Difference between revisions of "Security notes / Unsorted"

From Helpful
m (Is it important to use a password manager?)
m
 
Line 52: Line 52:
 
: you've moved the point of possible corruptibility, not removed it
 
: you've moved the point of possible corruptibility, not removed it
  
 +
-->
 +
 +
==Challenge/response==
 +
 +
<!--
 +
Challenge-response authentication, most broadly, is an answer to a question.
 +
Like asking for a password, and giving that password,
 +
but the term is often used for systems that avoid repeating a secret in communication.
 +
 +
 +
One way of doing this is to keep the method of calculating the response secret.
 +
This works decently, but with enough snooped examples people may guess said method.
 +
 +
It's also not a great idea when the device doing this can not be kept secret.
 +
For example, if it's software, it can probably be reverse engineered.
 +
 +
So it's handier to have a system where knowing the method does nothing to
 +
make guessing the response simpler.
 +
 +
 +
 +
For example, a login system where you use the idea of a password,
 +
but want to avoid sending the password, or a hash of that password, might be:
 +
* Server gives you randomly generated text (a nonce)
 +
* Server expects hash(thattext+password) back
 +
 +
Because both sides know this, both sides can calculate that,
 +
and verify that they both know the same secret (called a password).
 +
 +
Using a nonce also avoids some basic replay attacks.
 
-->
 
-->
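Review bot: the step "Server expects hash(thattext+password) back" implies the server must keep the password itself (or something equivalent to it) to recompute the response, so the scheme trades the wire-exposure problem for a storage one: a server-side compromise yields password-equivalents directly, unlike a salted-hash store. The note would be more accurate if it said the response is normally a keyed hash (an HMAC over the nonce, keyed with a password-derived key) rather than a plain hash over the concatenation, and that "both sides can calculate that" only holds because the server retains that key. The replay claim in the last line also depends on the nonce being unpredictable and used exactly once; "randomly generated text" should say so explicitly, since a reused or guessable nonce makes a captured response reusable.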

Latest revision as of 23:00, 2 April 2020

Security related stuff.


This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


Is it important to use a password manager?

"Is it important to use a VPN?"

Challenge/response
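The nonce-based login the Challenge/response notes describe, as an added example that is not part of the original page: the server issues a random nonce, the client returns hash(nonce + password), and the server recomputes the same value and compares. The `Server`, `compute_response`, `run_login` and `replay_is_rejected` names and the sample credential are constructed for this illustration. The block also shows the keyed-hash (HMAC) variant as a second mode, which goes beyond the page's plain-hash construction.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store; password kept in the clear because the
# scheme needs it (or an equivalent) to recompute responses server-side.
SERVER_USERS = {"alice": "correct horse battery staple"}


def compute_response(nonce: str, password: str, mode: str = "hash") -> str:
    """Client-side computation.

    mode="hash": the page's construction, hash(nonce + password).
    mode="hmac": keyed-hash variant, HMAC-SHA256(key=password, msg=nonce),
                 which does not depend on the concatenation being unambiguous.
    """
    if mode == "hash":
        return hashlib.sha256((nonce + password).encode()).hexdigest()
    if mode == "hmac":
        return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    raise ValueError(f"unknown mode {mode!r}")


class Server:
    """Verifier side: issues one-time nonces and checks the returned responses."""

    def __init__(self, users: dict, mode: str = "hash"):
        self._users = users        # username -> password (a password-equivalent)
        self._pending = {}         # username -> outstanding nonce, consumed on use
        self._mode = mode

    def challenge(self, user: str) -> str:
        """Issue a fresh, unpredictable nonce; any earlier outstanding one is dropped."""
        nonce = secrets.token_hex(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: str) -> bool:
        """Accept only if response matches the expected value for the outstanding nonce.

        The nonce is consumed on every attempt (pop), so a captured response can
        not be replayed against a later login. compare_digest keeps the comparison
        constant-time with respect to the response bytes.
        """
        nonce = self._pending.pop(user, None)
        password = self._users.get(user)
        if nonce is None or password is None:
            return False
        expected = compute_response(nonce, password, self._mode)
        return hmac.compare_digest(expected, response)


def run_login(server: Server, user: str, password: str) -> bool:
    """Full exchange: challenge -> client response -> server verdict."""
    nonce = server.challenge(user)                         # server -> client
    response = compute_response(nonce, password, server._mode)  # client -> server
    return server.verify(user, response)


def replay_is_rejected(server: Server, user: str, password: str) -> bool:
    """Model an eavesdropper who captured (nonce, response) from a valid login
    and sends the same response again. Returns True if the genuine login was
    accepted and the replay was refused."""
    nonce = server.challenge(user)
    response = compute_response(nonce, password, server._mode)
    first = server.verify(user, response)
    server.challenge(user)          # a new login attempt gets a different nonce
    second = server.verify(user, response)
    return first and not second


if __name__ == "__main__":
    srv = Server(SERVER_USERS)
    print("correct password accepted:", run_login(srv, "alice", SERVER_USERS["alice"]))
    print("wrong password rejected:", not run_login(srv, "alice", "wrong"))
    print("replay rejected:", replay_is_rejected(srv, "alice", SERVER_USERS["alice"]))
```

The wrong-password and unknown-user paths fall through the same `verify` code and fail the comparison rather than raising, so the server's answer does not leak which of the two was the problem.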