Tag: keys

hashing – Why do sites store user data all in one user table? Why not separate with salted and hashed unique keys?

Say I’m a Big Company with a bunch of user data, including usernames, email addresses, and salted and hashed passwords. I recognize that I’m susceptible to attack in some way shape or form, despite everything that I’ve done to try to prevent an attacker from gaining access (phishing is stupidly effective, after all).

Suppose I want to separate a hacker from getting to more data. Would it not make more sense for me to set up one table with user data consisting of a unique identifier, their salted and hashed password, and any other relevant data, then create another table of email addresses that has two columns; the email address, and a unique key. However, that unique key is based on a salted and hashed version of the unique key from the original users table that can be replicated (assuming you know the salt and the algorithm used.)

Now, assuming someone enters maliciously, they will have to determine two sets of salts and hashes– one to decrypt the password, and one to decrypt which email address is associated with that username and password. Gaining the email addresses is still valuable for stuff like spam mail, but it’s now double the effort if someone wants to figure out how to log in as a user. This obviously is n

MySQL 8.0 Metadata Lock Extension for Foreign Keys causing requests to hang

We are using AWS RDS and we upgraded from MySQL 5.6.41 to MySQL 8.0.21 last December.

Since mid-January, we noticed some problems causing our replica to be stuck after running migrations adding foreign keys to new tables referencing our main table (in the sense that it is queried for almost all API calls).

Typically, we can have the following Django migration:

    migrations.AddField(
        model_name='artifactpresenter',
        name='event',
        field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pittsburgh.Event'),
    ),

This would translate to some kind of ALTER TABLE ... ADD CONSTRAINT ... FOREIGN KEY ... REFERENCES ... DDL query (verified by checking the SQL generated by the Django ORM).

When running this migration on production, it would execute fine on our master that mostly processes write requests and a small portion of our read queries. However, our replica will suddenly hang on the referenced table (pittsburgh.Event in the above migration).

More specifically, here is what we can see from RDS Performance Insights:

enter image description here

As you can see, all the read requests to this pittsburgh.Event model would just hang on the MDL_context lock (a.k.a., the table metadata lock).

When this happens, our entire production pretty much goes down and our only solution at the moment is to restart the replica.

We first thought this was coming from multi-threaded replication that we inadvertently enabled. However, the issue persisted after we disabled multithreaded replication.

After digging more, I was actually able to reproduce the issue with 3 sessions:

  • In one session, I start a transaction and read something from the pittsburgh.Event table, but I do not commit or rollback the transaction yet: I just leave it opened
  • In another session, I run a CREATE TABLE statement adding a foreign key constraint referencing pittsburgh.Event (autocommit enabled): this statement will just hang, waiting to acquire the metadata lock on the pittsburgh.Event, but it is already acquired by the transaction in the first session
  • In a third session, I try to read something from the pittsburgh.Event table: this one will also hang because MySQL will apparently queue the query until the second session can acquire the lock on pittsburgh.Event (write prioritized over reads)

I tried to reproduce on MySQL 5.6, 5.7, and 8.0:

  • on MySQL 5.6 and 5.7, the second and third session never hangs, even if the first session did not commit yet
  • on MySQL 8.0, what I described above occurs

Clearly, this seems to be a change in how MySQL 8.0 implements metadata locks. When digging through the MySQL change log, I found this in the MySQL 8.0.3 release changelog

MySQL now extends metadata locks, as necessary, to tables that are related by a foreign key constraint. Extending metadata locks prevents conflicting DML and DDL operations from executing concurrently on related tables. This feature also enables updates to foreign key metadata when a parent table is modified. Previously, foreign key metadata, which is owned by the child table, could not be updated safely.

If a table is locked explicitly with LOCK TABLES, any tables related by a foreign key constraint are now opened and locked implicitly. For foreign key checks, a shared read-only lock (LOCK TABLES READ) is taken on related tables. For cascading updates, a shared-nothing write lock (LOCK TABLES WRITE) is taken on related tables that are involved in the operation.

If LOCK TABLES is active for a table in a foreign key relationship, ALTER TABLE … RENAME is not permitted for that table. This is a temporary restriction, lifted in MySQL 8.0.4 by the patch for Bug #26647340.

I’m not 100% certain this is the cause of our problem, but the description seems to clearly match what I’m observing. If this is the case, it seems that this behavior is apparently expected for MySQL 8.0.

From there, I’m not sure what to do and how to handle this problem. We can’t really downgrade to MySQL 5.7 (RDS only allows you to upgrade, and manually trying to re-build the database at an older version using some backup would incur way too much downtime and sounds quite risky):

  • Are there some configuration options we can use to disable this new behavior? We have been running on MySQL 5.6 for years without issues, and we run migrations infrequently: it does not appear as if this new mechanism is solving any of our problem (in fact, it is causing us a lot of troubles)
  • If we can’t disable, what are some appropriate way to mitigate this? I saw some people playing with the lock timeout, but it does not seem to solve anything and I’m not even clear whether it would work on a replica
  • Some recommendations are to track down the long-running transaction that can cause this hang. But how to prevent this to be reintroduced later on with a mid-size engineering team where you can’t oversee all code changes? Again, we used 5.6 for years without having any issue with this, so it’s suddenly a lot of burdens to oversee any database query change or implement some monitoring to track this down
  • We are also planning to improve our database requests routing to detect some problems with the replica and stop routing requests there. That would prevent our application to go down completely for too long and will improve our overall reliability, but it’s again just going around the problem without solving it

oauth2 – API keys or Client Credentials flow? Good practice to control application access to a deployed web component

Company A developed a widget (Web Component) deployed on several clients/partners.

Only clients/partners must be authorized to use the widget.
No need to distinguish between each end users (clients’ users), because only the application itself, the widget itself must be authenticated/authorized.

I thought about using a relevant API KEY per client stored on a reverse proxy (mini-backend), the latter stored on the client’s infrastructure.
This way, the widget could target the reverse proxy, this one providing the hidden API KEY in order to deal with Company A’s backend.

Pros of this solution:
No front developments required on client’s infrastructure.
Cons:
If the API is stolen (in extreme cases), as there is no expiration by default, anyone could benefit of its power at any time except if additional check on domain + IP/DNS are carried out.

Other way, what about the Client Credentials flow of OAuth, that would consist in ensuring a communication between Company A’s backend AND client’s backend to generate a token allowing client/partner to ask for a business token that can expire in a short run.
Thus, the widget would be passed the business token in order to deal with Company A’s backend features at any time, before expiration.

Pros of this solution:
The token can expire and has therefore less potential of damages than a potential stolen API KEY that does not expire.
Cons:
Backend developments required on clients side in order to deal with the client credentials flow (service to service).
Front developments required on client’s infrastructure to provide the business token to the widget.

What would you suggest?

mysql – SQL: How to get all tables’ columns & keys + the primary key?

I’m trying to get all tables in a database, with their column definitions and keys.

Given the following tables

create database test;
use test;

CREATE TABLE authors (
  id int NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL UNIQUE,
  PRIMARY KEY(id)
);
CREATE TABLE books (
  id int NOT NULL AUTO_INCREMENT,
  author_id int NOT NULL,
  title varchar(255) NOT NULL UNIQUE,
  summary varchar(255),
  FOREIGN KEY (author_id) REFERENCES authors(id) ON DELETE CASCADE,
  PRIMARY KEY(id)
);
CREATE TABLE authors_books (
  author_id int NOT NULL,
  book_id int NOT NULL,
  FOREIGN KEY (author_id) REFERENCES authors(id) ON DELETE CASCADE,
  FOREIGN KEY (book_id) REFERENCES books(id) ON DELETE CASCADE,
  PRIMARY KEY(author_id, book_id)
);

The end result should look something like:

authors
id,int,no,auto_increment
name,varchar(255),no,UNIQUE
PK(id)

books
id,int
author_id,int,FK->authors.id
title,varchar(255),UNIQUE
summary,varchar(255),NULL
PK(id)

authors_books
author_id,int,FK->authors.id
book_id,int,FK->books.id
PK(author_id,book_id)

Now, the following query gets me everything except the keys. It’s a mess in mysql output, but running it with the command helps it look digestible.

mysql -u root -p -NBre "SELECT CONCAT_WS('n', table_name, GROUP_CONCAT(
    CONCAT_WS(',', column_name, column_type)
    ORDER BY ordinal_position
    SEPARATOR 'n'
  ),
  'n'
)
FROM information_schema.columns
WHERE table_schema = 'test'
GROUP BY table_name"

I’ve tried many combinations to get the keys, but could only get as close as the following.

SELECT a.table_name, a.column_name, GROUP_CONCAT(CONCAT_WS(',', a.column_type, b.constraint_name, b.ordinal_position ) SEPARATOR '|')
FROM columns a
LEFT JOIN key_column_usage b
  ON (a.table_name = b.table_name AND a.column_name = b.column_name)
WHERE b.table_schema = 'test'
GROUP BY a.table_name, a.column_name
ORDER BY a.table_name;

Which gives:

| TABLE_NAME    | COLUMN_NAME | GROUP_CONCAT(CONCAT_WS(',', a.column_type, b.constraint_name, b.ordinal_position) SEPARATOR '|') |
|---------------|-------------|------------------------------------------|
| authors       | id          | int,PRIMARY,1                            |
| authors       | name        | varchar(255),name,1                      |
| authors_books | author_id   | int,PRIMARY,1|int,authors_books_ibfk_1,1 |
| authors_books | book_id     | int,PRIMARY,2|int,authors_books_ibfk_2,1 |
| books         | author_id   | int,books_ibfk_1,1                       |
| books         | id          | int,PRIMARY,1                            |
| books         | title       | varchar(255),title,1                     |

Notice, books.summary is missing, so I’m thinking all fields without a constraint will be missing from the results.

Another thing is when a primary key is a composite key, such as in the bridge table authors_books, they should not be part of the GROUP_CONCAT in the 3rd column but instead be its own record at the end of the table_name group.

I might be on the wrong track but.. How can I also get the columns that don’t have key constraints, plus the table’s primary key as its own row?

x.509 – openssl SubjectDN parameter, abbreviaton of argument keys and how to add extra ones

openssl command allows to create x509 certificates, and to add subjectDN using the -subj parameter.
The parameter accepts a string of slash-delimited values in the form of:

"/UPPERCASE_ABBREVIATED_KEY=VALUE/.../"

i.e.

"/C=IT/ST=Italy/L=Milan/O=myservice/CN=localhost"

I could not find a complete list of the allowed keys, and I need to create a certificate with the following attributes:

  • organizationName (O)
  • commonName (CN)
  • uri (?!)
  • organizationIdentifier (?!)
  • countryName (C)
  • localityName (L)

of which uri and organizationIdentifier I have no clue on how to include.
to my knowledge (fairly limited, i am just starting in the digital signature world), the values this parameter can incorporate are:

  • Country Name (C)
  • State or province (ST)
  • Locality (L)
  • Organization Name (O)
  • Organizational Unit Name (…)
  • Common Name (CN)
  • Email Address (…)

Is there a place where I can find the complete list of possibile attributes and their abbreviation?
or maybe something other than openssl that allows to build the certificate ?
Is it possible that to add the extra fields (uri, OrganizationIdentifier) the addtext argument must be used?
Thank you in advance for your time and understending.
Best regards

wallet – Mycelium – understanding of keys

Under the Accounts tab in Mycelium, it says that Account 1 “Contains 3 private keys.” My understanding is that a public/private key pair is generated for each address type/format (p2sh, p2pkh and bech32) and we are free to choose which to use when receiving bitcoins.

  1. Is any of those three private keys known as the Extended Private Key from which all remainder and future private keys get derived? Or, are all private keys within ‘Account 1’ derived from the 12-word master seed and none of them are Extended Private Keys? Or, are the 3 of them Extended Private Keys (one for each address type)?

  2. Now when I’m receiving bitcoins I can choose which of the three addresses I want to use, right? Are the bitcoins now associated with the public/private key pair or the account? Say the three public/private key pairs are xpub/xprv, ypub/yprv and zpub/zprv … now if I received A bitcoins on xpub and B bitcoins on ypub, does that mean when I want to send A+B bitcoins I have to make two seperate transactions and therefore pay transaction fees twice?

  3. After receiving some bitcoins on, say ypub, does that mean another public/private key pair gets generated because it’s an HD wallet? If yes, next time you’re receiving bitcoins, can you choose which of the 4 addresses you want the coins to be associated with?

  4. If I create a new account (say ‘Account 2’) will it have it’s own master seed? Or is the 12-word master seed for all accounts within the wallet? If the master seed is for all accounts, where do the Extended Private Key and Extended Public Key reside?

public key infrastructure – How roaming works with ssh private keys?

This occurred to me when looking at the security model wireguard is using. Instead of relying on users credentials and Radius authenticating central server each user has a private key used to authenticate VPN. This is modeled after SSH PKI.

But how does it work when users switch computers. In big organisation it is common for employees to move around a lot and login to different machines. Is the idea for them to only have access VPN, SSH from their own desks? Or are the keys stored on some local network file share?

8 – Override specific configuration keys in settings.local.php

I’m trying to learn the Drupal 8 configuration override system based on the documentation here:

https://www.drupal.org/docs/drupal-apis/configuration-api/configuration-override-system

As a simple test, I have disabled the Shield module and exported config. Here’s a diff:

diff --git a/config/sync/shield.settings.yml b/config/sync/shield.settings.yml
index 3f7482f18..d9f019ca4 100644
--- a/config/sync/shield.settings.yml
+++ b/config/sync/shield.settings.yml
@@ -1,4 +1,4 @@
-shield_enable: true
+shield_enable: false
 credential_provider: shield
 credentials:
   shield:

Now, in my settings.local.php I have attempted to override this config key:

/**
 * Disable Shield (HTTP Basic Authentication).
 */
$config('shield')('shield_enable') = FALSE;

This approach does not seem to work.

Do I need to do anything else to override the configuration?

NOTE: This is a contrived example. I could use configuration splits to disable HTTP basic auth in the production environment, even if it’s enabled in the active database configuration. In fact, I am hoping this approach will allow me to use environment variables to provide environment-specific values for authentication tokens, API keys and other secrets that may change in sandbox and production environments, but details are irrelevant to the question.

Where does it go and who verifies private keys?

The private key is used when signing a transaction. The private key usually goes into a bitcoin wallet, and the wallet software handles the signing and storage of your keys. Do not give your keys to anyone. Anyone with your private keys can spend just the same as you so it is important to keep these safe and preferably offline.

Yes your wallet software will verify the signature (not the key) before broadcasting as well as any listening nodes.

bitcore – Can Parent keys access child keys bitcoin?

I’m using bitcore to generate a parent key and multiple child keys.

I’ve sent 0.00001 BCH to the parent key and 2 child keys. The 0.00001 BCH is currently on each of them. Can the parent key access the child keys BCH or does it need to send the BCH from each child to the parent?

Here are the exact docs I’m reading

https://github.com/bitpay/bitcore/blob/master/packages/bitcore-lib-cash/docs/hierarchical.md