encryption – How does WiFi prevent hacking in the same network (cell)? (No matter WPA2)

We all know that the client device and WiFi AP will perform the 4 way handshake to generate the session key (PTK). Here is the recap of the 4 way handshake.

1. Client device <--- ANonce --- WiFi AP

2. Client device --- SNonce ---> WiFi AP

3. Client device <--- Install PTK --- WiFi AP

4. Client device --- OK ---> WiFi AP

I understand why the ANonce and SNonce have to be shared with each other: they are needed to create an initialization vector to increase the randomization of the PTK. The PTK is actually the session key.

PTK = PRF(PMK + ANonce + SNonce + MAC(AA) + MAC(SA))

My problem is that all those components can be sniffed by another client device in the same network that shares the same PMK (pre-shared key).
The MAC address of the AP is no secret, and the MAC address of another device in the same network can be sniffed too.
The ANonce and SNonce can be captured; the only problem is to distinguish that it is a nonce, but anyway it can be done.
The PMK is shared with all the members.

so…

We all know WPA-PSK is vulnerable but it should not be that vulnerable. There is not even a need to brute force!!!!!!
I believe I must be missing some concept. I hope someone can help.
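The derivation in the question, written out as an added example (not part of the original post): it follows the IEEE 802.11 PRF for WPA2-PSK with CCMP and shows that the PMK is the only input that is not visible on the air, so two holders of the same PSK compute the same PTK from the same handshake values. The SSID, passphrases, MAC addresses and nonces are constructed, and the function names are chosen for the illustration.

```javascript
// Added example: all network names, passphrases, MACs and nonces are constructed.
const crypto = require('crypto');

// PMK for WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
function pmkFromPassphrase(passphrase, ssid) {
  return crypto.pbkdf2Sync(passphrase, ssid, 4096, 32, 'sha1');
}

// IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter).
function prf(key, label, data, outLen) {
  const blocks = [];
  for (let i = 0; i * 20 < outLen; i++) {
    const msg = Buffer.concat([Buffer.from(label, 'ascii'), Buffer.from([0]), data, Buffer.from([i])]);
    blocks.push(crypto.createHmac('sha1', key).update(msg).digest());
  }
  return Buffer.concat(blocks).subarray(0, outLen);
}

const mac = (s) => Buffer.from(s.replace(/:/g, ''), 'hex');

// PTK = PRF(PMK, "Pairwise key expansion",
//           min(AA,SA) || max(AA,SA) || min(ANonce,SNonce) || max(ANonce,SNonce))
function derivePtk(pmk, aa, sa, anonce, snonce) {
  const [m1, m2] = Buffer.compare(aa, sa) < 0 ? [aa, sa] : [sa, aa];
  const [n1, n2] = Buffer.compare(anonce, snonce) < 0 ? [anonce, snonce] : [snonce, anonce];
  const ptk = prf(pmk, 'Pairwise key expansion', Buffer.concat([m1, m2, n1, n2]), 48);
  return { kck: ptk.subarray(0, 16), kek: ptk.subarray(16, 32), tk: ptk.subarray(32, 48) };
}

// Compare the temporal key (TK) computed by the station, by a second holder of the
// same PSK using the same public handshake values, and by someone without the PSK.
function demo() {
  const aa = mac('02:00:00:00:00:01'), sa = mac('02:00:00:00:00:02');
  const anonce = Buffer.alloc(32, 0xa1), snonce = Buffer.alloc(32, 0x5b);
  const station = derivePtk(pmkFromPassphrase('example-passphrase', 'ExampleNet'), aa, sa, anonce, snonce);
  const member = derivePtk(pmkFromPassphrase('example-passphrase', 'ExampleNet'), aa, sa, anonce, snonce);
  const outsider = derivePtk(pmkFromPassphrase('some-other-guess', 'ExampleNet'), aa, sa, anonce, snonce);
  return {
    sameForAnyPskHolder: station.tk.equals(member.tk),
    differsWithoutPsk: !station.tk.equals(outsider.tk),
  };
}
```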

Recovery possibilities with Zero knowledge encryption

I have some encryption understanding; however, I fail to get my head around the following scenarios. I would like to know if they are possible with a zero knowledge encryption system.

What the system can or can’t do can be added to the answer.
Example:

  • The system needs to keep an encrypted copy of the key.
  • The user has to have the key on a USB stick.

In the end, all scenarios ask the same questions.

  • Can the user access his data?
  • Does the system know about his data?

Scenario 1:
User logs in on a new computer.
Does not have the key with him.

Scenario 2:
User logs in on a new computer.
Does have the key with him (e.g. USB stick).

Scenario 3:
User lost his password. His identity has been verified and approved.

Scenario 4:
New sub-users are assigned to the same resource.

encryption – How to encrypt gist with someone else’s public key?

I’m looking to encrypt a gist file for an issue, and the provider has their public key accessible for issuers to use. I’m new to this and am trying to find a way to encrypt the file with the provider’s public PGP key so I can securely send them an issue that is confidential.

I’m looking for an example so that I can use it.

Currently on macOS.

encryption – I need to read the contents of a crd file as plain text

I lost all my passwords due to a dumb mistake I made yesterday. These passwords are really important. My computer has them saved under Windows credentials. However, I can’t view passwords stored under Windows credentials. When backing up the credentials I get a crd file. How do I view the passwords? I tried using VaultPasswordView and CredentialsFileView but neither worked. I tried using John the Ripper but it didn’t work (probably because I don’t know how to use it). (I have experience in Python if it helps.)

With VaultPasswordView I was able to view the web credentials but not the Windows credentials. The hex in VaultPasswordView is the password separated by dots, while it’s gibberish in CredentialsFileView.

encryption – How is VPN tunneling actually implemented?

I am new to VPNs, have used them a few times, have read about “how they work” (which is all very high level), and am now confused about how this is actually implemented (so I can come full circle and understand what kind of security they are providing me).

It sounds like a VPN is something you install on your computer. You then perform your actions in the VPN UI (whether it’s a terminal or a GUI). These “local” actions are then encrypted (what is the encryption method/protocol?) locally. Then, say I am at my house using WiFi or at the coffee shop. It uses my newly allocated public IP address (the one I’ve been assigned for only the past few hours), to send this encrypted data across the public internet, in the public WiFi at the coffee shop. So people can tell I am sending something over the internet, just not sure what (because it’s encrypted). The way these articles sound, they make it sound like magic and that you get a static IP address locally which no one can see. That’s not the case, right? It is doing exactly what I’m saying. I ask this question to clarify and make sure I’m understanding correctly.

So then the encrypted traffic (going across the public internet, using my publicly known IP address), is sent to some remote server. That server then performs the real actions I was typing at my VPN terminal/GUI. It makes whatever internet requests and whatnot, or SSH’s into some computer I’m targeting, and pipes the info back, encrypted, over the public internet, to decrypt it locally on my computer. Hopefully I’m still on the right track. Then that remote computer I sent my encrypted traffic to, what does it do to obscure my message or secure my message from its standpoint? Does it dynamically change its IP address? Is it situated in some remote wilderness guarded by gates so no one can intercept the traffic? How does it stay secure in sending messages to the actual target location? Or is it just the fact that the requests are no longer coming from my computer, so no one can know it’s me, all the security it’s accomplishing?

Basically, I’m wondering if this is sort of how it’s implemented.

SFTP server with storage encryption

I’m looking for an unusual solution that uses an SFTP server for data transfer, but said SFTP server should also act as an encryption proxy, i.e. all the data it stores on the server side should be encrypted. Although I could use host (OS-wide) encryption, it is not gonna be effective during runtime if the hoster I use decides to peek at it or is forced to by a 3rd party or crappy government.

I did some googling but the only thing I found was: https://github.com/libfuse/sshfs
Problem is I don’t want no custom clients, I want to hide ANY implementation from the client, it should be just your basic SFTP you can use anywhere, even on your microwave, let alone phone or notebook.

This variant:
https://serverfault.com/questions/887167/sftp-with-data-encryption-at-rest
seems usable but again, at runtime it only protects against other normal users (which I don’t have).

encryption – Bitcoin core wallet backup corrupted by an external tool

A file with the AXX file extension is an AxCrypt Encrypted file. AxCrypt is a file encryption program that scrambles (encrypts) a file to the point that it’s unusable without first being decrypted with a specific password/passphrase.

When an AXX file is created, it’s automatically assigned the exact same name as the unencrypted file but with the .AXX file extension appended to the end. For example, encrypting vacation.jpg results in a file called vacation.jpg.axx.

You can double-click an AXX file to open it with the AxCrypt software. However, note that if you’re signed in to your AxCrypt account, double-clicking the AXX file will open the true file and not actually decrypt the AXX file.

Use the program’s File > Open Secured menu to open the AXX file but not actually decrypt it. To decrypt the AXX file requires that you either right-click it and choose AxCrypt > Decrypt or use the File > Stop Securing option.

encryption – How to unencrypt my data on a Lenovo Tab M8 FHD TB-8705F device

I’m trying to unencrypt my data on my device.

My device is rooted with Magisk Manager.

This is what I have already tried.

  1. Unticked the box Preserve forced encryption in Magisk Manager.
  2. Patched the boot image in Magisk Manager.
  3. Flashed this patched boot image to my device.
  4. Formatted userdata through ADB.

But after this my userdata is still encrypted.

Thank You,
Sruly

secret sharing – Key handling for shared-key encryption with sodium

Not being a cryptography expert, I have some basic questions on how to manage keys wrt. sodium-plus. Let me briefly explain the context: the use case involves sending data from a web frontend to a backend, but the backend should not be able to read it (deliberate design choice due to privacy concerns). The data in question needs to be usable from different client machines (the same frontend used at different times on different machines). It should be en- and decrypted using a secret that is under the control of the user and not stored by the application. There is no second user involved that should be able to decrypt the data, so I see this as a scenario for using a shared-key encryption approach.

I am looking into using sodium-plus.js for this and in particular to use crypto_secretbox, but am actually not clear on how to manage the key part in the scenario — ultimately, the user needs to have a way to access the same data on a different machine. Looking through the API documentation, I see two options:

  1. Generate a random key, convert it to a hex string, present the hex presentation to the user and leave it up to the user how she stores it. Then the user could use this hex presentation on the next client machine to decrypt her data.
    Unfortunately, I seem to be unable to re-create a cryptographic key from the hex presentation (hex2bin returns a (Promise for a) string). Is this even feasible? Also, I’m not at all convinced that this approach is not entirely defeating the idea of generating a random key in the first place?
  2. Derive a key from a password via crypto_pwhash that the user has to specify. However, this requires also a salt, so I’m back in a similar unclear situation on how to handle it: if the user would give the same password on a different machine (on which to decrypt the data) I also have to use the same salt to generate the same cryptographic key. How do people handle this?

If I could easily have read up on all of this, I would appreciate pointers, as my search-fu seems to fail me.
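Both options from the question, sketched as an added example (not part of the original post and not sodium-plus code): Node's built-in `crypto` stands in, with scrypt in place of `crypto_pwhash` and AES-256-GCM in place of `crypto_secretbox`. The blob layout and all function names are assumptions made for the illustration; the part that carries over is that the salt is random, not secret, and stored with the ciphertext.

```javascript
// Added example: Node's crypto stands in for sodium-plus; names and layout are assumptions.
const crypto = require('crypto');

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16, KEY_LEN = 32;

// Authenticated encryption with a raw 32-byte key: returns nonce || tag || ciphertext.
function encrypt(key, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per message, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

function decrypt(key, box) {
  const nonce = box.subarray(0, NONCE_LEN);
  const tag = box.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the blob was modified
  return Buffer.concat([decipher.update(box.subarray(NONCE_LEN + TAG_LEN)), decipher.final()]).toString('utf8');
}

// Option 1: the user keeps a random key as 64 hex characters and types it in elsewhere.
function importKey(hex) {
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) throw new Error('expected 64 hex characters');
  return Buffer.from(hex, 'hex');
}

// Option 2: the salt is random, not secret, and stored in front of the ciphertext,
// so any machine holding the blob and the password derives the same key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, KEY_LEN, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

function sealWithPassword(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  return Buffer.concat([salt, encrypt(deriveKey(password, salt), plaintext)]).toString('base64');
}

function openWithPassword(password, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  return decrypt(deriveKey(password, blob.subarray(0, SALT_LEN)), blob.subarray(SALT_LEN));
}
```

The backend only ever stores the base64 blob; it sees the salt and nonce but neither the password nor the derived key.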

encryption – Hello friends, problem with a bitcoin core backup that has become .axx

Do you know if my wallet.dat, which has become wallet.axx due to incorrect handling by an external program (I do not know the name of the program, but it is used to encrypt Windows files), has the possibility of being reverted to the initial format “.dat” by myself?
And above all, without damaging the “Core” backup that it is?
Thank you in advance!!