eID, Memoization, SSO, Riot.im, Cloud, KDF, Pwd man, HCTR, HCH

  • Usage of the eID (prev eIDAS) European Electronic Identity project is progressing; it can now be used with the suomi.fi Finnish authentication & official communication portal.
  • Added clock-pro caching (memoization) to one project, shortening its execution time about 20 times. If it used to take one hour, now it's less than three minutes. That's an awesome boost, no need to calculate percentages of performance improvement when it's a totally obvious boost. But that's more than a 95% cut.
  • Federated login into different services sounds nice, but you'll have to be careful to read the actual terms the federation is made on. In this case they advertised easy login using federation with another service. When the authorization request came it stated "Grant complete read/write access to the API, including all groups and projects". Ouch! There's no way in h*ll I'm granting that kind of access just to avoid creating a new password. Nope! This won't fly. I guess this is exactly what Facebook warned about, it's so easy to lure users into giving full API access to their account. Even if in this case it was about GitLab account federation.
  • Riot.im community features seem to be in early alpha. So it's technically working, but you can't properly manage the community logo / access rights and so on. But you can still group a bunch of rooms, which works much better. Also it seems that the request for previous encryption keys from another authenticated device, which does have the keys, isn't working.
  • Beauty of cloud hosted stuff. Microsoft Skype for Business (SfB) was broken for around two weeks. It just didn't work with IPv6 because meet.lync.com wasn't accessible. Now it works again. Nobody knows why. But it seems likely that Microsoft was blocking access for some reason over IPv6. Also the Skype for Business client sucks as usual, and didn't try to connect over IPv4 if IPv6 failed. Now after two weeks, it's working again. Microsoft never gave any statement or comments about this. Cloud is nice and reliable, or not. It's just broken at times, and nobody knows why. - For a while there was a workaround, which was to disable IPv6 on all hosts using Skype for Business. Yep, that sucks for sure and caused secondary problems, meh. Another way would have been using meet.lync.com and specifying an IPv4 address there. But depending on how the client connects to the network, it's likely that it wouldn't have fixed the problem.
  • Key stretching - aka key expansion algorithm. Nothing new. I've referred to this earlier as password strengthening, even if that's incorrectly said; there's a subtle difference between strengthening and stretching. It matters because passwords are often really weak if just hashed, as people aren't using proper passwords like ~20 chars random, as recommended for 128 bit ciphers / hashes, or ~40 for 256 bit ciphers / hashes, of course including a wide variety of special characters and so on. All of this can be summarized into Key Derivation Function (KDF). And of course the modern Argon2.
  • Password managers leak? - Nothing new. Quite expected; also, if your system is compromised, it's still really hard for any application running in the compromised system to keep secrets. But for sure, there's room for improvement. Especially clearing data when it's not necessary to keep it in memory. Anyway, for high security tasks, you shouldn't use your "daily" system nor the "daily" password manager password / content and so on. For secure purposes, always use a separate hardened platform, with minimized attack surface and access. Also, a compromised system will probably be running a keyboard logger, so ouch!
  • HCTR and HCH cipher modes in Adiantum, which over quadruples the encryption & decryption performance on ARM models which do not provide AES hardware acceleration instructions. Also see: Google blog entry about Adiantum.
  • Duplicati - Bad software is everywhere? Real trap product. Backup testing says that everything is all good. But backup restore still fails. This means that there are at least two overlapping bugs in this process: 1) It doesn't detect errors in the backup and 2) It doesn't recover from those errors. - Ouch! Luckily I'm testing. But oh boy, I would be so mad if I had a disk crash and needed to run a restore, and found out that the backup is unrestorable. Btw. this is from the backlog, so the situation is much better nowadays. This is also one of the reasons why you should run at least two completely different backup solutions in parallel.
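
An added example (not from the original post) for the key stretching item above: it works out the password lengths behind the ~20 / ~40 character figures and shows how many bits of attacker work stretching adds to a short password. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of Argon2, which the standard library does not include; the 94-symbol alphabet, the 600,000 iteration count and all function names are assumptions.

```python
import hashlib
import hmac
import math
import os

ALPHABET = 94  # assumption: printable ASCII without the space character


def password_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def min_length(target_bits, alphabet=ALPHABET):
    """Shortest random password that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet))


def stretched_bits(length, iterations, alphabet=ALPHABET):
    """Attacker cost in bits: every guess costs `iterations` hash calls."""
    return password_bits(length, alphabet) + math.log2(iterations)


def make_record(password, iterations=600_000):
    """Stretch a password with a fresh random salt; store salt and cost."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify(password, record):
    """Re-derive with the stored salt and cost, compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


if __name__ == "__main__":
    for bits in (128, 256):
        print(f"{bits}-bit strength needs {min_length(bits)} random characters")
    sample = "Tr0ub4dor"  # constructed sample password, 9 characters
    print(f"9 random chars, hashed once: {password_bits(9):.1f} bits")
    print(f"9 random chars, 600k rounds: {stretched_bits(9, 600_000):.1f} bits")
    rec = make_record(sample)
    print("correct:", verify(sample, rec), "wrong:", verify("guess", rec))
```

The bit counts are upper bounds that hold only for uniformly random passwords; a human-chosen password of the same length has less entropy, which is why the stretching cost matters.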

2020-05-10