fingerprint authentication systems – Information Security Stack Exchange

Password authentication systems check for full equality. If you make a typo in your password, you will not be authenticated*.

You cannot check a fingerprint for full equality; it’s a ‘scan’ and there will always be some minor differences: perhaps you have a small cut in your finger, or you put your finger slightly rotated on the device and the digitalization process displaces a few pixels.

A hash is designed to implement the avalanche effect; a small change in the input causes a large difference in the output. That means that two slightly different passwords or two slightly different fingerprints produce two completely different hashes. If you have the hash of a fingerprint, there’s no way of verifying whether it matches a slightly different fingerprint.

*: such a verification system would work by verifying the hash with not only the hash of the actually entered password, but also the hash of all possible typos.

Password protected wall – Information Security Stack Exchange

I’m currently building a website where you have an account and can do “dangerous” things with it. I want to password-protect these things, so the user has to type their password, if they want to continue.
I couldn’t find any ressources on this, so I came up with this idea.

My method works this way:

  1. User navigates to dangerous action
  2. The server redirects the user to the password prompt website
  3. The user types the password
  4. The server checks if the typed in password matches the currently logged in user
  5. If check was successfull, the server redirects the user to the action with a uniquely created token associated to the user as a GET parameter
  6. The dangerous actions checks if the token matches to the user
  7. If match, the server will continue as normal

My question: Is this secure?

I think this is secure because I will probably make the token like 511 chars long and bruteforcing it would be very unlikely and I couldn’t find any other security holes in this.

security – Is it possible to use conditional logic to determine where a file shortcut points in Windows 10?

I use a password manager for all of my passwords. The preferred .exe is run from an encrypted USB-Drive (my portable manager that I can use anywhere). I have a backup on my laptop in a VeraCrypt container, and on a server. The Laptop file is obfuscated so someone browsing the File Explorer could not identify it as a password manager.

I prefer to only use my portable version unless I happened to lose it or don’t have access to it.

Is it possible to set up a single Desktop Shortcut with conditional logic, such that for:

File pManager = PasswordManager.exe
File U = USB.pManager
File L = Laptop.pManager
File S = Server.pManager

if (USB.isConnected && U.isPresent): Run --> U
if (!USB.isConnected && L.isPresent): Run => L
else (Server.Connect)   // Kudos if there is a way to run SSH cmd to check for server file here
  if (S.isPresent): Run=> S
    else:
     Message("Find your USB Key!")

If this is not possible with a shortcut, I think the next option would be creating a shell script or a small app/widget to handle the logic.

privacy – How to contact Microsoft regarding security flaw?

Here I see:

If you believe you have found a security vulnerability that meets Microsoft’s definition of a security vulnerability, please submit the report to MSRC at https://msrc.microsoft.com/create-report

Also here:

We want to know about a security vulnerability as soon as you’ve found it.

But..

When signing into the create-report page (via google auth or MS account), it signs in as expected but signs out ~5 seconds later (using Chrome, also in Chrome incognito, and safari on macOS Catalina).

After signing out, it redirects to https://msrc.microsoft.com/create-report:

enter image description here

I have called MS’s tech support number (the call center did not come across as knowledgable about cyber security), and emailed bounty@microsoft.com, but have not received a reply.

How can one submit a bug report on a security vulnerability – is there a direct phone number for MS Cyber Security?

security – How to handle creating first Admin users in a web app

I’m creating a complex web app (written in Nodejs with many containerised instances running in k8s). I may end up decomposing it into microservices down the line but for now it is monolithic.

Regular users will be able to sign up for an account via the web interface, but I need a small number of specific users to have admin privileges. Admin privileges may include inviting new users while in closed beta, or modifying resources belonging to regular users. At the moment, I have a user schema with a ‘roles’ field, which will allow a regular user to be elevated to an admin role – but how do I ‘bootstrap’ these users into place when there are no existing admin users?

These admin users need to exist in multiple environments, including testing environments where the db gets regularly wiped, as well as in production where the user should persist until the credentials are revoked (say if the person leaves the company).

The obviously stupid approach would be to just hard-code the creds for one admin user but that is clearly the worst idea of all time. I could manually insert the user into the database outside of the control of the app but allowing access to the db this way seems like it could present data integrity issues.

I’m using Amazon Secrets Manager to inject things like database credentials where they live as environment variables in the pod/container so it occurs to me I could do something similar for admin credentials, but how should the code handle this to create a user?

One option would be to have a function that runs once on startup each time a new instance of the code starts up which grabs the user credentials from AWS, checks if the users exist in the db already, and if they don’t create a new user with the Admin role – and when the person leaves I’d need to delete the credentials from AWS and get another admin user to delete them from the app also. Or I could just store a list of known Admin email addresses and when they sign up as a regular user they automatically get the Admin role. Both of these options seem kind of off to me.

Or should the Admin users not be users at all? Should there instead be a separate Admin “login” system, where the credentials are just checked against the AWS creds each time the Admin logs in, instead of creating a regular user in the db? This would mean I would only have to worry about revoking the creds stored in AWS secrets when the user leaves, and the code wouldn’t have to redundantly check for existing Admin users each time a new instance spins up. Down side is I’d have to restructure my permissions system a little but this approach seems to be more secure. Are there any negative implications of doing it this way?

Smooth root certificate rotation – Information Security Stack Exchange

I am surprised that I couldn’t find one concrete example of how to do root certificate rotation. For example:

  • Root CA has 2 years validity period
  • Intermediate CA has 9 months validity period
  • leaf certificate has a 3 months validity period

The renwal/replace time are:

  • Root CA is going to be replaced every 1 year
  • Intermediate CA is going to be replaced every 6 months
  • leaf certificate is going to be renewed every 2 months

This gives

  • 1 month buffer for service to renew its certificate before the certificate expires.
  • 3 months buffer for intermediate CA to sign new service certificate. By the time the old intermediate CA expire, all the old issued certificates are expired as well.
  • 1 year buffer to distribute the new root certificates to client. We want to give enough time for clients to pull the new root certificate before the old one expires.

Questions:

  • We have root 1 and root 2 overlapped for 1 year, when should we start signing new CSR using root 2 certificate?

If the one year overlapped time is just for cert distribution, by the time root 1 expired, all clients should already have root 2 trusted. However, by the time root 1 expires, we haven’t signed any new server certificates with root 2. It means when the time root 1 expires, all the services will be down. I guess we will need to ensure all services are using cert from root 2 before we can retire root 1? and we also have to ensure all clients have root 2 key before issuing server certificates using root 2? I think that makes sense but in terms of timeline, how should we managed that? In the 1 year overlapped time, maybe we can do 6 months distribution time, and 6 months signing time. so by the time root 1 retire, everything will be running on root 2 already?

And if we are using private CA, (lets say AWS private CA) , do we need to implement a service to ensure things above will happen?

Given that we own all the clients and servers.