I am writing an SSL client using the OpenSSL library. I am able to connect to https://www.httpbin.org using my C program. However, I want to manually set my own AES key for further symmetric cryptography and notify the server about the key. I know that the key for symmetric encryption is set during the handshake process. I am using SSL_connect() to connect to the server.
How can I manually set the key for symmetric cryptography?
This is not possible. The key used for encryption depends on data created by both server and client. This means it is not possible for the client to have full control over the key value. See also Computing the Master Secret in RFC 5246 (TLS 1.2).
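The master secret computation from RFC 5246 that the answer points to, as an added example (not code from the original post or from OpenSSL), assuming a cipher suite that uses the default SHA-256 PRF; the function names and the constructed byte values are illustrative. With every client-side input held fixed, changing only the server's random yields a different master secret:

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// pSHA256 is P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256.
func pSHA256(secret, seed []byte, n int) []byte {
	mac := func(parts ...[]byte) []byte {
		h := hmac.New(sha256.New, secret)
		for _, p := range parts {
			h.Write(p)
		}
		return h.Sum(nil)
	}
	var out []byte
	for a := mac(seed); len(out) < n; a = mac(a) { // a runs through A(1), A(2), ...
		out = append(out, mac(a, seed)...)
	}
	return out[:n]
}

// MasterSecret follows RFC 5246 section 8.1:
// PRF(pre_master_secret, "master secret", client_random + server_random)[0..47].
func MasterSecret(preMaster, clientRandom, serverRandom []byte) []byte {
	seed := append([]byte("master secret"), clientRandom...)
	seed = append(seed, serverRandom...)
	return pSHA256(preMaster, seed, 48)
}

// ServerRandomChangesKey fixes every client-side input (constructed values) and
// varies only the server's random, reporting whether the master secret changed.
func ServerRandomChangesKey() bool {
	preMaster := bytes.Repeat([]byte{0x03}, 48)
	clientRandom := bytes.Repeat([]byte{0xC1}, 32)
	a := MasterSecret(preMaster, clientRandom, bytes.Repeat([]byte{0x51}, 32))
	b := MasterSecret(preMaster, clientRandom, bytes.Repeat([]byte{0x52}, 32))
	return !bytes.Equal(a, b)
}

func main() {
	fmt.Println("server random changes master secret:", ServerRandomChangesKey())
}
```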
Related
From a database certificate backup with private key, I'm looking to convert the two files into one .pfx file, to store it in a secure key vault. Currently using SQL server 2019
I look at the certs currently in use within the master database
```sql
SELECT C.name,
       C.certificate_id,
       C.pvt_key_encryption_type,
       C.pvt_key_encryption_type_desc,
       C.subject,
       C.expiry_date,
       C.start_date,
       C.thumbprint
FROM sys.certificates AS C;
```
CertName1 appears on this list, encrypted by the master database
Take a backup of the certificate with private key
```sql
BACKUP CERTIFICATE CertName1
TO FILE = 'C:\temp\CertName1.crt'
WITH PRIVATE KEY (
    FILE = 'C:\temp\CertName1.key',
    ENCRYPTION BY PASSWORD = 'MadeUpPassword101!'
);
```
This creates two files CertName1.crt, CertName1.key
Using certutil within Windows, I try to combine the files into one .pfx
`certutil -mergepfx CertName1.crt CertName1.pfx`
I get an error saying ASN1 bad tag value met. Doing some research, this error means the key doesn't match the certificate.
Will I need to use the master key instead, which pretty much makes this useless as will need the private key to restore the encrypted database? Or is this something that can't be done with SQL certificates?
I am new to the AES encryption and reading about it.
We used to send data in .csv format with MD5 encryption but last week I got a requirement to send the data in AES encrypted format to client rather than MD5.
I have read some on the internet and did the following steps:
```sql
-- Create database key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Password123'
-- Create self-signed certificate
CREATE CERTIFICATE Certificate1
WITH SUBJECT = 'Protect Data';
GO
-- Create symmetric key
CREATE SYMMETRIC KEY SymmetricKey1
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE Certificate1;
GO
```
Then to encrypt the data I have used
```sql
OPEN SYMMETRIC KEY SymmetricKey1
DECRYPTION BY CERTIFICATE Certificate1;
SELECT EncryptByKey(Key_GUID('SymmetricKey1'), columnName)
FROM TableName
CLOSE SYMMETRIC KEY SymmetricKey1;
```
I tried to encrypt and decrypt and it works fine, and I have sent the data, but the client has a different server, wants to decrypt the file, and they are asking me to send the KEY.
I suppose the key is 'SymmetricKey1'
But Client is not able to decrypt it.
Now my question is: if the certificate and symmetric key are on one SQL Server (suppose India) and the client wants to decrypt the file on some other server, what exactly do I need to provide him? Do I need to create the same certificate and key on the client server, or something else?
I may sound a little stupid, but sorry, I could not find much on the internet.
I'm writing a server in Go that uses MongoDB and I was doing some research on how to enable SSL for the connection to the database. I found several examples that explain how to add the CA file. Like so:
mongo.NewClientWithOptions(connectionString, mongo.ClientOpt.SSLCaFile(caFilePath))
I'm using a hosted database on Atlas and they state that all connections use SSL by default. This answer on a different question shows how to connect to Atlas with Go but the code example doesn't use a CA file. I also couldn't find an option to download the CA file from Atlas that I could use.
This confuses me a bit and leads to the following questions. When is it necessary to provide a CA file like shown above to use SSL? If it's always required for SSL to provide a CA file, where do I get the CA file from to connect to a managed cluster on Atlas?
You always need a CA certificate to validate the server when initiating a TLS connection. Sometimes this is already installed on your platform and used automatically. You have to provide a CA file during connection when such a root certificate is not available. The CA file is used to validate the certificate presented by the server. A trusted third party provides this CA, and also (possibly through a chain of trusted parties) provides a certificate to the server, so you can validate the server is who it claims it is by validating its certificate using the CA.
All platforms come with an initial set of root certificates that can validate well-known third-party generated certificates. The mongodb server you're connecting to is probably using such a certificate, and thus, your OS certificates can be used to validate it. If you had your own PKI with your own CA not validated by a third party, then you'd need a separate CA file signed by your own CA. Then you'd need to pass that CA file to validate the server, because your root certificate will not contain your custom CA.
The CA file specifies which self-signed root certificates you trust, and can include intermediate certificate authorities as well.
When the application connects to the server, the server sends its certificate as part of the handshake. The server's certificate was digitally signed.
In order to check that the server certificate was not tampered with, the issuer's certificate is consulted, which contains a public key that can be used to validate the digital signature.
If the issuer was an intermediate CA, then its certificate was also signed by another CA, so that CA's certificate will be consulted to validate the signature on the intermediate certificate.
This continues until the chain reaches a certificate that was signed by itself. This is the root certificate. Since it signs itself, you have to explicitly indicate that you trust it in order to trust the entire chain, including the server being connected to.
The bottom line here is you need to provide a CA file when:
You care about verifying the identity of the server you are connecting to (i.e. preventing man in the middle attacks), and
The root certificate will not already be trusted implicitly by inclusion in a local trust store
I'm trying to use an application external to SQL Server to decrypt data (that I've) encrypted in Azure SQL Database. I can decrypt it natively in SQL Server using DecryptByKey - but I want to do this on the client computer. I know the key_source parameter used to generate the key and I can decode the initialisation vector and cipher data from the field data thanks to this SO post.
The key is being created by:
```sql
create symmetric key #tempkey
with algorithm = AES_256,
key_source='*****'
encryption by password = '*****'
```
I'm not able to find a reference to the key-derivation algorithm used by SQL Server to convert the key_source into the actual key. Sqlity says that the details are not published; however, this blog article is getting old now, and I'm hoping that's changed.
Inspecting the key information in sys.key_encryptions:
key_id|thumbprint|crypt_type|crypt_type_desc|crypt_property
259|NULL|ESP2|ENCRYPTION BY PASSWORD V2|NULL
sys.symmetric_keys doesn't appear to yield anything of use
There is a similar SO question here; but the answer refers to using a stored procedure to complete the decryption - which is not what I want to do.
Can anyone point me in the right direction of the key derivation algorithm implementation so that given the known key_source, I can generate the symmetric encryption key value and decrypt the cipher data?
My work-around is to do both encryption and decryption outside of SQL Server, but I'd like to avoid that if I can.
I have backed up an encrypted DB (symmetric key/certificate) and
restored it on a different server.
Unfortunately we're having problems with the decryption... hoping
someone can help.
In the restored db, I can see the Symmetric Key and the Certificate in
SSMS, but when I try to Open the key using the cert ( open symmetric
key KeyA decryption by certificate CertB ) I get the
following very descriptive error:
Msg 15466, Level 16, State 1, Line 1
An error occurred during decryption.
Any ideas?
Thanks in advance.
http://blogs.msdn.com/lcris/archive/2007/11/16/sql-server-2005-restoring-the-backup-of-a-database-that-uses-encryption.aspx answers this:
"When you restore a database that uses encryption features, there is only one thing you need to take care of - if the database master key (DbMK) needs a service master key (SMK) encryption, you need to regenerate this encryption. Note that this encryption is made by default when you create the DbMK, but it may be intentionally dropped, if you want tighter control of access to the encrypted data. Anyway, if you did have such SMK encryption for the DbMK, the steps to regenerate it are the following:
```sql
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
CLOSE MASTER KEY
```
That's it - the database encryption features should now work as when the backup was taken. Also note that it doesn't matter if you restore the database on the server where the backup was taken or elsewhere. The only thing that matters for this procedure is that you know one of the passwords protecting the DbMK"
The master key was decrypted by the service master key on the source server and we were decrypting the master key with password on the destination. I altered the master key to be decrypted by the service master key and it's working now.
The problem you are probably experiencing is that the Database Master Key for the servers is different. To my understanding the other keys are based off of this and it could cause problems when trying to decrypt the data. Check out the encryption hierarchy for a description of the steps that go into data encryption.
I hope this answer helps and isn't too off-track. :)
http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/thread/34c9c35c-2d08-4873-abfd-aae40240dfe7/?prof=required
That link worked for me, follow the 2 links to backup/restore
You can do the restore from the destination server using a UNC, you do not have to copy the file.