I'm looking for a tool or method to prove the authenticity of resources download from the web and stored locally. To be clear: I don't mean the SHA or MD5 checksums to verify a downloaded file. What I need is a way to download and store a web resource in such a way that I can later prove that said resource indeed originated from that web server.
In particular for the following scenario: A website published an article about a client. He would like to sue for defamation of character. I need a way to store the article without them having the possibility of simply removing it and denying they ever published it. So preferably this would be a tool that is backed by publications making it credible in court.
I have thought about storing the TLS certificate, keys and the encrypted data. That would rely on the root CA, but I think that would in itself not be a problem. I could do this using a custom program and a library like OpenSSL, but I think this is such a common problem, there probably is a relatively standard tool for it. Also, I am not entirely sure to what extent this would constitute reliable evidence. And can someone point to publications that would back this method?
Maybe I am using the wrong search terms, but everything I find is about aforementioned SHA or MD5 checksums. Any help is much appreciated.
If I understand correctly you need something like signature with timestamp. Yes?
You not only need checksum from document (article, text value, whatever) but also proof that this article really existed in time.
When using digital signature you can store such timestamp in 3rd party certified providers. You sign document and send checksum to 3rd party provider. Later you can ask provider to verify that this exact document is valid & was indeed created at given time.
https://en.wikipedia.org/wiki/Trusted_timestamping
As this can cost (fee for provider to store the timestamps) you can create checksums from many documents (like take all documents from one hour), store all of them in a single file, create checksum from that file and sign it with timestamp. This way you create one timestamp for documents batch, not for each document.
Related
I working on a simple vb application. But I want to protect it to give the user the option to use it only for a specific time.
So I was thinking to make a text file with a key-code (Beside Random characters, it contains an expire date). When the application is started after this expire date, the application should close automatically.
The location where this textile is location can be the same location where the executable is running from.
Does somebody of you have a good idea how to implement it? Or is there a easier way how to implement this
If you want to give a "Trial period" to your application you might want rather hard-code that to prevent tampering. Then, when purchased make a modification to registry and different files (maybe downloads a few files that "register" the application so that it recognizes itself as "full". To go one step further maybe periodically have the application reach out to your server and verify the license.
This is a huge subject that a lot of smarter people than me can weigh in on. I will note that this is part of a constant battle between developers and hackers trying to get around licensure.
To make software unlocked for some period of time, you can create text file on websites like Pastebin and add them an expiry date. Then make your software check if file is still valid.
Note that users can "track down" requests your software sends, never store your private information linked with your software.
You can also use HWID protection which ensures your software will work only if it matches hardware information stored in encrypted string.
You can hash other user's information like username, wifi name and so on, but remember that changing any of this information (OS, hardware or system information) will create new unique HWID, which may not match the previous one - resulting in failed HWID authorization.
To make bypassing protection harder, you can obfuscate your software.
I've found something strange with my employee document, it turns out that all files including document are being encrypted with ".vvv" extension. What I've found so far that it's called TeslaCrypt, it convert all my files to .vvv, even I rename it back to the right extension, it says that file already modified, so I can't open the files anymore. Please help, we cannot work until that document can be oppened. I can't tag this to "TeslaCrpyt" so if anyone can help me tagged it, it would be great.
content on how to recover :
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
How did this happen ?
---Specially for your PC was generated personal RSA-4096 KEY, both public and private.
---ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://vr6g2curb2kcidou.encpayment23.com/E03029AB7D9A9D38
2. http://vr6g2curb2kcidou.expay34.com/E03029AB7D9A9D38
3. http://psbc532jm8c.hsh73cu37n1.net/E03029AB7D9A9D38
4. https://vr6g2curb2kcidou.onion.to/E03029AB7D9A9D38
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: vr6g2curb2kcidou.onion/E03029AB7D9A9D38
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal pages:
http://vr6g2curb2kcidou.encpayment23.com/E03029AB7D9A9D38
http://vr6g2curb2kcidou.expay34.com/E03029AB7D9A9D38
http://psbc532jm8c.hsh73cu37n1.net/E03029AB7D9A9D38
https://vr6g2curb2kcidou.onion.to/E03029AB7D9A9D38
Your personal page (using TOR-Browser): vr6g2curb2kcidou.onion/E03029AB7D9A9D38
Your personal identification number (if you open the site (or TOR-Browser's) directly): E03029AB7D9A9D38
111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
I've published a decryption tool on GitHub: https://github.com/googulator/teslacrack
This tool cryptographically breaks the encryption scheme of TeslaCrypt, and so doesn't require a saved master key. However, it's quite computationally intensive, so preferably use a fast computer, and even then, expect to wait up to a week for it to recover your key (although most keys can be found in just a few hours). Also, it's more of a PoC than a user-friendly turnkey decryptor, so you will need to do many things by hand.
I got hit by TeslaCrypt and all of the solutions (Cisco's Decrypt Tool, Shadow Explorer) did not work for me. Unrelated, I was sniffing around some articles on Ubuntu and found BloodDolly's Tesla Decrypter tool that actually work and my files are being restored as I write this. So just wanted to share since it didn't come up in any of my earlier searches.
It's a handful a steps,...I had no problems whatsoever with the process. Apparently this won't work for the most recent strain,...I had .vvv and had to factor primes with Yafu,...but the documentation and the software is pretty thorough and easy to follow. Took me 15-20 minutes from start to finish.
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
Anyway, hope this helps some folks.
I have a number of Java applications which connect to other applications and services via connections secured with SSL. During development, I can specify the keystore/truststore to use and the password by using the JVM args:
-Djavax.net.ssl.trustStore=certificate.jks
-Djavax.net.ssl.trustStorePassword=mypassword
-Djavax.net.ssl.keyStore=certificate.jks
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.keyStoreType=jks
This works perfectly. However, there is a requirement when going to production to hide the password, using JVM args means anyone who looks at the process list will be able to see the password in clear text.
Is there a simple way to get around this? I considered importing the certificates into the JRE's lib/security/cacerts file, but my understanding is that this will still require a password. One option would be to store the password, encrypted, in a file and then get the applications to read and decrypt on the fly, but this will involve changing and re-releasing all the applications (there are quite a few of them) so I would rather avoid this if at all possible. Does the javax.net.ssl library have any native built-in support for encrypted passwords (even if it's something as simple as just base64encoding, or anything that makes the passwords not-clear-text)?
Any suggestions much appreciated.
Firstly, you could consider hiding the ps output from other users, see these questions:
I don't want other users see my processes in ps aux. I have root. It's Debian. How to use grsec?
Hide processes from other users based on groups (under Linux)?
How to make a process invisible to other users?
Secondly, importing your certificates (assuming with private keys) into lib/security/cacerts would be pointless: it's the default truststore, but not the default keystore (for which there is no default value).
Thirdly, you can never really "encrypt" the password that's going to be used by your application (in a non-interactive mode). It has to be used, so if it was encrypted, its encryption key would need to be made available in clear at some point. Hence, it's a bit pointless.
Base 64 encoding, as you suggest, is just an encoding. Again, it's quite pointless since anyone can decode it (e.g. based64 -d).
Some tools, like Jetty, can store the password in an obfuscated mode, but that's not much more resistant than base 64 encoding. It's useful if someone is looking over your shoulder, but that's it.
You could adapt your application to read the passwords from a file (in plain text or obfuscated). You would certainly need to make sure this file isn't readable by unauthorised parties.
What really matters is to make sure that the keystore file itself is protected from users who are not meant to read it. Its password is meant to protect the container in cases where it would be readable by others or when you want to protect access in interactive mode. Since you can't really avoid to use the password in clear on a machine in unattended mode, there's little point having a difficult password, rather it's more important to protect the file itself. (It's not clear whether your applications are interactive or not, but I guess few users should be expected to type -Djavax.net.ssl....=... interactively.)
If you can't adapt your code to read from a file, change your keystore and keys passwords to a password you don't mind disclosing like "ABCD", and make sure you protect read access from this keystore file: that's what really matters in the end. Reading the password itself from a secondary file is merely postponing the problem by one step, since the password file and the keystore file are likely to be stored next to one another (and copied together by an unauthorised party).
In my program, I have a simple login prompt so that only certain users may enter a program, as well as make the program function differently depending on the user. What I would like to do is have the information for the user login information (username, password, etc.) securely stored without going through an online database. I know that using a text file to store this information is a very bad idea, and I'm sure there is an easier way to do this than to make an array of this login information internally inside my program. Could you all give me some suggestions of a way to do this?
Hashes are what you need. Paste a hash-making function into your code, MD5 functions are available online for all major platforms. Then store your pairs of hashes in your config file. Devise a clever way to combine a password with your admittance options into another hash so that the file is edit-proof. This way, you can distribute the account configuration and if you don't make a trivial cryptographic mistake, it will work just as you want.
Example of the config file line (hashes truncated to 6 chars for clarity):
1a2b3c print;search;evaluate 4d5e6f
Here, 1a2b3c is obtained as MD5(username.Text+verysecret), the verbs are the account's rights and 4d5e6f is obtained as MD5(line[1]+verysecret+password.Text) where line[1] is the split result of the config line where the verbs are stored and the rest is the user's password.
Note how the password gets automatically salted by the verbs and how the verbs are protected against editing because that would invalidate the password hash. The verysecret constant is something hidden in your executable code that will prevent anybody from computing the hashes and unlocking the program.
Hashing is not an asymmetric cipher or key pair; a motivated attacker can crack your program to bypass protection altogether anyway, so going to further lengths is useless.
If you are cheap to find an asymmetric scheme, but cunning enough, you can change a few initialization constants in that MD5 function. This will make the cracking of your code harder, especially against the making of a counterfeit account file.
EDIT: When authenticating, don't just if(hashfromconfig == computedhash)... Script kiddies know how to hook into the string comparison function. Write if(MD5(hashfromconfig) == MD5(computedhash))... instead... Then the string comparison will work just as before, only it will not see your precious key hash that goes into a wannabe-counterfeit file. Ideally, have several versions of the MD5 function scattered across your code and named differently. Use if(foo(hashfromconfig) == bar(computedhash))... for a nice effect.
"without going through an online database." - do you mean on the client side?
"securely stored" and "client side" are pretty much mutually exclusive terms in this scenario.
There is absolutely no way to securely store data without touching online (server-side) source of some kind. If you are touching server-side source, it might as well be a DB.
i developed a very simple vb.net application and i need a way for every user to verify that they have paid for it. i would like the simplest method possible. it will be an off-line registration. I am actually looking for a way that I can program this easily myself, and am not interested in third part solutions.
Just ask for the name, and calculate a hash (such as SHA1 or MD5) for that name (maybe lowercase and strip whitespace first), prefixed with some secret text that is hardcoded in your program. If you want different keys for different versions, then also prefix the version number before calculating the hash. That hash will be your registration key (or, if you think it is too long: take the first characters of the hash).
Have the user enter both the name and the registration key, and store those in the program's configuration. Then recalculate the hash in exactly the same way whenever you need to validate it, and compare it to the stored key.
You could store an encrypted string in the user's registry (e.g. his Full name). Decrypt that string at application start to check if the license is valid.
How secure do you want it to be?
If you're looking for rock-solid piracy protection (if it even exists) you'll have to combine it with some sort of online registration/activation system. Or use a 3rd party solution as opted by Mitch Wheat.