security

How to securely verify an HMAC in Python 2.7?

Submitted by 本小妞迷上赌 on 2020-01-02 05:34:07
Question: I'm using Python 2.7 and am creating an HMAC using the hmac library. Python 3.3 includes a compare_digest() function that will compare two digests and resist timing attacks, but that's not available in 2.7. Prevailing advice is not to roll my own crypto, so are there any mature Python libraries that provide that functionality? PyCrypto does not appear to.
Answer 1: For anyone finding this from search, if using Django, then you can also use the constant_time_compare function in django.utils.crypto.
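An added example (not code from the question or the answer above) showing the loop-based comparison the Django function referred to in the answer is built on, with a fallback to hmac.compare_digest where the interpreter provides it, wired into HMAC verification. The key, message and digest algorithm are stand-ins chosen here:

```python
import hashlib
import hmac


def constant_time_compare(a, b):
    """Return True iff a == b, in time that depends only on len(a).

    This is the shape of the pre-compare_digest implementations: XOR every
    byte pair and OR the results together, so the loop never exits early and
    the position of the first mismatch does not show up in the timing.
    bytearray() makes the XOR work on both Python 2 str and Python 3 bytes.
    """
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(bytearray(a), bytearray(b)):
        result |= x ^ y
    return result == 0


def compare_digests(a, b):
    """Use hmac.compare_digest when the interpreter has it (2.7.7+, 3.3+),
    otherwise fall back to the hand-written loop above."""
    return getattr(hmac, "compare_digest", constant_time_compare)(a, b)


def sign(key, message):
    """HMAC-SHA256 tag over message, as raw bytes (not a hex string)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, received_tag):
    """Recompute the tag and compare it without an early exit.

    The length check leaks only len(received_tag), which the attacker chose,
    and nothing about the secret tag. Both sides must be the same encoding
    (raw vs hex); comparing a hex digest to raw bytes fails every time.
    """
    expected = sign(key, message)
    return compare_digests(expected, received_tag)
```

verify() always does the full HMAC computation before comparing, so neither the comparison nor a missing tag short-circuits the work an attacker could time.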

Weird HTTP request found in the Node.js Express log file

Submitted by ≯℡__Kan透↙ on 2020-01-02 05:32:08
Question: My first public Node.js-based web site (with Express) went public a couple of weeks ago. I routinely checked the server log, and sometimes there are some weird records. Here are some examples:
- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" 200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
222.205.7.245 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" 200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
223.94.178.192
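Those request lines carry absolute-form targets ("GET http://www.google.com/ ...") rather than the origin-form ("GET /path ...") a browser sends to the site it is visiting. A client only writes the full URL when it believes it is talking to an HTTP proxy, so records like these are open-proxy scans, and the ancient MSIE user-agent strings fit that picture. The 200 with 3539 bytes shows Express ignored the foreign host and served the site's own index page, which is harmless unless the application forwards requests based on req.url or the Host header. The following is an added example, not code from the post, that pulls such records out of a log file; the two records above are used as input, with one ordinary request constructed here for contrast, and the log layout assumed is Express's default (remote address first):

```python
import re
from urllib.parse import urlsplit

# The two records quoted in the question, plus one ordinary request
# constructed for contrast (the third line is not from the post).
SAMPLE_LOG = [
    '- - - [Sat, 19 Oct 2013 08:44:38 GMT] "GET http://www.google.com/ HTTP/1.0" '
    '200 3539 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '222.205.7.245 - - [Sat, 19 Oct 2013 19:54:57 GMT] "GET http://www.wikipedia.org/ HTTP/1.1" '
    '200 3539 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"',
    '10.0.0.7 - - [Sat, 19 Oct 2013 20:01:12 GMT] "GET /about HTTP/1.1" '
    '200 3539 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"',
]

# Matches the quoted request line and the status code that follows it.
REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)" (?P<status>\d{3})'
)


def classify(line):
    """Return a dict describing the request, with a 'proxy_probe' flag.

    A browser talking directly to an origin server sends an origin-form
    target such as "/about". An absolute-form target ("http://host/...")
    is what a client sends to an HTTP proxy, so seeing it on an origin
    server means someone is testing whether the host relays requests.
    CONNECT is the other proxy-only request shape and is flagged too.
    Returns None for lines that do not contain a request line at all.
    """
    m = REQUEST_LINE.search(line)
    if m is None:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    absolute_form = parts.scheme in ("http", "https") and bool(parts.netloc)
    return {
        "method": m.group("method"),
        "target": target,
        "status": int(m.group("status")),
        "proxy_probe": absolute_form or m.group("method") == "CONNECT",
    }


def proxy_probes(lines):
    """Return the request targets of every line that looks like a proxy probe."""
    return [c["target"] for c in map(classify, lines) if c and c["proxy_probe"]]
```

The same decision can be made at request time on the Node side: Node's HTTP parser leaves the absolute-form target in req.url, so a middleware that answers 400 whenever /^https?:\/\//i.test(req.url) holds keeps these probes away from the route handlers, and a CONNECT handler that does nothing but reject keeps the second probe shape out as well.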

Securing zookeeper, where to start?

Submitted by 大城市里の小女人 on 2020-01-02 05:25:11
Question: I feel lost trying to figure out what my options are. Apache's programmer's guide and administrator's guide do not detail anything substantial. My O'Reilly ZooKeeper book barely talks about security... did I miss something? I was hoping to find tutorials through Google about authenticating client connections, authorizing actions, and encrypting messages sent between ZooKeeper and the client.
Answer 1: I had a lot of trouble, but I figured it out, and the links at the bottom were a huge help to me. This

SecurityException: Not allowed to start service Intent { act=com.google.android.c2dm.intent.REGISTER pkg=com.google.android.gms (has extras) }

Submitted by 故事扮演 on 2020-01-02 04:50:06
Question: I am trying to get my GCM registration ID from Google. My code: String SENDER_ID = "722******53"; /** * Registers the application with GCM servers asynchronously. * <p> * Stores the registration ID and the app versionCode in the application's * shared preferences. */ private void registerInBackground() { new AsyncTask<Void, Void, String>() { @Override protected String doInBackground(Void... params) { String msg = ""; try { if (gcm == null) { gcm = GoogleCloudMessaging.getInstance(context); } regid =

How can I find or verify the encryption strength of my JDK security providers?

Submitted by ☆樱花仙子☆ on 2020-01-02 03:51:05
Question: I have this little program that prints out all of the supported providers in my JDK installation, but I am wondering if anyone knows how I can change this program to also print out the "strength" of each of the providers? import java.security.Provider; import java.security.Security; public class SecurityListings { public static void main(String[] args) { for (Provider provider : Security.getProviders()) { System.out.println("Provider: " + provider.getName()); for (Provider.Service service :

Using hash of password to encrypt private key

Submitted by a 夏天 on 2020-01-02 03:48:06
Question: I am developing a web application in which I need to encrypt sensitive information. My plan is to use AES-256 where the private key is encrypted by a hash of the user's password. I need to store the hash of the password for authentication purposes, but it obviously can't be the same one used to encrypt the private key. My current thought is to use bcrypt to generate a key to be used to encrypt the private key. For authentication, my thought was to simply hash the password using bcrypt and then
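The point the question is circling is that the value stored for login and the value that unlocks the private key must not be derivable from each other, even though both come from the one password. One way to get that is a single slow KDF pass over the password followed by two labelled subkeys. The following is an added example, not the asker's design: it uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt (either serves as the slow step), HKDF-Expand from RFC 5869 for the split, and treats the wrapping key as something to hand to an AEAD such as AES-256-GCM rather than to store. The labels, iteration count and record layout are choices made here:

```python
import hashlib
import hmac
import os


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with HMAC-SHA256.

    The Extract step is skipped because the PBKDF2 output fed in as prk is
    already a uniform 32-byte key. Different `info` labels give independent
    subkeys: knowing one reveals nothing about the other or about prk.
    """
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password, salt, iterations):
    """One slow KDF pass over the password, then two labelled subkeys.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here because it is in the
    standard library; bcrypt or scrypt fill the same role equally well.
    """
    master = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    auth_key = hkdf_expand(master, b"login-verifier", 32)
    wrap_key = hkdf_expand(master, b"private-key-wrap", 32)
    return auth_key, wrap_key


def enroll(password, iterations=100_000):
    """Build the record that goes in the user table and return it with the
    wrapping key.

    Only a hash of auth_key is stored, so a database leak yields neither a
    login credential nor the wrapping key. wrap_key is for immediate use
    (e.g. as the AES-256-GCM key that encrypts the private key) and is
    never persisted.
    """
    salt = os.urandom(16)
    auth_key, wrap_key = derive_keys(password, salt, iterations)
    record = {
        "salt": salt,
        "iterations": iterations,
        "verifier": hashlib.sha256(auth_key).digest(),
    }
    return record, wrap_key


def unlock(record, password):
    """Authenticate and, on success, re-derive the wrapping key.

    Returns None on a wrong password. The verifier comparison is constant
    time so the stored value cannot be matched byte by byte.
    """
    auth_key, wrap_key = derive_keys(password, record["salt"], record["iterations"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"]):
        return None
    return wrap_key
```

On a database leak the attacker holds salt, iteration count and verifier; the verifier is a hash of one subkey, so it neither logs the attacker in by itself nor leads to the wrapping key. The wrapping key exists only while the user's password is in memory, which is exactly the property the question is after.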

How to properly use Bouncy Castle's OAEPEncoding for RSA (Lightweight API)

Submitted by 与世无争的帅哥 on 2020-01-02 03:37:28
Question: I've been playing around with Bouncy Castle's implementation of RSA (Lightweight API) and have got the basics figured out. Looking at their spec for the JCE provider implementation, I noticed that different padding schemes can be used with RSA. From what I understand, by default null padding is used. So I began exploring OAEP padding, particularly OAEPWithSHA512AndMGF1Padding. Searching with Google wasn't very helpful, so I began digging through BC's source code and found org.bouncycastle.jce.provider

Sanitising strings in R

Submitted by 两盒软妹~` on 2020-01-02 03:37:08
Question: This is related to a previous question, here: Converting a \u escaped Unicode string to ASCII. I proposed a solution involving eval(parse(text=x)), which for non-R users means what it says: parsing the text string, then evaluating it. The aim was not to allow arbitrary code to be executed, but only to un-escape escaped Unicode text. Hence the solution: eval(parse(text=paste0("'", x, "'"))) While this should be fairly safe given the restricted objective, I'd be interested to know: how much
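The weakness is that paste0("'", x, "'") only confines x while x contains no quote; a quote inside x ends the literal, and whatever follows is parsed and run as further statements. The following added example, not from the question, shows the same idiom and its break-out transliterated to Python, next to an un-escaper that decodes \uXXXX sequences with a regular expression and never invokes the language parser. The inputs are constructed here:

```python
import re

# Exactly the four-hex-digit form the question wants to decode; nothing else
# in the input is interpreted.
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def unescape_by_eval(x):
    """The question's idiom, transliterated to Python: wrap the input in
    quotes and hand it to the language parser. Any quote inside x ends the
    literal early, and the remainder is parsed and executed as code."""
    return eval("'" + x + "'")


def unescape_only(x):
    """Decode \\uXXXX sequences and nothing else. There is no parser to
    escape from, so the worst a hostile input can do is decode to odd
    characters."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), x)


# Constructed inputs: a benign escaped string and a payload that closes the
# quoted literal. The payload only computes 6 * 7, but that position could
# hold any expression the interpreter is willing to run.
BENIGN = r"caf\u00e9"
PAYLOAD = "' + str(6 * 7) + '"
```

In R the payload shape is the same, for instance '; system("id"); ', because parse(text=) accepts several statements separated by semicolons and eval runs each of them. A single-purpose decoder like unescape_only has no such path: the only thing it produces is the character named by the four hex digits.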

find inode number of a file using C code

Submitted by 好久不见. on 2020-01-02 03:32:04
Question: I have a program, say named giverootAccess. This program can receive a file name in the current directory (where giverootAccess resides) as a command-line argument. Then the file will get root access. The file can be an executable or a shell script. Now the problem is that a hacker can get root access by redirecting the request to bash. I want to restrict a user to giving root access only to those files inside the directory where giverootAccess resides. A hacker can redirect the file name to
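What the question needs is a way to make sure the name handed to giverootAccess denotes a file that really sits inside its own directory, with no route out through ../, an absolute path, or a symlink pointing at /bin/bash. The following is an added example, not the asker's program, written in Python; each call maps directly onto the C the program would use: os.open with dir_fd is openat(2), O_NOFOLLOW is the same flag, os.fstat is fstat(2), and the returned descriptor is what fexecve(3) would run. demo_dir builds a constructed scratch directory for trying it out:

```python
import os
import stat


def open_in_dir(base_dir, name):
    """Open `name` only if it is a regular file directly inside base_dir.

    Three ways a caller that concatenates base_dir + name gets tricked are
    closed here:
      * "../x" or "/bin/bash": the name may not contain a separator, and the
        open is done relative to a directory descriptor, so there is no
        string path for an attacker to redirect;
      * a symlink in base_dir pointing at /bin/bash: O_NOFOLLOW makes the
        kernel refuse to follow it;
      * a directory, FIFO or device: fstat on the opened descriptor, not
        stat on a path, so the check and the later use see the same object.
    Returns (fd, st_dev, st_ino). The (dev, ino) pair identifies the file;
    the inode number alone is only unique within one filesystem.
    """
    if not name or "/" in name or name in (".", ".."):
        raise ValueError("name must be a bare filename: %r" % name)
    dirfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dirfd)
        except OSError as e:
            # ELOOP (symlink under O_NOFOLLOW), ENOENT, EACCES all end here.
            raise ValueError("refusing %r: %s" % (name, os.strerror(e.errno))) from e
    finally:
        os.close(dirfd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file: %r" % name)
    except Exception:
        os.close(fd)
        raise
    return fd, st.st_dev, st.st_ino


def is_allowed(base_dir, name):
    """Boolean wrapper for callers that only need the decision."""
    try:
        fd, _, _ = open_in_dir(base_dir, name)
    except ValueError:
        return False
    os.close(fd)
    return True


def inode_number(path):
    """The plain lookup the question asks for, for comparison with the
    value obtained through the guarded open."""
    return os.stat(path).st_ino


def demo_dir():
    """Constructed fixture: a scratch directory holding one legitimate
    script and one symlink escaping to /bin/sh. Returns its path."""
    import tempfile
    d = tempfile.mkdtemp(prefix="giverootAccess-")
    with open(os.path.join(d, "job.sh"), "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.symlink("/bin/sh", os.path.join(d, "shell"))
    return d
```

Checking a path with stat and then executing it by name reopens the file and gives an attacker a window to swap it; keeping the one descriptor from the check through to fexecve(3) is what closes that window, and the (st_dev, st_ino) pair is what to log or compare if the identity of the file has to be recorded.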