I am completely new to pgp, as far as i can see pgp is being used to encrypt files and emails.
1) Can it be used for single sign on
2) Their is pgp and gnupg (which is based on openpgp) , can anyone tell me what is the difference ?
3) How would i do this in .net
Any references will be helpful.
There might be some solution for single sign-on using PGP keys, but it's definitely not widespread. Maybe PGP Corporation offers something, you can check...
The standard is called OpenPGP. PGP is the name of the company and their trademark. GnuPG is an open-source implementation of the standard. Software by PGP can use some proprietary extensions added by the company to OpenPGP standard.
Do what? If you want to implement OpenPGP operations in .NET, you can use BouncyCastle or OpenPGPBlackbox package of our SecureBlackbox. If you want to implement single sign-on in particular, then you need to learn how to implement custom single sign-on authentication first, then decide how to use PGP keys in the process.
Related
When creating a GitHub App you have to generate a private-key and set a webhook-secret.
The first is used to sign JWT tokens, with which access tokens can be obtained: https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app
You'll use this key to sign a JSON Web Token (JWT) and encode it using
the RS256 algorithm. GitHub checks that the request is authenticated
by verifying the token with the app's stored public key.
The latter for making sure the webhooks are from GitHub: https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks
The intention is to calculate a hash using your SECRET_TOKEN, and
ensure that the result matches the hash from GitHub. GitHub uses an
HMAC hex digest to compute the hash, (...)
I'd like to understand why they use two different encryption methods. Can't one of them not be used for both use cases?
Thanks!
Though cryptography is involved in both cases, those are not encryption methods. In both cases we're talking about digital signatures for authentication.
The first article is about your application accessing the GitHub API by providing a JWT token. In this case you're using a private key to sign the token. That's the safest option, because GitHub only knows the public keys, and nobody else but you stores the private one. It also has the least impact on GitHub threat model, because they don't have to worry about yet another secret to store. If your private key leaks, they can't be blamed.
In the second scenario that's GitHub who calls you back, and needs to authenticate itself. In that case, they can't avoid storing some secret, so they're using a simpler schema: HMAC with a shared secret.
In symmetric crypto systems where several parties need's to use the same key, you always have the problem of how to distribute the key securely. This is solved in asymmetric key systems where you freely can distribute the public key. So from a functionality point of view a asymmetric algorithm might seem to solve all our needs.
However, currently used asymmetric algorithms are quite a bit slower than the symmetric algorithms. The asymmetric RSA is eg. 100-1000 times slower than AES (depending on key size etc.). For this reason alone, asymmetric algorithms are often used for establishing a symmetric key that are then used for bulk encryption.
I have an app built on java, and a server built on vb.net
I'm using https to communicate between server and client
I also encrypt my post data using AES encryption
My question is how can secure my key and iv used in AES , so if someone decompile the apk he wont be able to decrypt and encrypt the data
Anyone who knows please provid an example, especially for client side
Have a look at http://truelicense.net/xref/net/truelicense/obfuscate/ObfuscatedString.html
It can hide your key from being shown as plain text when the apk file is decompiled.
But using it just adds more security layer to your app, some guys with strong reverse engineer knowledge still can figure out how to de-obsfucate your key.
I am trying to solve a multi device app problem using mnemonics and generating a bip32 keypair. But as far as I have read, there was no mention of public key encryption using these bip32 keypair, so is it possible to achieve public key encryption using this at all?
After going through a lot of articles, websites, I didn't find anything helpful. So I switched to another approach where I could generate RSA keypair using passphrases. This is one example of this - https://github.com/joekir/deterministics
I have a PKCS#11 library that contacts with the vendor's smart card. The low level details are not provided and I'm not interested in them either.
BTW the smart card has no internal certificate associated with it, its just a dumb smart card with a private key store.
So my question is:
What kind of code should I write to obtain a certificate from the PKCS#11 library, or do I need to write such code? does PKCS#11 supports exporting certificates?(I heard openssl supports using 3rd party PKCS#11 libraries. Can I use that to export a certificate from a smart card?)
If the answer to previous question is yes, in what kind of format is the certificate created? What kind of conversions should I to do in order to convert the raw created certificate into office supported format certificate?
and the last question is how to apply that certificate into microsoft office(2013) in order to digitally sign documents? It looks like that office itself doesn't like internal certificates and it keeps requesting us to get one from verisign (?) what's wrong here and how can I force office to use my own created certificate using the aforementioned method?
PKCS#11 interface lets you read ("export") the certificate from the hardware. However you need not just a certificate, but also a private key. Most hardware devices won't let you export a private key. PKCS#11 has a set of functions which let you perform cryptographic operations using private keys stored in the hardware, but not to export those keys.
The certificate is usually exported in native DER format, which can later be put to the PFX file. However without a private key it doesn't make sense.
Unfortunately I don't know what MS Office expects. I assume that Office in your case accepts only certificates which can be validated up to the trusted root certificate.
I hope to encrypt sqlite file which store my app data.
Is there a simple way to do this?
Welcome any comment.
Thanks
interdev
There are a few commercial options which provide add-ons to SQLite for encryption. The most likely candidate is:
The SQLite Encryption Extension which is developed by the original author of SQLite. This is distributed as source and can be compiled for any platform. In this way, you could compile your own embedded version of SQLite instead of using the system one. It provides both RC4 and AES encryption.
There are two other products, but appear to require Windows:
SQLiteCrypt - AES encryption
SQLite-Encrypt - AES encryption
Both seem to have very similar features, but it isn't clear if you get the source to recompile on iOS.