Comments (6)
I have simplified the ciphering part using Google Tink API in order to allow users to use this API created and maintained by several crypto specialists.
I have also simplified other code samples of the ciphering section to enhance the readability of the cheat sheet.
I think that it is important to clarify some points according to your post:
- The migration to GitHub has the objective of allowing more people to contribute, in order to fix issues in the project like the one that you have potentially raised.
- Even if OWASP is a foundation working on security topics, it does not mean that we never make mistakes; we are human (and doing this in our spare time), and the open source approach is used to allow everyone, whatever their origin (pro or not), to fix the potential error.
- OWASP contribution is not reserved to only so-called "experts" on some topics; everyone can make a technical proposal for a security issue, and this can be used as a foundation to enhance it.
- The elements that you raised only highlight a paranoid approach to the usage of AES/GCM and do not prove that the ciphered value can be retrieved (that is the main goal of this section). Feel free to technically prove the inverse...
- Instead of saying that you suspect that the cheat sheet contains many errors, prove them, or better, propose a pull request to fix the issue that you have identified.
My goal was not to blame anyone, nor do I expect every document to be free of mistakes. I highly respect the volunteers who do this work in their spare time.
I looked at the document because I'm not an expert myself. I don't know all the ins and outs necessary to securely implement JWT and can't review the rest of the document with the appropriate scrutiny. I just noticed the unusual AES construction and from what I learned about encryption, unusual is not a desired property for solutions to standard problems.
While the proposed scheme does not seem to weaken the encryption, I disagree with the notion that not weakening the encryption is reason enough to pile more complexity on top.
You highlighted that you welcome community contributions. Why not use the issue tracker for readers to raise issues and requests for clarification? You can even stick "contributions welcome" labels on these to encourage people to look at potential issues.
Maybe we can get someone else to chime in on this!
Thank you very much for your feedback and the clarification about your intention.
In order to clarify the error, I have discussed this point with a crypto specialist, and indeed the NONCE and AAD are public, so I will update the proposed implementation in this way: remove the DB and pass the NONCE and AAD along with the ciphered value to the entity in charge of the deciphering.
Thanks for the proposal for the label; I will update the labels and the readme in this way.
Thanks for taking the time to clarify! Just a small addendum:
You don't need any AAD in this case. If you don't set it GCM will still work and authenticate the payload.
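To make the two points of this exchange concrete (the nonce is public and travels with the ciphertext; GCM authenticates the payload with no AAD set), here is an added example written for this page. It is not code from the cheat sheet, from Google Tink, or from any commenter; it uses only the Go standard library so it runs without third-party dependencies, and the fixed 32-byte key and the sample message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM and returns one blob laid out as
// nonce || ciphertext || tag. The nonce is not secret, so carrying it in the
// blob is safe; what matters is that it is fresh for every call with the same
// key, which is why it comes from crypto/rand. No AAD is passed (nil): GCM
// still computes the tag over the whole ciphertext, so any tampering is
// detected by Decrypt.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, so passing the
	// nonce slice as dst yields nonce || ciphertext || tag in one slice.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits the nonce off the front of the blob and opens the rest.
// A wrong key, a modified nonce, a modified ciphertext or a modified tag all
// fail the tag check and return an error instead of plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// TamperDetected flips one byte at position i of a copy of the blob and
// reports whether Decrypt rejects the result, as it must for every position
// (nonce, ciphertext or tag).
func TamperDetected(key, blob []byte, i int) bool {
	forged := append([]byte(nil), blob...)
	forged[i] ^= 0x01
	_, err := Decrypt(key, forged)
	return err != nil
}

func main() {
	// Constructed demo key: in production the key comes from a KMS or a
	// secure random source and is never hard-coded.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	blob, err := Encrypt(key, []byte("session-id=12345"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob (nonce||ct||tag) is %d bytes\n", len(blob))
	pt, err := Decrypt(key, blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	fmt.Printf("nonce byte flipped, rejected: %v\n", TamperDetected(key, blob, 0))
	fmt.Printf("last tag byte flipped, rejected: %v\n", TamperDetected(key, blob, len(blob)-1))
}
```

The layout mirrors what the comment above describes: nothing needs to be stored in a database to decrypt later, because everything except the key is inside the blob, and the tag alone (with no AAD) is what makes a modified nonce or ciphertext fail on decryption.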
You are welcome; the objective of having this project here is to discuss and handle the issue 😃
Thank you for your addendum, I will take it into account...