Questions tagged [key]
Physical or digital keys. Digital keys are used for encryption or signing, or for authentication (e.g. API key). For product keys, use the tag product-key.
213 questions
0 votes, 1 answer, 80 views
Why is the boot key used to access the encrypted SAM database hashes?
A quick something I’ve been wondering: why is the boot key used to access the encrypted SAM database hashes, (and not another key,) and also what encryption mechanism is actually used to encrypt the ...
0 votes, 0 answers, 77 views
Rotate or replace EMV keys?
I would like to better understand the mechanism of rotation of EMV keys used for payment cards.
Assuming that it intends to provide a rotation of the keys used for the production cards:
just recycle ...
2 votes, 1 answer, 428 views
PGP expired encryption subkey : renew or replace?
I am in the process of learning PGP (GnuPG more precisely).
I am trying to figure out which is the best strategy for my encryption ([E]) subkey in terms of expiration/revocation/renewal. Could you ...
0 votes, 0 answers, 177 views
HSM Thales PayShield vulnerabilities
My management requested to investigate about security of HSM Thales Payshield.
Have you ever heard of any security bugs on the HSM Thales Payshield? I mean, except for the known bugs reported in their ...
0 votes, 0 answers, 81 views
Security implication of loading untrusted private keys
The FIPS draft for Dilithium signature scheme (official name ML-DSA) had just been released not long ago. In the specification for skDecode (which is the subroutine that loads the private signing key) ...
1 vote, 1 answer, 124 views
Key Hash With Securely-Optimal Setting : For Encryption vs For Password
Do you have to make a key hash with securely-optimum setting (e.g. 100MB memlimit, 3 opslimit) for encryption?
So I'm making a text encryption function with javascript, using XChaCha20-Poly1305 and ...
1 vote, 1 answer, 601 views
CVV2 calculation with TR-31 Key
I need to use the CVK Key (in key block format) to calculate the CVV2.
In the past, I have always used single keys in variant format for this purpose (CVKa + CVKb), and the calculation procedure is ...
0 votes, 1 answer, 324 views
PCI compliance - use of ANSI X9.17 for export keys
We have a concern about a key export. We completed the migration to Key Block LMK in our environment (with HSM Thales 10K). Now, we have to exchange keys with third-parties that still use Keys in ...
0 votes, 1 answer, 240 views
Permanent Keys/Secrets in TLS 1.3
In TLS 1.3 (RFC8446), there are many secrets and keys. As far as I've understood, every certificate (usually only the server) has a long term key associated with it which is used with HKDF to generate ...
3 votes, 1 answer, 1k views
What is the point of the “AES Key Wrap” algorithm?
What is the point of the “AES Key Wrap” algorithm prescribed for use with CMS-like contexts in IETF RFC 3394?
Just look at the algorithm (tacked on to the end of this post), informally, it smells a ...
4 votes, 1 answer, 542 views
Can someone with access to only my Yubikey gain access to my server that has SSH access via an ED25519-sk keypair?
My understanding is that an ED25519-sk SSH key generated by OpenSSH generates a private key stub that lives on your host machine. This stub is just a reference to the actual private key that lives on ...
2 votes, 0 answers, 190 views
How do you know what KDF was used to protect an SSH-Key?
Assuming I have found several OpenSSH private keys on my client's system, how can I detect (at scale) which of them are:
completely unprotected (i.e. no passphrase)
using an old hashing algorithm for ...
1 vote, 1 answer, 262 views
Detecting signal amplification attacks against PKE keyless fobs
During the early hours of the morning there was an attempt to enter and presumably steal various vehicles on my street, detected well after the fact via householders reviewing CCTV motion detection ...
0 votes, 1 answer, 114 views
Is my PGP key which I uploaded to sync.net compromised?
I just accidentally uploaded my PGP key in unencrypted format to rsync.net. As far as I know, nobody but me has access to the account. Is my key compromised?
3 votes, 1 answer, 4k views
Is it safe to send an API key in an HTTPS request? [duplicate]
Q: Is it 'safe' to include a secret API Key in a HEADER (for a request) which prevents bad actors from creating their own evil-requests by using your API Key?
We need to send data to a 3rd party from ...