    Ferdinand Niedermann
    @nerdinand
    but since I can't get that to run with Amazon Cognito I may have to look for a different solution altogether...
    Tony Arcieri
    @tarcieri
    @nerdinand aah... did you check out #165?
    that has a full IUF API and also accepts variable-sized keys in HMAC's typical wonky fashion
    Ferdinand Niedermann
    @nerdinand
    i think i need to give up on this
    sirp doesn't seem to be doing what Amazon expects
    Tony Arcieri
    @tarcieri
    aah, ok
    I never liked SRP personally :wink:
    there's like 15 more modern PAKE algorithms and yet for some reason everyone implements SRP
    personally I like SPAKE2-EE, although here's a brand new one that looks pretty interesting https://eprint.iacr.org/2018/163
    Ferdinand Niedermann
    @nerdinand
    i see, fancy stuff
    for the record: i'm now using OAuth2 to authenticate with cognito, https://github.com/Sage/omniauth-cognito-idp works
    Tony Arcieri
    @tarcieri
    yeah, gotta take what you can get with something like that
    Stefano Gessa
    @sgessa
    Hey, is RbNaCl::VerifyKey.new(pkey) not detached right? Is verify detached supported?
    Tony Arcieri
    @tarcieri
    that's just the key, but detached verification is presently the only supported API
    Kevin Cheng
    @Kache

    Hi, is the documentation on https://github.com/crypto-rb/rbnacl/wiki/Secret-Key-Encryption still up to date?

    In particular, I'm comparing using one of the examples on that page with using the built-in OpenSSL lib in ruby core.

    Kevin Cheng
    @Kache
    for encrypting values in a key-value config file to be committed into a private repo, just to add one security layer over shared developer keys
    Tony Arcieri
    @tarcieri
    @Kache looks like some of the links were broken... I fixed them
    secretbox provides equivalent security properties to AES-GCM, except GCM has small nonces (96-bits). that doesn't really affect data-at-rest encryption for small amounts of data, so take your pick
    Kevin Cheng
    @Kache
    thanks @tarcieri, that's helpful
    ugran
    @ugran
    Hello guys
    why doesn't the rbnacl-libsodium gem install on windows? takes hours and nothing happens when I bundle
    Tony Arcieri
    @tarcieri
    @ugran rbnacl-libsodium takes a long time to compile. it should eventually complete though
    Reggie Escobar
    @prodoxx
    Hey guys. Is anyone else experiencing this error: "FFI::NotFoundError: Function 'crypto_pwhash_memlimit_min' not found in [libsodium.so]"
    Tony Arcieri
    @tarcieri
    which version? I just released 6.0.1
    Ivica Milosevic
    @NekoNormalan_twitter
    Hey guys, I don't see that rbnacl supports the SHA512256 hash; for hash functions I see only sha512 OR sha256. However HMAC does support SHA512256. Is there some way/gem that I can use to calculate SHA512256? Thanks in advance!
    Tony Arcieri
    @tarcieri
    It looks like SHA-512/256 is exposed through the generic hash API in libsodium and is not presently wrapped by RbNaCl
    SHA-512-256 is also available via the higher-level interface crypto_hash().
    Ivica Milosevic
    @NekoNormalan_twitter
    Thanks @tarcieri! Are you aware of any way to calculate sha 512-256 in ruby? I couldn't find any and as a dirty solution I used a shell call to shasum -b -a 512256 but I'm losing precious time there. It takes between 25 and 30ms for a shell call :(
    Tony Arcieri
    @tarcieri
    not offhand... is there something specific you need it for?
    it might be possible through the OpenSSL API
    Ivica Milosevic
    @NekoNormalan_twitter
    Well I'm working on some API for a new blockchain, the wallet address is calculated by the sha512_256 hash of public key + checksum (and then base32 of that). I need to transform the public key into a wallet address and I'm depending on that hash. It's a long story, the API needs to support at least 1K TPS and I'm trying to save each ms that I can and this is by far the biggest time consumer (shell call to calculate hash)
    I guess that I will need to dig into RbNaCl and make a PR with support for sha512_256, I was just hoping that there's an easy way to do it in ruby...
    Tony Arcieri
    @tarcieri
    yeah if you really need it, wrapping crypto_hash() is probably your best bet
    Florian Wininger
    @fwininger
    Hi everyone, I'm working to add curve25519-sha256 key exchange to the Net::SSH library with the x25519 gem.
    I have compiled openssh 8 with the DEBUG_KEXECDH option to have the hex output of all secrets.
    I really don't understand why my "shared secret" is not calculated correctly. :(
    The output of my openssh server:
    debug1: kex: algorithm: curve25519-sha256 [preauth]
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
    debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-512 compression: none [preauth]
    debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-512 compression: none [preauth]
    debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
    client public key 25519:
    debug3: receive packet: type 30 [preauth]
    0000: 08 55 d5 7d b8 ea 43 56 f0 18 15 d8 49 fe 00 91  .U.}..CV....I...
    0016: 2d 3c 25 dc 79 96 ee 19 12 cc 49 74 1d 2b dc 42  -<%.y.....It.+.B
    shared secret
    0000: ba 25 3d c6 b1 87 8f a1 5b 18 3d 70 ed b9 22 57  .%=.....[.=p.."W
    0016: 88 f1 ad de 25 7c 6f 42 46 8b fc db 56 80 8f 60  ....%|oBF...V..`
    server public key 25519:
    0000: fd d8 09 04 33 09 06 b0 b0 58 e2 9f 39 c7 97 f3  ....3....X..9...
    0016: 32 99 c0 d9 a5 74 57 f1 46 47 45 7d 2a 2a 03 60  2....tW.FGE}**.`
    encoded shared secret:
    0000: 00 00 00 21 00 ba 25 3d c6 b1 87 8f a1 5b 18 3d  ...!..%=.....[.=
    0016: 70 ed b9 22 57 88 f1 ad de 25 7c 6f 42 46 8b fc  p.."W....%|oBF..
    0032: db 56 80 8f 60                                   .V..`
    debug3: mm_sshkey_sign entering [preauth]
    On my ruby code:
    ecdh = ::X25519::Scalar.generate
    
    to_hex(ecdh.public_key.to_bytes) => "8 55 d5 7d b8 ea 43 56 f0 18 15 d8 49 fe 0 91 2d 3c 25 dc 79 96 ee 19 12 cc 49 74 1d 2b dc 42"
    to_hex(result[:server_ecdh_pubkey]) => "fd d8 9 4 33 9 6 b0 b0 58 e2 9f 39 c7 97 f3 32 99 c0 d9 a5 74 57 f1 46 47 45 7d 2a 2a 3 60"
    
    pk = ::X25519::Scalar.new(result[:server_ecdh_pubkey]).public_key
    to_hex(ecdh.diffie_hellman(pk).to_bytes) => "b6 e3 ec 89 65 d1 67 a0 ea d2 da f1 aa 80 f 3e 31 6c 0 b3 53 50 8e 78 c9 be 6f eb c6 a0 11 1e"
    Florian Wininger
    @fwininger
    So the ruby client and the openssh-server have the same information for "client public key" and "server public key"
    but when I do the multiplication operation ecdh.diffie_hellman(pk) I don't have the same result as openssh
    but I really don't understand the difference
    Do you have any idea to help me?
    Florian Wininger
    @fwininger
    Forget my message, I have found the solution by myself

    Replace:

    pk = ::X25519::Scalar.new(result[:server_ecdh_pubkey]).public_key

    with

    pk = ::X25519::MontgomeryU.new(result[:server_ecdh_pubkey])
    Tony Arcieri
    @tarcieri
    yes, the scalar is the private key, and should be randomly generated locally and never shared
    Florian Wininger
    @fwininger
    thanks for the quick answer :)
    Tony Arcieri
    @tarcieri
    note one problem with the x25519 gem right now, versus the ed25519 gem, is that it doesn't have JRuby support
    however if you're interested in using it for Net::SSH that's something I can look into
    Florian Wininger
    @fwininger
    Thanks for the tips.