Custom made algorithm for access token - jwt

I want to create custom made algorithm for web access token vs using JWT.
My algorithm will use XOR with secret key in order to encrypt.
so for example : for {username : user, timestamp : 1212121, md5 of the above} I will xor it with secret key and send it to the user.
The benefit for me is that attackers will have hard time to guess how I built the encryption vs well known JWT. So trying to send me a cookie with admin/another user will be harder for him.
My main question is why to use JWT and not creating your own algorithm which will be harder for attacker to reverse engineer ?
Tnx

It's because no algorithm is fully sound; people make mistakes, a lot, in ways that you probably wouldn't have predicted. Then there is the maintainability aspect that even if you're an A grade expert on these kinds of things, you have to maintain that algorithm. And is that really something you want to be doing over providing business value?
Also, the advantage of using well known standards for authorization, encryption, etc. is that they have proven (as far as possible) that they are secure 'enough' for at least the near future and extensively tested as they are used by billions of sites/apps on a daily basis.
So summarizing: it's just not worth the effort, and the probabilty and cost of a mistake is too high..

Using xor with a secret key means that you will not be able to use asymmetric keys, so any client which needs to decrypt the token will have to know the secret, and thus will be able to encrypt tokens as well.
If your client does not need to decrypt tokens, then you can just use opaque tokens, you don't need JWTs. (Or use the Phantom Token Pattern if your APIs do need JWTs but clients don't).
If your client does encrypt the token, then any attacker can easily read your solution and it's no longer that secure. Also choosing your own solution because it will be harder for anyone to guess it is security by obscurity and does not add real value (e.g. a hacker could do a research about you and your code and maybe will find this post on SO, which will give her valuable information about your solution).
When you choose standards for security solutions at least you know what are the potential issues, and how to properly address them so your project remains secure. If you choose a proprietary solution, then you will not know the security issues that you have.

Related

How to exploit vulnerability(Use of Hard-coded Cryptographic Key) in web project?

Most of security guide say that Use of Hard-coded Cryptographic Key is dangerous because if cryptographic key in code is leaked to hacker, hacker can read encoding data used crypto algothrim (e.g. AES256)
so guide say that developer have to store cryptographic key outside source code. (like below pitcure)
enter image description here
but, i wonder it is safe that store cryptographic key outside source code?
let's suppose that cryptographic key is leaked to hacker, that mean hacker have got entire project source code because thare are no other way that can know cryptographic key in source code.
therefore although developer store cryptographic key in outside sourcode, it is dangerous
so my question is that
in web proejct is there any means of knowing cryptographic key stored in source code except way which get entire project source code?
In a web project, assuming I'm understanding what you're saying correctly, all of your code is private. You only output what you tell your server to output, and source code is inaccessible... unless someone really doesn't know what they're doing. Just make sure to use HTTPS to secure your cleint side, otherwise the whole World Wide Web could find out too.
Using a disassembler, most of your unique strings in any application are up for grabs. So are files, the best I know. Certificate pinning sounds close to what you're talking about, and I have modified a Snapchat APK to accept my certificate authority so I could perform a MITM on it. Trusting the CA on my phone wasn't enough, because the app had a not-so-easily defeated security feature. It only really works when either a.) a user wants to decrypt their own data, or b.) someone has way too much access to their phone.
This may be slightly outside of scope, but a good way to protect system function on the server side from abuse by your clients is to write an API for them to control their input precisely. Just food for thought.

How to store credit card info on iphone?

I have requirement to store credit card number in iPhone app. How to store the data secure manner. I have looked at keychain. Apart from it, is there anything i can use.
As mentioned above, you should first look into the legality of this, especially with Apple restrictions on what goes in the app store.
That said, I have had to encrypt sensitive information before, and decided to go overboard with AES-256 encryption. Since usernames, passwords and personal data were being sent over a network, it was necessary. I used FBEncrypt for this - it's a great wrapper around CCCrypt.
https://github.com/dev5tec/FBEncryptor
That will allow you to do base-64 encoding and AES-256 encoding, among other things, and it is really convenient. Check it out if you really need it!
This question as stated is difficult to answer. It is up to author(s) of the requirement to determine the level of security needed. They may wish to get some legal advice about what, if any, liability may be incurred for leaking the data.
Once you know the appropriate level of protection, then you can start evaluating solutions. Keychain is good, but there are quite a few encryption options available.
Questions you may want to get answers to besides how to store the number include:
What authentication will be needed to expose the number?
What is the expected lifecycle of the exposed number?
How long can the number stay exposed?
How will the number be purged from memory?
How can the exposed number be used?
Can the number ever be displayed to the user?
Will you allow the number to be copied to the clipboard?
If you want to be serious about protecting information (any information), you need to do some serious design work.
Encryption and the use of SSL/HTTPS seems enough for this case. If you are new to the subj, good general guidelines here: Mobile App Development Tips: How to Ensure Data Security
There are many implementations, e.g. you can use AES256 algorithm mentioned above:
When an app saves a credit card number for the first time, a random
masterKey and initialization vector (IV) are generated. Use them
later for encryption.
A masterSalt is generated and saved locally.
Using plainPassword and masterSalt, a hash (PBKDF2) is calculated.
Using the AES256 algorithm, the calculated hash is used to encrypt
both MasterKey and IV.
Encrypted MasterKey and IV are saved locally.
Decrypt the MasterKey and IV using plainPassword and masterSalt hash
(PBKDF2).
Now, encrypt the data with MasterKey and IV using the AES256 algorithm.
You need to do very serious research into this and not necessarily accept what people on this site say without thorough research and confirmation on your part.
Storing information like credit card info is not something you should implement just based on responses on this site IMO.
If you are serious you need to read, understand and apply the material in the book "Hacking And Securing iOS Applications" to understand what the dangers are and how you can mitigate against them, and how techniques that people say are secure really aren't as secure as you think they might be.

Encrypt a string and prevent reverse engineering in iOS

I am building an iPhone app, and I currently need to encrypt a string, store it in a file and be able to decrypt it later. As I understand, I can use symmetric encryption to do this but my key for encryption/decryption can be reversed-engineered. Assymetric encryption can solve this problem but it seems I would need a server to send the data to decrypt with the private key. Does anyone know of a way I can encrypt/decrypt the string securely in a stand-alone app?
Thanks!
As with all matters concerning security, the question is: who are you defending against?
If you are trying to prevent the casual thief (or script kiddie) from reading an encrypted string, using the built-in iOS cryptographic services, such as the Keychain, can provide adequate-to-good security. Obviously the strength of the security will hinge in part on various factors beyond your control (notably, what sort of password lock, if any, the user has configured for the device).
The next level up would be symmetric encryption using a symmetrically encrypted key (i.e. one protected by a user passphrase). As #lukas noted, of course in principle this can be cracked, but from a practical standpoint if the user chooses a sufficiently strong passphrase for a sufficiently large key, a casual to intermediate-level attacker will be effectively thwarted.
If, on the other hand, you need to keep secrets, as Bruce Schneier would say, not from your kid sister but from major world governments, these approaches are likely to be insufficient, and you will have to explore other options, including but not limited to storing the string in multiple locations, using multiple keys, and multiple factors of authentication.
The lead Apple reference for all this (save the last option) is the Secure Coding Guide, which has references at the end of the opening page to the other more specific programming guides (covering, e.g., the Keychain and Cryptographic Services). I also heartily recommend Graham Lee's Professional Cocoa Application Security. If you want a theoretical foundation, the gold standard is Schneier's Applied Cryptography.
This basic question is asked pretty constantly on Stackoverflow. The answer is that you cannot obfuscate yourself to security against your own customers, and you should never spend excessive money trying. I recommend the following links to find the many previous discussions:
Best practices for iOS applications security
Secure https encryption for iPhone app to webpage
From the above you will find several more links. But the final answer is that you are likely trying to solve the wrong problem, and the problem you think you want to solve is unsolvable.
Does anyone know of a way I can encrypt/decrypt the string securely in a stand-alone app?
No. If someone have the physical access to the data it can be cracked. Make a webservice to solve the problem.
Have you considered using Keychain Services?

How safe is the apple binary (secret key saftey)

I'm developing an application for iPhone which uses a HTTP request to get quote data from a webserver.
I am working with another developer who is managing the web service. We are using an MD5 encryption (simple xor) to pass the data between iPhone and webserver.
He posed a question to me this morning which is quite frankly way out of my pool of knowledge.
'How safe is the apple binary?'
He is worried about whether someone could obtain the .app bundle via iTunes, and then decode that bundle and access my source code directly, allowing them to obtain the secret key we are using to encode the data.
I personally, wouldn't even know where to begin, but i'm sure there are more knowledgeable/crafty fellows out there.
So, is it possible? if is it, what can I do to try and safe guard my source?
The binary is not even remotely safe. Whether through the iTunes download or on a jailbroken iPhone, there's nothing you can do other than obfuscation, which a determined adversary will always get past. Do not ever rely on the "secrecy" of something embedded in a client application, it is not secret. Ever. On any platform, in any language, with any technique.
If you need to limit who can access your system, you need per-user accounts. There is no other safe mechanism. Apple does provide ways to "authenticate" users via their iTunes accounts, you may want to look into that.
Also, "MD5 encryption" means nothing. MD5 is a hash function with cryptographic applications, but saying you're doing "MD5 encryption" and "simple XOR" is just meaningless. I can use XOR and MD5 to do any number of things, few if any would serve as a meaningful encryption scheme, and would have no advantages whatsoever over a real algorithm designed by experts, such as AES.
Use HTTPS (HTTP over SSL). There is no reason not to, the iPhone fully supports it. If you need to, you can get free SSL certificates for your server from at least http://www.startssl.com/ . There are lots of cheap SSL certificate providers out there these days, too. Google a bit.
I'd strongly recommend you and your co-developer start reading up on information security, both in theory and practice, because it appears you have very little grounding in the subject, and probably several significant misconceptions that will lead to easily-broken systems.

Encrypt and compress html-codes in iPhone app bundle, unpack on first start

My client wants to encrypt/compress the html-code for their medical books in the iPhone bundle, to protect their IP.
Whats is a good way to prepare this file for the app bundle, and what complementary libraries (C, Obj-C) should I use to do the decryption and decompressing on the first launch of the app?
Copying the file to ~/Documents, then working on it seems like the best solution. Thoughts?
Here's a few thoughts.
If the book text is all alphanumeric data, then don't save the data as ASCII - save them in your own binary encoded format (for instance use 5 bits instead of 8 and pack into words). That gives you a bit of compression, slight obfuscation and a very cheap (in clock cycles) decompression. You would have a data format that is quick to access on the fly and will keep the casual curious hacker out of the text. Clock cycles would be my main concern and security second.
Another idea is store the decrypt key for a typical Blowfish encryption in obfuscated format in the app. Split into two or three constants that require some odd operation to restore for instance. But of course, now the overhead of Blowfish or whatever will be your concern.
Since you will not be able to implement perfect security (perfection is extremely expensive), the IP owners will have to use traditional copyright and trade secret techniques to fully protect their property. You've made it harder to hack, but it's still up to the lawyers to be diligent, just a book on the shelf in the reserved section of the library (no photocopies please!).
Cheers
This is quite tricky... almost impossible to make it really unbreakable. Any reasonnably motivated person will be able to pierce through it. You'll only make it a little harder to do. In any case, you definitely can't store any secret key in the bundle itself. You'd need to securely obtain the decryption key over a secure channel from a server and use it as needed. Even then, someone doing jailbreak would probably be able to run GDB over your running program and extract the secret key in RAM + the secret key would be shared amongst all users of your app... You're essentially trying to implement a DRM scheme, which is inherently flawed by design... Unless you need offline access, you might want to pull the data as needed from a secure erver... at least you "could" throttle information leakage...
I would keep the documents encrypted if I were you and just decrypt them as needed. One would easily be able to access the decrypted documents on a jailbroken device.
See the "Security Overview" document and the CryptoExercise sample code for encryption techniques
You probably won't like it, but the best way is to just not use HTML. Once you pass the decrypted HTML to UIWebView, it is very easy for a malicious user to steal it at that level, defeating any purpose your encryption algorithm had. A UIView subclass with custom drawing code and a custom encrypted backing format will be much more difficult to work around
From Mac OS X and iPhone OS Security Services:
You can use Keychain Services to
encrypt and store small amounts of
data (see Keychain Services Reference
and Keychain Services Programming
Guide). If you want to encrypt or
decrypt larger amounts of data in Mac
OS X, you can use the Common Security
Services Manager (CSSM) Cryptographic
Services Manager. This manager also
has functions to create and verify
digital signatures, generate
cryptographic keys, and create
cryptographic hashes. In iPhone OS,
the Certificate, Key, and Trust
Services API provides functions for
generating encryption keys, creating
and verifying digital signatures, and
encrypting blocks of data; see
Certificate, Key, and Trust Services
Reference.
It's always a choice between performance (encryption just doesn't come free) and security (security and everything else, really). But what else is new? If you keep the individual files small enough, maybe decryption doesn't slow you down much. Alternatively, you may consider predictive decryption such that you have certain files being decrypted in the background, say those linked from the currently viewed file, etc. I realize, however, that concurrancy on the iPhone may be pretty spotty (I don't know as I haven't dropped the cash for a license). You may also realize performance gains by only encrytping those files that really need it; does an index/table of contents or other often accessed file really need to be encrypted? Does that count as IP your client is worried about?
For compression I can recommend QuickLZ (fastest engine I saw, great compression ratio).