I am working with Mifare DESFire EV2 card, I am trying to authenticate with the master file using AES Key.
I have achieved the authentication with master file using DES successfully, but when trying with AES using the command INS=0xAA, i get response 0x91AE.
is there any setting for the master file to enable AES Authentication? or only DES is the available authentication with master file?
If it is a blank new card, AES is the the wrong cipher. The default cipher is 2K3DES, not AES. You must first change the cipher from the default to AES if you want to use it.
Related
I have a dsc token, im aware that they can be only signing, or they can be signing and encryption. How do i check?
KeyUsageFlag for X509 certificate is a bitwise flag.
Please refer: X509KeyUsageFlags Enum
There can be a single certificate with both the flag set (addation of values for DigitalSignature and KeyEncipherment) i.e. 128 + 32 or two different certificates. This depends on how Certifying Authority choses to issue the certificate.
How do i check?
Method 1: You must have Smartcard or USB Token driver installed which pushesh Certificates in token to Windows Certificate Store on inserting the token. Then run certmgr.msc to open Certificate Manager; go to Personal Certificates, double click the required certificate to open the Certificate Details and check Key Usage property in Details tab. Values displayed here are in Hex. like: Digital Signature (80)
Method 2:
You may filter on key values and check as above.
Install Signer.Digital Browser Extension as described here
Once Extension is installed and available in the browser, open any site so that browser loads extension script and execute below commands from the console of the browser
SignerDigital.getSelectedCertificate("", 32) - to list only Encryption Certificates
SignerDigital.getSelectedCertificate("", 128) - to list only DigitalSignature Certificates.
Here 32 and 128 are X509KeyUsageFilter values as discussed above.
I am trying to register new RSA agents automatically via the RSA Authentication API. I have the RSA AM (Authentication Manager) API Access ID & Access Key from the console. How would I pass these via PowerShell Invoke-RestMethod/Invoke-WebRequest Headers to complete the createAgent operations?
I cannot find any information about how the filesystem storage backend encrypts data at rest in the Hashicorp Vault Community Edition. Does anyone know the details of the encryption cipher(s), hashing algorithms, etc.? Is it configurable or is there a way to inspect the ciphers on an existing filesystem vault?
Quoting from the official documentation:
Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.
So the cipher used for storing secrets is an AES 256 with GMC. I think that this is an architecturale choise that cannot be changed.
Ok , this is a little off . I have a XMPP sever that supports XEP-00178 (SASL-External)(namely : openfire) and I am using Gajim client to test it. Now I created a .p12 file(using openssl) for the registered user on the server with the common name equal to the user name. The .p12 file is encrypted. But when I use the Gajim to add the user's corresponding encrypted .p12 file , it prompts for the pass phrase , which I supply correctly but it just fails with the error :
Unknown error while loading certificate from file /root/sslCA/alice.p12
I tried opening the same alice.p12 using OpenSSL and everything works just great. Would it be wise to remove the password from the .p12 file? or Is there something that I am doing wrong with regards to Gajim?
We are following the below article for over the air enrollment and profile delivery feature
http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1
We could able to complete steps in Phase 1 and Phase 2. Once the device acquires the certificate from SCEP server(as part of phase 2), it sends the response back to the MDM server. This response is signed by the new certificate.The response consists of signature, plist content and certificate in binary format. Ideally, we need to extract the public key from this certificate and use that to sign the configuration profile (.mobileconfig). However we have difficulty extracting the certificate from the response. Looks like the certificate is corrupted somehow. We tried different encodings. But it didn't help :(
Has anyone successfully extracted the certificate in Phase #3.
Really appreciate any help in this regard.
Thanks
The response from the device is a DER-encoded SMIME string. You can use openssl smime to extract the public key.
if you are using C#, this can be accessed as part of the Pkcs library.
using System.Security.Cryptography.Pkcs
...
//get the data as a byte[]
var signer = new SignedCms();
signer.Decode(input)
//signer.Certificates[0] contains the cert
To extract the certificates you can use openssl cli :
openssl pkcs7 -print_certs -in requestFromDevice.p7s -inform DER
You can then easily parse the output using stdout.split('-----END CERTIFICATE-----') & stdout.split("\n") (in javascript).