I have JWE encrypted request and response from a mobile application and co-incidently i do have access to private keys stored in mobile app itself. Since i have no devlopement background of nodejs. Can someone tell me detailed steps to decrypt the encrypted traffic. Thanks in advance.
Related
I have to implement end-to-end encryption with firebase push notifications on React and React Native Apps.
What I have in mind
Encrypt messages from the backend and sent them to firebase
On the front end, we will decrypt the message with the shared private key that we got on login from the backend or a predefined key on the app itself
My Question is.
Since push notifications run in the background.
How do we get a private key for decryption when a notification cames
How do we decrypt the message using library (crypto-js) on push notification
I know this is not a way to do this. Please suggest a better option.
This is for HIPPA compliance
I want to use some API data to build a front app in angularjs 1. For that I have to decrypt the data first using AES128 and use it then send encrypt data to API. I can use crypto.js for that task but then the key will be visible to anyone.
Is their any secure way of doing this?
Thanks
For that you need to use angular-crypto.js for more information please refer this
github repository...encryption and decryption
Here what we can us
You have to modify API so that it will generate pair of keya: public key and private key. This public key will be given to angular code where it will be able to encrypt using this public key. Encrypted data will be send to API where it will use private key to decrypt it. This is the most secure way to do it where it encrypted data will not be able to be decrypted without secret private key.
There're some more ways to enhance security such as using hash functions and digital signatures
Assume the following:
I have a WPF Application which reads a text from a file an sends the
text to my server REST API via a HTTPS and the server sends a
response which depends on the text which was send in request
The WPF Application should be the only one which gets a useful response
to this request - so the WPF Application has to show somehow to
the server, that the request is send from the application itself.
The user of the WPF Application should not be asked to enter any login credentials
What are the best practices here?
My thoughts:
the WPF Application could send a hard-coded password along with the
request which is checked on the server side - but that sounds not
like a good solution to me because the security depends on the fact that
nobody is able to sniff the HTTPS Request.
Is it possible to sniff the HTTPS Request to get the password easily?
Thanks in advance
If your server already supports HTTPS the client knows the server is trusted based on the cert it is using, so that side is handled. (client trusts server)
To ensure trust the server needs to do the same. (server trusts client) The client should hold a cert it can pass to the server so the server can verify the clients identity.
Like always this brings up the problem of how to hide the key in the client, of which there are various schemes but since the client needs to get the key eventually you cannot prevent a dedicated hacker from finding that info, only make it harder for them. (obfuscation etc)
Depending on your application the best is a simple white-list of clients allowed to connect. Some apps can do this but many cannot since they don't have the users IP's etc, but it's something else to keep in mind if it fits your use-case.
You can send a password to the server like you suggest. As long as the message is encrypted (HTTPS) your probably fine. Nothing is 100% secure. It can be intercepted via a man-in-the-middle style attack, but these are fairly rare, or at least very targeted, so it would depend on what your software does etc.
I need to send all data with some token (rendomly generated), so that server side script can recognize it secure.
As well as, I need to encrypt username-password also for security purpose.
My client want strong security, and I never done it before. So please any one suggest me!!!
I want to login with a file that contains digital certificate of someone, first registers with certificate contents that is base64 format, and when registering it will encrypt the content of certificate and save into database and when login with this file, i want to login with that data matched by decrypted way, pls help how to do this? And also when i encrypt each time file content saved with different characters, is it possible to save 3323 characters in database? pls help.....
// controller
$main_file = $request->file;
//$con = $main_file->getClientOriginalName();
$con = file_get_contents($main_file->getRealPath());
$files = Crypt::encrypt($con);
dd($files);
$file = Input::file('file')->getClientOriginalName();
$contents = File::get($main_file);
dd($contents);
Now to authenticate with this saved encrypted data, what is the possible way to save the encrypted 3322 characters in database, i am really in a stuck. can anyone help me...the main task is to login with file contents..thanks...
Sounds like you're trying to implement some kind of shared private key authentication. It's not clear why you want to do that (more on that later), but it sounds like a bad idea right from the start because you are immediately confronted with a difficult problem: how do you get the private key from the client to the server in a secure way?
A better way to do it would be a private/public key system, similar to the sort of thing SSH does when you set up passwordless login. Basically (very basically - I'm not an expert) the idea is that the client generates a private/public key pair and then sends the public key to the server. On authentication, the private key is used to encrypt a message. This encrypted message is sent to the server, where the public key is used to decrypt it. If the correct message was received, then the client is authenticated.
Rather than having some sort of shared certificate, I'd recommend following this model. That way you don't have to share sensitive information (the client's private key) with the server.
Ultimately, you need to think about why you want to do this.
You think this will be more convenient for clients? Well, for SSH, it certainly is more convenient to log in this way, because SSH has a mechanism for automatically encrypting and passing messages in a secure way. For HTTP? Not so much. The user is going to need to generate a file then use an upload form just to log in. Passwords are much quicker and easier.
You think it will be more secure? The way you've described it (a shared private key) will probably be less secure because you somehow have to get the private key from the client to the server without it being compromised - remember, if the private key is compromised, anyone can impersonate the client. The way SSH does it is more secure because the private key never leaves the client.
Ultimately, I think you can probably get what you're looking for with a) strictly enforced password complexity rules and b) HTTPS.
If security on your site is so important that you cannot rely on HTTPS and complex passwords, then you should probably be looking at a more comprehensive solution that will encrypt all traffic between the client and the server, such as a VPN (virtual private network).