@142395 I havent really gone into encryption in any kind of depth either, the math makes my head spin. You are probably more suited to understanding it than me. The link you posted gives an explanation I had not read before, thanks for posting it. So it seems there should be no mathematical link between these subkeys and the master keys at all because the sub keys are just signed by the master key. Hmmmm. So, if I create a signing key, this is a subkey pair, signed by my master identity key ? The public key of that pair is shared with people that wants to encrypt a message to me, so where is the private key that can decrypt ? I was looking at the usage options for generating subkeys, they are; None. (Subkey binding only.) Sign. Encrypt. Sign & Encrypt. Authenticate. Strangely none of them says decrypt. So if we make a signing subkey we might assume the public key from that pair is the shared key and its private key decrypts. But then what is the sign and encrypt key for? Isnt that the same thing? Then you have an encryption subkey, if it can encrypt it must have a decrypt private key too so isnt that also the same thing? I'm not sure what authenticate subkeys are for.
English often makes my head spin, haha. Yup, it seems the master key actually is one of the subkeys, only determined by signs which denote ownership. I searched a bit and it's what I got so far. Signing and encryption is completely different process. RSA is a special case where it can be used for both purpose, but DSA can only be used to sign while ElGamal encryption only for encryption. If you made a signing key pair, your private key is used for a digest of a file to make signature, then a receiver use your public key to the signature to confirm the digest of received file matches the 'decrypted' signature, but the term 'decrypted' may not be good, as you haven't encrypted the hash of the file. 'Encryption' means the contents should only be read by certain ppl who share the secret, but in digital signature it is meant to be confirmed by everyone. Also note the receiver don't need to decrypt the signature to acquire original contents, he only need to confirm it matches or not so hash is used. Importantly, the requirements for encryption and signature is different thus you can't use ElGamal encryption for signing. One requirement for encryption is that those who don't have decryption key can't decrypt encrypted contents, but NOT that those who don't have encryption key can't make the encrypted contents. For signing, it's that those who don't have signing key can't make the signature. If you use ElGamal for signing, those who got an original contents and its signature can make the valid signature for another contents. Another requirement for signing is that one can't derive signing key form confirmation (decryption) key. If you use ElGamal for signing, it's actually possible. RSA is special case where encryption & decryption function are symmetric AND the key is also in a sense symmetric(*). So you can use private key to decrypt contents encrypted by its public key while can use the same private key to sign. But it's only true to RSA, also note deriving public key from private key is always possible. I hope it answered some of your question. When you make 'sign & encrypt' key, its algorithm will be restricted to RSA (or combination of DSA & ElGamal but then you have 2 separate keys under a name of one subkey, which is unlikely). I guess auth key is for public key auth, for auth server relying on it. * Only when you used (n, d) for private key. If you use (p, q, d) for private key (it has advantage in performance), those who got public key for signing can derive signing private key like ElGamal. But it's perfectly fine for encryption.
Face, iris scanners gaining ground on fingerprint readers as a security measure May 30, 2018 https://www.scmagazine.com/face-iri...readers-as-a-security-measure/article/769591/
@Palancar: Virtual Credit Card? Details please. Specifically "I generate a virtual credit card". Is this a function of your bank? I would like to know more. Please provide details and links.
YES it is. Going through my bank's website and logged in (I am using U2F) I can access my credit cards and have a virtual number generated in a few seconds. I select the card's credit limit, which goes against my real card limit. I also select the expiration and I usually set it at 2 months. They provide a security code number just like the back of a real card. NO merchant would ever know this is not an actual card because it designed by my bank to pass all "smell tests". The first merchant that uses the virtual number is then the only merchant number that will be allowed to use that card. I set the limit just over what I am buying. So if I buy a 65 dollar item I may set the limit at 75 as an example. As soon as I see the charge hit my bank I then blow away the card (in a day or so) and now the card doesn't even exist so to speak. All virtual card(s) transactions appear on my ACTUAL card's billing statement the same as if the actual was used. Its really secure and easy to do if you have a decent bank. Obviously I will never say here which bank I have.
To Fool This Iris Scanner, You're Gonna Need a Really Fresh Eyeball July 24, 2018 https://gizmodo.com/to-fool-this-iris-scanner-youre-gonna-need-a-really-fr-1827830053 Research paper (PDF): https://arxiv.org/pdf/1807.04058.pdf
Fido Alliance adds a biometrics certification program to help fight spoofing September 06, 2018 https://techcrunch.com/2018/09/06/f...certification-program-to-help-fight-spoofing/
Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company https://securityaffairs.co/wordpress/76682/hacking/estonia-sues-gemalto.html
