Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
Improve this question
I would like to ask if it is dangerous to pass on an SSH public key {name}.pub file to others, or if this only applies to the private file. (2nd question) Is the SSH key reset when I reset Windows?
The file was for a friend so that he can log me on to a server. I don't really have any security concerns, I'm just a bit paranoid.
Thanks for reading :D
First of all public key is meant to be public (i.e) You can share it without fear (this doesn't mean it should be public).
Assuming that you use ssh for login remote server. The public key is the place for the server and the private key lives in the client machine.
How public key authentication works?
To keep things simple, You probably generate an RSA(a cryptographic algorithm) public and private key pair, then you place the public key in a remote server and keep the private key within your client machine. When you log in with ssh, the server sends a challenge (some data encrypted with the public key). This challenge can only be decrypted with the private key in your machine. Your machine will decrypt and re-encrypt the challenge with your private key (again this can only be decrypted with the public key in the server). If the process goes correct, then the server knows that you have the right private key and it allows you access(here no secrets are shared).
You can't generate a private key with the public key, so there is no issue if the public key is leaked.
To answer your second question:
The private key is stored in your local machine, if you reset your OS, probably the key will be lost and you cant access the server. You can copy the private key safely somewhere before resetting OS and paste the key after the new OS installation (not recommended, do with caution). Or you can create a new RSA key pair and add the public key to the server(recommended).
Note: As you mentioned in the question The file was for a friend so that he can log me on to a server. Your friend cannot actually log in with a public key. The private key is required at the client-side.
Related
I know there are plenty of discussions regarding this topic, but I am a newbie with certificates and keys and, honestly, I haven't find nothing helpful similar to what I need to do.
Briefly, I am managing an embedding procedure between Salesforce and Tableau Server in order to let users to access Salesforce ONCE and visualize their Tableau dashboards.
I enabled Salesforce as the identity provider and I created a certificate .crt that I have downloaded, as well an .xml file.
Now, these files must be sent to the Tableau Administrator that should upload them into TSM.
Once he opened TSM, I noticed this SAML key file, that must be uploaded in .key format.
I have read all the Tableau/Salesforce documentation, but I don't find anything regarding where the private .key must be taken from.
When creating the .crt in Salesforce, I noticed a checkbox "exportable private key" and another field that described the key size as "2048".
So, should the private key be extracted from .crt file through some SSL commands?
I asked the same on Tableau Community and an expert told me to utilize the same key of the SSL configuration in Tableau (as well as the same .crt). This led me to another doubt.. because the documentation clearly reports that the .crt to upload in Tableau must be the one provided from Salesforce..
Other experts told me to try with a conversion of the .crt in another format from which I should have been able to extract the private key..
Obviously, this is just a small part of the procedure, but the one in which I am stuck.
If someone could make some clarity there, I would appreciate a lot.
Thank you,
Gian
I tried what I described in the previous section.
All the examples I found in the documentation are encrypt with public key and then decrypt with private key.
Therefore, can I decrypt with a public key, using EVP_XXX api? Or the only way to decrypt with public key is using RSA_XXX api?
Any answer is welcome.
Is it possible to decrypt with public key using openssl's EVP api
No. Its not a valid cryptographic operation. You won't be able to do it with most security libraries, like Botan, Crypto++ or OpenSSL.
Therefore, can I decrypt with a public key, using EVP_XXX api? Or the only way to decrypt with public key is using RSA_XXX api?
Usually folks want a Signature Scheme with Recovery when they start asking for "encrypt with private key" and "decrypt with public key" questions. But we don't know what your use case is, so we can't really make a recommendation.
Asking for cryptosystem recommendations is probably off-topic for Stack Overflow. Maybe you should describe your problem and seek guidance on Cryptography Stack Exchange or Information Security Stack Exchange.
I have done some search, both here and on the web, but apparently it seems to be difficult to find a similar issue around, so I decided to post a question here.
I have the following task to accomplish (and unfortunately I am not an expert in OpenSSL encryption), having the following ingredients:
a SQL Server database (where I have 'sa' access rights, if necessary);
a DER certificate with a public key only.
I am requested to encrypt some DB data using that public key, and the result of the encryption must be the same I would obtain by using the following command (it uses the PKCS#1 v 1.5 padding, if I understood well):
.\openssl rsautl -encrypt -inkey <public key cert> -certin -pkcs
I know that SQL Server can import a certificate and encrypt data, but I don't know how/if I can set any options to drive the encryption process (e.g.: which padding it should use) in order to make sure that I really reproduced the template I was given.
On the other hand, if I am not wrong, since I have no private key, then I cannot test my encryption by just encrypting some data via SQL Server and then de-crypting them via the openssl command.
As an alternative, I thought that a check method could consist in encrypting the same data via openssl and via SQL Server, and then check if the returned strings are the same. Unfortunately, I learned from another StackOverflow question the every time a data is encrypted it is applied some random padding which cause the encrypted string to be always different.
Then, the first question: is it possible, both in the openssl command and in SQL Server, to temporarily 'fix' the used random seed, in order to make sure that every time one encrypts a string, it will always be applied the same padding, in order to be able to compare the results?
As an alternative, I would try to do my tests with a test certificate which I could try to generate with a pair of keys, but in this case I have some silly questions:
how can I generate a pair of keys and then create a certificate with the public key which will be an analogue to the one I was provided by the entity I will have to send data to?
how can I make sure that the format of this 'test' certificate is compliant to that of the production certificate provided to me?
Thanks a lot for every help and best regards. Sorry if my question can appear silly, but I am not an expert in this topic.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I created an smtp mail server and it was successfully configured using postfix, dovecot, and roundcube.
Wanting to add functionality and to get active directory users to authenticate, I chose to use pbis (http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True) and found that I was able to easily add to the Active Directory domain ultimately using this command after install and completing a few prerequisites:
$ ./domainjoin-cli join TEST.LOCAL testuser
where "TEST.LOCAL" is the domain in active directory and "testuser" is a user account I set up in the active directory domain.
When logging into the account on roundcube:
I use: TEST\testuser and I am able to successfully login
This required a slight change to the dovecot configuration file /etc/dovecot/conf.d/10-auth.conf and adding the "\" to the list of characters under "auth_username_chars"
I can send an e-mail to a system linux account "user" and verify receipt of that e-mail. I have to change the outgoing e-mail address from TEST\testuser#test.local to testuser#test.local because of incorrect syntax.
What I can't seem to do is send mail to the active directory account "testuser"
I get the following error when attempting this:
SMTP Error (550): Failed to add recipient "testuser#test.local" (5.1.1 <testuser#test.local>: Recipient address rejected: User unknown in local recipient table).
This seems to correspond to alias mapping but I don't know how to do that and the guides I am finding online don't seem to quite fit what I am looking to do. No, I do not have virtual mapping. The user accounts I am trying to map to are all under this directory:
/home/local/TEST/
My question is basically this: How do I map "testuser#test.local" to "TEST\testuser#test.local" in postfix?
Actually submitted this a bit prematurely because I found my answer but had to alter it to my environment to get it to work.
Following the directions on: www.electrictoolbox.com/update-postfix-virtual-alias-map was incredibly helpful.
The exception was the /etc/postfix/virtual file had to have the windows slashes in it.
Basically what I did was
Add a line to /etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
Created a /etc/postfix/virtual file with the following contents:
testuser#test.local TEST\\testuser
Applied the settings:
postmap /etc/postfix/virtual
I am implementing an automatic update feature and need some advice on how to do this securely using best practices. I would like to use the downloaded file's Authenticode signature to verify that it is safe to run (i.e. originates from our company and hasn't been tampered with). My question is very similar to question #2008519.
The bottom-line question: what's the best, most secure way to check Authenticode signatures for an automatic update feature? What fields in the certificate should be checked? Requirements being: (1) check signature is valid, (2) check it's my signature, (3) old clients can still update when my certificate expires and I get a new one.
Here's some background information / ideas from my research: I believe this could be broken into two steps:
Verify that the signature is valid. I believe this should be easy using WinVerifyTrust as outlined in http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx - I don't expect problems here.
Verify that the signature corresponds to our company, and not another company. This seems to be a more difficult question to answer:
One possibility is to check some of the strings in the signature. Could be obtained via code at MS KB article #323809, but this article doesn't make recommendations on what fields should be checked for this type of application (or any other, for that matter). Question #1072540 also illustrates how to get some certificate info, but again doesn't recommend what fields to actually check. My concern is that the strings might not be the best check: what if another person is able to obtain a certificate with the same name, for example? Or if there's a valid reason for us to change the strings in the future?
The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.
The person at question #2008519 has a
very similar requirement. His need for
a "TrustedByUs" function is identical
to mine. However, he goes about doing
the check by comparing public keys.
While this would work in the
short-term, it seems like it won't
work for an automatic update feature.
This is because code signing
certificates are only valid for 2 - 3
years max. Therefore, in the future,
when we buy a new certificate in 2
years, the old clients wouldn't be
able to update any more due to the
change in public key.
Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else's similar-looking certificate for your own.