security - Authenticate public-key which is coming from a database -


i wrote small chat application, users can write each other messages:

  • on first login, user generate public/private keypair, derived users password.
  • the public-key sent server (database).
  • if user (a) wants write user (b) message, user encrypts message public key of user b , sends server (and server send user b).

but what, if database-access change public-key of user b in database? attacker can read messages.

is somehow possible authenticate public key in database , make sure, not changed , 100% belongs user b?

so you're trying protect against scenario attacker has control on server , server cannot trusted. since can't trust any information server, cannot use directly in form of verification either. server can relegated being dumb transport, , verification needs happen directly against other peer.

being able exchange key out-of-band lot here, meaning can somehow facilitate direct peer-to-peer exchange of key. since difficult trust identity of random remote peer on general internet, you'd need employ strategy threema: can remote peer's public key anonymously, relationship peer not verified then. if you're able meet in person , exchange/verify keys physically scanning each others qr codes key trustworthy.

to facilitate sort of key exchange remote peer via untrustworthy server, you'd need implement diffie-hellman key exchange; server can facilitate communication, have no visibility data being exchanged. have happen both peers being online @ same time (or it's slow offline back-and-forth), may problematic in practice depending on use case.


-

Comments

Post a Comment

Popular posts from this blog

amazon web services - S3 Pre-signed POST validate file type? -

i know it's possible put limit on file size content-length-range header. possible validate file type? https://docs.aws.amazon.com/amazons3/latest/dev/httppostforms.html#policyconditions i see there content-type header, if set say, audio/mp3 allow mp3 files , return error if file not mp3? i found previous question answers mention validating file size: s3 direct upload restricting file size , type you can specify content-type @ post request. you can specify @ signature, post must done content-type: { "expiration": "2007-12-01t12:00:00.000z", "conditions": [ {"acl": "public-read" }, {"bucket": "johnsmith" }, {"content-type: "audio/mp3"} ] } creating html form (using aws signature version 4) edit: @ previous question found, checking content-type.
Read more

c# - Check Keyboard Input Winforms -

i wondering if instead of doing this protected override void onkeydown(keyeventargs e) { if (e.keycode == keys.a) console.writeline("the key down."); } i set bool method , this: if(keydown(keys.a)) // whatever here i've been sitting here ages trying figure out how it. can't wrap head around it. in case wondering, plan call bool inside different method, check input. since want perform action after pressing key, using keydown event enough. but in cases suppose want check if specific key down in middle of process, can use getkeystate method way: [dllimport("user32.dll", charset = charset.auto, exactspelling = true)] public static extern short getkeystate(int keycode); public const int key_pressed = 0x8000; public static bool iskeydown(keys key) { return convert.toboolean(getkeystate((int)key) & key_pressed); } you should know, each time check key state using example iskeydown(keys.a) method returns true if ke...
Read more