The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

OpenSSH keygen guidelines

Posted by jpluimers on 2020/05/01

Verify [WayBack] OpenSSH: Key generation before generating keys.

At the time of grabbing it was this (for the mozilla tag; use another tag if you prefer):

# RSA keys are favored over ECDSA keys when backward compatibility ''is required'',
# thus, newly generated keys are always either ED25519 or RSA (NOT ECDSA or DSA).
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"

# ED25519 keys are favored over RSA keys when backward compatibility ''is not required''.
# This is only compatible with OpenSSH 6.5+ and fixed-size (256 bytes).
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_mozilla_$(date +%Y-%m-%d) -C "Mozilla key for xyz"

This was not changed based on [WayBack] Key generation: pass -a and -o argument? · Issue #68 · mozilla/wikimo_content · GitHub: a discussion on the KDF rounds (-a parameter) and storage format (-o parameter).

This is slightly less strong than in [WayBack] Upgrade Your SSH Key to Ed25519 | Programming Journal, but seems to be OK when writing this in 2018.

For comparison, a similar discussion is at [WayBack] public key – How many KDF rounds for an SSH key? – Cryptography Stack Exchange.
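To make the -o storage format and the -a round count discussed above concrete, here is an added example (written for this post, not code from the Mozilla wiki or from OpenSSH) that reads the unencrypted header of an OpenSSH new-format private key and reports its cipher, KDF and bcrypt round count; the sample key it builds contains constructed dummy bytes only.

```python
import base64
import struct

# Added example (not from the post or Mozilla's wiki): read the unencrypted header
# of an OpenSSH "-o" format private key to see the cipher, the KDF and how many
# bcrypt rounds (-a) it was written with. Layout follows OpenSSH's PROTOCOL.key.
MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, pos):
    """Read a uint32-length-prefixed SSH string; return (bytes, next position)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def inspect_openssh_key(pem_text):
    """Return cipher, KDF, bcrypt rounds (None when unencrypted) and key count."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH new-format (-o) private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: damaged file or not openssh-key-v1")
    pos = len(MAGIC)
    cipher, pos = _read_string(blob, pos)   # "none" when there is no passphrase
    kdf, pos = _read_string(blob, pos)      # "bcrypt" or "none"
    kdfopts, pos = _read_string(blob, pos)  # bcrypt: string salt, uint32 rounds
    (nkeys,) = struct.unpack(">I", blob[pos:pos + 4])
    rounds = None
    if kdf == b"bcrypt":
        _salt, opt_pos = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[opt_pos:opt_pos + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "keys": nkeys}

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def build_sample_key(rounds):
    """Constructed sample file with dummy key bytes; rounds=0 means no passphrase."""
    if rounds:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"
```

Keys written by ssh-keygen since OpenSSH 7.8 use this format by default, so running inspect_openssh_key over ~/.ssh/id_* is a quick way to spot keys stored without a passphrase (kdf "none") or with the old default of 16 rounds; an old-style PEM key (BEGIN RSA PRIVATE KEY) is rejected by the header check.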

In practice, I am not for one ssh ID per host, but I use different tags depending on where the ssh ID applies. More discussion on this is at [WayBack] privacy – Best Practice: “separate ssh-key per host and user” vs. “one ssh-key for all hosts” – Information Security Stack Exchange.

Based on the above, I also learned about this password generator: [WayBack] GitHub – gdestuynder/pwgen

–jeroen

Posted in *nix, *nix-tools, Encryption, Hashing, Power User, Security, ssh/sshd | Leave a Comment »

SFTP (SSH file transfer protocol) server on Windows

Posted by jpluimers on 2020/04/10

A few links for my archive:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Security, SSH, TCP | Leave a Comment »

ssh – Why OpenSSH deprecated DSA keys – Information Security Stack Exchange

Posted by jpluimers on 2020/03/10

In a lot of ssh-keygen related posts, you still see DSA being mentioned, though that has been deprecated and later removed from OpenSSH.

I wondered why, so I did some digging.

TL;DR: it’s complicated:

  • different standards mandating eventually conflicting parameters,
  • extending the parameters would require protocol extension,
  • a logjam vulnerability for certain combinations of parameters and finally
  • better algorithms having become available.

Some of the related topics cannot be archived in the WayBack machine or refuse to be archived at Archive.is, so here is a list of partially archived relevant links:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

The Toxic Smog of the Information Age | Literary Hub

Posted by jpluimers on 2020/03/03

From 5 years ago, but now more relevant than it ever was: [WayBack] The Toxic Smog of the Information Age | Literary Hub

SCROOGLED

Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him. –Cardinal Richelieu

We don’t know enough about you. –Google CEO Eric Schmidt

Via:

–jeroen

Posted in History, Opinions, Security | Leave a Comment »

Very nice “Appendix A. Introduction to TCP/IP security” on digests, hashing, encryption, asymmetric/symmetric, VPN and much more

Posted by jpluimers on 2020/03/03

For me this is still a primary starting point, with clear pictures, whenever I need to look something up about security: [WayBack] Appendix A. Introduction to TCP/IP security (sg245383.pdf/ftp://ftp.www.ibm.com/…/sg245383.pdf, thanks to Jac Las), all on one web page.

The links are to the “Digital signatures” portion, as that’s what I needed at the time, but they are just anchors in the page.

These were the diagrams I was after:

If you want much more in-depth slides, then go for [WayBack] Cryptography, from Theory to Practice, which you can find by searching for IBM “Cryptography, from Theory to Practice”, “sign then hash” or “hash then sign”.

It is very different from the equally interesting presentation

–jeroen

Posted in Development, Encryption, Power User, Security, Software Development | 2 Comments »

When you have physical access to a machine, assume it is compromised

Posted by jpluimers on 2020/02/24

When you have physical access to a machine, assume it is compromised.

Sometimes the compromise can be as simple as a HID device access:

–jeroen

Read the rest of this entry »

Posted in Power User, Security | Leave a Comment »

Does anyone knows a existing implementation of bcrypt or scrypt for delphi?

Posted by jpluimers on 2020/02/19

For my link archive: [WayBack] Does anyone knows a existing implementation of bcrypt or scrypt for delphi? – Fabian S. Biehn – Google+:

–jeroen

Posted in Delphi, Development, Encryption, Power User, Security, Software Development | Leave a Comment »

Happlink / PlugUp died, but you can still use their U2F USB key

Posted by jpluimers on 2020/01/31

Nothing lasts, so the company behind the U2F key on the right is long gone, but their site is archived in Archive.is and the WayBack machine. Since the U2F protocol is open, you can still set up the device and use it. Here is how for your Google account (for instance with GMail), it works in a similar way for other providers:

Archived links:

Some of their videos are also still online (embedded links at the bottom of the post):

U2F (or Universal 2nd Factor – Wikipedia) has an open protocol by FIDO Alliance – Wikipedia. More on that in these links below.

One final odd note:

The FIDO alliance still listed Happlink on their web-site when I wrote this blog post.

It used to be at this address: Happlink, 4 rue Jehan Le Povrmoyne, 76240 Le Mesnil-Esnard, France

Read the rest of this entry »

Posted in Power User, Security, U2F FIDO Security Keys | Leave a Comment »

Viewing certbot installed certificates and their expiry dates

Posted by jpluimers on 2020/01/24

A simple tip on the certbot command line from [WayBack] User Guide — Certbot 0.19.0.dev0 documentation – Managing certificates (Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.):

To view a list of the certificates Certbot knows about, run the certificates subcommand:

certbot certificates

This returns information in the following format:

Found the following certs:
  Certificate Name: example.com
    Domains: example.com, www.example.com
    Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

Via: [WayBack] It there a command to show how many days certificate you have? – Server – Let’s Encrypt Community Support
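Since the question behind the tip was how many days a certificate has left, here is an added example (not certbot’s own code) that parses the output format shown above and flags certificates inside a warning window, so a cron job can alert before a missed renewal turns into an outage; the sample output is constructed from the format above with a second, made-up certificate.

```python
import re
from datetime import datetime

# Added example (not part of certbot): parse the text that "certbot certificates"
# prints and report certificates that expire within a warning window. Expired
# certificates (negative days left) are reported too.
CERT_NAME = re.compile(r"^\s*Certificate Name:\s*(\S+)")
DOMAINS = re.compile(r"^\s*Domains:\s*(.+)")
EXPIRY = re.compile(r"^\s*Expiry Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")

def parse_certbot_output(text):
    """Return a list of dicts with name, domains and a timezone-aware expiry."""
    certs = []
    for line in text.splitlines():
        m = CERT_NAME.match(line)
        if m:
            certs.append({"name": m.group(1), "domains": [], "expiry": None})
            continue
        if not certs:
            continue  # header line before the first certificate
        m = DOMAINS.match(line)
        if m:
            certs[-1]["domains"] = [d.strip() for d in m.group(1).split(",")]
            continue
        m = EXPIRY.match(line)
        if m:
            certs[-1]["expiry"] = datetime.fromisoformat(m.group(1))
    return certs

def expiring_soon(certs, now, warn_days=14):
    """Names of certificates with fewer than warn_days full days left at 'now'."""
    return [c["name"] for c in certs
            if c["expiry"] is not None and (c["expiry"] - now).days < warn_days]

# Constructed sample: the certificate from the post plus a made-up second one.
SAMPLE = """Found the following certs:
  Certificate Name: example.com
    Domains: example.com, www.example.com
    Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: mail.example.com
    Domains: mail.example.com
    Expiry Date: 2017-01-25 08:00:00+00:00 (VALID: 5 days)
    Certificate Path: /etc/letsencrypt/live/mail.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.example.com/privkey.pem
"""
```

For live use, replace SAMPLE with subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout and pass datetime.now(timezone.utc) as now.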

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

I’m harvesting credit card numbers and passwords from your site. Here’s how.

Posted by jpluimers on 2020/01/14

Below is one of the reasons I try to stay on the back-end side of things. Those are complex enough for me to focus on.

[WayBack] I’m harvesting credit card numbers and passwords from your site. Here’s how.

It basically comes down to:

  • anything in the same page has access to anything happening on that page.
  • be careful when using npm and ad networks.
  • perform security operations in a light-weight iframe that is scrutinized.

The source of an npm package might differ from the source you find in the underlying repository. This recursively holds for all the other npm packages it pulls in.
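The third bullet above (an isolated iframe for the sensitive part) is easy to get wrong at the message boundary, so here is an added example (my own, not from the article) of the two postMessage handlers that cross that boundary, with the origin and source checks that keep any script on the merchant page from talking to the frame; the origins shop.example.com and pay.example.com are assumed.

```javascript
// Added example (not from the article): the "isolated iframe" pattern from the
// third bullet. Card entry lives in a frame served from a separate origin
// (assumed: https://pay.example.com), so scripts on the merchant page, including
// anything pulled in via npm or an ad network, cannot read the card fields.
// Only the two handlers below cross the boundary, and both check where a
// message came from before acting on it.
const MERCHANT_ORIGIN = "https://shop.example.com"; // assumed merchant site
const PAYMENT_ORIGIN = "https://pay.example.com";   // assumed isolated origin

// Runs inside the payment frame: only the merchant page may ask it to tokenize,
// and only a shape-checked request is honoured. Returns the reply to post back
// (with its target origin), or null when the message must be ignored.
function handleMerchantMessage(event, tokenize) {
  if (event.origin !== MERCHANT_ORIGIN) return null;
  const d = event.data;
  if (!d || d.type !== "tokenize" || typeof d.amount !== "number" || d.amount <= 0) return null;
  // Card data never leaves the frame; the merchant only ever sees an opaque token.
  return { target: MERCHANT_ORIGIN, reply: { type: "token", amount: d.amount, token: tokenize() } };
}

// Runs on the merchant page: accept a token only from the payment origin and only
// from the frame this page created (event.source), never from some other window.
function handlePaymentMessage(event, paymentFrameWindow) {
  if (event.origin !== PAYMENT_ORIGIN || event.source !== paymentFrameWindow) return null;
  const d = event.data;
  if (!d || d.type !== "token" || typeof d.token !== "string") return null;
  return d.token;
}

// Browser wiring (not executed here): the merchant page calls
// frame.contentWindow.postMessage(request, PAYMENT_ORIGIN) and the frame answers
// with window.parent.postMessage(reply, target). Never pass "*" as the target
// origin, or a reply could be delivered to a window you did not intend.
```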

–jeroen

via: [WayBack] Jeroen Wiert Pluimers – Google+

Posted in Development, Power User, Security, Software Development, Web Development | Leave a Comment »