How to convert (104/128bit) hashed key values from a passphrase using Java - hash

In my Cisco router settings, I am trying to connect my device using the WEP security type.
In WEP security types, hexadecimal passwords are supported.
Reference:
https://developers.google.com/android/management/configure-networks#multiple_wifi_networks:~:text=For%20WEP%2DPSK%20passphrases%2C%20only%2040%2Dbit%20(10%2Ddigit)%20or%20104%2Dbit%20(26%2Ddigit)%20passphrases%20are%20supported.
While converting the passphrase to hexadecimal, I got the below (104/128bit) hashed key: "FDACCFD4471EEC4F3D03CCB88F" for the passphrase (Chennai#12345)
Reference :
My question is: how is the hashed key value calculated?
Does any algorithm exist to achieve the above (104/128bit) hashed key conversion from a passphrase in Java?

Related

Is KMS data key pairs secure?

So, I'm building an application for MTLS authentication and generate X509 certificates using AWS ACM PCA and bundle them together with a private key in PKCS#12 format.
At the moment I generate key pairs programmatically in Java which are never stored.
But since I'm not a security expert I thought maybe it's better to use AWS KMS for creating key pairs.
So, it seems like what I need is a CMK which can generate data key pairs which are stored in KMS.
If they're stored in KMS and I can fetch the private key at any time, how is that more secure than not storing it at all?
Or is the purpose of KMS only to store keys securely?
If you have a use for the encrypted private key that kms.generateDataKeyPair will provide, then it would be of use. It would also be a nice way to ensure that your keys are being generated securely (secure randomness, etc).
It’s important to note, KMS will not store the generated key pair. The idea is that you would store the plaintext public key, and the encrypted private key, and call kms.decrypt to turn the encrypted private key into plaintext whenever you need it.

Decrypt MD5 base64 with Swift 4

I'm getting an encrypted MD5 base64 string encrypted with a key. This encryption is done in .NET. I need to decrypt that string using Swift 4, but I can't find a way to do this. Does anyone know if this is possible?
MD5 is what's known as a hashing algorithm, which is fundamentally different from an encryption algorithm. It was designed to be a one-way process whereas encryption can be decrypted to obtain the original data.
If you're looking to decrypt the data passed from .Net then it's going to need to be passed as encrypted, not hashed. There are many encryption options to choose from and some of the more popular ones are easily incorporated into a .Net project via NuGet.
If you have the key and the string, and need to ensure the hash sent wasn't tampered with then the link Ryan posted in the comments is what you're looking for.

Getting the KMS key from KMS CipherTextBlob

How do I get the KMS key information from the ciphertext blob?
Taking the example from the AWS website
AWS KMS doc
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile
Is there any way to look at ExampleEncryptedFile and figure out which KMS key was used to encrypt it?
I ask because I'm having a problem reading something I encrypted and I want to verify it was encrypted with the key I thought it was.
Yes, you can get the key id by using aws kms decrypt (pass it the ciphertext and region) which does not require a key id to perform decryption. The information about the key that was used to encrypt is part of the ciphertext, therefore, KMS will be able to get this information and return you the "Plaintext" and the "KeyId".
I'm afraid you won't be able to do it. The encrypt API uses a customer master key (CMK) to encrypt the data, and that key never leaves AWS. Unless you saved the key ID somewhere (which is not a great practice), you won't be able to derive it from the encrypted file.
A couple things that can help, in case you have administrative access to the AWS console:
literally try calling aws kms decrypt using the master keys you have (assuming they are not many and the original one has not been deleted);
looking at your CloudTrail logs, you might be able to figure out which key was used if you have a rough idea of the time when it was used (assuming you have CloudTrail enabled on your KMS operations).
The encrypted blob contains the key information required to decrypt it. There is no way to figure out what key an encrypted blob was encrypted with as it's part of the encrypted value.
If you’re unsure which key you used, you will have to either roll the value and encrypt it again or start attempting to decrypt with permissions that only have access to one key at a time.

Is there a way to change the type of hash for passwords in Active Directory?

I would like to know what type of hash is used for Active Directory passwords and if there is a way to change the type of hash.
A user's password hash can be stored in Active Directory using two different proprietary hash algorithms: LM hash and NT hash.
The less secure LM hash is disabled by default by group policy on later Server OS versions but can be re-enabled.
Aside from that the only other way you can affect this is to enable storing passwords with reversible encryption using group policy.
After that is enabled, when you change your password a password filter called RASSFM.DLL is used to store the password using reversible encryption. The key that is used to do this is G$MSRADIUSCHAPKEY, which is stored as a global LSA secret. This key is decrypted using a static key (hardcoded in the DLL). The result of this operation is combined with a 16-byte random value (generated every time someone changes their password) and that key is used to encrypt a Unicode version of the password using the RC4 algorithm.
This information is then saved in the userParameters attribute.

Security implications of storing the password hash along an encrypted AES key

I am using the PKCS#5 standard to generate a key using a random and unique salt and the user's password as input. Consider this key as the "encryption" key.
The "encryption" key is used to encrypt a random AES key. Each user has an AES key associated with their profile.
So, a user's profile will contain this information:
--> password hash for authentication purpose.
--> salt used in the PKCS#5 algo. (From the PKCS#5 V2.0 documentation, we know that this information needs no protection).
--> the encrypted AES key generated randomly and encrypted with the "encryption" key generated by the PKCS#5 algo with the salt and the user's password
I was asking myself if it is dangerous to be in possession of the password's hash, the salt and the encrypted AES key AT THE SAME TIME. I am 99.9% sure that this is not a problem, but can it facilitate the work of an attacker being in possession of all those details?
The password hash also needs to use a salt, otherwise dictionary attacks are possible and two users who happen to pick the same password will have the same hashed password stored in the DB.
I would suggest this: Just use PKCS#5 twice; once to generate the hashed password (which you store in the clear), and once to generate the encryption key (which you do not).
Make sure the salts are large, random, and independent, and then there will be no detectable relationship between the password hash and the encryption key. That is what the salt is for, after all.
[update, to elaborate a bit]
Pick two salts s1 and s2. Make sure each is at least 64 bits, random, and independent.
Use the password + s1 as input to a PKCS#5 HMAC on the empty string. This is the "hashed password".
Use the password + s2 as input to a PKCS#5 encryption scheme to encrypt the actual data.
Store the hashed password, s1, and s2 in the clear in the database. Done.
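
The two-salt scheme from the answer above, as an added Java example that is not part of the original answer. It assumes PBKDF2-HMAC-SHA256 as the PKCS#5 function and AES-GCM for wrapping the per-user AES key; the class name, iteration count and sample password are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.util.Arrays;

public class TwoSaltProfile {
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 600_000; // assumed work factor, tune for your hardware

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    // PKCS#5 PBKDF2 (HMAC-SHA-256) producing a 256-bit key
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // "Hashed password": MAC of the empty string under the key derived with s1
    static byte[] verifier(char[] password, byte[] s1) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(pbkdf2(password, s1), "HmacSHA256"));
        return mac.doFinal(new byte[0]);
    }

    // The key derived with s2 encrypts (or decrypts) the user's random AES key
    static byte[] wrap(int mode, char[] password, byte[] s2, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(pbkdf2(password, s2), "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        byte[] s1 = random(16), s2 = random(16), iv = random(12); // independent random salts
        byte[] userAesKey = random(32);

        // What the profile row stores in the clear: verifier, s1, s2, iv, wrapped key
        byte[] stored = verifier(pw, s1);
        byte[] wrapped = wrap(Cipher.ENCRYPT_MODE, pw, s2, iv, userAesKey);

        // Login: constant-time compare of the recomputed verifier, then unwrap the AES key
        boolean ok = MessageDigest.isEqual(stored, verifier(pw, s1));
        byte[] unwrapped = wrap(Cipher.DECRYPT_MODE, pw, s2, iv, wrapped);
        System.out.println("login ok: " + ok + ", key recovered: " + Arrays.equals(userAesKey, unwrapped));

        // A wrong password does not reproduce the stored verifier
        boolean bad = MessageDigest.isEqual(stored, verifier("guess".toCharArray(), s1));
        System.out.println("wrong password accepted: " + bad);
    }
}
```

Generate a fresh IV whenever the AES key is wrapped again under the same password and s2, since AES-GCM must never reuse an IV with the same key.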