Scott paragonie-scott

@paragonie-scott
paragonie-scott / crypto-wrong-answers.md
Last active Nov 24, 2022
An Open Letter to Developers Everywhere (About Cryptography)
@paragonie-scott
paragonie-scott / js-php-encrypt.md
Last active Sep 14, 2022
String Encryption in JavaScript and PHP

Just for fun, let's encrypt some stuff in client-side JavaScript and have a PHP server decrypt it. Note that this will never replace TLS (HTTPS).

JavaScript Encryption with Sodium-Plus

You'll want the latest release of sodium-plus for this. (As of this writing, it's version 0.4.0.)

<script
  src="/static/js/sodium-plus.min.js"
  integrity="sha384-lv7SVE0eb0bXA3fgK6PwlhViiUwG6tBuMAhS8XX7RvBvyRcdEdJ8HKtFgs4vHTUh"
@paragonie-scott
paragonie-scott / autoload.php
Created May 14, 2017
defuse/php-encryption autoloader
<?php
define('DEFUSE_CRYPTO_BASEDIR', __DIR__.'/src/');
/**
 * PSR-4 compatible autoloader
 *
 */
\spl_autoload_register(function ($class) {
    // Project-specific namespace prefix
paragonie-scott / rsa-encrypt.php
<?php
$publicKey = openssl_pkey_get_public('
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d
@paragonie-scott
paragonie-scott / jose-security.md
Last active Jun 12, 2020
Suggestions for a Secure JOSE Alternative (or Protocol Upgrade)

Changes to JOSE that will prevent insecurity

Deletions

JWS and JWE

Drop the alg header

Neither JOSE users nor JOSE library designers should be required to understand cryptographic primitives. Requiring that understanding leads, at a lower level, to badly implemented primitives and, at a higher level, to reasoning by lego.

paragonie-scott / gist:c7a73fd0f759e451cf07
function secure_rand(min, max) {
    var rval = 0;
    var range = max - min;
    if (range < 2) {
        return min;
    }
    var bits_needed = Math.ceil(Math.log2(range));
    if (bits_needed > 53) {
        // Error, not Exception: JavaScript has no built-in Exception class
        throw new Error("We cannot generate numbers larger than 53 bits.");
@paragonie-scott
paragonie-scott / SVG Fails.md
Last active May 8, 2020
image/svg+xml considered harmful: an open letter to member-svg-media-type@w3.org

Update

Filed an issue to address this particular concern.

Thanks joepie91 for finding the folks responsible and getting the conversation started.
Currently, SVG is a security foot-cannon: it lets an attacker upload a stored XSS payload as an image, which executes when a user views the image directly. Example.

@paragonie-scott
paragonie-scott / cacert-2019-10-16.diff
Created Oct 23, 2019
Diff between cacert-2019-08-28.pem and cacert-2019-10-16.pem
diff --git a/cacert-2019-08-28.pem b/cacert-2019-10-16.pem
index 65be218..edc5090 100755
--- a/cacert-2019-08-28.pem
+++ b/cacert-2019-10-16.pem
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Aug 28 03:12:10 2019 GMT
+## Certificate data from Mozilla as of: Wed Oct 16 03:12:09 2019 GMT
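Review bot: only the bundle timestamp line is visible in this hunk, so the root certificates added to or removed from the trust store between the 2019-08-28 and 2019-10-16 bundles cannot be audited from it; the gist description should list the affected CA entries, and anyone consuming this bundle should read the remaining hunks before deploying it.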
@paragonie-scott
paragonie-scott / JWTKiller.php
Created Mar 14, 2017
PHP 7.2 Replacement for JWT
<?php
declare(strict_types=1);
use ParagonIE\ConstantTime\Base64UrlSafe;
class JWTKiller
{
    public static function sign(string $message, Key $key): string
    {
        $mac = sodium_crypto_auth($message, $key->getRaw());
@paragonie-scott
paragonie-scott / cacert-2019-05-15.diff
Created May 15, 2019
Difference between cacert-2019-01-29.pem and cacert-2019-05-15.pem
diff --git a/cacert-2019-01-23.pem b/cacert-2019-05-15.pem
index 09b4ce1..8e92f77 100755
--- a/cacert-2019-01-23.pem
+++ b/cacert-2019-05-15.pem
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
+## Certificate data from Mozilla as of: Wed May 15 03:12:09 2019 GMT
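Review bot: the file headers name cacert-2019-01-23.pem as the baseline while the gist description says cacert-2019-01-29.pem; one of the two dates is wrong, and a trust-store diff needs an unambiguous baseline so consumers can tell which bundle they are upgrading from. Correct whichever side is mistaken.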