I am working on the RFID-RC522 module security.I have searched some theoratical solutions of RFID security like:
Mutual authentification
Basic access control
Password lock etc to secure my RFID data from unidentified reader.
How can I program a tag that can check a value coming from reader and match it with the value stored into tag, only if the data is matched than the tag will send the data to the
reader.
Note: I don't want to write anything from the reader site
Related
Friends,
I need some help on Word API Authentication.
Scenario:
Our articles has meta data which contains who can work on the articles (User1, User2), we need to know user_name (window's id) who logged into the machine so that we can authenticate the users against article metadata without asking them to log-in each time.
Workflow:
Article Creator Process is responsible for creating the document. This process will create word document and will be transferred to the user.
Article processor is adding custom xml part into document such as User Name, Document ID etc.
Authentication Rule is simple here. If article metadata contains your name then only you can work else not.
We need to match article meta data name with user who is opening the document. So here we need to know who log-ed into the machine.
How we can get this information for Online and Offline ?
We don't want our desktop users to enter the credentials again and again. For desktop which is (90% users will use desktop) is should be pretty straight forward, get user name and match it with article metadata.
Appreciate any help on this, any alternative solutions to handle this are most welcome.
There is no way to find out the current user's username. You can get the unique ID of the user in terms of a GUID-like entity, though, so I suppose you could store the user GUID into the custom XML part instead. The GUID corresponds to the Microsoft account or OrgID identity of the user.
See https://msdn.microsoft.com/en-us/library/office/jj164035.aspx for more info, particularly the "To load a test license from your Visual Studio project" section that describes the structure of the validation token.
Alternatively, if you can trust your users (i.e., it's just identification, not authentication), have them type in their name once, and then store it in the browser's localStorage.
Is there a way to customise or change the message that gets displayed in the document open Password dialog box while trying to open a password protected PDF file.
Default message - "filename.pdf is protected. please enter a Document Open Password."
The message shown is completely up to the PDF viewer or processor in question.
In general you cannot prescribe it but you may create your own viewer showing the text you prefer.
PS: As the OP still hoped for a different answer (and asked essentially a duplicate question here):
The PDF specification in regard to opening password protected PDF files only rules:
If a user attempts to open an encrypted document that has a user password, the conforming reader shall first try to authenticate the encrypted document using the padding string defined in 7.6.3.3, "Encryption Key Algorithm" (default user password):
If this authentication attempt is successful, the conforming reader may open, decrypt and display the document on the screen.
If this authentication attempt fails, the application should prompt for a password. Correctly supplying either password (owner or user password) should enable the user to open the document, decrypt it, and display it on the screen.
(ISO 32000-1 section 7.6.3.1)
It does not present any mechanism to supply a message for prompting for the password.
Please note that the specification even makes prompting for a password merely a recommendation ("should", not "shall"). Completely in accord with the specification, therefore, other ways to retrieve a password might be tried instead, or such password protected documents might be ignored completely!
That been said specific PDF viewers might allow to provide a prompting message in a proprietary manner; after all the early signing mechanisms in Adobe Reader even allowed the PDF to provide appearances for successfully and for unsuccessfully verified signatures which made frauds possible! I doubt, though, that current versions of serious viewers allow providing password prompt messages even in a proprietary way.
I am using Mifare Ultralight C to make a access control system.
The method I am using is based on the UID of the card.
I can read the UID by NFC Reader (SeeedStudio shield on Arduino UNO)
However, the UID is not reliable since there are writable UID card out there in the market. So I think that I should secure the connection by 3DES authentication and then block the reading from 0x00 which is from the first serial number byte.
Is it the correct way to implement access control?
You cannot block read access to the UID. The UID is an immanent part of the anticollision/tag enumeration phase of ISO 14443 so the tag will always reveal that information. Moreover, Ultralight C permits read/write protection only from page 3 to the end of the memory.
What you could do is the following:
Use the UID to identify the tag.
Derive a tag-specific key based on a master key and the tag's UID.
Ktag = fkey_derivation(UIDtag, Kmaster)
Use that key Ktag as 3DES key for the Ultralight C authentication.
Protect (read and write) the whole data memory of the tag.
Possibly store some additional authentication information on the tag (e.g. a signature over the UID). However, you should keep in mind that after authentication read operations are neither encrypted nor integrity protected. This means that an attacker could potentially retrieve the data stored on a tag by listening into the communication between a legit tag and a legit reader. Moreover, an attacker might be able to authenticate with a legit tag and then intercept any further read commands to return manipulated data. Basically this means that you should refrain from storing any non-integrity-protected permission information on such a tag.
And finally: MIFARE Ultralight C is certainly not meant to be used for access control!
I have made a VB.NET application. I have read I tutorials that how to use SMTP to send emails from VB.NET, and finally I got one working.
But I have an issue with it, I don't want to bother the user to input all his details like, SMTP server name and all those stuffs.
I just want that a user input their Usename and Password and all other necessary details gets available for the application. Same like thunderbird, as when I enter my Usename and Password in Mozilla thunderbird it automatically get all the other required data and configures my email account.
Now what I want to accomplish is that, a user should fill in their details i.e. Usename and Password & the email using their Usename and Password should be sent to the email specified in the program.
To explain more about the kind of my project is, when an error occurs I want the user to take a screenshot of it and email me it using this method. So that I can look into the bug.
There is no automatic way of doing this. Each email setup is different and there is no automated configuration specification.
Thunderbird has a built in database that it's developers built and maintain to offer this functionality. See: https://support.mozillamessaging.com/en-US/kb/isp-database
You could do the same using the #domain.tld to enable you to match the users email provider with your database.
Microsoft Exchange does offer an automatic configuration endpoint, but I don't think it would prove useful to you as it isn't guaranteed to include SMTP information.
I have a vb.net application that uses my gmail smtp server settings and my password to send me the users feedback through the email, (I don't want to show my email to the users)
The problem is I want to store these data securely in the vb.net application so that It's hard for any hackers/crackers through (reverse engineering or programs like cheat engine) to get my gmail account data.
Any ideas are welcome.
You cannot be 100% secure, you could store the email in a resource file and use an obsficator to make it much harder to get at the string but it is possible to break it (encrypted resource files and strings). However Even if you used a different email address and setup a forwarding rule the password for that account could still be comprimised. Anything you have access to in code a hacker could potentially break into as the key will be in clear text at some point.
You have a number of secure options:
Setup a webservice to receive your messages and email them onto you/log them to a database
Log your messages to a 3rd Party system (irc? news? some p2p network, IM system), and pick um the messages later.
Setup a Source Control/issue site for your system, google code/bitbucket/something else that has the ability to receive issues via an api.
I don't know if this makes any sense but what I'd do is let the program run an external PHP script that sends the mail.
Basically, if I'm understanding your question, you don't want the password in clear text in your .exe. Correct?
The solution is simply to ENCRYPT the string in your program, then decrypt it at runtime (pass your decrypted variable to your e-mail function).
Any two-way encryption will work. For example:
http://www.vbdotnetforums.com/security/1240-encrypt-password.html
As other people pointed out saving the password to your email in your application is unsafe because somebody might be able to crack your code and retrieve your password.
For logging errors, I suggest creating a very small PHP script and putting it on a PHP server. When an error occurs in your VB.NET application, the application can send data to this .php script. The script can save the data in a file or in a MySQL database.
All the things you need for sending data to PHP scripts can be found in "System. Net. WebRequest" namespace in VB.NET.
If you cannot use a PHP script, you may use a combination of IsolatedStorage ("System.IO.IsolatedStorage" namespace) and Cryptography ("System.Security.Cryptography" namespace) to save sensitive data. But, this is not completely secure to savvy attackers.