Security notes / Unsorted
Nonce
Challenge/response
JSON Web Signature, Encryption, Tokens
GSSAPI notes
GSSAPI (Generic Security Services API) is an IETF standard that makes it easier for varied software to expose and use one API for strong authentication, independent of the underlying mechanism.
It also allows various other auth mechanisms to be plugged in behind it, though in practice Kerberos is the common one.
NaCl
There are two security related things called NaCl, which are completely unrelated to each other.
(There are also other things named after salt, such as the automation software Salt, a.k.a. SaltStack.)
NaCl as in libsodium
Google NaCl
Side notes
Asymmetric vs. symmetric keys
Some systems have a single key that is used both to encrypt and to decrypt, which we call symmetric encryption.
Yes, it allows encryption in both directions.
But only if both parties trust each other mutually.
Everyone holding that one key can do all the writing and all the reading of messages, so the key must stay secret -- but if you never really trusted the other party, then arguably it never was.
If that key ever gets leaked elsewhere, accidentally or on purpose,
- being able to write messages now probably means 'impersonating any party involved',
- and being able to read messages potentially means 'reading all messages, past and future'.
Sharing the same key between more than two parties is only as strong as the weakest link.
In some ways, two is usually the limit you would prefer.
Public-private keys have upsides beyond fixing this, but in many situations this is the main thing:
the strength of the encryption itself can be entirely secondary to the fact that you don't hand out all abilities from the get-go.
Consider:
- only the holder of the private key can write (sign) messages
- anyone holding the public key can read (verify) them
- given the public key of someone's (public, private) keypair, it is computationally infeasible to calculate the private one
...which is why it isn't a problem to hand out the public key.
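The impersonation point above, as an added example (not from the original notes): with a shared HMAC key, a peer can produce a tag the other side accepts as genuine, whereas with a keypair the public key can only verify. The RSA keypair is a constructed textbook demo from two Mersenne primes with no padding, used only to make the asymmetry visible, not as a production signing scheme.

```python
import hashlib
import hmac
import secrets

# --- Symmetric: one shared secret; every holder can produce AND check tags ---
def sym_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC over msg; anyone holding `key` can compute this."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def sym_check(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sym_tag(key, msg), tag)

# --- Asymmetric: textbook RSA signature over a short hash (demo values only) ---
P = 2**61 - 1          # constructed demo primes; real keys are far larger
Q = 2**89 - 1
E = 65537

def make_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
    return (n, E), (n, d)               # (public, private)

def _digest_int(msg: bytes) -> int:
    # 128-bit digest stays below n (about 150 bits), so no padding is needed here
    return int.from_bytes(hashlib.blake2b(msg, digest_size=16).digest(), "big")

def sign(private, msg: bytes) -> int:
    n, d = private
    return pow(_digest_int(msg), d, n)

def verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_int(msg)

def shared_key_lets_peer_forge() -> bool:
    """Bob holds the same key as Alice, so he can tag a message 'from Alice'."""
    key = secrets.token_bytes(32)                    # shared by both parties
    forged = b"transfer 100 to bob -- signed, alice"  # constructed message
    tag = sym_tag(key, forged)                       # Bob computes it himself
    return sym_check(key, forged, tag)               # Alice's check accepts it

def public_key_cannot_forge() -> bool:
    """Bob holds only Alice's public key; using it as a signing key fails."""
    pub, priv = make_keypair()
    msg = b"transfer 100 to bob -- signed, alice"
    genuine = sign(priv, msg)
    n, e = pub
    attempt = pow(_digest_int(msg), e, n)            # best Bob can do with pub
    return verify(pub, msg, genuine) and not verify(pub, msg, attempt)
```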