PKCS11# get certificate private key - pkcs#11

I would like to sign HttpWebRequest (c #) using a certificate stored on a smart card. Access to the private key only after the administration have PIN.
I tried at the outset to connect using:
PKCS11-tool.exe --module enigmap11.dll --list-slots --list-objects --show-info --login --pin 1111
Unfortunately it receives only identifier of the private key.
Is using PKCS11-tool can somehow retrieve the private key and save the file * .der so as to attach the file to the HttpWebRequest c #?
Or maybe you know some other method to download the private key but c #? I join the library enigmap11.dll maybe someone knows how to draw from it the method - it seems like pkcs11.dll.
enigmap11.dll

The sole purpose of a smart card is to prevent you from doing what you are trying to do.
You can never extract a private key from a smart card. Otherwise it wouldn't be a smart card.
Why are you trying to do this?

Most devices won't let the key out of the device for security purposes, so you are out of luck here. If you need to use PKCS#11 in HTTPS, it's possible with the components offered by our SecureBlackbox (free licenses are available). With them you can use the certificate stored in the PKCS#11 device for client-side authentication of the TLS or HTTPS client.

Related

Access to only one OpenShift application?

The simplest OpenShift account offers up to three applications.
How would I give access to a third party, restricted to only application? They need to be able to deploy code to only that one app.
I could create a second set of SSH keys - but it seems that keys are account level access: i.e. all applications on that account.
I could create an Authorization token - but that's also at account level.
I could just share the SSH details of the application - but then when I want to close access, how would I change the details?
Feel like I'm missing something obvious here.
Thanks in advance for any pointers.
ssh keys are the way to go. The third party can provide you their public key so you can add them to your account. Then, you can give them the UUID and App URL (or git url) for just that one app. They do potentially have access to all gears within your account, but realistically, its safe to assume they can't guess the UUID of your other apps.
To revoke access, just delete the public key from your account.

How SSH works with GiHub or BitBucket

All,
I am using SSH to talk to github/bitbucket, sometimes it works, but sometimes it just failed left me with no clue. When trying to figure out the problem, I realize I actually not quite clear about how this works:
How the private key is selected?
We could use ssh-add or pageant to load private keys, but mulitple keys could be loaded - how ssh client decide which private key to use when I receive a challenge after sending the request?
How the public key is selected?
There are tons of public keys on GitHub server, when I send a request to github (like git push), I don't remember I need to specify my username that registered on GitHub(we do need to config the user.name, but I think that is only for tag your commits) -so how GitHub figure out which public key to use when receive a request, and even GitHub knows which user is sending the request(how?), how could it select the right public key from multiple keys - remember I could add more than 1 keys to my account.
Thanks.
The ~/.ssh/id_rsa file is selected by default.
If you need to provide another key, you can use the IdentityFile directive in your ~/.ssh/config file.
Github knows which account simply because when challenged, your system provides a username as part of your key challenge sequence, and a lookup is done. The keys are then exchanged, and either validated or rejected.
I would suggest having the man pages at your disposal. Here is a good reference for the OpenSSH project, with a lot more information about how this works in a general sense.
Github has modified their ssh daemon for their needs, but mostly, they must follow the specifications, and so externally, we won't see a difference in behavior, though we get the benefit of being able to connect to the service quickly as authenticated/authorized for whatever actions we are allowed to perform on the repositories.

How to secure JSON requests from iPhone?

I have a web app with a JSONP API I'm using with my iPhone app. How do I secure this so requests from other places won't be able to access my API?
Clarification: My data isn't that important. You don't even have to sign in to view it. I just don't want by my DB to work on queries from other sources.
You have embarked on a very very complicated subject. Prepare yourself for some very long nights of reading various cat and mouse techniques of securing your app. I think your best bet is to put a secret string in the header of each request. Something like this:
Secret-Header: #$F#FQAFDSFE#$%#ADSF())*
Validate that header on the server side and use SSL. Someone could easily respond to this post with "Well that doesn't stop this, this and this" and they will be right. The question is, are you a bank that is worried about someone draining your client's accounts? Or are you just worried about 99.9999% of the population not being willed enough to hijack your junk?
Some people have all kinds of opinions on this, but if your users require authentication to access the web services, just require the username and password to be sent in the header via SSL. They can still hijack your services, but wouldn't be able to see anything that they weren't supposed to anyway. That only works on a user level type of setup though. If it's completely public, you have to consider how unimportant your data is. It may not be as important as you think.
You can embed a private RSA key in the iPhone client and send a signed timestamp with each request.
The server would verify the timestamp against the public key and reject unsigned requests.
The enemy can disassemble the iPhone client and steal the key, and you can't do a thing about it.
(other than a blacklisting arms race)
You can use TLS protocol with client certificate.
http://en.wikipedia.org/wiki/Transport_Layer_Security
The only problem with this solution (not solved today) is that the client certificate is stored in the app binary and can be retro-eenginered.
One traditional way to do this is to take all of the url variables you are requesting, add a 'secret' string, and hash the whole thing and add it as an additional url variable. On your API side, you do the same thing, and if the hash matches what you were given, it's probably coming from your app.

How to ensure/determine that a post is coming from an specific application running on an iPhone/iTouch?

Building an iPhone OS application that will allow users to anonymously post information to a web application (in my particular case it will be a Rails based site) ... and I want to ensure that I only accept posts that originate from a specific application running on an iPhone/iTouch.
How is this best accomplished?
(btw, if your answer applies to Android please feel free to post it here as well as I'm curious to know if the techniques are the same or vary).
Thanks
The best way would be to implement a known call and response pattern. Send a value of some sort (integer, string, hash of a timestamp) to the iPhone/iTouch application. Have the application modify this information in a known way and send it back for verification. Then all you have to do is use a different modification algorithm per-platform and that will verify what type of device is being used.
VERY simple example:
Server sends 100 with the response to an iPhone.
iPhone adds 10 to this value and sends back with request.
Server detects the value was increased by 10 and now knows it was from an iPhone.
Then on your Android clients add 20 and on another platform add 30 and so on...
You could also add a hidden field in the form. or in the data being passed up if it is XML or other format
Encrypt or sign something using the public key of a key pair, then decrypt or verify it on the server with the private key. Ultimately, anything that can be sent can be duplicated, be it a spoofed html header or an encrypted block. The app has to know the secret handshake, and anyone with access to it (and sufficient technical skills) can figure out the secret handshake.
I would suggest the following approach.
Build an ssl enabled access to your rails app.
Now create a user account for every plattform you want to use and enable your applications to log in with the correct key. If you use the ssl standard in a correct way there shouldn't be a way to sniff the password and you can use standard components on the rail and the phone side of your app.
You then need to secure the login credentials on your phone with the appropriate technics. Eg. put it in the keychain on the Iphone.

What is the best way to secure a RESTful API to be accessed on an iPhone

I am looking for some suggestions on how to secure access to a RESTful API which initially be used by an iPhone application, but will have other clients in the future. The data exposed by this API must be kept secure as it may contain health information. All access will be done over HTTPS.
I was thinking that I'd like to require pre-registration of the iphones at setup and then also some type of PIN/Password on each request. So, simply knowing the password without pre-registering the phone/client won't provide access. I was thinking about somehow tying it to the iPhone identifier if that is possible, but not sure it would provide any additional security. The iPhone identifier is just another piece of information and it may not even be that secret.
So, some requirements would be:
Use some type of pin-based solution on the iPhone, but want more security then a simple 4-6 digit pin can provide.
No passwords could be sent in the clear.
Not be subject to reply attacks
Having to pre-exchange some data between client and server when setting up client is OK.
I would think that, if the application contains medical records, you would want to have the user authenticate every time they use the application or, at least, have some way of pushing down a disable message that renders the app useless in the case where it is lost or stolen. The 4-6 character password (pin) would also concern me with respect to HIPAA, if it applies.
You might want to treat it as a standard web app from the server perspective and do session-based authentication and access with a session that times out, perhaps after a long period, and re-authentication on timeout.
You could use SSL with client authentication. If a device gets lost, you can remove the certificate on the server. There are some obstacles though:
It is not entirely clear if/how you can do client authenticated SSL on the iPhone Unfortunately, there is not much documentation about it. Have a look at Certificate, Key, and Trust Services Reference
You have to create a private key for every device
You also have to figure out a secure way to transfer the private key to the device