I am currently using the BSAFE v6.0 cryptographic library for decryption and verification of digital signatures. Security parameters are a RSA-4096 key and a SHA-256 hash.
Our customer is wanting to increase security parameters to a RSA-8192 key and a SHA-512 hash. The BSAFE v6.0 library will not handle this.
It has come to my attention that a newer version of the BSAFE library is available (released in 2020). Does anyone know if that version will handle a RSA-8192 key and a SHA-512 hash?
Thanks
Related
I want to use BIP44 HD wallet with Ed25519 curve. Does BIP 44 support the Ed25519 curve, Because I have read that BIP32 does not compatible with Ed25519 based cryptography.
BIP-0044 depends on BIP-0043, which depends on BIP-0032, which only supports secp256k cryptography in its original form. Since then SLIP-0010 defined a way to extend BIP32 with NIST-P256 and Ed25519 cryptography, so I suggest to delve yourself into SLIP-0010. Unfortunately Ed25519 does not support normal (public) derivation, only hardened derivation. So you cannot have read-only wallets or audited accounts for Ed25519-based crypto.
I am using gSOAP and it was compiled WITH_OPENSSL. I have found that there is only an API soap_ssl_server_context which takes as PEM file.
Is it possible to provide the private key to gSOAP layer without passing through the PEM files? i want to use HSM
Typically for key management, an HSM e.g. a Thales Payshield 9000, will provide a public key in DER binary format (which can be converted to PEM format using binary->base64 conversion).
However, it is not really intended to provide you with the Private key in DER or PEM format. The private key will be encrypted with the HSM LMK (Local Machine Key).
This means that only HSM can translate the encrypted value (often a pin verification key) to another encryption key. This really is the point of having an HSM e.g. PCI compliance for Visa or MasterCard. You are not meant to get the clear data in software.
If you need to decrypt the data yourself, perhaps just use a software solution like .net RSA or BouncyCastle.
Does anyone know how to transition authentications on NTP? I've done copious amounts of research, none being fruitful. For example, NTP currently using MD5, how do you move over to SHA1?
NTP if compiled along with OPENSSL libraries, then NTP uses OPENSSL libraries for cryptographic operations.
Then you can use different types of message digest algorithms supported by OPENSSL. This is a link which explains configuring ntp key file.
The key file where the keys will be present should be added to the /etc/ntp.conf file.
The keys to be used for generating the digest will be present under
/etc/ntp/keys . This path should be added to /etc/ntp.conf file to specify that this is the keys file.
The structure of the entry in the file will be
This is an example of the keys file
You can mention the keytype as "SHA1" to use SHA1 authentication.
Further details about the length of the digest and keys can be found here:
https://www.eecis.udel.edu/~mills/ntp/html/authentic.html
You can have multiple keys one next to the other.
SO:
first add the new key everywhere
delete the old key once it's added everywhere.
If you reply, I appreciate if you can write in such a way that a newbie to this field can understand.
A few questions:
1)
Does anyone know if itext version (specifically) 4.2.0 is able to add digital signature with a certificate from a Certificate Authority?
https://github.com/ymasory/iText-4.2.0
The reason I may be interested in version 4.2.0 is because it's MPL/LGPL.
2) What is X.509? From my reading
"In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry.[citation needed]"
http://en.wikipedia.org/wiki/X.509
Am I correct that if I buy a Certificate from a Certified Authority, I'll be issued a x.509 certificate? So what X.509 means is that it's simply a certificate issued by a CA and is not a certificate I made up myself?
3) If this is the case, will I be able to use X.509 with itext version 4.2.0?
4) What about X.509 with pdfbox?
Appearantly, pdfbox has a command line that will accept X.509:
https://pdfbox.apache.org/commandline/
Thanks for your time.
1) Does anyone know if itext version (specifically) 4.2.0 is able to add digital signature with a certificate from a Certificate Authority?
iText can be used for creating integrated PDF signatures. A certificate obviously does not suffice (the certificate is public after all), the signing process requires the accompanying private key. If you are the holder of a certificate from some CA, though, you will generally have access to that private key, too.
iText versions before some 5.X version (I don't know which exactly, though) only supported old integrated PDF signature profiles which partially already were deprecated (not recommended for interoperable signatures) in the current standard ISO 32000-1 from 2008. If you use iText 4.2.0 correctly, you can create proper basic integrated PDF signatures. If you are interested in non-basic stuff (field locking, non-basic PDF Advanced Electronic Signatures, document time stamps, Long Term Validation support, ...), though, you'll have to re-program much already present in the current iText versions.
https://github.com/ymasory/iText-4.2.0
As mentioned in a comment before, if you want to be sure you are talking about the actual iText 4.2.0, you should check out the matching tag from the iText svn repository, not some third-party repository.
The reason I may be interested in version 4.2.0 is because it's MPL/LGPL.
As Bruno mentioned in a comment before, 4.2.0 was never meant as an actual release; it merely was a tag on the last iText source code state before the great re-factoring resulting in 5.0.0. Furthermore it is ancient (from the last decade) and it has been announced that its code may present legal issues.
2) What is X.509? ...
Am I correct that if I buy a Certificate from a Certified Authority, I'll be issued a x.509 certificate? So what X.509 means is that it's simply a certificate issued by a CA and is not a certificate I made up myself?
To quote the article you linked to,
X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
When talking about X.509 certificates, one talks about public key certificates with a binary structure as specified in X.509. This format is supported in a very wide set of security related applications
Thus, a self-signed certificate (you made up yourself) should also be in X.509 format to be usable anywhere.
3) If this is the case, will I be able to use X.509 with itext version 4.2.0?
In limited ways, yes, see remarks on 4.2.0 above.
4) What about X.509 with pdfbox?
PDFBox versions 1.x have very limited signature creation and validation support. It greatly improves in the version 2.0.0 currently under development and rivals iText 4.2.0 but it is still work in progress and may improve even more.
Recently, I have to convert an java project related to rsa/des encryption into an iOS project. The provided rsa key strings are from x.509 and PKCS8, however, security.framework only support PKCS12. I've been searching for libraries a long time, but it seems that currently there are not any objective-c libraries that support PKCS8. (I don't want to use Chilkat for some reasons)
The origin version of the project was written in C# which uses an XML string to generate RSA public/private key pair. I guess that generate rsa key pair by myself might be a better solution. Thus, my question is, are there any methods to convert rsa xml data to standard pem key format? Or there are other existing libraries that supports PKCS8?
Hubert
If you can convert the keys at compile time, you can use OpenSSL to do so that it can convert between virtually any certificate / private key formats. Then you embed the certificates in the application bundle in PKCS12.