I am trying to solve a multi device app problem using mnemonics and generating a bip32 keypair. But as far as I have read, there was no mention of public key encryption using these bip32 keypair, so is it possible to achieve public key encryption using this at all?
After going through a lot of articles, websites, I didn't find anything helpful. So I switched to another approach where I could generate RSA keypair using passphrases. This is one example of this - https://github.com/joekir/deterministics
Related
When creating a GitHub App you have to generate a private-key and set a webhook-secret.
The first is used to sign JWT tokens, with which access tokens can be obtained: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
You'll use this key to sign a JSON Web Token (JWT) and encode it using
the RS256 algorithm. GitHub checks that the request is authenticated
by verifying the token with the app's stored public key.
The latter for making sure the webhooks are from GitHub: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
The intention is to calculate a hash using your SECRET_TOKEN, and
ensure that the result matches the hash from GitHub. GitHub uses an
HMAC hex digest to compute the hash, (...)
I'd like to understand why they use two different encryption methods. Can't one of them not be used for both use cases?
Thanks!
Though cryptography is involved in both cases, those are not encryption methods. In both cases we're talking about digital signatures for authentication.
The first article is about your application accessing the GitHub API by providing a JWT token. In this case you're using a private key to sign the token. That's the safest option, because GitHub only knows the public keys, and nobody else but you stores the private one. It also has the least impact on GitHub threat model, because they don't have to worry about yet another secret to store. If your private key leaks, they can't be blamed.
In the second scenario that's GitHub who calls you back, and needs to authenticate itself. In that case, they can't avoid storing some secret, so they're using a simpler schema: HMAC with a shared secret.
In symmetric crypto systems where several parties need's to use the same key, you always have the problem of how to distribute the key securely. This is solved in asymmetric key systems where you freely can distribute the public key. So from a functionality point of view a asymmetric algorithm might seem to solve all our needs.
However, currently used asymmetric algorithms are quite a bit slower than the symmetric algorithms. The asymmetric RSA is eg. 100-1000 times slower than AES (depending on key size etc.). For this reason alone, asymmetric algorithms are often used for establishing a symmetric key that are then used for bulk encryption.
I have an app built on java, and a server built on vb.net
I'm using https to communicate between server and client
I also encrypt my post data using AES encryption
My question is how can secure my key and iv used in AES , so if someone decompile the apk he wont be able to decrypt and encrypt the data
Anyone who knows please provid an example, especially for client side
Have a look at http://truelicense.net/xref/net/truelicense/obfuscate/ObfuscatedString.html
It can hide your key from being shown as plain text when the apk file is decompiled.
But using it just adds more security layer to your app, some guys with strong reverse engineer knowledge still can figure out how to de-obsfucate your key.
I have a PKCS#11 library that contacts with the vendor's smart card. The low level details are not provided and I'm not interested in them either.
BTW the smart card has no internal certificate associated with it, its just a dumb smart card with a private key store.
So my question is:
What kind of code should I write to obtain a certificate from the PKCS#11 library, or do I need to write such code? does PKCS#11 supports exporting certificates?(I heard openssl supports using 3rd party PKCS#11 libraries. Can I use that to export a certificate from a smart card?)
If the answer to previous question is yes, in what kind of format is the certificate created? What kind of conversions should I to do in order to convert the raw created certificate into office supported format certificate?
and the last question is how to apply that certificate into microsoft office(2013) in order to digitally sign documents? It looks like that office itself doesn't like internal certificates and it keeps requesting us to get one from verisign (?) what's wrong here and how can I force office to use my own created certificate using the aforementioned method?
PKCS#11 interface lets you read ("export") the certificate from the hardware. However you need not just a certificate, but also a private key. Most hardware devices won't let you export a private key. PKCS#11 has a set of functions which let you perform cryptographic operations using private keys stored in the hardware, but not to export those keys.
The certificate is usually exported in native DER format, which can later be put to the PFX file. However without a private key it doesn't make sense.
Unfortunately I don't know what MS Office expects. I assume that Office in your case accepts only certificates which can be validated up to the trusted root certificate.
I have public key and encrypted data and i have to decrypt that data with Public key. As data is being encrypted with RSA in Server side so i have to decrypt with RSA in iPhone. I have googled but didn't got any good solution. I have gone through CryptoExercise provided by Apple but still not able to find out solution.
Pls guys help me to implement this decryption.
EDIT: Over Server, data is encrypted with Private key.
First, see Chris Luke's write up of how to turn a PKCS1 into iOS's non-standard key form. You can then use the resulting SecKeyRef with SecKeyDecrypt.
I would like to encrypt a string with AES 256 on the iPhone but have not found much via google. What I am trying to do is post some data to a web site as part of a game I am creating, but I do not want the user to be able to cheat by seeing how it is posted because it is plain text. So I want to post one encrypted string to my php page (ala www.test.com/test.php?encrypted= etc...) and then the php script will decrypt it and do what it needs to if it is valid.
You can just use the CryptoHelper which is adopted by CyrptoExercise Sample Project
A much easier approach here would be to use an HTTPS POST, which would give you similar protections with far less code, though there are still difficulties for solving the problem you're attacking. The kind of solution you're describing generally requires some kind of shared secret, and it's very hard to protect code using a shared secret for long. You may find these posts helpful:
Machine ID for Mac
Store an encryption key in Keychain while application installation process
Obfuscating Cocoa
Still, HTTPS is probably a much better solution than AES here.
Check out this site: http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html