IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [custom-scheme]

21 questions
282
votes
11 answers

Why shouldn't we roll our own?

Why shouldn't we create our own security schemes? I see a lot of questions around here about custom crypto and custom security mechanisms, especially around password hashing. With that in mind, I'm looking for a canonical answer, with the following…
Polynomial
  • 132,208
  • 43
  • 298
  • 379
178
votes
12 answers

Why is it wrong to *implement* myself a known, published, widely believed to be secure crypto algorithm?

I know the general advice that we should never design¹ a cryptographic algorithm. It has been talked about very extensively on this site and on the websites of professionals of such caliber as Bruce Schneier. However, the general advice goes…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
8
votes
3 answers

Defense in depth vs low complexity - Balancing point?

I've asked a few questions relating to schemes for various security-related functions, and posited schemes to accomplish those goals. In the responses, I see a conflict between two fundamental principles of IT security; "defense in depth" (make an…
KeithS
  • 6,678
  • 1
  • 22
  • 38
8
votes
4 answers

How much security expertise does a general application programmer need to develop software ethically?

I am curious about this. I saw this thread: Why shouldn't we roll our own? and this answer: https://security.stackexchange.com/a/18198/144241 which had on it this comment, which had the second highest number of votes and that can't just be…
The_Sympathizer
  • 181
  • 3
6
votes
2 answers

What are the weaknesses of my authentication scheme?

So, recently, after going through some infosec training (FutureLearn's Introduction to Cyber Security, which I heavily recommend as well-explained newbie material), I decided to take the plunge and finally up the security of my authentication in…
Hadrien G.
  • 61
  • 2
5
votes
1 answer

Security and authentication problem

We have a sample scenario and we would like to receive some feedback and some solutions regarding possible security schemes. First of all, lets imagine a real world scenario: Imagine that a user owns a locker in a university (owners) and the…
glarkou
  • 169
  • 2
3
votes
1 answer

What is this QR code authentication scheme called?

What is this pattern for mobile authentication called? It's more convenient than entering complex password on mobile phone, and I wanted to read about it more A user is authenticated within webapp and he wants to bind his mobile app with his…
joozek
  • 253
  • 1
  • 7
3
votes
1 answer

Are there any uses of having a non-deterministic salt value for hashes?

So I've been toying with the idea of having non-deterministic salt values for hashes. Let me explain what I mean: Basically, I applied some properties from Bitcoin including a "difficulty" (ie, hashed value must begin with a certain number of 0…
Earlz
  • 604
  • 2
  • 6
  • 15
3
votes
1 answer

Is this a valid secure cookie scheme?

I have a scheme for a cookie with high-level confidentiality of information. The information to be hidden from the client is the expiration time of the cookie. I am wondering what insecurities i am opening myself up to with this scheme. Note below…
lluisrojass
  • 131
  • 1
2
votes
1 answer

Slow Hashing Without a Salt?

I'm trying to design a security scheme that involves a shared secret but isn't a traditional account password situation. The server would store a set of "keys", each of which has a blob of data associated with it. In order for anyone to access the…
Chris Graham
  • 23
  • 2
2
votes
2 answers

Simple-to-implement ad-hoc password validation scheme

I'm writing a level for a game in which the player has an advantage if they know a password. I want it to be infeasible to find the password from looking at the level's source code. The problem is that the language's levels are written in an ad-hoc…
cardboard_box
  • 123
  • 4
2
votes
0 answers

Distributed Shared Secret for RNG that only Distributor knows?

For one of my projects I want to create a way to sync up all participants' RNG with a seed where each participant does not know the seed of the RNG but also in a way that minimizes the number of times that the central distributor that knows the…
sethmlarson
  • 1,479
  • 10
  • 17
1
vote
1 answer

Is This DIY Password Authentication Scheme Acceptable?

This is mostly a thought experiment for client/server communication, and I want to know the flaws. When a user account is created (with U as the username and P as the password,) I generate a random salt (S) and store these values in the database (on…
yzt
  • 113
  • 5
1
vote
1 answer

is this data encryption scheme viable?

My goal is to be able to encrypt the data so that no one would be able to make use of it if it was stolen. User data - the one that will be encrypted - can be any type of data Data encryption key - the key for encrypting and decrypting the user…
Gene Diaz
  • 113
  • 4
0
votes
1 answer

Where can I find a list of Indicators of Compromise (IOC) conditions?

OpenIOC.org has several schemas defining Indicators of Compromise. The Schema is defined here: http://schemas.mandiant.com/2010/ioc/ioc.xsd While under IndicatorItemContext/search says it is xs:string, the actual list of search terms is listed…
A G
  • 161
  • 1
  • 6
1
2