Jump to content
Welcome, welcome! Come in and register, and have some developer coffee. 👨‍💻 ×


  • Content Count

  • Joined

  • Last visited

  • Days Won


chrono_legionnaire last won the day on June 22

chrono_legionnaire had the most liked content!

Community Reputation

12 Good

About chrono_legionnaire

  • Rank
    Junior Kaki

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Perhaps that in most cases, people only know about Pre-Compromise Security which involves hiring tons of security experts to guard a server/network but it's not that effective against insider or skilled malicious hacker as data protection law or non disclosure agreement is likely not going to have a restraining effect on them. When people talk about post-compromise security, perhaps the first impression that people have in mind is that it's something based on cryptography. That's too narrow in my perspective. (For example, we if talk on WhatsApp and the server gets hacked, our messages
  2. The logic behind the respond and challenge login mechanism The steps required will be: 1. Users when they register in the system(online), they most likely will generate a digital signature keypair, the users will need to keep the digital signature keypair's secret key in a secret and secure way and then they will need to give their digital signature keypair public key to server. 2. When user intends to login, the server has to generate some random data in this case is random challenge through cryptographic secure way, through some forum, the random data or challenge minimum length is
  3. Maybe some people here will want to look at an example of how challenge and response login mechanism work(Cryptographic Digital Signature), if you are someone who installed Visual Studio and have .Net Framework installed in your Windows OS as well. You can have a look at my sample code that describes how can it be done. (In actual code, you have to determine which information is private and clear it safely & set a valid duration for the challenge that generated and sent by server) Here's the source code. Feel free to use it if you think that this login mechanism is generally b
  4. 1. The PriSecFileStorage was licensed under "APGL-3.0" This will be the source code that responsible for the PriSecFileStorage. Client Application(C# Winform) (OS=Windows) https://github.com/Chewhern/PriSecFileStorageClientApplication Server Application (ASP.Net Core) (Web API) (OS=Linux Ubuntu) https://github.com/Chewhern/PriSecFileStorage
  5. The MySQL database hosting project that I posted here is an example of PriSec Projects. The PriSec Projects consists of the following attributes: The goal of PriSec Projects was not to stop hackers from getting into the server but solving the root of data leakage(server has valuable data or metadata) by fulfilling the attributes above, essentially these projects will have post-data leakage security by its design from start. The service provider/server won't be able to follow the trend of big data or perform any data analysis work on their end. This series of projects will most li
  6. This video is a follow up of what asymmetric encryption/symmetric encryption is. This is a video that describes what cryptography digital signature is.
  7. This may be an important follow up, as I recently found this online. This is what I proposed as an alternative to password. The passwordless login mechanism that I wrote in kaki.gg
  8. I always have the idea that passwords is really bad to use as a login mechanism, so I smash my head into wall, asking forums and finally came up with this kind of login mechanism(don't worry it's not new, and it has better overall security compare to passwords). To understand about the challenge and respond login mechanism, we need to first know what exactly is asymmetric encryption and RNG(random number generator). I will leave people to explain or explore a little bit of what asymmetric encryption is. In asymmetric encryption we have 2 mathematically linked components which are public a
  9. Often down the line, be it that we like it or not, we as a developer(mostly refer to web based application be it webpage or web API), we need to deal with passwords as a login mechanism. The problem with passwords is that it's very easy to mess up on both user side and developer side. Some developers don't know what they are doing and store them in plaintext, encrypted or hash them regularly. These 3 stuffs that I described here even though it's common sense, but let's be honest, we do mess them up a lot don't we 🤣. There're proper ways of dealing with passwords like using
  10. I will be trying to shift myself away as much as I could from Facebook or WhatsApp, if any members here find my posts useful feel free to post it onto Facebook but please ask my permission before posting to Facebook .
  11. Just tested several stuffs, ephemeral TLS works, account recovery functions works, register and login also works.
  12. This whole project must be using these 3 things which are zero access/knowledge encryption, as little metadata collection as possible and no MFA/Account Recovery feature. If account recovery feature is really required, it won't compete with usual account recovery functions out there as this does not operates based on collecting public identity or does it works in the way which is similar to Google/Microsoft Authenticator. This whole project will only be exists in client side application form where no web pages exists but API will exist. This whole project will also be built on t
  13. I am not a person who's well versed in cryptography and security .-. , I am just a beginner to what my goal was
  14. I am new to what my goal was the same applies to security stuffs, I am limited by what I know. Flashang, I am trying to understand what u are stating as the flow in the first part of the message, to do that essentially, what u are trying to say was to ask the user to type in their username in the system or to use some of their nickname? then proceed with the account recovery flow. Because from what I understand, you are saying that asking user to enter their recovery email/something similar then proceed with the account recovery is not a good idea. Fliermate, mind fill me/this commu
  • Create New...