Posts

Showing posts from February, 2020

How To Build JWT’s in Go (Golang)

By Lane Wagner – @wagslane on Twitter

Go is becoming very popular for backend web development, and JWTs are one of the most popular ways to handle authentication on API requests. In this article, we are going to go over the basics of JWTs and how to implement a secure authentication strategy in Go!

What is a JWT?

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. https://jwt.io/

More simply put, JWTs are encoded JSON objects that have been signed by the server, verifying authenticity. For example, when a user logs in to a website secured via JWTs, the flow should look something like this:

1. The user sends a username and password to the server
2. The server verifies the username and password are correct
3. The server creates a JSON object (aka claims) that looks like this: {"username":"wagslane"}
4. The server encodes and signs the JSON object, creating a JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6...

What Is Entropy In Cryptography?

By Lane Wagner – @wagslane on Twitter

Perpetual Motion Machine

If you are familiar with the laws of thermodynamics, you may recognize the second law as dealing with entropy. In the realm of physics, entropy represents the degree of disorder in a system. Because systems tend to degrade over time, thermodynamic energy becomes less available to do mechanical work.

In cryptography, entropy has a distinct but similar meaning. In cryptography, entropy refers to the randomness collected by a system for use in algorithms that require random data. A lack of good entropy can leave a cryptosystem vulnerable and unable to encrypt data securely.

Computers are Deterministic

Deterministic machines do exactly what we tell them to do. Every. Single. Time. In order to coax a machine into doing something random, we have to introduce a source of random input from outside the machine.

Linux

Let’s take a look at how the average Linux machine generates secure random numbers. Bec...

How Do Brute-Force Attackers Know They Found The Key?

Brute force attackers guess passwords, passphrases, and private keys in an attempt to eventually get the right answer and crack the security of a system, but how do they know when they have the right key? It depends on the system. Let’s answer the question three times, once for three different common systems.

Cipher Text With Authentication

In this case, let’s assume we have direct access to an encrypted hard drive (like that of a MacBook) that has been ciphered using AES-256-GCM. Because we have access to the raw encrypted data, we can’t be locked out for too many failed attempts. Since we are free to guess as hard and as fast as we can, all we need to know is when to stop deciphering. This is easy if the encryption was done using an authentication tag as required by GCM mode. When we get the correct password, the authentication tag will check out.

Web Application

Brute forcing your way through the front door of a web application will prove difficult if not impossible. Be...

AES-256 Cipher – Python Cryptography Examples

By Lane Wagner – @wagslane on Twitter

Need to encrypt some text with a password or private key in Python? You came to the right place. AES-256 is a solid symmetric cipher that is commonly used to encrypt data for oneself. In other words, the same person who is encrypting the data is typically decrypting it as well (think password manager).

Dependencies

For this tutorial, we will be using Python 3. Make sure you install pycrypto, which will give us access to an implementation of AES-256:

pip install pycrypto

Padding

AES-256 requires that the data to be encrypted is supplied in 16-byte blocks. We will naively add spaces to the end of our ciphertext to satisfy that requirement:

# pad with spaces at the end of the text
# because AES needs 16 byte blocks
def pad(s):
    block_size = 16
    remainder = len(s) % block_size
    padding_needed = block_size - remainder
    return s + padding_needed * ' '

We will also create an unpad() function that strips the extra space...

Will Banning Cryptography Keep the Country Safe?

By Lane Wagner – @wagslane on Twitter

Politicians in the United States have been claiming recently that end-to-end encryption is too dangerous to allow. The movement is serious, and a bill was even introduced which would remove protections that we currently have to be able to legally encrypt information. Lindsey Graham is one such proponent of this restrictive legislation:

Senator Lindsey Graham, a top Trump ally, is targeting giant internet platforms with a child protection measure that could threaten tech companies’ use of encryption and a liability exemption they prize. – Bloomberg

What Is End-To-End Encryption?

End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers. – Wikipedia

Every production worthy website uses end-to-end encryption in some sense. Data is encrypted when it leaves your computer and is ...

How To Cache Images – React Native Expo (Managed)

By Lane Wagner – @wagslane on Twitter

Caching images in React Native can be easy, even if you are using Expo’s managed workflow. The problem many devs run into is that React Native only supports caching images on iOS out of the box. Other popular community packages that work on Android contain native code, and as such don’t work with Expo’s managed workflow. For this reason, I open-sourced the code I’m using on my latest project. Behold, react-native-expo-cached-image!

Quick Start

Install the module:

yarn add react-native-expo-cached-image

Import the component:

import CachedImage from 'react-native-expo-cached-image';

Use the component in a render() method:

<CachedImage isBackground source= />

The CachedImage component has the same props and API as React Native’s Image and ImageBackground components. To use CachedImage as a background image, just pass in the isBackground prop:

<CachedImage isBackground source= />

What Is ...