IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [secret-sharing]

107 questions
147
votes
8 answers

How should I set up emergency access to business-critical secrets in case I am "hit by a bus"?

I work as the primary developer and IT administrator for a small business. I want to ensure that business can continue even if I suddenly become unavailable for some reason. Much of what I do requires access to a number of servers, (through…
AndrewSwerlick
  • 1,489
  • 2
  • 10
  • 7
108
votes
6 answers

Why can't I MitM a Diffie-Hellman key exchange?

After reading the selected answer of "Diffie-Hellman Key Exchange" in plain English 5 times I can't, for the life of me, understand how it protects me from a MitM attack. Given the following excerpt (from tylerl's answer): I come up with two prime…
orokusaki
  • 1,342
  • 2
  • 10
  • 13
49
votes
6 answers

Is a website published in an obscure directory comparably secure to being placed behind a login?

Let's say I create a microsite for a client that contains confidential business information. We need to place this in a location the client can access, in order for them to approve for launch. If we place this microsite behind a login, we have a…
CodeMoose
  • 601
  • 5
  • 10
31
votes
3 answers

Can I use WhatsApp to securely send public key, symmetric key and private key?

I am asking this because WhatsApp says it is end-to-end encrypted. Are there any problems with sending a public key through WhatsApp? There might be some objections to sending symmetric and private keys. Under what circumstances can I send…
Olle Hudga
  • 419
  • 1
  • 3
  • 4
24
votes
1 answer

Is it unsafe to use environmental variables for secret data?

After reading this blog post in which the author lays out arguments against using environmental variables for storing secrets, I am unsure how to proceed with deploying my application. His primary arguments are as follows: Given that the…
temporary_user_name
  • 436
  • 1
  • 5
  • 15
22
votes
3 answers

What is the worst that can happen if your OAuth client secret is leaked?

Let's say you have an app which uses OAuth so app can log in to the user's services (e.g. OneDrive, Google Drive, etc.) Inside the app you have included the OAuth client secret (and client ID) as string constants. An attacker extracts these from…
Rumstall Fengleblunt
  • 221
  • 2
  • 3
18
votes
1 answer

What security advantages does Hashicorp Vault have over storing secrets (passwords, API keys) in environment variables?

There seems to be a general recommendation to store secrets in the Hashicorp Vault instance (or similar key-management software) and avoid passing secrets via environment variables. In what particular scenarios using Vault is better from security…
user148622
  • 183
  • 1
  • 4
17
votes
2 answers

Encrypting something with multiple keys such that k out of n keys are needed; what's it called?

I am trying to find information on how to encrypt something in such a way that there are n keys, and k of them are needed for decryption. However, I have been searching Google for half an hour but because I do not know what this is called (and am…
user31890
  • 181
  • 1
  • 3
17
votes
4 answers

What to do when you can’t protect mobile app secret keys?

We have a mobile app for iOS and Android available in the Apple and Google Play stores. The app communicates with our server’s Web Services over HTTPS. We have attackers able to spoof the app traffic. This probably means our attackers are decrypting…
Edward Barnard
  • 672
  • 6
  • 17
11
votes
2 answers

What is the best strategy to store and share pem files between team?

Our company's small tech team works with several different servers, to which we connect with pem files. What is a good way of storing the pem files so that it can be accessed by other team members if necessary? A (probably bad) example of how to…
juuga
  • 211
  • 1
  • 2
  • 4
10
votes
2 answers

Is it a bad idea to have the user choose the TOTP secret instead of generating it automatically?

Reading about TOTP-based authentication systems that use smartphones as one-time code generators, I seem to understand that typically the shared secret is generated automatically by the "server" (the system to which the user must authenticate), then…
SantiBailors
  • 391
  • 2
  • 11
9
votes
2 answers

Securely generate and store public/private keys on Android

I am making a web application that distributes data encrypted with the public keys of its clients. At this moment this is working for dedicated devices which I distribute myself. Before they are shipped, I flash the public/private keypair into the…
CryptoGuy51
  • 91
  • 1
  • 1
  • 2
8
votes
5 answers

How to securely share key between two remote devices?

Assuming I have a server/client topology, currently I'm facing the problem that I want to generate some key on the client side and somehow make the remote server get it securely. I'm using AES on both parts, so basically what I need is to generate…
nKn
  • 669
  • 2
  • 8
  • 14
7
votes
3 answers

Bash command argument security

Suppose I want to call a program that takes in a username and password to start. What are the risks with calling the program like ./prog --user 'User' --password 'Password' other than the obvious leak of a user looking over your shoulder?. Is there…
Anthony Kraft
  • 1,139
  • 1
  • 8
  • 18
7
votes
3 answers

What would be the application-level equivalent of dynamic communication secrets?

I'm probably just thick and sufficiently new to security related issues in software development, but since I can't find information and I've been stuck on Googling this for a while. Recently I came across a book, Dynamic Secrets in Communication…
Veksi
  • 259
  • 2
  • 8
1
2 3 4 5 6 7 8