Currently I am investigating https://github.com/orlp/ed25519 , and it has example for signing but how to use it for encrypting/decrypting data? Thanks
Assuming you want to send a message to Alice who has the public key A.
Generate a new ephemeral key pair e, E
Compute the shared DH secret between e and A using the ed25519_key_exchange function.
Use some kind of of KDF of that secret. In the simplest case a hash.
Use the value derived in step 3 as key in a symmetric algorithm
NaCl's crypto_box works almost like this. The main differences are that it uses Montgomery form public keys and uses HSalsa20 as hash in step 3.
Some people don't feel comfortable with using the same keypair for signing and encryption. Use at your own risk. If you don't need this key reuse, I'd recommend LibSodium as an alternative.
You don't. ED25519 is a public-key signature system, not an encryption system. Trying to use it for a purpose it was not designed for is likely to introduce security vulnerabilities.
Related
I try to manage in a C library multiple RSA keys and certificates in a PKCS#12 structure. Managing a single key with the primitives PKCS12_create and PKCS12_parse works fine, but I can't find anything about managing multiple keys. I tried to use the safes and bags primitives but I only succeed to corrupt my PKCS12.
Does OpenSSL's PKCS#12 allow multiple keys and certificates in PKCS#12 structure? If so, then how do I manage multiple keys and certificates using the PKCS#12 API?
Thanks all
PKCS#12 is a complicated data structure. All of the operations that PKCS12_parse use are public API, it just tries to simplify the simple case. The entire 245 lines of p12_kiss.c (one presumes Keep It Simple, Stupid) are PKCS12_parse and its (non-public) helper routines.
p12_crt.c is another 291 lines of "man, this file format is complicated", which is just PKCS12_create.
Managing multiple files is easier code, but if you want to take the complexity into your code you can simplify your file operations.
Don't forget to call PKCS12_SAFEBAG_create_pkcs8_encrypt on the private key bags. Your keys aren't encrypted unless you call it, and (IIRC) Apple's PFX reader won't load keys out of unencrypted bags (probably not an intentional decision, they just likely never experienced it).
I finally succeed to add/parse multiple RSA keys and they certs into/from a PKCS12 structure/file.
My parse function is based on the OpenSSL parse_pk12 function in p12_kiss.c file. This function seems to return the last bag only. I adapt it to check each bags friendly name and return the one who match.
The add function begin with unpacking the safes (STACK_OF(PKCS7)) from the existing PKCS12, and then working on this safes in order to add a new stack of bags to it. I then create a new PKCS12 with the PKCS12_add_safes function and delete the previous one.
Thanks all
What is the best one way permutation function I could use to digest an e-mail so I can use it as a primary key without storing personal data?
I'm getting my first F2P game ready: a simple yet (hopefully) addictive 2D casual puzzler based on aiming mechanics. It's made with Unity and will be released on Android very soon.
In order for the player to keep the same data across different devices, I have an SQL table with the device e-mail as the primary key, then another string as the savegame data.
But I don't want to store the user e-mail for privacy reasons.
So I thought of digesting it with some function that would use the original e-mail to generate a new string that:
is unique (will never collide with another string generated from a different e-mail address)
is not decypherable (there should be no way to obtain the original e-mail from the digested string - or at least it should be hard enough)
This way I could still use the Android device e-mail to retrieve the savegame data, without storing personal data from the player.
As far as I've researched, the solution seems to be called a one way permutation function. The problem is that I can't seem to find an appropriate function on the internet; instead, all answers seem to be plagued with solutions for password hashing, which is very interesting (salting, MD5, SHAXXX...) but don't meet my first requirement of no collision.
Thank you in advance for any answer on this topic.
What you need is a cryptographic hash function such as SHA-256. Such functions are designed to be collision resistant, Git uses an older version SHA-1. Most languages/systems have support of this, just Google "Android SHA-256" along with your language of choice.
One option is to append a creation timestamp.
Update: Since SHA-256 does not provide sufficient collision resistance consider s GUID, from RFC 4122: "A UUID is 128 bits long, and can guarantee uniqueness across space and time.". Of course you need to find a good implementation.
I am not able to generate RSA key pair inside VSS through macros. I am in need of script to gerate key inside and compute Public CA and do RSA computation inside. Please help in this regard.
As far as I know, it is not possible to generate a RSA keypair inside VSS (v4.0).
You might want to try generating a keypair using the embedded openssl and then store it into the key slot (beware that there are probably some constraints on some key slots (modulus length,exponent length) -- check your documentation).
Beware that the RSACOMP operation does only a raw RSA computation (modular exponentiation) and you will have to handle the padding stuff yourself (and correctly).
A much simpler alternative is to generate the keypair outside (HSM?) and inject it securely to the terminal (I do not understand your use case -- but some certificate for this keypair could be injected as well)
Good luck!
I'm developing simple software that does aes256-cbc encryption of a file. I'm using GNU/Linux and libgcrypt-1.5.0. The IV is randomly generated with the OpenSSL rand function and the IV is stored before the ciphertext in the output file. I'm using the PKCS#7 padding method.
Now I am in doubt about how to proceed:
It is better to use sha256 repeated 50,000 times of the inputed password to encrypt the file, or it is better to use the password given by the user?
If I want to check the correctness of the inputed password, I have to store it into the encrypted file (obviously encrypted). Is it correct to do this?
Use PBKDF2 to derive a key as indiv suggested.
Use PBKDF2 with a different salt to derive an authentication key and append a MAC to your encrypted data (after encryption is more secure than before encryption). Verify the MAC in order to check whether the password is correct or not, and that the data has not been tampered with. If you are unsure when choosing a MAC, use HMAC with SHA-512 (assuming you are using AES-256 as per your question).
Instead of using PBKDF2 twice with different paddings, you can use a single invocation of PBKDF2 to generate both the encryption and the authentication keys at the same time, by generating a key of the combined size of your encryption key and authentication key in one go.
Note that depending on the padding for deciding whether the key was good can result in CBC padding oracle attacks. For file encryption such attacks might not be applicable, depending on the exact circumstances, but it seems prudent practice to use a proper MAC for data authentication anyway, since you also want to prevent bit flipping attacks and other malicious modifications to your data.
Neither choice is correct. You need to use an algorithm made for deriving a key from a password, like PBKDF2. See the function gcry_kdf_derive.
1.It is better to use sha256 repeated 50,000 times of the inputed password to encrypt the file, or it is better to use the password given by the user?
You never use the "raw" password directly as a key. The key needs to be strectched in something hardened against brute forcing attacks. Look at the String-to-Key (S2K) stuff, or a Password Based Key Derivation Function (PBKDF) with a memory-hard hash like scrypt.
2.If I want to check the correctness of the inputed password, I have to store it into the encrypted file (obviously encrypted). Is it correct to do this?
No. You use an authenticated encryption mode like GCM. Authenticated encryption modes are specially built for the task and provide both confidentiality and authenticity.
Under the password, the encrypted file will verify or it won't. Don't concern yourself with the reason why. Otherwise, you're setting up an oracle which may undo everything from Step 1 (which may or may not be applicable here).
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I'm implementing a small application in C, which I would like to sell as shareware for a reasonable price later on. It will start of with a 30-day trial, which I am already quite certain of how to implement it.
The problem I have, though, is that I am not quite sure how to implement the product key verification. What I have in mind is that the customer can sign up on my webpage (after trying the product for a while), pay for the product, and get a product key in the form of aaaaa-bbbbb-ccccc-ddddd-eeeee via e-mail (or maybe available via his profile on my website). No problem so far. He/She then drops the key in the appropriate key fields in my app and boom the app is registered.
From what I could gather so far, people either recommend AES or RSA for this. To be honest, I in another direction in college (not cryptography) and the one cryptography class I took was some time ago. But from what I remember, AES is a symmetric encryption algorithm, which would mean that I would only have one key for encryption and decryption, right? How could I then generate thousands of product keys and still validate them in my app (which by the way won't require internet access....so no checking back with a server)?
So I guess RSA would be the way to go? But doesn't RSA produce pretty long keys (at least longer than the required 25 characters from above)?
In another thread I read that some products won't even use encryption for the product key generation/verification, but instead just employ some checks like "add the 2. and the 17. character and that should total to x".
What's the fastest, easiest and most secure way to go here? :-) Code samples would be sugar!
Regards,
Sebastian
P.S.: Oh...and please don't tell me how my key can and will be cracked at some point.....I know about that, which is primarily why I don't want to spend a lot of time with this issue, but at the same time not make it too easy for the occasional cracker.
Symmetric algorithms are limited, in that any novice cracker with a disassembler can find your key (or the algorithm used to generate one) and make a "keygen".
For this reason, asymmetric cryptology is the way to go. The basic premise is something like this:
When the user purchases a license from you, you collect certain identifying details about the user and/or their environment (typically, this is just a full name; sometimes a company, too).
You make a 128-bit MD5 hash of this information.
Using a 128-bit Elliptic Curve crypto, encrypt this hash using the private key on the server.
The 128-bit cipher text can be represented to the user as a 25-character string consisting of letters and digits (plus separating dashes for readability). Notice that 26 letters + 10 digits = 36 discrete values, and that 36^25 > 2^128.
The user types this product key into your registration dialog. The client software converts it back to a 128-bit number (16 bytes), decrypts that using the public key of your EC crypto, and compares the result to an MD5 hash of the user's personal information, which must match what was used for registration.
This is just the basic idea, of course. For more details and source code, see Product Keys Based on Elliptic Curve Cryptography.
Life is simpler if you simply purchase a solution.
http://www.kagi.com/kagisolutions/index.php
Kagi allows you to collect payments and they help you manage the keys.
A guy has blogged about how he handled the question of registration numbers. One of his blog entries is Generating Unique Registration Numbers.
Yes, RSA and AES are two very different things:
RSA is public key cryptography, involving a public key and a private key, and is fairly slow. The primary use is to set up a secure exchange of a symmetric encryption session key.
AES is symmetric encryption, which is fast and secure.
Since your app does not communicate over public channels and the use of cryptography is limited to product activation/registration you'll want to go with a symmetric cipher. The benefits of public key ciphers is in key management, which you will be handling on your web site or through email.
Note that you do not have to distribute the same key for every customer. You could generate a hash of some of the registration info and XOR it with something else (a fixed session key, perhaps). Send that to the customer, and the program could generate the same hash and XOR will the key you sent to produce the original fixed key.
Dealing with cryptography is not something to be done lightly. As you mention, you expect this to be cracked. If you're doing your own this will almost certainly happen. You can still use your own implementation to "keep honest people honest," but realize that's as far as you'll get. If you need something stronger then you should purchase a solution after doing thorough research on the solutions.
You can check out this Code Project article. It describes an implementation of a a software key based on the MAC address of the machine where the software is executed. The method is not ideal, as the auteur himself admits, and it is a little bit different from what you are looking for, but maybe it can help you.