I tried searching for the documentation of the Codename One Bouncy Caste library API, but the "Wiki" section won't open:
https://code.google.com/p/bouncy-castle-codenameone-lib/
I don't know where the API is documented, however I need a specific information: I need to write a desktop application capable of encrypting and decrypting files taken from FileSystemStorage with AES-256. Maximum level security is a requirement, I don't know if security in this use case depends only on password strength or also on other parameters.
This is the up to date repository: https://github.com/codenameone/bouncy-castle-codenameone-lib/
You can look at this for a sample of AES encryption: https://github.com/codenameone/bouncy-castle-codenameone-lib/blob/master/src/com/codename1/crypto/EncryptedStorage.java
Although I'm not sure about the key length.
Related
I heard that the reason one uses hashes like MD5 or Sha1 on large files is because it is hard to tamper with a large file and get the same hash. My questions is something different:
On every webpage that links to a large file (example Debian iso etc), there is normally either a link to another page which has the hash, or is listed on the same page. What is to stop a hacker MITM attack from tampering with both the .iso image and inserting the new signature on the page ? If he has the capability of making a user download his ISO (instead of the original version), it should be relatively simple to get the same user to download a modified webpage with the hash right ?
Is it a deterrent simply because a hash is so much smaller someone would notice the change on a page ?
If the hash is listed on a page that is available via https, then the certificate of the page is supposed to guarantee the authenticity of the hash you are downloading. Doing a MITM attack on https is supposed to be the hard part. If you download the hash via http, then you are correct that the MITM attack would work.
Some distro's produce a cryptographically signed hash of the ISO, and you're supposed to have their public key to verify that.
OpenBSD doesn't rely upon https...it does something different - https://www.openbsd.org/papers/bsdcan-signify.html
Is there a decent database for nodejs that is able to be embeded & encrypted so that if someone does get that file of data, a password also has to be known ?
I am coming up short & though things like nosql, nedb, etc. exists, none of them see to be able to handle encryption of said data.
sqlcipher can be built for mapbox/sqlite3
Also, using encryption with nedb is really easy, you just create a crypto cipher and perform the operation in and out. See this example from bitcrypt
You'd basically do the same thing as cipherHelper and decipherHelper, but you'd put them in the afterSerialization and beforeDeserialization callbacks.
I'm building a Windows Store application that uses SQLite for data storage. I have found out, that the database is easily accessible through User's local folder (actually all apps have all data publicly exposed). Is there a way to at least weakly protect the database from access?
you need to look at ProtectedData class
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.dataprotection.dataprotectionprovider.aspx
It exposes easy to use Protect / Unprotect methods that can be used to encrypt / decrypt that at app level. Encrypt data before writing to db and unencrypt before consuming
I also looking for the same solution and found sqlite-crypt at http://sqlite-crypt.com/download.htm
I don't know whether this one good enough or not. There is a trial version that limit passphrase to 6 characters and store it as plain text in the header. It won't be suitable if you want complete data protection. But for testing, maybe it's worth a try. I don't have a chance to test it yet since I still working on the server side of my project. I'll update it when I've test it in the future.
EDIT: Ok. I've test the trial version and it's worked well with modificated version of SqliteWinRT wrapper on codeplex. Note that the trial is limited to 5-6 characters of passphrase and this phasephrase is stored in plain text, plus it's in x86 compiled binary, which means it won't work for actual product which need ARM support. You have to purchase the binary to get the production-ready binaries.
I am writing a program for linux in C to extract the wpa/wep key from a windows registry hive.
Initially I was hoping to use wine's CryptUnprotectData function, but I realise now that wine uses a different algorithm and just mimics window's version. I also realise that only the user that encrypted the data can decrypt it.
I am using wzcook from the aircrack-ng suite as a guide.
http://tools.assembla.com/b6stFY7MOr2QtlaaeP0Qfc/browser/Windows/wzcook/wzcook.c
I've extracted the data from a hive without problems but I'm kind of stuck on how to decrypt the key.
If the key is encrypted in the registry for one user, then how does another user decrypt that data? I'm sure they don't have to retype the psk / passphrase if it has been already stored?
Is the data definitely encrypted even when offline (accessing the hive from linux)?
Any other solution for solving this, other than reverse engineering Microsoft's algorithm? :D
Any help / advise you can give is really appreciated,
Thanks.
As I understand it DPAPI uses a hash calculated from the user's actual password, so you would need both an open-source implementation of the Crypt functions and an explicit password from the user.
There has been some work on implementing CryptUnprotectData recently: DPAPIck
For Windows.Forms, I have an application that needs to get a unique install id for each install from my server, and then persist this data so once registered, the install ID is included on all communications back to the server. The application is in occasional contact with the server.
How can I persist this data on the client in a way that is not easily tampered with?
First, you should note that if the data is on the local file system and your application can read and write it, it will always be possible for a determined user to tamper with it... perhaps not easy, but possible nonetheless.
That said, there are a number of options you could consider, including (but not limited to) :
encrypting the data with a key defined in your assembly : pretty safe is the user has no programming skills, but an advanced user could disassemble your app to find the key. Obfuscation could make it harder to extract the key, but not impossible.
using an isolated storage : I'm not sure whether the data is encrypted or not, but at least it's not easily found, hidden in a deep folder hierarchy... Not so safe is the user knows where to look, however
writing the data in a binary format, which makes it harder to read or modify for a non expert user
using a piece of native code to encrypt the data : similar to the first option, but a native DLL is harder to disassemble than a .NET assembly, so it requires more skills to find the key
Again, all these approches are not bulletproof : as long as your program can access the data, an advanced user could always reverse engineer it and do the same...
You could save the data in the windows registry. You'll use the [HKCU\Software\YourAppName] hive key if it's a per-user setting, or [HKLM\Software\YourCompany] if it's a global setting. However, the data would need to be encrypted, because its trivila to get the values in these keys