In the AppSync mapping request template, I need to generate MD5 hash from String array to get the same value which is generated in some other place using node.js library 'object-hash' (cannot change that).
Utility Helpers in $util offers only $util.base64Encode( byte[] ) : String
Am I missing something or there is definitely no hash MD5 support for now in AppSync VTL?
Related
.NET 6 MVC application uses Signature Pad from
https://github.com/szimek/signature_pad to create signatures.
Signature json strings from it are stored in PostgreSql database as strings like
[{"penColor":"blue","dotSize":0,"minWidth":0.5,"maxWidth":2,
"velocityFilterWeight":0.7,"points":[{"time":1664603146607,"x":87.11111450195312,"y":46.8194580078125,"pressure":0.5},
{"time":1664603146948,"x":92.44445037841797,"y":45.9305419921875,"pressure":0.5},
{"time":1664603146981,"x":100.44444274902344,"y":50.375,"pressure":0.5},
{"time":1664603147051,"x":105.77778625488281,"y":52.152801513671875,"pressure":0.5}]}]
How to convert this json to image data url in server side?
Github contains only javascript code for conversion in client side.
How to implement this in server? Should javascript converted to C# (no idea how to render canvas in C#), can this javascript run? Application also uses SixLabors.ImageSharp, maybe this can used.
I have an app that writes data to a file line by line. Once finished, the data needs to be zipped and transmitted to a server. I want to make sure that after zipping but before transmitting the data to the server, the data is secure. Thus, I want to encrypt the zip (or the contents). Moreover, I want to use asymmetric encryption because the source code will be viewed by others.
Is there any way to do this in flutter/dart?
My alternative solution would be to read the data back into the app, encrypt it, write it again, and then zip it. What are your thoughts?
As #Topaco accurately stated, asymmetric encryption of a large file comes with important performance drawbacks.
It can be achieved by splitting the file into smaller chunks of data and encrypting each part. But again, this is not recommended.
That said, you encrypt/decrypt a String with RSA using the rsa_encrypt package for Flutter:
import 'package:rsa_encrypt/rsa_encrypt.dart';
import 'package:pointycastle/api.dart' as crypto;
//Future to hold our KeyPair
Future<crypto.AsymmetricKeyPair> futureKeyPair;
//to store the KeyPair once we get data from our future
crypto.AsymmetricKeyPair keyPair;
Future<crypto.AsymmetricKeyPair<crypto.PublicKey, crypto.PrivateKey>> getKeyPair()
{
var helper = RsaKeyHelper();
return helper.computeRSAKeyPair(helper.getSecureRandom());
}
/*
- Generate KeyPair with the function getKeyPair() store the returned value in futureKeyPair.
- Once we get data from the future we can store that data in keyPair (Now we have acces to our private and public key).
- In order to view our keys as "a string" we need to use two functions encodePrivateKeyToPemPKCS1(keyPair.privateKey) & encodePublicKeyToPemPKCS1(keyPair.publicKey).
- In order to encrypt and decrypt strings you can use two functions
- encrypt() : use this function to encrypt a string, pass your string as first argument and a public key as the second one. [IMPORTANT]: this will return a string so you should store the returned value in a variable.
- decrypt() : use this function to decrypt an encrypted String, pass your encrypted String as first argument and a private key as the second. this will also return a string dont forget to store it :)
*/
A solution to encrypt a file would be to use a safe symmetric encryption algorithm with a random secret key, which is then encrypted with an asymmetric algorithm. This approach is commonly referred to as hybrid cryptosystem.
I am generating RSA signature using RSA_PKCS1_PSS_PADDING. I am setting digest algorithm as SHA256 using EVP_get_digestbyname() and EVP_DigestSignInit(). And salt length parameter as -1 using EVP_PKEY_CTX_set_rsa_pss_saltlen().
I have EVP_MD_CTX, EVP_MD and EVP_PKEY_CTX structures used for signature generation.
How can I get the name of Mask generation algorithm name used by OpenSSL by default? Is there any API provided for getting it?
Edit: OpenSSL version used: 1.1.0g.
RSASSA-PSS is in practice always used with MGF1 as the Mask Generation Function. The only variation is which Message Digest is used internally by MGF1.
Sometime that's the same Message Digest as the one used for hashing the message and building the tag in PSS, because that makes the most sense. Other times it is SHA-1 because that used to be the default MD for early RSASSA-PSS APIs, thus for the associated MGF1.
In an ideal world, some attribute (in the signature, or/and in the public key certificate used to check the signature) would tell MGF1-with-such-MD, perhaps by way of some Object IDentifier like we have to specify PSS. But crypto APIs are hell.
In order to control what Message Digest is used by MGF1, we want something on the tune of what -sigopt rsa_mgf1_md:sha256 does in the openssl dgst command.
My best guess is to set the MGF1 digest using
assert(EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_sha256)>=0);
or get it using EVP_PKEY_CTX_get_rsa_mgf1_md() as documented:
The EVP_PKEY_CTX_get_rsa_mgf1_md() macro gets the MGF1 digest for ctx. If not explicitly set the signing digest is used. The padding mode must have been set to RSA_PKCS1_OAEP_PADDING or RSA_PKCS1_PSS_PADDING.
Is there any way to convert NetNTLMv2 to ntlm hashes?
For instance ntlm value of the 123 is
3DBDE697D71690A769204BEB12283678
Same password for user "try" in computer "PC" which has private ip address 192.168.73.130 NetNTLMv2 value is
try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000
Can we convert this NetNTLMv2 to NTLM (3DBDE697D71690A769204BEB12283678) without knowing any credentials?
There is no answer :) But it is ok, because I did a little research and found the answer. For now, there is no way to convert NetNTLMv2 to NTLM. Actually NTLM hash is the first key to generate NetNTLMv2. I decided to explain how it works.
To calculate and compare NTLMv2 you should first calculate the NTLM value of the password which is 123 in this case. To demonstrate it, I'll use python 2.7. Before starting you should import those modules hashlib, binascii, hmac .
NTLM value of 123 calculated with python like this:
_ntlm = hashlib.new("md4", "123".encode("utf-16-le")).digest()
ntlm = binascii.hexlify(_ntlm)
The result is 3dbde697d71690a769204beb12283678 and this value will be used as key for the first HMAC_MD5 calculation.
To do that we should concatenate the user name and domain name. If you don't work on the domain, you'll use your computer name. In this case, my username is try and my computer name is PC.
When we concatenate it, it'll become tryPC. Then this value is converted into unicode uppercase in little-endian format. We'll generate HMAC_MD5 hash of this value with using NTLM of 123 as a key.
"tryPC"==> "TRYPC" ==> '54005200590050004300' (UTF-16-le in hexadecimal)
We calculate this in Python like:
"tryPC".upper().encode("utf-16-le").encode("hex")
Then we calculate HMAC_MD5(54005200590050004300) with key 3dbde697d71690a769204beb12283678
In python it is calculated like this:
firstHMAC = hmac.new("3dbde697d71690a769204beb12283678".decode("hex"),"54005200590050004300".decode("hex"),hashlib.md5).hexdigest()
firstHMAC ==> 2381ca3f5e9c4534722cd511f6a4c983
After that we'll use firstHMAC as a key to calculate the HMAC_MD5 value of the Type2 challenge.
Type2 challenge is combined with server challenge and blob.
Network response for NetNTLMv2 is like this:
try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000
When we split this response according to : index 3 is the server challenge which is d158262017948de9
Index 5 which starts like "01010000..." indicates the blob value. Blob value also consists of blob signature, reserved fields, timestamp, random client nonce and target information. I don't give detail about the blob.
To calculate NTLMv2 we should concatenate the server challenge and the blob to calculate the HMAC_MD5 value of this by using firstHMAC as a key.
In Python we do that like this:
firstHMAC = "2381ca3f5e9c4534722cd511f6a4c983"
type2Challange = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"
ntlmv2 = hmac.new(firstHMAC.decode("hex"),type2Challange.decode("hex"),hashlib.md5).hexdigest()
ntlmv2 ==> 91642a8388d64d40f6c31b694e79363e
If this value is equal to the 4th index of the NetNTLMv2 response, you'll be verified. In this case, the 4th index is equal to 91642a8388d64d40f6c31b694e79363e and that means you have the correct password.
According to server challenge and blob value, you'll always get the different NTLMv2 value and you only can calculate this if you have the correct password.
In other words, we can produce NetNTLMv2 with NTLM. However, we cannot convert back NetNTLMv2 to NTLM because [cryptographic] hash functions are one-way functions.
I'm planning to use code similar to Amazon AWS samples to authenticate signed API requests. So users will have something like:
use Digest::SHA qw(hmac_sha256_base64);
my $digest = hmac_sha256_base64 ($request, $self->{SecretKey});
and attach $digest as a parameter to their request URI. The server-side will use the same algorithm to create a digest from the client URI and compare that to the value sent by the client.
What I can't find is Perl support for generating the SecretKey of the correct length to use when generating HMAC SHA256 digest.
For my Amazon AWS account I'm being given a 40 ASCII character base64 encoded string.
How do I generate a proper secret-key for my clients?
I suggest you use a PBKDF2 algorithm. PBKDF2 = "Password-based Key Derivation Function (#2)". It is defined in PKCS #5 (RFC 2898). This is the recommended way to derive a key from a password. You will need a salt, as well. A typical iteration count is 1000.
This page says it has a perl implementation of PBKDF2. I haven't tried it.
Apparently there is also a Crypto::PBKDF2, but it is saddled with dependencies you may not want.
EDIT
I just tried Anthony Thyssen's perl program for pbkdf2 - it works great. Simple, easy.