Channel: LibreCryptography
Back to Argon2 (briefly)
1. More corroboration that Argon2 uses Blake2b = https://security.stackexchange.com/questions/201714/is-there-any-advantage-to-combining-a-hash-algorithm-with-a-key-derivation-funct
2. Reminder that Argon2 is RFC approved for PHP (>7.3 ; we can implement that with Roundcube reliably now because of that) = https://wiki.php.net/rfc/argon2_password_hash_enhancements [shows their initial RFC application]
3. RFC debate with Argon2 team on PHP = https://externals.io/message/94854
4. SHA-3 Zoo = https://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo (has a comprehensive list of all the hashing algorithms)
^^^ While Blake2b is in there (and is slower than SHA512 - which may not be a bad thing ) - there is still
Information Security Stack Exchange
Is there any advantage to combining a hash algorithm with a key-derivation function?
Let's assume I would like to secure passwords using a modern KDF such as Argon2. The flow of information would look like this: $hash,$salt = argon2id($password, $salt).
Is there any advantage to f...
We have to be skeptical of any and all NIST deployments (de facto) no matter what = https://mailarchive.ietf.org/arch/msg/cfrg/dtUZzdkrAFXf2Zth6WiWm3GkprM/ (and this makes that painfully clear)
This response to the 'Modern Crypto' mailing list is what personally has me a bit worried (to a certain extent) about using any NIST curves (which is why we had to swap out on our website) - but still = https://moderncrypto.org/mail-archive/curves/2015/000653.html
Schnorr DLEQ Concerns (referring to Schnorrkell) = https://moderncrypto.org/mail-archive/messaging/2020/002581.html [from moderncrypto.org]
Schnorr's has already been integrated into the $BCH blockchain (lol). Let's see how this rabbit hole goes at some point in the very near future.
Skein
1. More than likely the most secure hash function on planet earth.
2. Skein-1024 is integrated with 'Threefish' (with a threefish bit strength that matches that of the Skein implementation) ; 1024 = 1024 (ratio perfect)
2a. Addressing the concerns regarding Threefish and the alleged attacks that were found on several of its rounds (response from one of the co-authors of Threefish [as well as Skein]) = https://crypto.stackexchange.com/questions/11725/has-threefish-successfully-been-attacked-practically-or-theoretically/11727
2b. Attack in question was mentioned in this paper (published by the team) = http://www.skein-hash.info/sites/default/files/skein1.3.pdf
^^^ SHA-3 finalist (but Keccak was the hash function that won out ; Ethereum is using Keccak as well, but not the same iteration as what was submitted to the NIST)
3. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf [exponentially more secure than the original Threefish - seems that there are *very few individuals out there right now that even know that this exists*] <— that's interesting, going to have to do more homework on this
—-
Is it possible to draw from an implementation of Skein-1024 that utilizes Threefish (1024) McOE mode?
Link that attests to the fact that Skein-1024 is the equivalent of 2^452
Cryptography Stack Exchange
Has threefish successfully been attacked (practically or theoretically)?
Reading Schneier's "The Doghouse: Crypteto" dated September 30, 2009, I noticed Bruce Schneier stating:
Threefish, the block cipher inside Skein, encrypts data at 7.6 clock cycles/byte with a 25...
Minio + Nextcloud (marriage) = https://autoize.ch/minio-as-nextcloud-primary-storage/
Autoize Europe
Definitive Guide to using Minio as NextCloud Primary Storage | Autoize Europe
Minio is an on-premises object storage server that can be deployed as a Minio cluster (with local storage) or as a gateway to other object storage services with their own API such as Backblaze B2, Azure Blob Storage, and Google Cloud Storage. Because Minio…
1. Blake2b Information (straight from one of the creators of the hash algorithm itself) = https://crypto.stackexchange.com/questions/31674/what-advantages-does-keccak-sha-3-have-over-blake2
2. Catalog of hardware implementations for SHA3 competitors = ehash.iaik.tugraz.at/wiki/SHA-3_Hardware_Implementations#High-Speed_Implementations_.28ASIC.29
3. Catalog of Hash Functions = https://www.cs.rit.edu/~ark/662/module11/notes.shtml
4. Threefish McOE Mode = https://eprint.iacr.org/2011/644.pdf
5. PHP Code for Implementing Argon2id = https://www.php.net/manual/en/function.password-hash.php
6. Argon2id Winner of the Password Hashing Competition = https://password-hashing.net/
Notably, password hashing is in a different category than 'regular' hash functions (for data) - like SHA-based functions.
Cryptography Stack Exchange
What advantages does Keccak/SHA-3 have over BLAKE2?
Keccak/SHA-3 is new NIST standard for cryptographic hash functions. However, it is much slower than BLAKE2 in software implementations. Does Keccak have compensating advantages?
Internet Routing (RPKI) = https://rpki.readthedocs.io/en/latest/rpki/bgp-routing.html [this is a solution that we want to start looking toward in the near future to simply enhance security even more (at least with our website) to ensure that *correct*, non-hijacked routes are being taken in order to visit our site]
^^^ We're quite a ways away from obtaining such an infrastructure.
(there's a surprising amount of cryptography-related information that we need to disseminate in relation to what we've been working on, on the 'personal' side of things)
So, without further ado - let's get started.
PrivateBin
Many have heard of this app - but if you haven't, go ahead and take a look at their website here: https://privatebin.info/jsdoc/privatebin.js.html
—
It's already pretty well designed (we've peered all through the code).
Some of the things that we're working on now, however, to enhance its efficacy:
1. Mixing in better ciphers for AEAD. While AES-256 is great, it's more so for raw encryption (keeping contents private vs. authenticating information) <— not to say that AES can't do a great job at this as well.
2. In particular, since we're dealing with data streams, xchacha20-poly1305 doesn't seem like a bad option.
Pending RFC for xChaCha20-Poly1305 = https://tools.ietf.org/html/draft-arciszewski-xchacha-00
—-
3. We're also working on upgrading the hashing algorithm (preferably implementing Argon2 as a drop-in replacement or, at the very least, swapping the PBKDF-256 algo for ssha-512 instead) <— this is necessary because of the proliferation of Bitcoin miners that are out here capable of mining 110TH/s
The issue here is that the code authenticates some of the web client data to the fingerprint of the deployment (there are also some Web Crypto issues as well)
^^ These are not things that cannot be worked around, but they're still issues nonetheless.
*Edit* = Relevant code can be found here - https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-the-loading-message-not-go-away
GitHub
FAQ
A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES. - PrivateBin/PrivateBin
Read Command for Linux
Somewhat outdated, but it's still entirely relevant to this channel - for those of you that may be running cryptographic operations in your terminal.
Links:
1. https://medium.com/@blackode/read-command-linux-shell-ee84a45591f5
2. https://www.geeksforgeeks.org/read-command-in-linux-with-examples/
3. https://linuxhandbook.com/read-command/
4. https://www.baeldung.com/linux/read-command
^^ All of these are great resources to read up on when it comes to the Linux 'read' command.
This is what you want to use in order to pipe in passwords on the terminal (versus typing them out directly).
Most UNIX OSes keep a pretty robust log of all of the commands run.
Medium
Read Command Linux Shell
Reading is a good habit.
Argon2id
We've been doing a *ton* of work with Argon2id lately!
If you're not up to date on this password-based hashing algorithm, then we'd recommend that you read up!
^^^ That doesn't mean that the most popular alternatives (i.e., ssha512 / ssha256) are inferior as solutions to Argon2 when it comes to password-based hashing (there are other things that PBKDF / HMAC-based hash functions from the SHA family are superior in, we'll get to those things later).
Relevant Links & Resources:
1. Argon2 Specification = https://password-hashing.net/argon2-specs.pdf
2. Password Hashing Competition Winner (yes, this is a legitimate competition) = https://password-hashing.net/
3. Official GitHub for Argon2 = https://github.com/p-h-c/phc-winner-argon2
4. Another Great Git Repo for Argon2 (if you're going to visit the other, it only makes sense to check this one out as well) = https://github.com/antelle/argon2-browser
^^ *side note*: 'Keeweb' (open source password manager, been around 10+ years - very much trusted by the community) has already implemented a version of their password vault client (100% free, as always) that incorporates the Argon2 hash + salting algo.
The relevant code for that facet of its functionality can be found here:
https://github.com/keeweb/keeweb/blob/develop/app/scripts/util/kdbxweb/kdbxweb-init.js#L11
What's the Big Deal?
Many that aren't really familiar with cryptography often confuse hashing with encryption.
There is a marked difference between the two operations. As such, both functions require entirely different operations.
The cryptographic 'primitive' that you are probably most familiar with = SHA-256 (used in Bitcoin)
To be clear, there are no native encryption mechanisms for Bitcoin - so when we dig into the cryptography laced within its protocol we're working with somewhat of a 'deficit' (if we're to consider privacy a desired solution)
^^ But we digress
—
SHA-Based Hash Algorithms Are Designed for Speed
Contrary to Argon2 (which is memory-intensive to a much greater extent than 'Scrypt') - SHA-based algorithms are designed to be optimized by hardware.
This may seem counterintuitive, but it matters in an environment where quickly hashing & validating information is of importance (i.e., 'live-time' encryption "on the fly", where hash algorithms are needed to rapidly assess the integrity of whatever assets are being transferred / obtained / etc.).
One example of an app that we have deployed (open source) where this means of hashing (plus authenticating data) is favorable vs. Argon2id = StandardNotes (encrypted, synced notes manager)
Link = https://standardnotes.org/
Every note created on the app has its own signature & the notes are encrypted + synced constantly in live time, so it's critical that an effective hash algorithm can be deployed in this situation that allows for efficient authentication / verification.
Standardnotes
Standard Notes | End-To-End Encrypted Notes App
Standard Notes helps you gain control in a world that often feels out of control. Protect your life's work with end-to-end encryption, advanced security measures, and unmatched privacy controls.
For Password-Based Algorithms You Want to Seek the Opposite
It goes without saying, but when it comes to securely storing one's password, whatever cryptographic primitives that are used to secure it should be:
A) Memory intensive (i.e., 'Argon2id' ; this is a variation of the Argon2 hash / salt scheme we've been discussing up to this point, but we'll get to that later)
B) Expensive to hash (even if this results in somewhat of a higher load for the hardware / chip that's going to need to ultimately run the cryptographic scheme in live time).
We need to keep in mind that we don't need to access passwords that often. And, comparatively speaking, they're very tiny pieces of data (vs. the amount of encrypted data that must be encrypted + decrypted + synced back & forth continuously when it comes to ensuring StandardNotes' continued functionality).
C) Encrypt, then MAC (in that order, specifically) = https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
This is age old wisdom handed down from the OGs of cryptography and math.
Pay heed.
D) Understand *what kind of mode* you should be using if you're implementing AES encryption (yes, it does matter - substantially - in terms of both performance + security).
E)
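The ordering in item C, worked through as an added example that is not part of the original post. It uses PHP's openssl and hash extensions with AES-256-CTR and HMAC-SHA256; the function names, key labels and sample message are assumptions made for the example.

```php
<?php
declare(strict_types=1);

const IV_LEN  = 16; // AES block size, used as the CTR counter block
const TAG_LEN = 32; // HMAC-SHA256 output length

/** Derive separate encryption and MAC keys from one master key (labels are assumed). */
function derive_keys(string $master): array
{
    return [
        hash_hkdf('sha256', $master, 32, 'example-encrypt'),
        hash_hkdf('sha256', $master, 32, 'example-mac'),
    ];
}

/** Encrypt first, then MAC the IV and ciphertext. Output: IV || ciphertext || tag. */
function seal_message(string $plaintext, string $master): string
{
    [$encKey, $macKey] = derive_keys($master);
    $iv = random_bytes(IV_LEN);
    $ct = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true);
}

/** Check the tag in constant time; decrypt only if it matches. */
function open_message(string $blob, string $master): string
{
    if (strlen($blob) < IV_LEN + TAG_LEN) {
        throw new RuntimeException('message too short');
    }
    [$encKey, $macKey] = derive_keys($master);
    $iv  = substr($blob, 0, IV_LEN);
    $ct  = (string) substr($blob, IV_LEN, -TAG_LEN);
    $tag = substr($blob, -TAG_LEN);

    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo data.
$master = random_bytes(32);
$blob   = seal_message('note body (constructed sample)', $master);
echo open_message($blob, $master), PHP_EOL;

// Flip one bit of the ciphertext: the MAC check rejects the message
// before the decryption routine ever touches attacker-modified bytes.
$tampered = $blob;
$tampered[IV_LEN] = chr(ord($tampered[IV_LEN]) ^ 0x01);
try {
    open_message($tampered, $master);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```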
Libraries / Languages That Already Contain 'Out of the Box' Implementations For Argon2id
Keep in mind that if you're upgrading a system that is already in production use, you're going to lock yourself out by default (assuming that the salted and/or hashed version of your password is stored in data vs. the actual clear text, "raw" password that's used).
If you have a means of logging back in, then this is a trivial matter. However, if you don't then...
1. NodeJS Implementation = https://www.npmjs.com/package/argon2
2. Python Integration (for Argon2 ; among other algorithms) :
a. https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html
b. https://cryptobook.nakov.com/mac-and-key-derivation/argon2
3. Golang Implementation = https://godoc.org/golang.org/x/crypto/argon2
4. Java = https://github.com/phxql/argon2-jvm
5. Argon2 Rust Implementation = https://docs.rs/just-argon2/1.2.0/argon2/
6. php reference docs = https://www.php.net/manual/en/function.password-hash.php
—
Argon2 comes pre-packaged with PHP in versions 7.3 & above
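One way to avoid the lock-out described above is to upgrade each stored record at the user's next successful login, while the plaintext is briefly available. This is an added example, not code from the original post or from any of the listed libraries; the legacy record layout, the cost parameters and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed Argon2id costs for this example (memory_cost is in KiB); tune per host.
const ARGON_OPTS = ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1];
const LEGACY_TAG = '{SSHA512}';

/** Assumed legacy layout: "{SSHA512}" . base64(sha512(password . salt) . salt). */
function legacy_hash(string $password, string $salt): string
{
    return LEGACY_TAG . base64_encode(hash('sha512', $password . $salt, true) . $salt);
}

function legacy_verify(string $password, string $stored): bool
{
    $raw = base64_decode(substr($stored, strlen(LEGACY_TAG)), true);
    if ($raw === false || strlen($raw) <= 64) {
        return false; // malformed record or missing salt
    }
    $digest = substr($raw, 0, 64);
    $salt   = substr($raw, 64);
    return hash_equals($digest, hash('sha512', $password . $salt, true));
}

/**
 * Check a login attempt. Returns [accepted, replacementHash]; replacementHash is
 * non-null when the stored record should be overwritten with an Argon2id hash.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (strncmp($stored, LEGACY_TAG, strlen(LEGACY_TAG)) === 0) {
        $ok = legacy_verify($password, $stored);
        return [$ok, $ok ? password_hash($password, PASSWORD_ARGON2ID, ARGON_OPTS) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Also covers later cost increases: Argon2id hashes made with older
    // parameters are re-hashed with the current ones.
    $stale = password_needs_rehash($stored, PASSWORD_ARGON2ID, ARGON_OPTS);
    return [true, $stale ? password_hash($password, PASSWORD_ARGON2ID, ARGON_OPTS) : null];
}

// Constructed demo: one user record still stored in the legacy format.
$users = ['alice' => legacy_hash('correct horse battery', random_bytes(16))];

foreach (['wrong guess', 'correct horse battery', 'correct horse battery'] as $attempt) {
    [$ok, $replacement] = verify_and_upgrade($attempt, $users['alice']);
    if ($replacement !== null) {
        $users['alice'] = $replacement; // persist together with the login itself
    }
    printf(
        "%-22s accepted=%s stored=%s...\n",
        $attempt,
        $ok ? 'yes' : 'no',
        substr($users['alice'], 0, 10)
    );
}
```

Accounts that never log in again stay on the legacy scheme, so a deployment still needs a cut-off date or a forced reset for those records.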
npm
npm: argon2
An Argon2 library for Node. Latest version: 0.43.0, last published: 2 months ago. Start using argon2 in your project by running `npm i argon2`. There are 458 other projects in the npm registry using argon2.
(peripherally related - some 'AJAX' coverage) — Inter-language Support for php Using 'AJAX'
If you need your cherry busted on this topic, go ahead and visit this link here = https://www.geeksforgeeks.org/php-json_encode-function/
—-
Relevance
When we were tweaking the 'PrivateBin' code to enhance the cryptographic primitives (partially for fun), one of the 'roadblocks' that we ran into was porting our PHP code and created environment variables into some of the 'javascript' packages that come pre-packaged with 'PrivateBin'.
Obviously, if you're creating a script / config file that is written in a certain language (the suffix almost always gives that away), then it becomes damn near infeasible to run said code in a co-dependent manner.
There's certainly no way to 'authenticate' or 'meld' commands between languages "on the fly" - so this isn't something that we're going to consider entertaining for the time being.
*edit* = Here's a fairly thorough guide on how it works = https://www.w3resource.com/ajax/working-with-PHP-and-MySQL.php
GeeksforGeeks
PHP | json_encode() Function - GeeksforGeeks
A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.
More Relevant, Password-Based Hashing Resources
1. 'Reading Passwords From 'STDIN' in PHP' = https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 ; this was of particular importance for us because PrivateBin is built on php modules (so are many other apps - including our main web client)
^^^ This guide addresses how to create & pipe in commands using the 'password' variable (or another suitably secure alias for the command).
Obviously, Argon2 was our target algorithm here (which has yet to be deployed fully in any of our solutions up to this point).
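The point of this post and of the earlier 'read' command post (keep the password off the command line, where the shell's command log would record it), as an added PHP CLI example that is not taken from the linked guide. It assumes a POSIX terminal with `stty` available; the function name and cost parameters are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Read one line from STDIN. On a terminal, echo is switched off via stty
 * (a POSIX system is assumed); piped input is read as-is.
 */
function read_secret(string $prompt = 'Password: '): string
{
    $tty   = stream_isatty(STDIN);
    $saved = '';
    if ($tty) {
        fwrite(STDERR, $prompt);                       // keep STDOUT clean for the result
        $saved = trim((string) shell_exec('stty -g')); // remember the terminal settings
        shell_exec('stty -echo');
    }
    try {
        $line = fgets(STDIN);
    } finally {
        if ($tty) {
            // Always restore the terminal, even if reading failed.
            shell_exec($saved !== '' ? 'stty ' . escapeshellarg($saved) : 'stty echo');
            fwrite(STDERR, PHP_EOL);
        }
    }
    if ($line === false) {
        throw new RuntimeException('no password supplied on STDIN');
    }
    return rtrim($line, "\r\n");
}

// Refuse secrets passed as arguments: argv shows up in the process list
// and in the shell's command history.
if ($argc > 1) {
    fwrite(STDERR, "Do not pass the password as an argument; it is read from STDIN.\n");
    exit(2);
}

$password = read_secret();
if ($password === '') {
    fwrite(STDERR, "Empty password.\n");
    exit(1);
}

// Assumed Argon2id costs for this example (memory_cost is in KiB).
$hash = password_hash(
    $password,
    PASSWORD_ARGON2ID,
    ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]
);

// Wipe the plaintext from memory when ext-sodium is available.
if (function_exists('sodium_memzero')) {
    sodium_memzero($password);
}
unset($password);

echo $hash, PHP_EOL;
```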
DEV Community
Reading Passwords from STDIN in PHP
I needed a PHP script to have access to a user's password. An environment variable didn't seem secure enough.
Php Documentation RE: Generating Argon2 Keys (plus validating / verifying said keys as well)
1. https://dev.to/mykeels/reading-passwords-from-stdin-in-php-1np9 (yes, this guide was on the previous post, but since it covers Argon2 + PHP, it's extremely relevant once again [a couple of the commands may not have been correctly])
—— (official resources from the PHP website / code examples) ——
2. 'getpassword' function samples = https://hotexamples.com/examples/-/-/getpassword/php-getpassword-function-examples.html
3. Laravel Documentation re: hashing, specifically = https://laravel.com/docs/7.x/hashing
4. Documentation on PHP's website re: 'password_hash' command = https://www.php.net/manual/en/password.constants.php
(again, to be clear, the '7.3' base image is needed in order to leverage 'Argon2' functionality [out of the box])
5. As a side note, there are plenty of other really potent cryptographic libraries that can be accessed with little to no barriers to entry (assuming that your interests are actually rooted in cryptography, and not *cryptocurrency* <— similar, but extremely different)
6. PHP Main Cryptographic Modules Webpage = https://www.php.net/manual/en/refs.crypto.php [pretty extensive to say the least]
The 'libsodium' + 'NaCl' libraries are the 'sweet spots' to visit if you have a strong urge to leverage high-powered cryptographic functions <— make sure that you read the respective guides for the cipher functions + algorithms & all other available information at your disposal to ensure that you're using these tools correctly.
Continuing On (we weren't done earlier - and there are a lot of tabs that we simply want to close to clear room for other tasks)
*Another Note About 'PrivateBin'*
If you're looking to configure PrivateBin, here is their Git = https://github.com/PrivateBin/ ; specifically, their code provides all information necessary for users that are looking to tweak its settings (we're referring to adjustments to the cryptographic signatures). As a recommendation: Do not tweak the initial sha-256 signatures in the privatebin.js file or you will most likely break your app. We will provide a guide soon (on the confirmation + guidance of the PrivateBin team) that gives greater detail on what adjustments can be made to PrivateBin's source code to enhance the cryptographic primitives w/o undermining the app's setup.
Importance of OpenSSL (part 1)
If you're using a modern desktop (laptop , too) computer that's not running OpenBSD or some obscure form of Linux, then your computer most likely comes with 'openssl' packaged by default.
*'What is OpenSSL?'*
OpenSSL is a software package, written in 'C', that contains an expansive suite of cryptographic ciphers, digests, encryption mechanisms, and other commands that utilize or interact with cryptography in some facet.
Its most common usage is enabling the processing of various cryptographic primitives in our browser (that we may not pay attention to), such as:
A) Assessing whether a website has a 'secure' certificate or not [this is what enables your browser to assess website certificates + your SSL connection strength to other sites; which is an extremely important process for users & general user security]
B) Connecting & establishing a secure connection with various websites (with any level of cryptographic strength at all) ; this is a critical facet of the 'handshake' process that's classically included in TLS
C) Running any sort of cryptographic operation on our computers for things such as storing user passwords / generating or verifying checksums / etc.
D) This goes w/o saying (probably) - but if you're a blockchain user and you're using software that generates your wallet's keys client side (which it absolutely should be), then it is more than likely that openssl is interfaced in order to process and compute the cryptographic operations necessary there as well
—
There are obviously several other very noteworthy and critical crypto libraries, such as:
1. 'WebCrypto API' = Comes pre-packaged in Firefox + Chrome. It is meant to provide the capability for performing cryptographic operations in the browser (client side) ; this is part of what makes such a thing possible. Well-written web apps will insert functions that are designed to call upon this functionality in one's browser in order to generate / utilize data provided or extracted from certain cryptographic operations that logic dictates should not be performed server side.
2. GPG = GPG comes equipped with its own library. It also benefits from (a solid explanation of its cryptographic properties is broken down here: https://hashrocket.com/blog/posts/encryption-with-gpg-a-story-really-a-tutorial) ; there are certain complementary cryptographic libraries that can be utilized by gpg via API though, such as:
a.) 'libgcrypt' (url = https://gnupg.org/software/libgcrypt/index.html)
b.) 'ntbtls' (url = https://gnupg.org/software/ntbtls/index.html)
There are other popular implementations listed on GnuPG's actual website, which users can look up at their leisure.
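To make the WebCrypto point above concrete, here is an added example (not code from PrivateBin or any other project named in this post) of a web app doing its key derivation and encryption client side, so that only the salt, nonce and ciphertext would ever reach a server. The function names, the passphrase, the sample text and the PBKDF2 iteration count are assumptions chosen for illustration.

```javascript
// Added example: client-side encryption with the WebCrypto API.
// Browsers and current Node.js expose it as globalThis.crypto;
// older Node.js needs require('node:crypto').webcrypto instead.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// Derive an AES-256-GCM key from a passphrase (iteration count is an assumed example value).
async function deriveKey(passphrase, salt, iterations = 600000) {
  const material = await subtle.importKey('raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material,
    { name: 'AES-GCM', length: 256 },
    false, // non-extractable: page script cannot export the raw key bytes
    ['encrypt', 'decrypt']
  );
}

// Encrypt in the client; a server would only ever store salt, iv and ciphertext.
async function encryptMessage(passphrase, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const key = await deriveKey(passphrase, salt);
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Decrypt; resolves to null when the passphrase is wrong or the data was modified.
async function decryptMessage(passphrase, { salt, iv, ciphertext }) {
  const key = await deriveKey(passphrase, salt);
  try {
    const pt = await subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
    return dec.decode(pt);
  } catch (err) {
    return null; // the GCM authentication tag did not verify
  }
}

// Constructed sample input: round trip, wrong passphrase, and one flipped ciphertext bit.
async function demo() {
  const box = await encryptMessage('correct horse', 'constructed sample paste');
  const ok = await decryptMessage('correct horse', box);
  const wrong = await decryptMessage('wrong horse', box);
  const tampered = { ...box, ciphertext: Uint8Array.from(box.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  const bad = await decryptMessage('correct horse', tampered);
  return { ok, wrong, bad };
}
```

Because AES-GCM is authenticated, a server that alters the stored ciphertext cannot produce a different valid plaintext; the client simply fails to decrypt.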