field after the last block in the array, used to find the next allocation point.)

Each block looks like this:

$ $ \fbox{$ \vphantom{^M_M} \;b\;$ }\, \fbox{$ \vphantom{^M_M} \;c_1 \;\ldots\;c_w\;$ } $ $

$ b$ is either 1 if the word represented by that block is in the trie, and 0 otherwise. $ c_i$ represent all unique input characters (after the $ i$ mapping). If the value of $ c_i$ is equal to 0, there is no entry for this character. Otherwise $ c_i$ is the index into the array at which the block to the following letter starts.

To build the trie, the first step is calculate the bijection $ i$ /$ i^*$ and $ w$ . Then new blocks are added with each prefix that isn’t already present in the trie.

Problem

While this approach works so far, my main problem is memory usage. The current approach is extremly memory expensive when only few words share longer prefixes (which is usally the case). Some tests show that the typical number of non-empty fields is only about 2-3% of the whole array. Another problem is that the final number of needed array fields is only available after the trie has already been built, i.e. I have to be conservative when allocating the memory to not get out of memory while adding new blocks.

My idea now was to use a compressed trie/radix trie instead with two types of blocks: 1) the ones above that represent nodes with several children, and 2) compressed blocks (similar to C char arrays) that represent suffixes in the trie. For example, when the words apple juice and apple tree should be stored in the tree, there would be seven normal blocks for the common prefix apple and a compressed block for each juice and tree. (Perhaps that would also allow to merge common suffixes for words with different prefixes.)

The problem with this is that is may lead to gaps in the array while building the trie. Consider the situation in the above example, in which only apply juice is stored as a compressed block in the trie. Now apple tree is inserted, which would lead to a removal of the apple juice block and addition of juice and tree blocks instead, which will not fit into the left hole in general.

Under the given constraints, can anyone see an algorithm to store strings most efficiently in the array while keeping the linear lookup time?