Skip to content

Instantly share code, notes, and snippets.

View sdrapkin's full-sized avatar
🛡️

sdrapkin

🛡️
51 followers · 0 following
View GitHub Profile
@sdrapkin
sdrapkin / HMAC__HKDF_Expand__SP800_108_Ctr.cs
Created January 6, 2024 20:47
Dangers of HMAC, HKDF.Expand, and SP800_108_Ctr
void Main() //LINQPad
{
var key1 = RandomNumberGenerator.GetBytes(128 + 1);
var hash_of_key1 = SHA512.HashData(key1);
var empty = Array.Empty<byte>();
(Enumerable.SequenceEqual(key1, hash_of_key1)).Dump("key1 == hash_of_key1 ?");
{
var r1 = Convert.ToHexString(HMACSHA512.HashData(key: key1, source: empty));
@sdrapkin
sdrapkin / TinyORM benchmark January-11-2019.txt
Created January 11, 2019 18:48
TinyORM benchmark January-11-2019
Warming up DB, DB client code and CLR
====================================================================
DataTable, using DbDataAdapter. Change tracking: True. Caching: False.
--------------------------------------------------------------------------------------------
[13:32:02] # of elements fetched: 31465. Fetch took: 214.79ms. Enumerating result took: 25.81ms.
[13:32:03] # of elements fetched: 31465. Fetch took: 204.54ms. Enumerating result took: 24.42ms.
[13:32:03] # of elements fetched: 31465. Fetch took: 195.04ms. Enumerating result took: 24.98ms.
[13:32:03] # of elements fetched: 31465. Fetch took: 211.50ms. Enumerating result took: 24.06ms.
@sdrapkin
sdrapkin / Login.gov encryption is badly designed.md
Last active December 6, 2018 15:03
Login.gov encryption is badly designed

Login.gov encryption is badly designed

Disclaimer: everything that follows is a personal opinion - not an assertion of fact.

Regulatory/Compliance flaws

NIST has created Federal Information Processing Standard (FIPS) 140-2: Security Requirements for Cryptographic Modules. FIPS requirements are mandatory for Federal Government agencies, as prescribed by FISMA law. FIPS-140-2 Annex D covers Approved Key Establishment Techniques. The only FIPS-approved password-based key derivation algorithm is PBKDF2 (NIST SP800-132). Login.gov uses scrypt, which is not FIPS-approved. The FIPS-approved key-derivation algorithms are mostly covered by NIST SP800-108. Login.gov uses several custom approaches for key derivation, none of which are FIPS-approved.

Summary:
@sdrapkin
sdrapkin / RSA APIs in .NET - a crypto-trek rant.md
Created June 22, 2017 19:54
RSA APIs in .NET - a crypto-trek rant

RSA APIs in .NET - a crypto-trek rant

The stardate is 2017-06. In your .NET Enterprise mission to seek out biweekly paychecks you find yourself in need of RSA encryption. You check MSDN and do:

var rsa = RSA.Create();
  • Problem: the default RSA key size is 1024 (insecure).

You know about it because you've learned long ago that the only way to use .NET crypto APIs correctly is by reading implementation internals - you've seen 1024 hardcoded in the ctor. Defaults are forever, since "the needs of many outweigh the needs of the few" and all that. Fine, you'll set the key size explicitly. You double check MSDN again just to make sure that rsa.KeySize should do the job:

AssymmetricAlgorithm.KeySize: Gets or sets the size, in bits, of the key modulus used by the asymmetric algorithm.