I am trying to implement direct Integraion of Google pay into our website and in docs, it is mentioned that merchants have to anually rotate the keys in case of direct integration and old private key should be supported upto 8 days after removing of public key. My question is can I always use old private key during decryption even after rotation of public key? I can update the new public key anually but I would like to use the same old private key. Will it work forever during decryption or is there any time period which it gets invalidated?
Related
I want to sell some of my collectable items that I have been collecting over the years. But I don't want to just sell it, I want to add a QR code to the item (back of the painting, on the deck of cards etc.) and have that link to a website that can verify the item is the real thing.
I was thinking of using pgp-keys (public/private) to verify the item.
Is there already a way to do this or would I have to write something to decrypt the private key for validation? What language would be able to do this, can I do it in python?
This depends on what you are actually seeking to do.
You could embed a message that you sign with your private key, which can then be verified to be authentic with your public key.
If you want the message to be encrypted, you will need to pass a private key to the buyer and encrypt the message with the corresponding public key.
Generally, you don't need the private key unless you are doing encryption or signing. There are libraries for PGP in essentially all programming languages, python has python-gnupg for this.
Any hardware crypto wallet supports signing a transaction without the private key leaving the hardware, so theoretically it should be possible to sign a CSR as well. Is this true? If so, how can I do that?
PS I am also wondering if this is a good way to store the private key of a root CA offline, and maybe also splitting the private key into a couple of hardware wallets, say any 2 of 3 keys can recover the private key.
Suppose, given an agent belonging to a company, having its own pair of public / private keys, that you want to certify with confidence that it was really that agent belonging to that company to have written through a particular transaction the data on the blockchain. In Ethereum, you could publish your address on the company website while, in Sawtooth, how could I do? Is it possible to use public key or is this not good for security reasons? Is this a suitable use case for Sawtooth?
The public key is for public good and there is no reason not to widely publish it and make it available.
The usual problem with public-private keypairs is people leak the private key or do not secure the private key properly and have it lost or stolen.
My question is: Does the public key in a asymmetric key have to be used to encrypt data or can it go either way (be used to decrypt)?
In RSA the public and private key technically fulfill the same role, one can decrypt what the other encrypted. The only difference is that one is made available to all parties.
Public keys can only be used to encrypt data, and private keys can only be used to decrypt data.
If you could decrypt data using a public key, that defeats the purpose of encryption.
Imagine you put your public key on your Facebook profile so that people can encrypt emails to you if they wish. If public keys could decrypt, then anyone that viewed your profile would have the key to all your emails (that were encrypted using that key pair).
In a Mac application, I have a requirement to store the private key sent from the server for logged in user in a secure way and retrieve it back whenever needed programmatically. I know that keychain is the best place to store the private key. Is there any sample code available to achieve this?
I am able to add the private key to the keychain using "SecKeychainItemImport" method of "Security.framework" but having issues retrieving back the private key from the keychain. I have tried using "SecKeychainItemCopyAttributesAndData" and "SecKeychainItemCopyContent" methods for getting private key back from the keychain. But no luck so far.
I have also read in blogs mentioning private key storage inside ".ssh" hidden folder. But I feel that storing the private key inside the keychain provides one more level of security so that someone else can not have an easy access to the private key.
One purpose of the Keychain is to keep private keys protected by not exposing their data to the application. To prevent accidentally exposing a private key, these items are flagged CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_SENSITIVE by default; i.e., it is only possible to get their data using SecKeychainItemExport, and only in a passphrase-protected format.
There are APIs in the Security framework that encrypt/decrypt/sign/verify etc. data using a supplied key item without ever putting the raw key data in the application's address space. (These operations are normally done by a separate, privileged process.)
If for some reason you do need access to the private key's raw bits, you need to prepare for this at the time you import the private key to the keychain. You need to set keyAttributes to CSSM_KEYATTR_EXTRACTABLE (i.e., without the sensitive bit) in the keyParams parameter of SecKeychainItemImport.
Yes, the Keychain is what you'd use here. You want to read the documentation first, then look at Apple's sample code.
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html
http://developer.apple.com/library/ios/#samplecode/GenericKeychain/Introduction/Intro.html