cryptography – Why public key systems involve private keys

Public key cryptography means that the entire communication between both parties is public, including the setup. Contrast this with the case of two parties $A,B$ meeting in secret, agreeing on some keyword, and using this keyword to encrypt future communications.

Clearly, if $A,B$ decide on the encrpyption scheme in public, something has to be kept private (otherwise you could decipher the messages just like the parties involved). This is the private key, so the flow is something along the following lines: $A$ and $B$ publicly discuss and share some information with each other and the world, then they do something in private and send each other encrypted messages. Witnesses to the public exchange alone can’t recover what is being said.

The child version of such scheme which I like is the following. Suppose $A$ and $B$ want to agree on some secret color, only known to them, however the entire exchange must be public. Under the assumption that mixing colors is easy, but given a mixture recovering its components is hard, then they could do the following: $A$ and $B$ each choose a secret (private key) color denoted by $a,b$. Then $A$ sends $B$ the color $c$ (public key), and the mixture $(a,c)$. $B$ now creates the mixture $(b,c)$ and sends it to $A$, and also mixes $(a,b,c)$ and keeps this compound to himself. Finally, $A$ adds $a$ to $(b,c)$ and is now also in the possession of the secret mixture $(a,b,c)$, known to $A,B$ but unknown to anyone who solely witnessed the interaction between them.

Is it ok and safe to import master public key from electrum wallet into bluewallet to be a watch-only wallet?

I want to use my iPhone (Blue wallet) to be the watch-only wallet for my offline wallet generated on electrum. So that I can generate unsigned transaction on the bluewallet and send it back to my offline wallet to be signed on electrum. And then send the signed transaction back to bluewallet to be broadcasted.

Is it safe to do so? Is there any better way to do it so I don’t have to send the unsigned and signed transaction back and forth?

sharepoint online – How to migrate a public library view from one library into another

From SharePoint Online, I was able to go into Site Settings, create my custom content type, and add new columns to it.

I then created a new SharePoint site, added my custom columns from my custom content type and saved a public view for my library in this site.

I then created a new library within the same site, and added my columns to it (from my custom content type), but how do we copy over the public view that was in the previous library into this new library?

In this case, does the view have to be re-created when going from library to library?

How do many public keys correspond to one private key?

I have read online that hardware wallets can generate new public keys to facilitate transactions. Ie if someone has BTC on an exchange and they want to send that BTC in different installments to a single private key/hardware wallet, that hardware wallet can generate a different public key for each transaction. I’m a bit confused on how this works? Would the ledger not indicate that each of those installments now belongs to a different address? Or is it simply that each time a new public key is generated, the private key in the hardware wallet has the ability to sign for all of those? (Thus creating a persistent, growing list of public keys associated with one private key?).

Additionally, what is displayed on the ledger if that hardware wallet, after multiple installments with different public keys, now wants to send BTC elsewhere? Which of the previous public keys is used? Does it create a new one? Wouldn’t this show up on the ledger as a public key sending more BTC than it ever acquired?

wallet – is the public key the same as the Bitcoin address?

No, they’re not the same thing. Paper wallets are not generated differently as/in to comparison to normal wallets.

a bitcoin adress is part of a public key.

The address is at its most basic just a hash of the public key. The hash functions involved (RIPEMD-160 and SHA256) are cryptographic hash functions. They are often also referred to as one-way functions, which is exactly the reason why you cannot derive the public key from the address.

Oneway functions provide exactly that a = f(pk) so that given a you cannot derive pk.

So, an adress is basically the hash of a public key. x/x

Some good more indepth explanations of the differences here ->

And, how the adress is derived from the public key is explained here ->

How to join public group in Telegram group based on an invite code

Someone provide this: tg://join?invite=xxxxxxxx
(UIApplication sharedApplication) openURL:(NSURL URLWithString:@"tg://join?invite=xxxxxxxx") options:@{} completionHandler:^(BOOL success) {});

  1. if the xxxxxxx is private invite code, it worked.
  2. if the xxxxxxx is public invite code, the telegram show "This invite link has expired"
    What do I do?

networking – Accessing WSL2 From Public IP Address

I have installed WSL2 with Ubuntu 20.04 on Windows 10.

I have an Apache server running in WSL2, and this works fine when I use a browser in Windows (Chrome) to access it via WSL IP address.

As the WSL2 IP address may change, I’ve created the following Powershell script which restarts WSL, grabs the new WSL IP address, restarts the services (Apache and MySQL for the website itself, and also Cron to run “certbot” for SSL certificate renewal), then I set up port forwarding from Windows to the WSL IP for ports 80 and 443, ensure that the Windows Firewall is open for those ports, then update the hosts file for the domain to the new WSL IP address.

Write-Host "Shutting down WSL"

wsl --shutdown

Write-Host "Starting services..."

wsl sudo service mysql restart
wsl sudo service apache2 restart
wsl sudo service cron restart

$wsl_ip = wsl hostname -I

Write-Host "Port forwarding to $wsl_ip"

netsh interface portproxy reset
netsh interface portproxy add v4tov4 listenport=80 connectport=80 connectaddress=$wsl_ip
netsh interface portproxy add v4tov4 listenport=443 connectport=443 connectaddress=$wsl_ip
netsh interface portproxy add v4tov4 listenaddress= listenport=80 connectport=80 connectaddress=$wsl_ip
netsh interface portproxy add v4tov4 listenaddress= listenport=443 connectport=443 connectaddress=$wsl_ip
netsh interface portproxy show all

Write-Host "Open Firewall"
Remove-NetFirewallRule -DisplayName "Apache2 Port 80 TCP"
Remove-NetFirewallRule -DisplayName "Apache2 Port 443 TCP"
New-NetFirewallRule -DisplayName "Apache2 Port 80 TCP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow -EdgeTraversalPolicy Allow
New-NetFirewallRule -DisplayName "Apache2 Port 80 TCP" -Direction Outbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "Apache2 Port 443 TCP" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -EdgeTraversalPolicy Allow
New-NetFirewallRule -DisplayName "Apache2 Port 443 TCP" -Direction Outbound -Protocol TCP -LocalPort 443 -Action Allow

Write-Host "Updating hosts..."

$domain = ""
$line = "$wsl_ip`t$domain"
$hostsPath = "$env:windirSystem32driversetchosts"
$items = Get-Content $hostsPath | Select-String $domain

if($items -eq $null)
    Add-Content $hostsPath $line
    foreach($item in $items)
        (Get-Content $hostsPath) -replace $item, $line | Set-Content $hostsPath


I’ve tested the script and it does complete all the tasks correctly. The “hosts” file is updated, the firewall rules are added (this one could just be run once and needn’t be in this “restart server” script, but I’ve bundled all the steps together into this script).

The script shows all the portproxy rules and they are set up as expected (there’s not necessarily a reason for listening on all addresses and then also specifically listening on the Windows LAN IP – this is just paranonia and testing different things, when it wouldn’t work).

And the server itself is up and running, because if I browse to the WSL IP address (or use the domain name, thanks to the hosts entry – using the correct domain name matches the SSL certificate to not have to wave away browser warnings) or “localhost” then the website comes up just fine.

But If I try to browse to “” or the Windows LAN IP address (, as shown in the script) then I get “connection refused”.

Note that I’ve directly placed portproxy commands in the script for IP to the WSL IP address (which works when used directly), so this portproxy is being explicitly refused (by the firewall? But I’ve added Firewall rules to open those ports, right?).

And if I try to use the public IP address (or real domain name) then the browser just spins until it says “timed out”. Which is interestingly different, as and the LAN IP address are “connection refused” (returning immediately) but this is timing out from no response at all.

The server itself is in the DMZ and the public IP address is NAT’d to the LAN IP address, which is why I’m specifically trying to get that one working, as it should make it publicly accessible.

I did have this server up and running previously – with full public access and all was fine – but the server suffered a power outage, and now I can’t get it to work again.

It’s possible that there was some command or setting I did previously, that wasn’t saved and got lost in the power outage, but I can’t think what it could be.

Any ideas what could be making the LAN IP / fail with “connection refused”, while “localhost” and the WSL2 IP works just fine?

Though is less important, as it’s the LAN IP that needs to be working to get it publicly accessible, because that’s what the NAT sends packets to.

authentication – Is PKCE really protecting public facing clients? Can’t a rogue app steal the ClientID and Secret and make a AuthCode request of its own?

From what I have understood, for public facing clients such as JavaScript apps that run on the browser or mobile apps which have no backend there is no secure place to store client id and secret. Therefore, the client will generate a random string code a.k.a code challenge (plain).

And then:

Client sends ClientID, secret, redirect URI and code challenge --> Authorization Server 
--> Auth Server sends back Auth Code --> Client --> Sends the previously generated code challenge (string) 
--> Auth Server --> Auth Server checks if the code challenge is same as the one that was sent earlier
 when it generated that particular Auth Code. --> Auth Server Sends back Access token.

How does this secure the client application? I mean that if someone can steal the ClientID and secret then it can also generate a random string and send all three to the Authorization server to generate Auth Code and then make another request to get the access token. Eventually the token would expire and then the person could repeat the process since it has the ClientID and Secret. It is just a matter of generating that random code challenge again.

I understand that Hacker App can not use the stolen AuthCode to get Access Token because of PKCE but – why can’t Hacker app use the clientID of your app and generate a code verifier then ask Authorization Server for a Auth Code and then again for Access Code?

Is it impossible to steal ClientID?
When Authorization sever sends back the AuthCode to the client. Is that the only point which is vulnerable?

I have been through this post but I am still not clear on this.