Skein
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727
2b. Attack in question was mentioned in this paper (published by the team ) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as we ll, but not the same iteration as w hat was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that SKein-1024 is the equivalent of 2^452
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein] = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727
2b. Attack in question was mentioned in this paper (published by the team ) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as we ll, but not the same iteration as w hat was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that SKein-1024 is the equivalent of 2^452
Cryptography Stack Exchange
Has threefish successfully been attacked (practically or theoretically)?
Reading Schneier's "The Doghouse: Crypteto" dated September 30, 2009, I noticed Bruce Schneier stating:
Threefish, the block cipher inside Skein, encrypts data at 7.6 clock cycles/byte with a 25...
Threefish, the block cipher inside Skein, encrypts data at 7.6 clock cycles/byte with a 25...
Minio + Nextcloud (marriage) = https://autoize.ch/minio-as-nextcloud-primary-storage/
Autoize Europe
Definitive Guide to using Minio as NextCloud Primary Storage | Autoize Europe
Minio is an on-premises object storage server that can be deployed as a Minio cluster (with local storage) or as a gateway to other object storage services with their own API such as Backblaze B2, Azure Blob Storage, and Google Cloud Storage. Because Minio…
1. Blake2b Information (straight from one of the creators of the hash algorithm itself) = https://crypto.stackexchange.com/questions/31674/what-advantages-does-keccak-sha-3-have-over-blake2
2. Catalog of hardware implementations for SHA3 competitors = ehash.iaik.tugraz.at/wiki/SHA-3_Hardware_Implementations#High-Speed_Implementations_.28ASIC.29
3. Catalog of Hash Functions = https://www.cs.rit.edu/~ark/662/module11/notes.shtml
4. Threefish McOE Mode =https://eprint.iacr.org/2011/644.pdf
5. Php Code for Implementing Argon2id = https://www.php.net/manual/en/function.password-hash.php
6. Argon2id Winner of the Password Hashing Competition =https://password-hashing.net/
Notably, password hashing is in a different category than 'regular' hash functions (for data) - like SHA-based functions.
2. Catalog of hardware implementations for SHA3 competitors = ehash.iaik.tugraz.at/wiki/SHA-3_Hardware_Implementations#High-Speed_Implementations_.28ASIC.29
3. Catalog of Hash Functions = https://www.cs.rit.edu/~ark/662/module11/notes.shtml
4. Threefish McOE Mode =https://eprint.iacr.org/2011/644.pdf
5. Php Code for Implementing Argon2id = https://www.php.net/manual/en/function.password-hash.php
6. Argon2id Winner of the Password Hashing Competition =https://password-hashing.net/
Notably, password hashing is in a different category than 'regular' hash functions (for data) - like SHA-based functions.
Cryptography Stack Exchange
What advantages does Keccak/SHA-3 have over BLAKE2?
Keccak/SHA-3 is new NIST standard for cryptographic hash functions. However, it is much slower than BLAKE2 in software implementations. Does Keccak have compensating advantages?
Internet Routing (RPKI) = https://rpki.readthedocs.io/en/latest/rpki/bgp-routing.html [this is a solution that we want to start looking toward in the near future to simply enhance security even more (at least w our website) to ensure that *correct*, non-hijacked routes are being taken in order to visit our site)
^^^ We're quite a bit aways from obtaining such an infrastructure.
^^^ We're quite a bit aways from obtaining such an infrastructure.
(there's a surprising amount of cryptography-related information that we need to disseminate in relation to what we've been working on, on the 'personal' side of things)
So, without further ado - let's get started.
So, without further ado - let's get started.
PrivateBin
Many have heard o this app - but if you haven't go ahead and take a look at their website here: https://privatebin.info/jsdoc/privatebin.js.html
—
Its already pretty well designed (we've peered all through the code).
Some of the things that we're working on now, however, to enhance its efficacy:
1. Mixing in better ciphers for AEAD. While AES-256 is great, its more so for raw encryption (keeping contents private vs. authenticating information) <— not to say that AES can't do a great job at this as well.
2. In particular, since we're dealing with data streams, xchacha20-poly1305 doesn't seem like a bad option.
Pending RFC for xChaCha20-Poly1305 = https://tools.ietf.org/html/draft-arciszewski-xchacha-00
—-
3. We're also working on upgrading the hashing algorithm (preferably implementing Argon2 as a drop-in replacement or, at the very least, swapping the PBKDF-256 algo for ssha-512 instead <— this is necessary because of the proliferation of Bitcoin miners that are out here capable of mining 110TH/s
The issue here is that the code authenticates some of the web client data to the fingerprint of the deployment (there are also some Web Crypto issues as well)
^^ These are not things that cannot be worked around, but they're still issues nonetheless.
*Edit* = Relevant code can be found here - https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-the-loading-message-not-go-away
Many have heard o this app - but if you haven't go ahead and take a look at their website here: https://privatebin.info/jsdoc/privatebin.js.html
—
Its already pretty well designed (we've peered all through the code).
Some of the things that we're working on now, however, to enhance its efficacy:
1. Mixing in better ciphers for AEAD. While AES-256 is great, its more so for raw encryption (keeping contents private vs. authenticating information) <— not to say that AES can't do a great job at this as well.
2. In particular, since we're dealing with data streams, xchacha20-poly1305 doesn't seem like a bad option.
Pending RFC for xChaCha20-Poly1305 = https://tools.ietf.org/html/draft-arciszewski-xchacha-00
—-
3. We're also working on upgrading the hashing algorithm (preferably implementing Argon2 as a drop-in replacement or, at the very least, swapping the PBKDF-256 algo for ssha-512 instead <— this is necessary because of the proliferation of Bitcoin miners that are out here capable of mining 110TH/s
The issue here is that the code authenticates some of the web client data to the fingerprint of the deployment (there are also some Web Crypto issues as well)
^^ These are not things that cannot be worked around, but they're still issues nonetheless.
*Edit* = Relevant code can be found here - https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-the-loading-message-not-go-away
GitHub
FAQ
A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES. - PrivateBin/PrivateBin
Read Command for Linux
Somewhat outdated, but its still entirely relevant to this channel - for those of you that may be running cryptographic operations in your terminal.
Links:
1. https://medium.com/@blackode/read-command-linux-shell-ee84a45591f5
2. https://www.geeksforgeeks.org/read-command-in-linux-with-examples/
3. https://linuxhandbook.com/read-command/
4. https://www.baeldung.com/linux/read-command
^^ All of these are great resources to read up on when it comes to the Linux 'read' command.
This is what you want to use in order to pipe in passwords on the terminal (versus typing them out directly).
For most UNIX OSes, they keep a pretty robust log of all of the commands run.
Somewhat outdated, but its still entirely relevant to this channel - for those of you that may be running cryptographic operations in your terminal.
Links:
1. https://medium.com/@blackode/read-command-linux-shell-ee84a45591f5
2. https://www.geeksforgeeks.org/read-command-in-linux-with-examples/
3. https://linuxhandbook.com/read-command/
4. https://www.baeldung.com/linux/read-command
^^ All of these are great resources to read up on when it comes to the Linux 'read' command.
This is what you want to use in order to pipe in passwords on the terminal (versus typing them out directly).
For most UNIX OSes, they keep a pretty robust log of all of the commands run.
Medium
Read Command Linux Shell
Reading is a good habit.
Argon2id
We've been doing a *ton* of work with Argon2id lately!
If you're not up to date on this password bashed hashing algorithm, then we'd recommend that you read up!
^^^ That doesn't mean that the most popular alternatives (i.e., ssha512 / ssha256) are inferior as solutions to Argon2 when it comes to password based hashing (there are other things that PBKDF / HMAC-based hash functions from the SHA family are superior in, we'll get to those thigns later)
Relevant Links & Resources:
1. Argon2 Specification = https://password-hashing.net/argon2-specs.pdf
2. Password Hashing Competition Winner (yes, this is a legitimate competition) = https://password-hashing.net/
3. Official GitHub for Argon2 = https://github.com/p-h-c/phc-winner-argon2
4. Another Great Git Repo for Argon2 (if you're going to visit the other, it only makes sense to check this one out as well) = https://github.com/antelle/argon2-browser
^^ *side note*: 'Keeweb' (open source password manager, been around 10+ years - very much trusted by the community) has already implemented a version of their password vault client (100% free, as always) that incorporates the Argon2 hash + salting algo.
The relevant code for that facet of its functionality can be found here:
https://github.com/keeweb/keeweb/blob/develop/app/noscripts/util/kdbxweb/kdbxweb-init.js#L11
We've been doing a *ton* of work with Argon2id lately!
If you're not up to date on this password bashed hashing algorithm, then we'd recommend that you read up!
^^^ That doesn't mean that the most popular alternatives (i.e., ssha512 / ssha256) are inferior as solutions to Argon2 when it comes to password based hashing (there are other things that PBKDF / HMAC-based hash functions from the SHA family are superior in, we'll get to those thigns later)
Relevant Links & Resources:
1. Argon2 Specification = https://password-hashing.net/argon2-specs.pdf
2. Password Hashing Competition Winner (yes, this is a legitimate competition) = https://password-hashing.net/
3. Official GitHub for Argon2 = https://github.com/p-h-c/phc-winner-argon2
4. Another Great Git Repo for Argon2 (if you're going to visit the other, it only makes sense to check this one out as well) = https://github.com/antelle/argon2-browser
^^ *side note*: 'Keeweb' (open source password manager, been around 10+ years - very much trusted by the community) has already implemented a version of their password vault client (100% free, as always) that incorporates the Argon2 hash + salting algo.
The relevant code for that facet of its functionality can be found here:
https://github.com/keeweb/keeweb/blob/develop/app/noscripts/util/kdbxweb/kdbxweb-init.js#L11
What's the Big Deal?
Many that aren't really familiar with cryptography often confuse hashing with encryption.
There is a marked difference between the two operations. As such, both functions require entirely different operations.
The cryptographic 'primitive' that you are probably most familiar with = SHA-256 (used in Bitcoin)
To be clear, there are no native encryption mechanisms for Bitcoin - so when we dig into the cryptography laced within its protocol we're working with someone of a 'deficit' (if we're to consider a privacy a desired solution)
^^ But we digress
—
SHA-Based Hash Algorithms Are Designed or Speed
Contrary to Argon2 (which is memory-intensive to a much greater extent than 'Scrypt') - SHA-based algorithms are designed to be optimized by hardware.
This may seem counterintuitive, but when in an environment where quickly hashing & validating information is of importance (i.e., 'live-time' encryption "on the fly" where hash algorithms are needed to rapidly assess the integrity of whatever assets are being transferred / obtained /etc.)
One example of an app that we have deployed (open source) where this means of hashing (plus authenticating data) is favorable vs. Argon2id = StandardNotes (encrypted, synced notes manager)
Link = https://standardnotes.org/
Every note created on the app has its own signature & the notes are encrypted + synced constantly in live time, so its critical that an effective hash algorithm can be deployed in this situation that allows for efficient authentication / verification.
Many that aren't really familiar with cryptography often confuse hashing with encryption.
There is a marked difference between the two operations. As such, both functions require entirely different operations.
The cryptographic 'primitive' that you are probably most familiar with = SHA-256 (used in Bitcoin)
To be clear, there are no native encryption mechanisms for Bitcoin - so when we dig into the cryptography laced within its protocol we're working with someone of a 'deficit' (if we're to consider a privacy a desired solution)
^^ But we digress
—
SHA-Based Hash Algorithms Are Designed or Speed
Contrary to Argon2 (which is memory-intensive to a much greater extent than 'Scrypt') - SHA-based algorithms are designed to be optimized by hardware.
This may seem counterintuitive, but when in an environment where quickly hashing & validating information is of importance (i.e., 'live-time' encryption "on the fly" where hash algorithms are needed to rapidly assess the integrity of whatever assets are being transferred / obtained /etc.)
One example of an app that we have deployed (open source) where this means of hashing (plus authenticating data) is favorable vs. Argon2id = StandardNotes (encrypted, synced notes manager)
Link = https://standardnotes.org/
Every note created on the app has its own signature & the notes are encrypted + synced constantly in live time, so its critical that an effective hash algorithm can be deployed in this situation that allows for efficient authentication / verification.
For Password-Based Algorithms You Want to Seek the Opposite
It goes without saying, but when it comes to securely storing one's password, whatever cryptographic primitives that are used to secure it should be:
A) Memory intensive (i.e., 'Argon2id' ; this is a variation of the Argon2 hash / salt scheme we've been discussing up to this point, but we'll get to that later)
B) Extensive to hash (even i this results in somewhat of a higher load for the hardware / chip that's going to need to ultimately run the cryptographic scheme in live time) .
We need to keep in mind that we don't need to access passwords that often. And, comparatively speaking, they're very tiny pieces of data (vs. the amount of encrypted data that must be encrypted + decrypted + synced back & forth continuously when it comes to ensuring StandardNotes continued functionality).
C) Encrypt, then MAC (in that order, specifically) = https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
This is age old wisdom handed down from the OGs of cryptography and math.
Pay heed.
D) Understand **what kind of mode you should be using if you're implementing AES encryption (yes, it does matter - substantially - in terms of both performance + security).
E)
It goes without saying, but when it comes to securely storing one's password, whatever cryptographic primitives that are used to secure it should be:
A) Memory intensive (i.e., 'Argon2id' ; this is a variation of the Argon2 hash / salt scheme we've been discussing up to this point, but we'll get to that later)
B) Extensive to hash (even i this results in somewhat of a higher load for the hardware / chip that's going to need to ultimately run the cryptographic scheme in live time) .
We need to keep in mind that we don't need to access passwords that often. And, comparatively speaking, they're very tiny pieces of data (vs. the amount of encrypted data that must be encrypted + decrypted + synced back & forth continuously when it comes to ensuring StandardNotes continued functionality).
C) Encrypt, then MAC (in that order, specifically) = https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
This is age old wisdom handed down from the OGs of cryptography and math.
Pay heed.
D) Understand **what kind of mode you should be using if you're implementing AES encryption (yes, it does matter - substantially - in terms of both performance + security).
E)
Libraries / Languages That Already Contain 'Out of the Box' Implementations For Argon2id
(keep in mind that if you're upgrading a system that is already in production use, you're going to lock yourself out by default (assuming that the salted and/or hashed version of your password is stored in data vs. the actual clear text, "raw" password that's used).
If you have a means of logging back in, then this is a trivial matter. However, if you don't then...
1. NodeJS Implementation = https://www.npmjs.com/package/argon2
2. Python Integration (for Argon2 ; among other algorithms) :
a. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
b. https://cryptobook.nakov.com/mac-and-key-derivation/argon2
3. Golang Implementation = https://godoc.org/golang.org/x/crypto/argon2
4. Java = https://github.com/phxql/argon2-jvm
5. Argon2 Rust Implementation = https://docs.rs/just-argon2/1.2.0/argon2/
6. php reference docs = https://www.php.net/manual/en/function.password-hash.php
—
Argon2 comes pre-packaged with php in versions 7.3 & aboe
(keep in mind that if you're upgrading a system that is already in production use, you're going to lock yourself out by default (assuming that the salted and/or hashed version of your password is stored in data vs. the actual clear text, "raw" password that's used).
If you have a means of logging back in, then this is a trivial matter. However, if you don't then...
1. NodeJS Implementation = https://www.npmjs.com/package/argon2
2. Python Integration (for Argon2 ; among other algorithms) :
a. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
b. https://cryptobook.nakov.com/mac-and-key-derivation/argon2
3. Golang Implementation = https://godoc.org/golang.org/x/crypto/argon2
4. Java = https://github.com/phxql/argon2-jvm
5. Argon2 Rust Implementation = https://docs.rs/just-argon2/1.2.0/argon2/
6. php reference docs = https://www.php.net/manual/en/function.password-hash.php
—
Argon2 comes pre-packaged with php in versions 7.3 & aboe
(peripherally related - some 'AJAX' coverage) — Inter-language Support for php Using 'AJAX'
If you need your cherry busted on this topic, go ahead and visit this link here = https://www.geeksforgeeks.org/php-json_encode-function/
—-
Relevance
When we were tweaking the 'PrivateBin' code to enhance the cryptographic primitives (partially for fun), one of the 'roadblocks' that we ran into was porting our php code and created environment variables into some of the 'javanoscript' packages that come pre-packaged with 'Private Bin'.
Obviously, if you're creating a noscript / config file that is written in a certain language (the suffix almost always gives that way), then it becomes damn near infeasible to run said code in a co-dependent manner.
There's certainly no way to 'authenticate' or 'meld' commands between languages "on the fly" - so this isn't something that we're going to consider entertaining for the time being.
*edit* = Here's a fairly thorough guide on how it works = https://www.w3resource.com/ajax/working-with-PHP-and-MySQL.php
If you need your cherry busted on this topic, go ahead and visit this link here = https://www.geeksforgeeks.org/php-json_encode-function/
—-
Relevance
When we were tweaking the 'PrivateBin' code to enhance the cryptographic primitives (partially for fun), one of the 'roadblocks' that we ran into was porting our php code and created environment variables into some of the 'javanoscript' packages that come pre-packaged with 'Private Bin'.
Obviously, if you're creating a noscript / config file that is written in a certain language (the suffix almost always gives that way), then it becomes damn near infeasible to run said code in a co-dependent manner.
There's certainly no way to 'authenticate' or 'meld' commands between languages "on the fly" - so this isn't something that we're going to consider entertaining for the time being.
*edit* = Here's a fairly thorough guide on how it works = https://www.w3resource.com/ajax/working-with-PHP-and-MySQL.php
GeeksforGeeks
PHP | json_encode() Function - GeeksforGeeks
A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.
More Relevant, Password-Based Hashing Resources
1. 'Reading Passwords From 'STDIN' in PHP' = https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 ; this was of particular importance for us because PrivateBin is built on php modules (so are many other apps - including our main web client)
^^^ This guide addresses how to create & pipe in commands using the 'password' variable (or another suitably secure alias for the command).
Obviously, Argon2 was our target algorithm here (which has yet to be depoyed fully in any of our solutions up to this point)
1. 'Reading Passwords From 'STDIN' in PHP' = https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 ; this was of particular importance for us because PrivateBin is built on php modules (so are many other apps - including our main web client)
^^^ This guide addresses how to create & pipe in commands using the 'password' variable (or another suitably secure alias for the command).
Obviously, Argon2 was our target algorithm here (which has yet to be depoyed fully in any of our solutions up to this point)
DEV Community
Reading Passwords from STDIN in PHP
I needed a PHP noscript to have access to a user's password. An environment variable didn't seem secure enough.
Php Documentation RE: Generating Argon2 Keys (plus validating / verifying said keys as well)
1. https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 (yes, this guide was on the previous post, but since it covers Argon2 + php , its extremely relevant once again [a couple of the commands may not have been correctly]
—— (official resources form the php website / code examples) ——
2. 'getpassword' function samples = https://hotexamples.com/examples/-/-/getpassword/php-getpassword-function-examples.html
3. Laravel Documentation re: hashing, in specific = https://laravel.com/docs/7.x/hashing
4. Documentation on php's website re: 'password_hash' command = https://www.php.net/manual/en/password.constants.php
(again, to be clear, the '7.3' base image is needed in order to leverage 'Argon2' functionality ([out of the box])
5. As a side note, there are plenty of other really potent cryptographic libraries that can accessed w little to no barriers to entry (assuming that your interests are actually rooted in cryptography, and not **cryptocurrency <— similar, but extremely different)
6. Php Main Cryptographic Modules Webpage = https://www.php.net/manual/en/refs.crypto.php [pretty extensive to say the least]
The 'libsodium + NaCL Libraries Are the 'Sweet Spots to Visit if you have a strong urge for leveraging high-powered cryptographic functions <— make sure that you read the cipher functions + algorithms respective guides & all other available information at your disposal to ensure that you're using these tools correctly. *
1. https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 (yes, this guide was on the previous post, but since it covers Argon2 + php , its extremely relevant once again [a couple of the commands may not have been correctly]
—— (official resources form the php website / code examples) ——
2. 'getpassword' function samples = https://hotexamples.com/examples/-/-/getpassword/php-getpassword-function-examples.html
3. Laravel Documentation re: hashing, in specific = https://laravel.com/docs/7.x/hashing
4. Documentation on php's website re: 'password_hash' command = https://www.php.net/manual/en/password.constants.php
(again, to be clear, the '7.3' base image is needed in order to leverage 'Argon2' functionality ([out of the box])
5. As a side note, there are plenty of other really potent cryptographic libraries that can accessed w little to no barriers to entry (assuming that your interests are actually rooted in cryptography, and not **cryptocurrency <— similar, but extremely different)
6. Php Main Cryptographic Modules Webpage = https://www.php.net/manual/en/refs.crypto.php [pretty extensive to say the least]
The 'libsodium + NaCL Libraries Are the 'Sweet Spots to Visit if you have a strong urge for leveraging high-powered cryptographic functions <— make sure that you read the cipher functions + algorithms respective guides & all other available information at your disposal to ensure that you're using these tools correctly. *
Continuing On (we weren't done earlier - and there are a lot of tabs that we simply want to close to clear room for other tasks)
*Another Note About 'PrivateBin'*
If you're looking to configure PrivateBin, here is their Git = https://github.com/PrivateBin/ ; specifically, their code provides all information necessary for users that are looking to tweak its settings (we're referring to adjustments to the cryptographic signatures). As a recommendation: Do not tweak the initial sha-256 signatures in the privatebin.js file or you will most likely break your app. We will provide a guide soon (on the confirmation + guidance of the PrivateBin team) that gives greater detail on what adjustments can be made to PrivateBin's source code to enhance the cryptographic primitives w/o undermining the app's setup.
*Another Note About 'PrivateBin'*
If you're looking to configure PrivateBin, here is their Git = https://github.com/PrivateBin/ ; specifically, their code provides all information necessary for users that are looking to tweak its settings (we're referring to adjustments to the cryptographic signatures). As a recommendation: Do not tweak the initial sha-256 signatures in the privatebin.js file or you will most likely break your app. We will provide a guide soon (on the confirmation + guidance of the PrivateBin team) that gives greater detail on what adjustments can be made to PrivateBin's source code to enhance the cryptographic primitives w/o undermining the app's setup.
Importance of OpenSSL (part 1)
If you're using a modern desktop (laptop , too) computer that's not running OpenBSD or some obscure form of Linux, then your computer most likely comes with 'openssl' packaged by default.
*'What is open OpenSSL?'*
OpenSSL is a software is a software package, written in 'C', that contains an expansive suite of cryptographic ciphers, digests, encryption mechanisms, and other commands that utilize or interact with cryptography in some facet.
Its most common usage is enabling the processing of various cryptographic primitives in our browser (that we may not pay attention to), such as:
A) Assessing whether a website has a 'secure' certificate or not [this is what enables your browser to assess website certificates + your SSL connection strength to other sites; which is an extremely important process for users & general user security]
B) Connecting & establishing a secure connection with various websites (with any level of cryptographic strength at all) ; this is a critical facet of the 'handshake' process that's classically included in TLS
C) Running any sort of cryptographic operation on our computers for things such as storing user passwords / generating or verifying checksums / etc.
D) This goes w/o saying (probably) - but if you're a blockchain user and you're using software that generates your wallet's keys client side (which it absolutely should be), then it is more than likely that openssl is interfaced in order to process and compute the cryptographic operations necessary there as well
—
There are obviously several other very noteworthy and critical crypto libraries, such as:
1. 'WebCrypto API' = Comes pre-packaged in Firefox + Chrome. is meant to provide capability for performing cryptographic operations in the browser (client side) ; this is part of what makes such a thing possible. Well written web apps will insert functions that are designed to call upon this functionality in one's browser in order to generate / utilize / utilize data provided or extracted from certain cryptographic operations that logic dictates should not be performed server side.
2. GPG = GPG comes equipped with its own library. It also benefits from (a solid explanation of its cryptographic properties is broken down here: https://hashrocket.com/blog/posts/encryption-with-gpg-a-story-really-a-tutorial) ; there are certain complementary cryptographic libraries that can be utilized by gpg via API though, such as:
a.) 'libgcrypt' (url = https://gnupg.org/software/libgcrypt/index.html)
b.) 'ntbtls' (url =https://gnupg.org/software/ntbtls/index.html)
there are other popular implementations listed on GnuPG's actual website, which users can look up at their leisure.
If you're using a modern desktop (laptop , too) computer that's not running OpenBSD or some obscure form of Linux, then your computer most likely comes with 'openssl' packaged by default.
*'What is open OpenSSL?'*
OpenSSL is a software is a software package, written in 'C', that contains an expansive suite of cryptographic ciphers, digests, encryption mechanisms, and other commands that utilize or interact with cryptography in some facet.
Its most common usage is enabling the processing of various cryptographic primitives in our browser (that we may not pay attention to), such as:
A) Assessing whether a website has a 'secure' certificate or not [this is what enables your browser to assess website certificates + your SSL connection strength to other sites; which is an extremely important process for users & general user security]
B) Connecting & establishing a secure connection with various websites (with any level of cryptographic strength at all) ; this is a critical facet of the 'handshake' process that's classically included in TLS
C) Running any sort of cryptographic operation on our computers for things such as storing user passwords / generating or verifying checksums / etc.
D) This goes w/o saying (probably) - but if you're a blockchain user and you're using software that generates your wallet's keys client side (which it absolutely should be), then it is more than likely that openssl is interfaced in order to process and compute the cryptographic operations necessary there as well
—
There are obviously several other very noteworthy and critical crypto libraries, such as:
1. 'WebCrypto API' = Comes pre-packaged in Firefox + Chrome. is meant to provide capability for performing cryptographic operations in the browser (client side) ; this is part of what makes such a thing possible. Well written web apps will insert functions that are designed to call upon this functionality in one's browser in order to generate / utilize / utilize data provided or extracted from certain cryptographic operations that logic dictates should not be performed server side.
2. GPG = GPG comes equipped with its own library. It also benefits from (a solid explanation of its cryptographic properties is broken down here: https://hashrocket.com/blog/posts/encryption-with-gpg-a-story-really-a-tutorial) ; there are certain complementary cryptographic libraries that can be utilized by gpg via API though, such as:
a.) 'libgcrypt' (url = https://gnupg.org/software/libgcrypt/index.html)
b.) 'ntbtls' (url =https://gnupg.org/software/ntbtls/index.html)
there are other popular implementations listed on GnuPG's actual website, which users can look up at their leisure.
Hashrocket
Encryption with gpg, a story (really, a tutorial)
GPG is a compatible replacement of PGP. That, in and of itself, is confusing.
Importance of OpenSSL (pt. 2)
Since OpenSSL is the default implementation for most operating systems, out of the box, developers must remain cognizant of its capabilities at various junctures in order to maintain compatibility (i.e., allow users to actually use whatever app / service / program that they're developing).
Below is a Miniature 'Cheat Sheet' For OpenSSL (to be ran on command line ; if you're unsure about how to do this, consider joining @librecodes) [when we provide the example commands to run in the terminal to provide certain information, we wrap them in apostrophes '' ; if you are going to run these commands, make sure to remove the apostrophes!!!]
1. Command that you run to see which version of OpenSSL is installed on Your OS:
'openssl version -a' ; this will generate a bunch of output, but the most relevant bit (for checking versioning) is the very first part of said output
2. Command to List All Packaged Cipher Algorithms Included in Your Version of OpenSSL:
'openssl list -cipher-algorithms'
3. Command to List All ECC Curves Packaged With Your Version of OpenSSL:
'openssl ecparam -list_curves'
4. OpenSSL Command to List All Digest Algorithms:
'openssl list -digest-algorithms'
5. OpenSSL Command to List All Digest Commands (yes, different than the algorithms with a wholly different list provided):
'openssl list -digest-commands'
6. OpenSSL Command to List All Cipher Algorithms:
'openssl list -cipher-algorithms'
Other useful command parameters built into OpenSSL are (must be ran with an argument of some sort, obviously):
1. 'prime' = for computing prime numbers
2. 'rand' = generating pseudo-random bytes
3. 's_client' = fed to openssl as a command with appended arguments (most popular = 'connect' flag [-connect]) that can be ran against domain names or IP names (with an accomanying port) for opsec / osint / sysadmin / pentesting / simple intel or 'for-fun' purposes. Highly useful & built into the s_client
4. 'x509' = Command must be ran for various CA operations (whether for a self-signed cert or otherwise)
All of the above information was extracted from OpenSSL's online man pages, found here = https://wiki.openssl.org/index.php/Command_Line_Utilities
Since OpenSSL is the default implementation for most operating systems, out of the box, developers must remain cognizant of its capabilities at various junctures in order to maintain compatibility (i.e., allow users to actually use whatever app / service / program that they're developing).
Below is a Miniature 'Cheat Sheet' For OpenSSL (to be ran on command line ; if you're unsure about how to do this, consider joining @librecodes) [when we provide the example commands to run in the terminal to provide certain information, we wrap them in apostrophes '' ; if you are going to run these commands, make sure to remove the apostrophes!!!]
1. Command that you run to see which version of OpenSSL is installed on Your OS:
'openssl version -a' ; this will generate a bunch of output, but the most relevant bit (for checking versioning) is the very first part of said output
2. Command to List All Packaged Cipher Algorithms Included in Your Version of OpenSSL:
'openssl list -cipher-algorithms'
3. Command to List All ECC Curves Packaged With Your Version of OpenSSL:
'openssl ecparam -list_curves'
4. OpenSSL Command to List All Digest Algorithms:
'openssl list -digest-algorithms'
5. OpenSSL Command to List All Digest Commands (yes, different than the algorithms with a wholly different list provided):
'openssl list -digest-commands'
6. OpenSSL Command to List All Cipher Algorithms:
'openssl list -cipher-algorithms'
Other useful command parameters built into OpenSSL are (must be ran with an argument of some sort, obviously):
1. 'prime' = for computing prime numbers
2. 'rand' = generating pseudo-random bytes
3. 's_client' = fed to openssl as a command with appended arguments (most popular = 'connect' flag [-connect]) that can be ran against domain names or IP names (with an accomanying port) for opsec / osint / sysadmin / pentesting / simple intel or 'for-fun' purposes. Highly useful & built into the s_client
4. 'x509' = Command must be ran for various CA operations (whether for a self-signed cert or otherwise)
All of the above information was extracted from OpenSSL's online man pages, found here = https://wiki.openssl.org/index.php/Command_Line_Utilities
Jumble Password [Tool]
A tool (npm-based) with one simple purpose: Provide randomly generated passwords
source code (github repo) found here: https://github.com/theIYD/jumble-password
A tool (npm-based) with one simple purpose: Provide randomly generated passwords
source code (github repo) found here: https://github.com/theIYD/jumble-password
GitHub
theIYD/jumble-password
🔐 A tiny tool to create unique id's or passwords. Contribute to theIYD/jumble-password development by creating an account on GitHub.
'8gWifi': Site with Some Good Cryptography Tools on it
Here's the link = https://8gwifi.org/docs/ ; nothing mind blowing, but seems to be pretty useful if you need a reference point for some functions or ... whatever else you may be using these operations for.
Here's the link = https://8gwifi.org/docs/ ; nothing mind blowing, but seems to be pretty useful if you need a reference point for some functions or ... whatever else you may be using these operations for.
8gwifi.org
PKI Introduction X.509,CRL
pki concepts, Certification Authority (CA),Registration Authority (RA),PKI Users,PKI Architecture, openssl Generating hierarchical CA structure, PKI Data Structure,X.509 certificates, CRL, Implement CERTIFICATION REVOCATION LIST, Adding CRL distribution point
Chef Crypto (hosted by us)
url = https://chefcrypto.librehash.com
If you're familiar with GCHQ (who isn't?), then you're probably aware of the cryptography-based suite that the released to the public a little while ago.
Its called, 'Crypto Chef'.
Its a cool little html / js "crypto chef" platform that provides a GUI for a slew of operations.
*Example*
Suppose you wanted to hash some input using Shake256. Then encrypt that output using AES256, GCM mode (just throwing out something random here) - you can do that on this site.
Goes w/o saying that the results generated from any operations performed on the site should not be used in a production setting. The link to GCHQ's GitHub page is provided at the URL itself & the code (as we have it deployed) is unaltered.
We'd like to start working on getting some subresource integrities together in the near future though + some pre-setup 'recipes' that users can throw in to this webapp to get a better 'visual' for how vaious cryptograhic operations are performed.
Enjoy.
url = https://chefcrypto.librehash.com
If you're familiar with GCHQ (who isn't?), then you're probably aware of the cryptography-based suite that the released to the public a little while ago.
Its called, 'Crypto Chef'.
Its a cool little html / js "crypto chef" platform that provides a GUI for a slew of operations.
*Example*
Suppose you wanted to hash some input using Shake256. Then encrypt that output using AES256, GCM mode (just throwing out something random here) - you can do that on this site.
Goes w/o saying that the results generated from any operations performed on the site should not be used in a production setting. The link to GCHQ's GitHub page is provided at the URL itself & the code (as we have it deployed) is unaltered.
We'd like to start working on getting some subresource integrities together in the near future though + some pre-setup 'recipes' that users can throw in to this webapp to get a better 'visual' for how vaious cryptograhic operations are performed.
Enjoy.
EC-384 Certificates? Maybe? Yes? No?
Here's an entry on Namecheap's website regarding supposed ec-384 certificates users can purchase
https://www.namecheap.com/support/knowledgebase/article.aspx/9504/38/how-do-i-get-an-ecc-certificate-via-namecheap
This is being shared here because most of us in this world have made chosen to go the financially fiscal route for obtaining + deploying certificates (LetsEncrypt).
Unfortunately, 'LetsEncrypt' still uses an intermediate C.A. that signs keys with an RSA private key (its 4096-bit, so not a major security drawback).
Obviously with ECC being all the rage (despite people wishing Edwards' Curves were), there's been a major shift in the industry over the past few years to begin adopting ECC-standards in cryptography based products.
Unable to Locate the EC-Strength Cerificates
Namecheap claims that these certificates are provided for by Comodo, but we were unable to find them on their site (namecheap) or via Comod's site either.
Admittedly, we didn't dig incredibly hard for them, but we'll try to remember to follow up on this and ask their sales reps about this.
The world of 'paid' for certificates is super gimmicky & commercialized (and this feels like something that shouldn't be...for some reason), but hey — its the best 'trust' system that we have at our disposals for right now.
Here's an entry on Namecheap's website regarding supposed ec-384 certificates users can purchase
https://www.namecheap.com/support/knowledgebase/article.aspx/9504/38/how-do-i-get-an-ecc-certificate-via-namecheap
This is being shared here because most of us in this world have made chosen to go the financially fiscal route for obtaining + deploying certificates (LetsEncrypt).
Unfortunately, 'LetsEncrypt' still uses an intermediate C.A. that signs keys with an RSA private key (its 4096-bit, so not a major security drawback).
Obviously with ECC being all the rage (despite people wishing Edwards' Curves were), there's been a major shift in the industry over the past few years to begin adopting ECC-standards in cryptography based products.
Unable to Locate the EC-Strength Cerificates
Namecheap claims that these certificates are provided for by Comodo, but we were unable to find them on their site (namecheap) or via Comod's site either.
Admittedly, we didn't dig incredibly hard for them, but we'll try to remember to follow up on this and ask their sales reps about this.
The world of 'paid' for certificates is super gimmicky & commercialized (and this feels like something that shouldn't be...for some reason), but hey — its the best 'trust' system that we have at our disposals for right now.
Namecheap
How do I get an ECC certificate via Namecheap? - SSL Certificates - Namecheap.com
Learn more about How do I get an ECC certificate via Namecheap?. Find your answers at Namecheap Knowledge Base.