Minio May Be the Way to Go for Cloud Storage
1. Distributed (this is critical, because we really need to make sure that the storage is not all in one location or we're fucked) [documentation = https://docs.min.io/docs/distributed-minio-quickstart-guide.html]
2. Extraordinary Amount of Security Here for the Minio Servers = https://docs.min.io/docs/minio-kms-quickstart-guide.html
(could get really greedy here and opt for a post-quantum compiled OpenSSL in order to create exponentially stronger keys that can be used to move from location to location)
^^ This is how a true cloud solution should be deployed if you want to ensure that your users are actually kept safe [which none of these mother fuckers hold a fidelity to].
1. Distributed (this is critical, because we really need to make sure that the storage is not all in one location or we're fucked) [documentation = https://docs.min.io/docs/distributed-minio-quickstart-guide.html]
2. Extraordinary Amount of Security Here for the Minio Servers = https://docs.min.io/docs/minio-kms-quickstart-guide.html
(could get really greedy here and opt for a post-quantum compiled OpenSSL in order to create exponentially stronger keys that can be used to move from location to location)
^^ This is how a true cloud solution should be deployed if you want to ensure that your users are actually kept safe [which none of these mother fuckers hold a fidelity to].
Vault Project (could be used for integration as a backend storage for the LDAP server ; in order to ensure that we aren't keeping everything on the LDAP server)
1. https://www.vaultproject.io/docs/auth/ldap
2. Enforces access to 'secrets' (can stand in as a "mid-point" of enforcement for protecting user credentials)
(more information about how we will be storing user credentials can be found here = https://medium.com/@harwoeck/password-and-credential-management-in-2018-56f43669d588)
1. https://www.vaultproject.io/docs/auth/ldap
2. Enforces access to 'secrets' (can stand in as a "mid-point" of enforcement for protecting user credentials)
(more information about how we will be storing user credentials can be found here = https://medium.com/@harwoeck/password-and-credential-management-in-2018-56f43669d588)
LDAP - Auth Methods | Vault | HashiCorp Developer
The "ldap" auth method allows users to authenticate with Vault using LDAP
credentials.
credentials.
Back to Argon2 (briefly)
1. More corroboration that Argon2 uses Blake2b = https://security.stackexchange.com/questions/201714/is-there-any-advantage-to-combining-a-hash-algorithm-with-a-key-derivation-funct
2. Reminder that Argon2 is RFC approved for PHP (>7.3 ; we can implement that with Roundcube reliably now because of that) = https://wiki.php.net/rfc/argon2_password_hash_enhancements [shows their initial RFC application]
3. RFC debate with Argon2 team on PHP = https://externals.io/message/94854
4. SHA-3 Zoo = https://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo (has a comprehensive list of all the hashing algorithms)
^^^ While Blake2b is in there (and is slower than SHA512 - which may not be a bad thing ) - there is still
1. More corroboration that Argon2 uses Blake2b = https://security.stackexchange.com/questions/201714/is-there-any-advantage-to-combining-a-hash-algorithm-with-a-key-derivation-funct
2. Reminder that Argon2 is RFC approved for PHP (>7.3 ; we can implement that with Roundcube reliably now because of that) = https://wiki.php.net/rfc/argon2_password_hash_enhancements [shows their initial RFC application]
3. RFC debate with Argon2 team on PHP = https://externals.io/message/94854
4. SHA-3 Zoo = https://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo (has a comprehensive list of all the hashing algorithms)
^^^ While Blake2b is in there (and is slower than SHA512 - which may not be a bad thing ) - there is still
Information Security Stack Exchange
Is there any advantage to combining a hash algorithm with a key-derivation function?
Let's assume I would like to secure passwords using a modern KDF such as Argon2. The flow of information would look like this: $hash,$salt = argon2id($password, $salt).
Is there any advantage to f...
Is there any advantage to f...
We have to be skeptical of any and all NIST deployments (de facto) no matter what = https://mailarchive.ietf.org/arch/msg/cfrg/dtUZzdkrAFXf2Zth6WiWm3GkprM/ (and this makes that painfully clear)
This response to the 'Modern Crypto' mailing list is what personally has me a bit worried (to a certain extent) about using any NIST curves (which is why we had to swap out on our website) - but still = https://moderncrypto.org/mail-archive/curves/2015/000653.html
Schnorr DLEQ Concerns (referring to Schnorrkell) = https://moderncrypto.org/mail-archive/messaging/2020/002581.html [from moderncrypto.org]
Schnorr's has already been integrated into the $BCH blockchain (lol). Lets see how this rabbit hole goes at some point in the very near future
Schnorr's has already been integrated into the $BCH blockchain (lol). Lets see how this rabbit hole goes at some point in the very near future
Skein
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727
2b. Attack in question was mentioned in this paper (published by the team ) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as we ll, but not the same iteration as w hat was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that SKein-1024 is the equivalent of 2^452
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727
2b. Attack in question was mentioned in this paper (published by the team ) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as we ll, but not the same iteration as w hat was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that SKein-1024 is the equivalent of 2^452
Cryptography Stack Exchange
Has threefish successfully been attacked (practically or theoretically)?
Reading Schneier's "The Doghouse: Crypteto" dated September 30, 2009, I noticed Bruce Schneier stating:
Threefish, the block cipher inside Skein, encrypts data at 7.6 clock cycles/byte with a 25...
Threefish, the block cipher inside Skein, encrypts data at 7.6 clock cycles/byte with a 25...
Minio + Nextcloud (marriage) = https://autoize.ch/minio-as-nextcloud-primary-storage/
Autoize Europe
Definitive Guide to using Minio as NextCloud Primary Storage | Autoize Europe
Minio is an on-premises object storage server that can be deployed as a Minio cluster (with local storage) or as a gateway to other object storage services with their own API such as Backblaze B2, Azure Blob Storage, and Google Cloud Storage. Because Minio…
1. Blake2b Information (straight from one of the creators of the hash algorithm itself) = https://crypto.stackexchange.com/questions/31674/what-advantages-does-keccak-sha-3-have-over-blake2
2. Catalog of hardware implementations for SHA3 competitors = ehash.iaik.tugraz.at/wiki/SHA-3_Hardware_Implementations#High-Speed_Implementations_.28ASIC.29
3. Catalog of Hash Functions = https://www.cs.rit.edu/~ark/662/module11/notes.shtml
4. Threefish McOE Mode =https://eprint.iacr.org/2011/644.pdf
5. Php Code for Implementing Argon2id = https://www.php.net/manual/en/function.password-hash.php
6. Argon2id Winner of the Password Hashing Competition =https://password-hashing.net/
Notably, password hashing is in a different category than 'regular' hash functions (for data) - like SHA-based functions.
2. Catalog of hardware implementations for SHA3 competitors = ehash.iaik.tugraz.at/wiki/SHA-3_Hardware_Implementations#High-Speed_Implementations_.28ASIC.29
3. Catalog of Hash Functions = https://www.cs.rit.edu/~ark/662/module11/notes.shtml
4. Threefish McOE Mode =https://eprint.iacr.org/2011/644.pdf
5. Php Code for Implementing Argon2id = https://www.php.net/manual/en/function.password-hash.php
6. Argon2id Winner of the Password Hashing Competition =https://password-hashing.net/
Notably, password hashing is in a different category than 'regular' hash functions (for data) - like SHA-based functions.
Cryptography Stack Exchange
What advantages does Keccak/SHA-3 have over BLAKE2?
Keccak/SHA-3 is new NIST standard for cryptographic hash functions. However, it is much slower than BLAKE2 in software implementations. Does Keccak have compensating advantages?
Internet Routing (RPKI) = https://rpki.readthedocs.io/en/latest/rpki/bgp-routing.html [this is a solution that we want to start looking toward in the near future to simply enhance security even more (at least w our website) to ensure that *correct*, non-hijacked routes are being taken in order to visit our site)
^^^ We're quite a bit aways from obtaining such an infrastructure.
^^^ We're quite a bit aways from obtaining such an infrastructure.
(there's a surprising amount of cryptography-related information that we need to disseminate in relation to what we've been working on, on the 'personal' side of things)
So, without further ado - let's get started.
So, without further ado - let's get started.
PrivateBin
Many have heard o this app - but if you haven't go ahead and take a look at their website here: https://privatebin.info/jsdoc/privatebin.js.html
—
Its already pretty well designed (we've peered all through the code).
Some of the things that we're working on now, however, to enhance its efficacy:
1. Mixing in better ciphers for AEAD. While AES-256 is great, its more so for raw encryption (keeping contents private vs. authenticating information) <— not to say that AES can't do a great job at this as well.
2. In particular, since we're dealing with data streams, xchacha20-poly1305 doesn't seem like a bad option.
Pending RFC for xChaCha20-Poly1305 = https://tools.ietf.org/html/draft-arciszewski-xchacha-00
—-
3. We're also working on upgrading the hashing algorithm (preferably implementing Argon2 as a drop-in replacement or, at the very least, swapping the PBKDF-256 algo for ssha-512 instead <— this is necessary because of the proliferation of Bitcoin miners that are out here capable of mining 110TH/s
The issue here is that the code authenticates some of the web client data to the fingerprint of the deployment (there are also some Web Crypto issues as well)
^^ These are not things that cannot be worked around, but they're still issues nonetheless.
*Edit* = Relevant code can be found here - https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-the-loading-message-not-go-away
Many have heard o this app - but if you haven't go ahead and take a look at their website here: https://privatebin.info/jsdoc/privatebin.js.html
—
Its already pretty well designed (we've peered all through the code).
Some of the things that we're working on now, however, to enhance its efficacy:
1. Mixing in better ciphers for AEAD. While AES-256 is great, its more so for raw encryption (keeping contents private vs. authenticating information) <— not to say that AES can't do a great job at this as well.
2. In particular, since we're dealing with data streams, xchacha20-poly1305 doesn't seem like a bad option.
Pending RFC for xChaCha20-Poly1305 = https://tools.ietf.org/html/draft-arciszewski-xchacha-00
—-
3. We're also working on upgrading the hashing algorithm (preferably implementing Argon2 as a drop-in replacement or, at the very least, swapping the PBKDF-256 algo for ssha-512 instead <— this is necessary because of the proliferation of Bitcoin miners that are out here capable of mining 110TH/s
The issue here is that the code authenticates some of the web client data to the fingerprint of the deployment (there are also some Web Crypto issues as well)
^^ These are not things that cannot be worked around, but they're still issues nonetheless.
*Edit* = Relevant code can be found here - https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-the-loading-message-not-go-away
GitHub
FAQ
A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES. - PrivateBin/PrivateBin
Read Command for Linux
Somewhat outdated, but its still entirely relevant to this channel - for those of you that may be running cryptographic operations in your terminal.
Links:
1. https://medium.com/@blackode/read-command-linux-shell-ee84a45591f5
2. https://www.geeksforgeeks.org/read-command-in-linux-with-examples/
3. https://linuxhandbook.com/read-command/
4. https://www.baeldung.com/linux/read-command
^^ All of these are great resources to read up on when it comes to the Linux 'read' command.
This is what you want to use in order to pipe in passwords on the terminal (versus typing them out directly).
For most UNIX OSes, they keep a pretty robust log of all of the commands run.
Somewhat outdated, but its still entirely relevant to this channel - for those of you that may be running cryptographic operations in your terminal.
Links:
1. https://medium.com/@blackode/read-command-linux-shell-ee84a45591f5
2. https://www.geeksforgeeks.org/read-command-in-linux-with-examples/
3. https://linuxhandbook.com/read-command/
4. https://www.baeldung.com/linux/read-command
^^ All of these are great resources to read up on when it comes to the Linux 'read' command.
This is what you want to use in order to pipe in passwords on the terminal (versus typing them out directly).
For most UNIX OSes, they keep a pretty robust log of all of the commands run.
Medium
Read Command Linux Shell
Reading is a good habit.
Argon2id
We've been doing a *ton* of work with Argon2id lately!
If you're not up to date on this password bashed hashing algorithm, then we'd recommend that you read up!
^^^ That doesn't mean that the most popular alternatives (i.e., ssha512 / ssha256) are inferior as solutions to Argon2 when it comes to password based hashing (there are other things that PBKDF / HMAC-based hash functions from the SHA family are superior in, we'll get to those thigns later)
Relevant Links & Resources:
1. Argon2 Specification = https://password-hashing.net/argon2-specs.pdf
2. Password Hashing Competition Winner (yes, this is a legitimate competition) = https://password-hashing.net/
3. Official GitHub for Argon2 = https://github.com/p-h-c/phc-winner-argon2
4. Another Great Git Repo for Argon2 (if you're going to visit the other, it only makes sense to check this one out as well) = https://github.com/antelle/argon2-browser
^^ *side note*: 'Keeweb' (open source password manager, been around 10+ years - very much trusted by the community) has already implemented a version of their password vault client (100% free, as always) that incorporates the Argon2 hash + salting algo.
The relevant code for that facet of its functionality can be found here:
https://github.com/keeweb/keeweb/blob/develop/app/noscripts/util/kdbxweb/kdbxweb-init.js#L11
We've been doing a *ton* of work with Argon2id lately!
If you're not up to date on this password bashed hashing algorithm, then we'd recommend that you read up!
^^^ That doesn't mean that the most popular alternatives (i.e., ssha512 / ssha256) are inferior as solutions to Argon2 when it comes to password based hashing (there are other things that PBKDF / HMAC-based hash functions from the SHA family are superior in, we'll get to those thigns later)
Relevant Links & Resources:
1. Argon2 Specification = https://password-hashing.net/argon2-specs.pdf
2. Password Hashing Competition Winner (yes, this is a legitimate competition) = https://password-hashing.net/
3. Official GitHub for Argon2 = https://github.com/p-h-c/phc-winner-argon2
4. Another Great Git Repo for Argon2 (if you're going to visit the other, it only makes sense to check this one out as well) = https://github.com/antelle/argon2-browser
^^ *side note*: 'Keeweb' (open source password manager, been around 10+ years - very much trusted by the community) has already implemented a version of their password vault client (100% free, as always) that incorporates the Argon2 hash + salting algo.
The relevant code for that facet of its functionality can be found here:
https://github.com/keeweb/keeweb/blob/develop/app/noscripts/util/kdbxweb/kdbxweb-init.js#L11
What's the Big Deal?
Many that aren't really familiar with cryptography often confuse hashing with encryption.
There is a marked difference between the two operations. As such, both functions require entirely different operations.
The cryptographic 'primitive' that you are probably most familiar with = SHA-256 (used in Bitcoin)
To be clear, there are no native encryption mechanisms for Bitcoin - so when we dig into the cryptography laced within its protocol we're working with someone of a 'deficit' (if we're to consider a privacy a desired solution)
^^ But we digress
—
SHA-Based Hash Algorithms Are Designed or Speed
Contrary to Argon2 (which is memory-intensive to a much greater extent than 'Scrypt') - SHA-based algorithms are designed to be optimized by hardware.
This may seem counterintuitive, but when in an environment where quickly hashing & validating information is of importance (i.e., 'live-time' encryption "on the fly" where hash algorithms are needed to rapidly assess the integrity of whatever assets are being transferred / obtained /etc.)
One example of an app that we have deployed (open source) where this means of hashing (plus authenticating data) is favorable vs. Argon2id = StandardNotes (encrypted, synced notes manager)
Link = https://standardnotes.org/
Every note created on the app has its own signature & the notes are encrypted + synced constantly in live time, so its critical that an effective hash algorithm can be deployed in this situation that allows for efficient authentication / verification.
Many that aren't really familiar with cryptography often confuse hashing with encryption.
There is a marked difference between the two operations. As such, both functions require entirely different operations.
The cryptographic 'primitive' that you are probably most familiar with = SHA-256 (used in Bitcoin)
To be clear, there are no native encryption mechanisms for Bitcoin - so when we dig into the cryptography laced within its protocol we're working with someone of a 'deficit' (if we're to consider a privacy a desired solution)
^^ But we digress
—
SHA-Based Hash Algorithms Are Designed or Speed
Contrary to Argon2 (which is memory-intensive to a much greater extent than 'Scrypt') - SHA-based algorithms are designed to be optimized by hardware.
This may seem counterintuitive, but when in an environment where quickly hashing & validating information is of importance (i.e., 'live-time' encryption "on the fly" where hash algorithms are needed to rapidly assess the integrity of whatever assets are being transferred / obtained /etc.)
One example of an app that we have deployed (open source) where this means of hashing (plus authenticating data) is favorable vs. Argon2id = StandardNotes (encrypted, synced notes manager)
Link = https://standardnotes.org/
Every note created on the app has its own signature & the notes are encrypted + synced constantly in live time, so its critical that an effective hash algorithm can be deployed in this situation that allows for efficient authentication / verification.
For Password-Based Algorithms You Want to Seek the Opposite
It goes without saying, but when it comes to securely storing one's password, whatever cryptographic primitives that are used to secure it should be:
A) Memory intensive (i.e., 'Argon2id' ; this is a variation of the Argon2 hash / salt scheme we've been discussing up to this point, but we'll get to that later)
B) Extensive to hash (even i this results in somewhat of a higher load for the hardware / chip that's going to need to ultimately run the cryptographic scheme in live time) .
We need to keep in mind that we don't need to access passwords that often. And, comparatively speaking, they're very tiny pieces of data (vs. the amount of encrypted data that must be encrypted + decrypted + synced back & forth continuously when it comes to ensuring StandardNotes continued functionality).
C) Encrypt, then MAC (in that order, specifically) = https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
This is age old wisdom handed down from the OGs of cryptography and math.
Pay heed.
D) Understand **what kind of mode you should be using if you're implementing AES encryption (yes, it does matter - substantially - in terms of both performance + security).
E)
It goes without saying, but when it comes to securely storing one's password, whatever cryptographic primitives that are used to secure it should be:
A) Memory intensive (i.e., 'Argon2id' ; this is a variation of the Argon2 hash / salt scheme we've been discussing up to this point, but we'll get to that later)
B) Extensive to hash (even i this results in somewhat of a higher load for the hardware / chip that's going to need to ultimately run the cryptographic scheme in live time) .
We need to keep in mind that we don't need to access passwords that often. And, comparatively speaking, they're very tiny pieces of data (vs. the amount of encrypted data that must be encrypted + decrypted + synced back & forth continuously when it comes to ensuring StandardNotes continued functionality).
C) Encrypt, then MAC (in that order, specifically) = https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
This is age old wisdom handed down from the OGs of cryptography and math.
Pay heed.
D) Understand **what kind of mode you should be using if you're implementing AES encryption (yes, it does matter - substantially - in terms of both performance + security).
E)
Libraries / Languages That Already Contain 'Out of the Box' Implementations For Argon2id
(keep in mind that if you're upgrading a system that is already in production use, you're going to lock yourself out by default (assuming that the salted and/or hashed version of your password is stored in data vs. the actual clear text, "raw" password that's used).
If you have a means of logging back in, then this is a trivial matter. However, if you don't then...
1. NodeJS Implementation = https://www.npmjs.com/package/argon2
2. Python Integration (for Argon2 ; among other algorithms) :
a. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
b. https://cryptobook.nakov.com/mac-and-key-derivation/argon2
3. Golang Implementation = https://godoc.org/golang.org/x/crypto/argon2
4. Java = https://github.com/phxql/argon2-jvm
5. Argon2 Rust Implementation = https://docs.rs/just-argon2/1.2.0/argon2/
6. php reference docs = https://www.php.net/manual/en/function.password-hash.php
—
Argon2 comes pre-packaged with php in versions 7.3 & aboe
(keep in mind that if you're upgrading a system that is already in production use, you're going to lock yourself out by default (assuming that the salted and/or hashed version of your password is stored in data vs. the actual clear text, "raw" password that's used).
If you have a means of logging back in, then this is a trivial matter. However, if you don't then...
1. NodeJS Implementation = https://www.npmjs.com/package/argon2
2. Python Integration (for Argon2 ; among other algorithms) :
a. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
b. https://cryptobook.nakov.com/mac-and-key-derivation/argon2
3. Golang Implementation = https://godoc.org/golang.org/x/crypto/argon2
4. Java = https://github.com/phxql/argon2-jvm
5. Argon2 Rust Implementation = https://docs.rs/just-argon2/1.2.0/argon2/
6. php reference docs = https://www.php.net/manual/en/function.password-hash.php
—
Argon2 comes pre-packaged with php in versions 7.3 & aboe
(peripherally related - some 'AJAX' coverage) — Inter-language Support for php Using 'AJAX'
If you need your cherry busted on this topic, go ahead and visit this link here = https://www.geeksforgeeks.org/php-json_encode-function/
—-
Relevance
When we were tweaking the 'PrivateBin' code to enhance the cryptographic primitives (partially for fun), one of the 'roadblocks' that we ran into was porting our php code and created environment variables into some of the 'javanoscript' packages that come pre-packaged with 'Private Bin'.
Obviously, if you're creating a noscript / config file that is written in a certain language (the suffix almost always gives that way), then it becomes damn near infeasible to run said code in a co-dependent manner.
There's certainly no way to 'authenticate' or 'meld' commands between languages "on the fly" - so this isn't something that we're going to consider entertaining for the time being.
*edit* = Here's a fairly thorough guide on how it works = https://www.w3resource.com/ajax/working-with-PHP-and-MySQL.php
If you need your cherry busted on this topic, go ahead and visit this link here = https://www.geeksforgeeks.org/php-json_encode-function/
—-
Relevance
When we were tweaking the 'PrivateBin' code to enhance the cryptographic primitives (partially for fun), one of the 'roadblocks' that we ran into was porting our php code and created environment variables into some of the 'javanoscript' packages that come pre-packaged with 'Private Bin'.
Obviously, if you're creating a noscript / config file that is written in a certain language (the suffix almost always gives that way), then it becomes damn near infeasible to run said code in a co-dependent manner.
There's certainly no way to 'authenticate' or 'meld' commands between languages "on the fly" - so this isn't something that we're going to consider entertaining for the time being.
*edit* = Here's a fairly thorough guide on how it works = https://www.w3resource.com/ajax/working-with-PHP-and-MySQL.php
GeeksforGeeks
PHP | json_encode() Function - GeeksforGeeks
A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.
More Relevant, Password-Based Hashing Resources
1. 'Reading Passwords From 'STDIN' in PHP' = https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 ; this was of particular importance for us because PrivateBin is built on php modules (so are many other apps - including our main web client)
^^^ This guide addresses how to create & pipe in commands using the 'password' variable (or another suitably secure alias for the command).
Obviously, Argon2 was our target algorithm here (which has yet to be depoyed fully in any of our solutions up to this point)
1. 'Reading Passwords From 'STDIN' in PHP' = https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 ; this was of particular importance for us because PrivateBin is built on php modules (so are many other apps - including our main web client)
^^^ This guide addresses how to create & pipe in commands using the 'password' variable (or another suitably secure alias for the command).
Obviously, Argon2 was our target algorithm here (which has yet to be depoyed fully in any of our solutions up to this point)
DEV Community
Reading Passwords from STDIN in PHP
I needed a PHP noscript to have access to a user's password. An environment variable didn't seem secure enough.
Php Documentation RE: Generating Argon2 Keys (plus validating / verifying said keys as well)
1. https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 (yes, this guide was on the previous post, but since it covers Argon2 + php , its extremely relevant once again [a couple of the commands may not have been correctly]
—— (official resources form the php website / code examples) ——
2. 'getpassword' function samples = https://hotexamples.com/examples/-/-/getpassword/php-getpassword-function-examples.html
3. Laravel Documentation re: hashing, in specific = https://laravel.com/docs/7.x/hashing
4. Documentation on php's website re: 'password_hash' command = https://www.php.net/manual/en/password.constants.php
(again, to be clear, the '7.3' base image is needed in order to leverage 'Argon2' functionality ([out of the box])
5. As a side note, there are plenty of other really potent cryptographic libraries that can accessed w little to no barriers to entry (assuming that your interests are actually rooted in cryptography, and not **cryptocurrency <— similar, but extremely different)
6. Php Main Cryptographic Modules Webpage = https://www.php.net/manual/en/refs.crypto.php [pretty extensive to say the least]
The 'libsodium + NaCL Libraries Are the 'Sweet Spots to Visit if you have a strong urge for leveraging high-powered cryptographic functions <— make sure that you read the cipher functions + algorithms respective guides & all other available information at your disposal to ensure that you're using these tools correctly. *
1. https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 (yes, this guide was on the previous post, but since it covers Argon2 + php , its extremely relevant once again [a couple of the commands may not have been correctly]
—— (official resources form the php website / code examples) ——
2. 'getpassword' function samples = https://hotexamples.com/examples/-/-/getpassword/php-getpassword-function-examples.html
3. Laravel Documentation re: hashing, in specific = https://laravel.com/docs/7.x/hashing
4. Documentation on php's website re: 'password_hash' command = https://www.php.net/manual/en/password.constants.php
(again, to be clear, the '7.3' base image is needed in order to leverage 'Argon2' functionality ([out of the box])
5. As a side note, there are plenty of other really potent cryptographic libraries that can accessed w little to no barriers to entry (assuming that your interests are actually rooted in cryptography, and not **cryptocurrency <— similar, but extremely different)
6. Php Main Cryptographic Modules Webpage = https://www.php.net/manual/en/refs.crypto.php [pretty extensive to say the least]
The 'libsodium + NaCL Libraries Are the 'Sweet Spots to Visit if you have a strong urge for leveraging high-powered cryptographic functions <— make sure that you read the cipher functions + algorithms respective guides & all other available information at your disposal to ensure that you're using these tools correctly. *