
chrono_legionnaire

Members
  • Content Count: 27
  • Joined
  • Last visited
  • Days Won: 7

Everything posted by chrono_legionnaire

  1. Suddenly wanna create a C# club huh? 🤣 hi senior 😁 I am an open source cryptography library (libsodium C# NuGet wrapper) contributor, building stuff in .Net Framework 4.7.2 (Winforms) [File Storage and DB setup client for DB hosting], Electron.Net (ASP.Net Core) cross platform desktop applications and ASP.Net Core API applications 🙃
  2. Disclaimer: This topic will assume that the reader has a basic understanding of RSA, Diffie Hellman KX and symmetric encryption. Most of the time, RSA was vastly used for public key digital signatures rather than encryption. Drawbacks of RSA if it's used for actual encryption/decryption of data: 1. Encrypting data with RSA is considered quick, however the time needed to decrypt data encrypted with RSA is quite slow, for details refer to this link (https://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml). 2. If anyone would want to use RSA for actual encrypti
  3. I don't mind if people want to join me, it's just that I wasn't quite sure if what I am doing gives you satisfaction or you are interested in it because I don't have $$ LOL. Besides.., my journey as a sole proprietorship business is uncertain 🙃. If a chance presents itself and you do join me in future, feel free to get "pressured" by me, because my requirements will become higher if I have the ability to further educate myself.
  4. I wasn't quite sure regarding this but based on what I know .. no country is not responsible for this.. In 2011, an incident was revealed at a famous MNC located in the USA called RSA (yup you get the idea.., RSA as in public key encryption). Heavy and seriously sponsored Chinese cyber attacks had been conducted by their state hackers, which resulted in serious leaks/breaches. Several weeks after the breach/leak, they (the RSA MNC) apologized for the incident. The story can be seen here: https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/ During my
  5. I use DllImport as I think that it's the easiest way to use language interoperability in C# (I am a total beginner 😂). When we talk about privacy, obviously there are many levels to it. Like how private are you talking? In general there are several levels of privacy that I can think of (the level of privacy depends on how you understand it): 1. You want to have privacy even if you are using big tech products (which is not totally doable, the best one can do is have 5% of privacy out of 100% of a non privacy oriented environment) 2. You want to have privacy from people who you don't
  6. Most developers/programmers, when they hear about cryptography and want to implement it, face 2 major problems, which are: I do understand them, but it's too risky to implement on my own; I can't implement them, so I will use an outdated version of them. These 2 major problems are what developers/programmers face every time they want to implement certain cryptographic features like password hashing, key exchange, digital signatures (public key cryptography) and symmetric encryption. The pro
  7. @FlierMate, @S. registering at SSM as an online business is not that difficult to begin with, I remember I registered last year's July/August, it's time for me to renew the license as well. The catch is you all know what happens with startup businesses, everything has to start from 0 (no relations, no people can help me), I got rejected by the payment platform that I wished to use, also known as Rapyd (mainly targets Payout [a developer tool to make paying customers useful]), as I believe the majority of the reason is because I was a startup .. and my website is really not that professional, I am
  8. Perhaps in most cases, people only know about Pre-Compromise Security, which involves hiring tons of security experts to guard a server/network, but it's not that effective against insiders or skilled malicious hackers, as data protection law or a non disclosure agreement is likely not going to have a restraining effect on them. When people talk about post-compromise security, perhaps the first impression that people have in mind is that it's something based on cryptography. That's too narrow in my perspective. (For example, if we talk on WhatsApp and the server gets hacked, our messages
  9. The logic behind the challenge and response login mechanism. The steps required will be: 1. When users register in the system (online), they most likely will generate a digital signature keypair; the users will need to keep the digital signature keypair's secret key in a secret and secure way and then they will need to give their digital signature keypair's public key to the server. 2. When a user intends to login, the server has to generate some random data, in this case a random challenge, in a cryptographically secure way; according to some forums, the random data or challenge minimum length is
  10. Maybe some people here will want to look at an example of how a challenge and response login mechanism works (Cryptographic Digital Signature), if you are someone who has installed Visual Studio and has .Net Framework installed in your Windows OS as well. You can have a look at my sample code that describes how it can be done. (In actual code, you have to determine which information is private and clear it safely & set a valid duration for the challenge that is generated and sent by the server.) Here's the source code. Feel free to use it if you think that this login mechanism is generally b
  11. 1. The PriSecFileStorage was licensed under "AGPL-3.0". This will be the source code that is responsible for the PriSecFileStorage. Client Application (C# Winform) (OS=Windows) https://github.com/Chewhern/PriSecFileStorageClientApplication Server Application (ASP.Net Core) (Web API) (OS=Linux Ubuntu) https://github.com/Chewhern/PriSecFileStorage
  12. The MySQL database hosting project that I posted here is an example of the PriSec Projects. The PriSec Projects consist of the following attributes: The goal of the PriSec Projects was not to stop hackers from getting into the server but to solve the root of data leakage (the server has valuable data or metadata) by fulfilling the attributes above; essentially these projects will have post-data-leakage security by design from the start. The service provider/server won't be able to follow the trend of big data or perform any data analysis work on their end. This series of projects will most li
  13. This video is a follow up of what asymmetric encryption/symmetric encryption is. This is a video that describes what cryptography digital signature is.
  14. This may be an important follow up, as I recently found this online. This is what I proposed as an alternative to password. The passwordless login mechanism that I wrote in kaki.gg
  15. I always have had the idea that passwords are really bad to use as a login mechanism, so I smashed my head into the wall, asked forums and finally came up with this kind of login mechanism (don't worry, it's not new, and it has better overall security compared to passwords). To understand the challenge and response login mechanism, we need to first know what exactly asymmetric encryption and an RNG (random number generator) are. I will leave people to explain or explore a little bit of what asymmetric encryption is. In asymmetric encryption we have 2 mathematically linked components which are public a
  16. Often down the line, be it that we like it or not, we as developers (mostly referring to web based applications, be it webpages or web APIs) need to deal with passwords as a login mechanism. The problem with passwords is that it's very easy to mess up on both the user side and the developer side. Some developers don't know what they are doing and store them in plaintext, encrypted, or hash them regularly. These 3 things that I described here, even though they are common sense, but let's be honest, we do mess them up a lot don't we 🤣. There are proper ways of dealing with passwords like using
  17. I will be trying to shift myself away as much as I could from Facebook or WhatsApp, if any members here find my posts useful feel free to post it onto Facebook but please ask my permission before posting to Facebook .
  18. Just tested several things: ephemeral TLS works, account recovery functions work, register and login also work.
  19. This whole project must be using these 3 things, which are zero access/knowledge encryption, as little metadata collection as possible and no MFA/Account Recovery feature. If an account recovery feature is really required, it won't compete with the usual account recovery functions out there, as this does not operate based on collecting public identity, nor does it work in a way similar to Google/Microsoft Authenticator. This whole project will only exist in client side application form where no web pages exist but an API will exist. This whole project will also be built on t
  20. I am not a person who's well versed in cryptography and security .-. , I am just a beginner to what my goal was
  21. I am new to what my goal was, the same applies to security stuff, I am limited by what I know. Flashang, I am trying to understand what you are stating as the flow in the first part of the message; to do that, essentially, what you are trying to say was to ask the user to type in their username in the system or to use some nickname of theirs? then proceed with the account recovery flow. Because from what I understand, you are saying that asking the user to enter their recovery email/something similar and then proceeding with the account recovery is not a good idea. Fliermate, mind filling me/this commu
  22. Often down the line, we are deemed to design systems that require users to submit their public identity, be it the most common public identity (email/phone number), such that we can provide questionable security to users. We will design the system in a way such that we can really make sure that it's indeed the user, through authenticating the user in multiple ways: first through the system, maybe with a password? Secondly then authenticate using SMS or using email. The list can go on without stopping. The core purpose of MFA is to make sure that the user is really who they say they are because the user
  23. indeed it is .. but they are still prone to insider attacks, aren't they? Assuming that nothing will go wrong by just asking the staff to sign an NDA (Non Disclosure Agreement) is naive in my opinion. The best system design, even for SMB/SME, even though it's offline, is to assume that all things can go wrong; signing an NDA wouldn't help. It's also naive in my opinion to think you can fully prevent insider attacks from happening, that's why partially reducing or preventing them is good enough in my opinion. This is also the reason why stuff like endpoint encryption, endpoint storage, end to end encrypti
  24. So do I @FlierMate, I only know how the stuff works in layman's terms, but no, don't do that; if you can do so, at the least use a SHA generation 2 family algorithm (like SHA256/SHA512) with a salt that is generated with a cryptographic RNG. Storing it in plaintext form, no.., storing it in non-salted hashed form is also a no, the best is to use a salted hash for password storage. If you can afford it, go and use "Argon2", which is the best password hashing algorithm that's available and uses a stronger hash algorithm (Blake2B). If you want to be even better, use an approach like Digital Signature Algorithm