Security notes / Unsorted

From Helpful
Latest revision as of 00:55, 26 April 2022

Security related stuff.

Practical


Theory / unsorted



how to do a login system badly
how to do encryption badly
Disk and file encryption notes
This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM


What?

What is it?

The Trusted Platform Module (TPM) is the hardware component of the Trusted Computing Group's Trusted Computing design. The TPM specification is the TCG's, and is also published as ISO/IEC 11889.


The rest of that design is firmware, operating system and application software that measures things into the TPM, stores keys in it, or asks it to attest to its state.


Physically, a TPM is usually a discrete chip soldered onto the motherboard (standard in business laptops), or a small module plugged into a TPM header on a desktop board.

It can also be implemented in firmware running on the CPU or chipset (a firmware TPM, e.g. Intel PTT or AMD fTPM). That helps against some physical attacks, since there is no separate bus between chip and CPU to probe, but there is also value in keeping it separate: practical value if the CPU is upgradable, and security value because a firmware TPM shares silicon, and therefore some attack surface, with the processor it is supposed to be independent of.

(You could also implement the spec purely in software, and simulators such as swtpm do exactly that, for testing. Doing so loses the isolated environment, which defeats half the point.)


What does it do?

The TPM is different things to different people and needs.


It e.g. stores some keys, creates derived keys without revealing the parent key, and does certain cryptography inside the chip: signing, key derivation, random number generation, and keeping running hashes of what was booted (the PCRs).


It being separate hardware:

* makes it harder to steal certain keys
* means there are cases where you can use a key it stores without ever transporting it out
  * keys for some uses can be marked as "never move these out" (non-migratable; in TPM 2.0 terms the fixedTPM and fixedParent object attributes)
  * some other uses require them to be migratable, though
* lets you tie certain keys, or secrets, to specific TPM hardware and to a specific measured state of the machine, which alleviates certain physical attacks
  * for example, a disk encryption key can be sealed so that it is only released on the computer it was encrypted on, and only when firmware and bootloader measure the same as when it was sealed. Note that this also poses some risk of data loss: a firmware update, a changed boot order or a replaced board changes the measurements, so keep the recovery key somewhere else.
* lets you detect booting something that wasn't previously approved, as protection against malware that alters the boot
  * again, with footnotes. The TPM itself does not stop anything from booting. It records a measurement of each boot stage in its PCRs; refusing to release a sealed secret, or a remote party rejecting an attestation over those PCRs, is what turns a changed measurement into a consequence. Actually blocking unsigned boot code is UEFI Secure Boot's job, which works without a TPM.
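As an added example (not code from this page, and not a TPM vendor's or any TPM library's code), the following Python models the measure-then-seal behaviour described in the list above. The PCR extend rule is the real TPM 2.0 one; the policy digest, the seed-derived wrapping key and the HMAC-keystream cipher are simplified stand-ins for TPM2_PolicyPCR, KDFa and the TPM's AES wrapping of sealed objects. The boot sequences and the volume key are constructed sample data.

```python
"""Software model of TPM measured boot and PCR-sealed secrets.

Added illustration only: NOT a TPM implementation and not a real TPM API.
PCR extend follows the TPM 2.0 rule exactly; policy digest, key wrapping
and the cipher are deliberately simplified stand-ins.
"""
import hashlib
import hmac
import secrets

H = hashlib.sha256
DIGEST_LEN = 32
NUM_PCRS = 24


class ModelTpm:
    def __init__(self):
        # The primary seed never leaves the object; every key derives from it.
        # It survives reboots, which is what ties a sealed blob to this chip.
        self._seed = secrets.token_bytes(DIGEST_LEN)
        self.power_cycle()

    def power_cycle(self):
        # PCRs reset to all-zero on reset; the seed does not.
        self.pcrs = [bytes(DIGEST_LEN) for _ in range(NUM_PCRS)]

    def extend(self, index, data):
        # TPM2_PCR_Extend: PCR[i] = H(PCR[i] || H(data)).
        # One-way and order-dependent: a PCR can only be extended, never set.
        self.pcrs[index] = H(self.pcrs[index] + H(data).digest()).digest()
        return self.pcrs[index]

    def pcr_policy_digest(self, selection):
        # Simplified TPM2_PolicyPCR: a digest committing to the selected PCR values.
        pcr_digest = H(b"".join(self.pcrs[i] for i in selection)).digest()
        return H(bytes(DIGEST_LEN) + b"PolicyPCR" + bytes(selection) + pcr_digest).digest()

    def _wrap_key(self, nonce):
        # Derived from the seed (HMAC here, KDFa in a real TPM); the seed itself
        # is never revealed, only material wrapped under a derived key.
        return hmac.new(self._seed, b"seal-wrap" + nonce, H).digest()

    @staticmethod
    def _keystream(key, length):
        # Counter-mode keystream from HMAC; stand-in for the TPM's AES wrapping.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, counter.to_bytes(4, "big"), H).digest()
            counter += 1
        return out[:length]

    def seal(self, secret, selection):
        """Return an opaque blob the caller may store anywhere (e.g. on disk).

        Only this TPM, with the selected PCRs in their current state, can unseal it.
        """
        policy = self.pcr_policy_digest(selection)
        nonce = secrets.token_bytes(16)
        key = self._wrap_key(nonce)
        ciphertext = bytes(a ^ b for a, b in zip(secret, self._keystream(key, len(secret))))
        tag = hmac.new(key, policy + nonce + ciphertext, H).digest()
        return {"policy": policy, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob, selection):
        # Policy first: the current PCRs must reproduce the digest the secret was
        # sealed against. A changed bootloader changes PCR 4, so this fails and
        # the secret is never released.
        if not hmac.compare_digest(self.pcr_policy_digest(selection), blob["policy"]):
            raise PermissionError("PCR policy not satisfied: boot measurements differ")
        key = self._wrap_key(blob["nonce"])
        expected = hmac.new(key, blob["policy"] + blob["nonce"] + blob["ciphertext"], H).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("blob was not sealed by this TPM")
        stream = self._keystream(key, len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


# Constructed boot sequences: (PCR index, what the firmware measured into it).
GOOD_BOOT = [(0, b"firmware v1.2"), (4, b"bootloader: shim+grub"), (7, b"secure boot policy")]
TAMPERED_BOOT = [(0, b"firmware v1.2"), (4, b"bootloader: evil"), (7, b"secure boot policy")]
DISK_KEY = b"constructed-example-volume-key-not-a-real-key"
SELECTION = [0, 4, 7]  # firmware, bootloader, Secure Boot state


def boot(tpm, sequence):
    for index, stage in sequence:
        tpm.extend(index, stage)


def demo():
    """Returns (unsealed_on_same_boot, refused_after_tamper, refused_on_other_chip)."""
    tpm = ModelTpm()
    boot(tpm, GOOD_BOOT)
    blob = tpm.seal(DISK_KEY, SELECTION)

    tpm.power_cycle()
    boot(tpm, GOOD_BOOT)
    same_boot_ok = tpm.unseal(blob, SELECTION) == DISK_KEY

    tpm.power_cycle()
    boot(tpm, TAMPERED_BOOT)
    try:
        tpm.unseal(blob, SELECTION)
        refused_after_tamper = False
    except PermissionError:
        refused_after_tamper = True

    other = ModelTpm()  # same boot, different seed: the policy matches, the wrap does not
    boot(other, GOOD_BOOT)
    try:
        other.unseal(blob, SELECTION)
        refused_other_chip = False
    except ValueError:
        refused_other_chip = True
    return same_boot_ok, refused_after_tamper, refused_other_chip


if __name__ == "__main__":
    print(demo())
```

The third case in demo() is the "tied to specific TPM hardware" point: a second chip with identical boot measurements passes the PCR policy but cannot unwrap the blob, because the wrapping key derives from a seed it does not have. The data-loss footnote is the second case seen from the other side: any legitimate change to the measured stages locks the blob just as thoroughly as a tampered bootloader does.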


In general, it keeps the attack surface around key material much smaller, and makes some attacks much harder to do remotely: a key that never leaves the chip cannot be exfiltrated by reading memory or disk.

Though note it can be used badly (a sealed key is only as good as what the PCRs actually measure, and what the software does with the key after it is unsealed), and even good use can be overestimated: the TPM is slow, it is not a general-purpose secure enclave, and it does nothing against an attacker who controls the running OS after the key has already been released.



On secure boot

"Can't detect TPM device"

Means the BIOS/UEFI firmware knows a TPM module can be plugged into this board, is looking for one (because it is configured to, or always does), and doesn't find one.

So tell it not to look for one (if you can), plug one in, or ignore the message. The setting is often under a header named something like 'Trusted Computing' or 'Security'.

Some BIOSes will always look for it (verify), in which case you can just ignore the message. Note that ignoring it also means anything that relied on the TPM (disk encryption keys sealed to it, measured boot) is not available.

More acronyms

What does TPM not protect?

TPM versus TPM2

Use and criticism, strengths and weaknesses


See also

Nonce

Challenge/response

ZKP

JSON Web Signature, Encryption, Tokens


GSSAPI notes

GSSAPI (Generic Security Service API, RFC 2743) is an IETF standard that lets applications use strong authentication mechanisms, most commonly Kerberos, through one interface, so that each program does not have to implement the mechanism itself.

Other authentication mechanisms can be plugged in behind the same API.


That also makes it potentially interesting for SSO setups within an organisation: a user who already holds a Kerberos ticket authenticates to GSSAPI-aware services without typing a password again.


(Not unlike SASL, which is a similar abstraction one level up, at the protocol level, and which can use GSSAPI as one of its mechanisms.)


It's used by things like OpenSSH, where it appears among the authentication methods a server can offer, alongside the others:

* publickey
* gssapi-keyex
* gssapi-with-mic
* password
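An added configuration example (not from this page, and not OpenSSH's own documentation) showing where those method names come into play; the hostnames are made up. Upstream OpenSSH supports gssapi-with-mic; gssapi-keyex and the GSSAPIKeyExchange option come from a GSSAPI key-exchange patch that some distributions carry, so they only appear on builds that include it.

```sshconfig
# Client side, ~/.ssh/config (assumed example host pattern)
Host *.corp.example
    # Offer the Kerberos ticket via GSSAPI
    GSSAPIAuthentication yes
    # Do not forward the TGT unless the remote host is trusted with it
    GSSAPIDelegateCredentials no
    # Try the ticket first, then a key; never fall back to a password
    PreferredAuthentications gssapi-with-mic,publickey

# Server side, /etc/ssh/sshd_config
GSSAPIAuthentication yes
# Remove the forwarded credential cache when the session ends
GSSAPICleanupCredentials yes
```

With `ssh -v` the server's offer shows up as a line of the form `debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password`, which is the list above. The delegation setting is the one to think about: a forwarded TGT on a compromised server is a password-equivalent for everything that user can reach.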


NaCl

NaCl as in the Networking and Cryptography library (Bernstein, Lange, Schwabe), a high-level crypto library with a small set of hard-to-misuse operations; libsodium is its portable, more widely packaged fork.

Google NaCl as in Native Client, a sandbox for running native code inside the Chrome browser, unrelated to the crypto library and since deprecated in favour of WebAssembly.