Doing crypto in Solidity - cryptography

Having searched the web, I am unable to find any comprehensive introduction to the crypto library of Solidity.
I am most interested in doing asymmetrical decryption / verifying signatures.
But I am unable to find any way, short of implementing RSA decryption myself, to implement such a verification.
And the first rule of cryptography for a programmer is: Do not implement a cipher yourself.

Because of the limited execution environment, implementing some crypto libraries in Solidity would be too expensive. Also, there are not many use cases for deciphers outside of built-in ones.
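
As an added illustration of the built-in route (not part of the original answer): the EVM's built-in signature primitive is `ecrecover`, which recovers the signer address from a secp256k1 ECDSA signature; it does not cover RSA. The contract and function names below are hypothetical, and the message is assumed to have been signed with the EIP-191 `personal_sign` prefix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

/// Added example: verify a secp256k1 ECDSA signature with the built-in
/// ecrecover instead of a hand-written cipher. Names are hypothetical.
contract SignatureCheck {
    // Half of the secp256k1 group order n. Rejecting s above this value
    // removes the malleable twin signature (r, n - s).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    /// Hash a 32-byte digest the way personal_sign wallets do (EIP-191).
    function toSignedHash(bytes32 messageHash) public pure returns (bytes32) {
        return keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash)
        );
    }

    /// True only if `signature` (65 bytes: r || s || v) over `messageHash`
    /// recovers to `expectedSigner`.
    function isSignedBy(
        address expectedSigner,
        bytes32 messageHash,
        bytes calldata signature
    ) external pure returns (bool) {
        if (signature.length != 65 || expectedSigner == address(0)) {
            return false;
        }

        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);

        // Reject high-s and non-canonical v before calling ecrecover.
        if (uint256(s) > HALF_N) return false;
        if (v != 27 && v != 28) return false;

        // ecrecover returns address(0) on failure, so that result must
        // never be treated as a match.
        address recovered = ecrecover(toSignedHash(messageHash), v, r, s);
        return recovered != address(0) && recovered == expectedSigner;
    }
}
```

The digest should also bind a nonce, the contract address and the chain ID at the application level, since `ecrecover` alone does nothing to stop a valid signature from being replayed.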

Related

Insufficient Transport Layer Protection iOS

We are developing an application in react-native. Our security team has raised a vulnerability in the iOS binary. The description of the vulnerability is given below.
The application has references to potentially risky symbols that
modify the default SSL certificate validation.
The behavior of iOS's TLS/SSL libraries' certificate validation is
intended to be secure by default (CFNetwork, Foundation, etc). These
libraries validate a number of security items such as certificate
expiration dates and known root certificates.
This application was found to reference symbols that can be used to
modify the default validation behavior for TLS/SSL certificates. When
the default validation is modified the potential exists to
inadvertently weaken the security of the TLS/SSL protocol and thereby
making the traffic more susceptible to interception or modification by
attackers. The binary contains references to methods that may result
in vulnerable SSL connections:
_kCFStreamSSLValidatesCertificateChain
We have not implemented SSL pinning in the app. We are not sure how to fix this issue and the security team has not been able to provide any additional information. They use some automated tool which identified the issue and provides only the following recommendation, which we could not find very helpful in remediating the vulnerability.
Review the application's and third party library's code for the use of
these symbols to ensure they are not being used to weaken the TLS/SSL
security. Some of the symbols detected may be deprecated or involve
non-public APIs so a review of the code is encouraged for compliance
with Apple's App Store policies.
Please note that the presence of these symbols does not indicate
insecure usage as they may be used to check for or explicitly set
default values. These symbols may also be found in code designed to
perform non-standard certificate validation, such as custom SSL
pinning implementations.
Any help provided by the community in identifying and fixing this issue would be really appreciated.

AES GCM non-EVP implementation in openssl?

Does openssl have a "raw" (non-EVP) interface to do AES GCM encryption and decryption? I'm looking for something comparable to AES_cbc_encrypt() or DES_ede3_cbc_encrypt(), but for AES GCM. I found the openssl EVP interfaces for AES GCM but I can't find any information on any non-EVP interface.
I understand the EVP interface has many advantages for general purpose use, but I'm doing some tests where a non-EVP interface would be easier to use.
Once I was looking for it and I couldn't find any non-EVP implementation of it. According to the OpenSSL site 'the enc program does not support authenticated encryption modes like CCM and GCM'.
But it seems AES GCM is only supported in TLS v1.2 (according to 'https://www.openssl.org/docs/manmaster/apps/ciphers.html').

How to obfuscate an iPhone app before being published into iTunes

I am using cryptography concepts in my application. Some encryption and decryption techniques and salt values are hard coded and IV values are using those techniques. Before I publish the app I need to obfuscate my code. I am using Xcode 6.2 with an updated OS. Please share with me techniques about how to do it.
Neither "decryption techniques" nor the IV need to be kept secret, only the encryption key. Good security requires using proven methods and cryptographic primitives, not secret methods. Developer-created cryptographic methods are usually insecure and lack peer review for flaws; the standard methods have been well researched and vetted for security flaws.
Shipping with the key embedded in the code is a problem; the key should be randomly generated (or in some similar process) at first-run and stored in the Keychain.

Two Factor Authentication with Digital Certificates

I am going to do a final-year project on two-factor authentication, where the second factor is a digital certificate with the username/password. I have an idea of doing it for web applications. How can I do this with Java with sample digital certs, and is there any way that I can make use of any cryptographic algorithms? What are the drawbacks associated with digital certificates? Please give me some details.
The easy approach is to use x.509 certificates. Oracle's Java™ PKI Programmer's Guide looks like it provides an excellent overview of the Java APIs necessary to use x.509 certificates. Many Java developers use the Bouncycastle package for additional cryptographic APIs.
The nice part of using x.509 certificates is that nearly everything supports them. You can easily plug x.509 client certificates into most web browsers and most web servers can be easily configured to accept them. Setting up your own Certificate Authority is pretty easy with the TinyCA program. (The openssl command line tools aren't awful, but TinyCA makes it point-and-click easy to get everything right.)
The biggest downside to x.509 is probably the awkwardness involved in setting up your own CA -- so many programs have a list of CA Root Certificates that are baked into the program and supplying your own Root Certificate can be annoying -- somehow you have to transport that file to your clients in a manner that prevents tampering. (A task that would be easier if your CA root were already in the software.)

Primer for X.509 certificates on Windows

I am presently studying the topic of encrypting and signing SOAP messages via WSE 3.0 or WCF. Since I have not participated in distributed application development involving the public Internet, I find my knowledge of X.509 certificates, and of how they work in the Windows certificate store mechanism, lacking. It is not about asymmetric cryptography; it is about the PKI ecosystem.
Therefore I would like to gather what are some articles or books that give comprehensive explanations on Windows' security mechanisms, how to properly use and manage the Certificate Store, CA trust chains, and how APIs like WSE or WCF may interact and make use of certificates. Recommendations?
Everyone using (or thinking of using) X.509 certificates should be forced to read this: Everything you Never Wanted to Know about PKI but were Forced to Find Out, as well as X.509 Style guide, both by Peter Gutmann.
I think the base starting point to understanding the Windows implementation of PKI has to come from TechNet:
PKI segment
http://technet.microsoft.com/en-us/library/cc757327(WS.10).aspx
Certificates overview
http://technet.microsoft.com/en-us/library/cc784662(WS.10).aspx
Certificate services
http://technet.microsoft.com/en-us/library/cc783511(WS.10).aspx
Certificate templates
http://technet.microsoft.com/en-us/library/cc758496(WS.10).aspx
"Learning WCF" by Michele Bustamante has a good overview chapter on WCF security, including some basic discussion on X.509 certificates.
From the MSDN:
How to: Decrypt XML with x509
How to: Encrypt XML with x509