@bitraft
bitraft / aefd.md
Created April 25, 2016 04:22 — forked from tarcieri/aefd.md
Authenticated Encryption for Dummies

It might seem like a silly exercise, but I was looking at the "NIST approved" algorithms in NaCl (i.e. AES, HMAC) and wondering if I could build an authenticated encryption system with them. djb lists AES-GCM as a "todo" secretbox primitive so unfortunately NaCl does not presently expose any AES-based authenticated encryption, only aes128ctr.

This is what I came up with using the algorithms available in NaCl:

Diagram

A quick rundown:

Encrypt-then-MAC with AES-CTR (128-bit for now, 256-bit later!) encryption and HMAC SHA-512256 (i.e. SHA-512, truncated to 256 bits by NaCl via crypto_auth_hmacsha512256) authentication. MAC comparisons are performed using a NaCl-supplied verifier function which is (hopefully!) constant time.

@bitraft
bitraft / semiprivate.md
Created April 25, 2016 04:05 — forked from tarcieri/semiprivate.md
Ed25519-based semi-private keys

Semiprivate Keys

Semi-private keys are an expansion of the traditional idea of asymmetric keys, which have a public/private keypair, to N keys which can each represent a different capability level. In the degenerate case, a semi-private key system has 3 different types of keys. These are, to use the Tahoe terminology:

  • writecap: can publish new ciphertexts
  • readcap: can read/authenticate ciphertexts
@bitraft
bitraft / xhyverun.sh
Created April 12, 2016 12:56 — forked from bruienne/xhyverun.sh
xhyve boot2docker sample config
#!/bin/sh
KERNEL="/path/to/vmlinuz64"
INITRD="/path/to/initrd.img"
#CMDLINE="earlyprintk=serial console=ttyS0 acpi=off"
CMDLINE="loglevel=3 user=docker console=ttyS0 console=tty0 noembed nomodeset norestore waitusb=10:LABEL=boot2docker-data base"
MEM="-m 1G"
#SMP="-c 2"
NET="-s 2:0,virtio-net,en0"

Client-side SSL

For excessively paranoid client authentication.

Using self-signed certificate.

Create a Certificate Authority root (which represents this server)

Organization & Common Name: Some human identifier for this server CA.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
<?php
$baseUrl = "http://localhost/packagist";
$baseDir = "/var/www/packagist";
if (!file_exists($baseDir)) {
    echo "Base dir $baseDir for local packagist proxy does not exist\n";
    exit(1);
}
$packagesJson = $baseDir . "/packages.json";