Skip to content

Instantly share code, notes, and snippets.

View paragonie-scott's full-sized avatar

Scott paragonie-scott

View GitHub Profile
@paragonie-scott
paragonie-scott / crypto-wrong-answers.md
Last active August 17, 2024 06:33
An Open Letter to Developers Everywhere (About Cryptography)
@paragonie-scott
paragonie-scott / js-php-encrypt.md
Last active September 14, 2022 22:04
String Encryption in JavaScript and PHP

Just for fun, let's encrypt some stuff in client-side JavaScript and have a PHP server decrypt it. Note that this will never replace TLS (HTTPS).

JavaScript Encryption with Sodium-Plus

You'll want the latest release of sodium-plus for this. (As of this writing, it's version 0.4.0.)

<script
  src="/static/js/sodium-plus.min.js"
 integrity="sha384-lv7SVE0eb0bXA3fgK6PwlhViiUwG6tBuMAhS8XX7RvBvyRcdEdJ8HKtFgs4vHTUh"
@paragonie-scott
paragonie-scott / autoload.php
Created May 14, 2017 16:58
defuse/php-encryption autoloader
<?php
define('DEFUSE_CRYPTO_BASEDIR', __DIR__.'/src/');
/**
* PSR-4 compatible autoloader
*
*/
\spl_autoload_register(function ($class) {
// Project-specific namespace prefix
@paragonie-scott
paragonie-scott / rsa-encrypt.php
Created December 12, 2016 04:50
RSA Limits Demo
<?php
$publicKey = openssl_pkey_get_public('
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7o9A47JuO3wgZ/lbOIOs
Xc6cVSiCMsrglvORM/54StFRvcrxMi7OjXD6FX5fQpUOQYZfIOFZZMs6kmNXk8xO
hgTmdMJcBWolQ85acfAdWpTpCW29YMvXNARUDb8uJKAApsISnttyCnbvp7zYMdQm
HiTG/+bYaegSXzV3YN+Ej+ZcocubUpLp8Rpzz+xmXep3BrjBycAE9z2IrrV2rlwg
TTxU/B8xmvMsToBQpAbe+Cv130tEHsyW4UL9KZY1M9R+UHFPPmORjBKxSZvjJ1mS
UbUYN6PmMry35wCaFCfQoyTDUxBfxTGYqjaveQv4sxx0uvoiLXHt9cAm5Q8KJ+8d
@paragonie-scott
paragonie-scott / jose-security.md
Last active June 12, 2020 11:32
Suggestions for a Secure JOSE Alternative (or Protocol Upgrade)

Changes to JOSE that will prevent insecurity

Deletions

JWS and JWE

Drop the alg header

Neither JOSE users nor JOSE library designers should be required to understand cryptography primitives. At a lower level, this can lead to badly implemented primitives. On a higher level, this can lead to reasoning by lego.

@paragonie-scott
paragonie-scott / gist:c7a73fd0f759e451cf07
Created March 8, 2016 02:22 — forked from sarciszewski/gist:88a7ed143204d17c3e42
Javascript CSPRNG for Integers
function secure_rand(min, max) {
var rval = 0;
var range = max - min;
if (range < 2) {
return min;
}
var bits_needed = Math.ceil(Math.log2(range));
if (bits_needed > 53) {
throw new Exception("We cannot generate numbers larger than 53 bits.");
@paragonie-scott
paragonie-scott / SVG Fails.md
Last active May 8, 2020 03:49
image/svg+xml considered harmful: an open letter to member-svg-media-type@w3.org

Update

Filed an issue to address this particular concern.

Thanks joepie91 for finding the folks responsible and getting the conversation started.


Currently, SVG is a security foot-cannon that allows attackers to upload a Stored XSS payload when a user views the image directly. Example.

@paragonie-scott
paragonie-scott / cacert-2019-10-16.diff
Created October 23, 2019 22:31
Diff between cacert-2019-08-28.diff and cacert-2019-10-16.pem
diff --git a/cacert-2019-08-28.pem b/cacert-2019-10-16.pem
index 65be218..edc5090 100755
--- a/cacert-2019-08-28.pem
+++ b/cacert-2019-10-16.pem
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Aug 28 03:12:10 2019 GMT
+## Certificate data from Mozilla as of: Wed Oct 16 03:12:09 2019 GMT
@paragonie-scott
paragonie-scott / JWTKiller.php
Created March 14, 2017 21:37
PHP 7.2 Replacement for JWT
<?php
declare(strict_types=1);
use ParagonIE\ConstantTime\Base64UrlSafe;
class JWTKiller
{
public static function sign(string $message, Key $key): string
{
$mac = sodium_crypto_auth($message, $key->getRaw());
@paragonie-scott
paragonie-scott / cacert-2019-05-15.diff
Created May 15, 2019 20:29
Difference between cacert-2019-01-29.pem and cacert-2019-05-15.pem
diff --git a/cacert-2019-01-23.pem b/cacert-2019-05-15.pem
index 09b4ce1..8e92f77 100755
--- a/cacert-2019-01-23.pem
+++ b/cacert-2019-05-15.pem
@@ -1,7 +1,7 @@
##
## Bundle of CA Root Certificates
##
-## Certificate data from Mozilla as of: Wed Jan 23 04:12:09 2019 GMT
+## Certificate data from Mozilla as of: Wed May 15 03:12:09 2019 GMT