Best of Cryptography2024

  1. 1
    Article
    Avatar of hnHacker News·2y

    Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)

    The post explores TicketMaster's SafeTix rotating barcode system. It critiques the system's shortcomings, such as its reliance on internet connectivity and the potential for usability issues. The author reverse engineers the barcode mechanics, revealing how static bearer tokens and TOTP-based six-digit numbers are used to validate tickets. The motivations behind SafeTix's implementation, including reducing ticket fraud and promoting TicketMaster's app, are analyzed. The conclusion stresses the drawbacks of excluding people from events through tech barriers.

  2. 2
    Article
    Avatar of communityCommunity Picks·1y

    Golang 1.24 is looking seriously awesome

    Golang 1.24 introduces several notable features and improvements: a 2-3% performance boost, a new weak pointer implementation, support for post-quantum cryptography in `crypto/tls`, the `omitzero` tag for better zero value handling in `encoding/json`, and a `tool` directive in `go.mod`. The release also enhances the testing package with context support and introduces an experimental `testing/synctest` package for concurrent code testing. These updates promise better memory usage, enhanced security, and improved developer experience.

  3. 3
    Article
    Avatar of communityCommunity Picks·2y

    A complete guide to secure password storage

    The post provides a detailed guide on secure password storage, emphasizing the importance of hashing, salting, and using a pepper to protect passwords. It covers various hashing algorithms like Argon2id, Scrypt, BCrypt, and PBKDF2, and explains how to implement these techniques in practice, including handling existing applications. Additionally, it discusses the vulnerabilities of password storage, such as brute force attacks and rainbow tables, and offers methods to mitigate them.

  4. 4
    Article
    Avatar of systemweaknessSystem Weakness·2y

    Password Cracking 101

    Learn essential techniques for cracking password hashes and analyze cryptographic algorithms. Discover the concepts of cryptography, hashing, and salting. Get hands-on with tools like hashid, ShellScript, PowerShell, MD5, and Hashcat for practical password cracking exercises.

  5. 5
    Article
    Avatar of systemweaknessSystem Weakness·2y

    JSON WEB TOKEN (JWT)

    JSON Web Tokens (JWT) are a standard mechanism for transferring cryptographically signed JSON data, commonly used for access control, session handling, and authentication. Unlike traditional session tokens, JWTs store all necessary data client-side, making them ideal for distributed systems. JWTs consist of a payload, a signature, and a header. They are often used with JSON Web Signature (JWS) and JSON Web Encryption (JWE) extensions. JWT vulnerabilities include flawed signature verification, secret key brute-forcing, header parameter injections, and algorithm confusion attacks. To mitigate these risks, it's crucial to perform robust signature verification, use up-to-date libraries, and apply best practices such as setting token expiration dates and avoiding tokens in URL parameters.

  6. 6
    Article
    Avatar of threedotslabsThree Dots Labs·2y

    Live website updates with Go, SSE, and htmx

    Learn how to push live updates to your website using Go, SSE, and htmx. SSE endpoints in Go are slightly different from HTTP endpoints because you don't just write data to the ResponseWriter and return from the function. The connection stays alive until the client (the browser) closes it.

  7. 7
    Article
    Avatar of communityCommunity Picks·2y

    fffaraz/awesome-cpp: A curated list of awesome C++ (or C) frameworks, libraries, resources, and shiny things. Inspired by awesome-... stuff.

    A curated list of awesome C++ (or C) frameworks, libraries, resources, and shiny things.

  8. 8
    Article
    Avatar of hnHacker News·2y

    Please Stop Inventing New Software Licences

    Creating new software licences can be problematic for open-source projects by adding confusion and barriers for potential contributors. The author discusses their experience with Cyph's proprietary licence and the complications it introduced, ultimately discouraging them from contributing. Adhering to existing OSI Approved Licences can foster a more welcoming community for contributors.

  9. 9
    Article
    Avatar of communityCommunity Picks·2y

    Database 101: SSL/TLS for beginners

    The post provides a beginner-friendly guide on setting up secure and encrypted connections for databases, specifically using SSL/TLS. It covers fundamental concepts, along with practical steps for implementing SSL/TLS using OpenSSL, and configuring authentication in ScyllaDB. The post also includes code snippets and a detailed walk-through for testing encrypted connections using Node.js.

  10. 10
    Article
    Avatar of hnHacker News·2y

    rustgo: calling Rust from Go with near-zero overhead

    This post describes an experiment to call Rust code from Go with near-zero overhead, aimed at replacing assembly code for cryptographic operations. It explains why Rust is chosen over assembly and cgo, details the linking process, and provides a working example that integrates Rust and Go. The post concludes with performance benchmarks showing that rustgo is significantly faster than cgo and almost as fast as a Go function call.

  11. 11
    Article
    Avatar of coinsbenchCoins Bench·2y

    Insecure Randomness in Smart Contracts

    Smart contracts on blockchain cannot achieve true randomness due to the deterministic nature of blockchains, pushing developers to use pseudo-random number generators (PRNGs). Methods relying on block properties or blockhashes are susceptible to miner tampering and predictability. External solutions like Chainlink VRF and onchain VRFs like Harmony VRF offer more secure random number generation but come with additional costs. The Signidice algorithm and the commit-reveal approach provide additional methodologies, each with their own sets of advantages and limitations. The choice of method depends on the specific requirements and incentives of the contract.

  12. 12
    Article
    Avatar of rubyflowRuby Flow·1y

    OWASP Cheat Sheet Series

    Learn the proper methods for storing passwords to ensure they remain protected even if an application or database is compromised. This guide highlights the importance of using hashing (not encryption) for passwords, the benefits of using salts and peppers, and the recommended hashing algorithms like Argon2id, scrypt, bcrypt, and PBKDF2. It also discusses work factors, upgrading legacy hashes, and ensuring compatibility with international characters.

  13. 13
    Article
    Avatar of ayendeAyende @ Rahien·1y

    Isn't it ironic: Money isn't transactional

    The author, who works on transactional databases, finds it ironic that there are no real-world transactions for money transfers, highlighting inefficiencies in the banking system. They share an example where a payment remained pending despite the recipient confirming receipt, providing insights into historical banking methods and distributed system design.

  14. 14
    Video
    Avatar of davidbombalDavid Bombal·2y

    Never access the Dark Web without doing this! (Tor and Telegram demos)

    The post provides insights into safely navigating the dark web, focusing on operational security (OPSEC). It highlights the importance of using secure tools like Tor and Telegram while discussing the risks of encountering illegal content. The post also mentions reputable sources like the Dark Net Marketplace Bible for OPSEC best practices. Additionally, it promotes TCM Security's certifications, which include comprehensive training and practical exams in penetration testing.

  15. 15
    Article
    Avatar of medium_jsMedium·2y

    QNNs: The Next Chapter in AI

    Quantum Neural Networks (QNNs) combine quantum computing principles with traditional neural networks to enhance computational efficiency and solve complex problems more effectively. QNNs excel in fields like cryptography, climate modeling, and pharmaceutical research by leveraging properties like superposition and entanglement. Despite challenges in developing scalable quantum hardware and effective algorithms, the potential benefits are significant. Ethical considerations such as data privacy, algorithmic transparency, and equitable access are crucial for responsible development and deployment of QNNs.

  16. 16
    Article
    Avatar of communityCommunity Picks·2y

    oz123/awesome-c: A curated list of awesome C frameworks, libraries, resources and other shiny things. Inspired by all the other awesome-... projects out there.

    A curated list of awesome C frameworks, libraries, resources, and tools.

  17. 17
    Article
    Avatar of communityCommunity Picks·2y

    Paseto is a Secure Alternative to the JOSE Standards (JWT, etc.)

    Paseto (Platform-Agnostic Security Tokens) is introduced as a secure alternative to JSON Web Tokens (JWT) and related JOSE standards. Paseto simplifies security by eliminating the complexities and vulnerabilities associated with JWT, like choosing algorithms and handling encryption keys. It offers versioned protocols with predefined ciphersuites to avoid configuration errors and downgrade attacks. Paseto aims to be secure by default, and its straightforward design makes it easy to implement and use. The new version 0.5.0 is ready for production use, with talks of submitting it as a standard to the IETF.

  18. 18
    Article
    Avatar of bitfieldconsultingBitfield Consulting·2y

    Cryptography in Go: AES encryption — Bitfield Consulting

    This post discusses AES encryption in the Go programming language, covering key cipher modes such as Electronic Code Book (ECB) and Cipher Block Chain (CBC). It provides practical examples of how to use the `crypto/aes` package to encrypt and decrypt data. The author also introduces Galois Counter Mode (GCM) for added security through message integrity checks, and challenges readers to implement their own CLI tools for encryption and decryption.

  19. 19
    Article
    Avatar of hnHacker News·2y

    project-oak/oak: Meaningful control of data in distributed systems.

    Oak is a platform for building distributed systems that provide externally verifiable claims about system behaviors. It focuses on Enclave Applications, which operate in isolated and remotely attestable environments. Oak uses Trusted Execution Environments (TEEs) for secure computations and remote attestation to establish trustworthiness. Its architecture minimizes the need to trust the service provider by ensuring encryption and verifiable integrity. Oak supports various TEE configurations, including minimal microkernels and full Linux containers. Transparent Release processes ensure that any modifications to Enclave Applications are logged and verifiable.

  20. 20
    Video
    Avatar of davidbombalDavid Bombal·1y

    Hacker explains Crypto (Cryptography tutorial)

    The post explains the fundamentals of cryptography, starting with basic concepts such as the birthday paradox, exclusive OR (XOR) operations, and different types of ciphers. It emphasizes the importance of knowing the basics of cryptographic algorithms and operations before diving into advanced topics. Additionally, it covers symmetric key cryptography and the significance of initialization vectors in encryption. The post also touches on more complex topics like stream ciphers and block ciphers, highlighting the importance of rekeying and managing initialization vectors properly to maintain security.

  21. 21
    Article
    Avatar of glwGolang Weekly·2y

    Golang Weekly Issue 523: September 17, 2024

    Explore different methods for creating Retrieval-Augmented Generation (RAG) servers in Go, ranging from Gemini + Weaviate to LangChain and Genkit. Learn about WorkOS, a B2B SaaS identity platform that simplifies the integration of SSO and RBAC. Understand how to run Go in the browser using WebAssembly, including reducing WASM binary size with TinyGo. Discover the benefits of using Go instead of Bash for scripting across platforms. Delve into AES encryption in Go with practical examples and explanations. Also, check out the latest GoLand IDE features and the enhanced TinyGo Playground for simulating hardware and measuring power consumption.

  22. 22
    Video
    Avatar of davidbombalDavid Bombal·2y

    Is this the best Cybersecurity beginner cert? (Includes Giveaway!)

  23. 23
    Article
    Avatar of elmahelmah.io·2y

    What's new in .NET 9: Cryptography improvements

    Microsoft is introducing significant cryptography updates in .NET 9, set to release in mid-November 2024. Notable updates include the new CryptographicOperations.HashData method, which simplifies and enhances the process of hashing data, and the incorporation of KMAC (KECCAK Message Authentication Code) for improved data integrity and security. KMAC offers various modes and flexible output lengths, supporting modern cryptographic needs while ensuring compatibility with the latest systems.

  24. 24
    Article
    Avatar of communityCommunity Picks·2y

    Implementing RSA in Python from Scratch

    Learn how to implement RSA encryption in Python from scratch. Explore the math behind RSA, generate keys, and encrypt and decrypt messages.

  25. 25
    Article
    Avatar of hnHacker News·2y

    Programming ZKPs: From Zero to Hero

    This tutorial introduces software engineers to Zero Knowledge Proofs (ZKPs), providing a step-by-step guide on programming ZKPs from scratch. It covers setting up the environment, writing basic circuits, performing a trusted setup, and generating and verifying proofs. Examples include creating a simple ZKP for proving knowledge of secret values, implementing constraints, and building a digital signature scheme using hash functions and commitments. The tutorial also touches on group signature schemes and provides exercises for deeper understanding.

See all Cryptography archives