I have a ssh key on a PC called name_machine, I can send my public key to a server admin, but only once. If I want to use the same key on 2 or more pcs, should I only copy the private one between my pcs or I should also change their name to match name_machine present in the public key that I sent?
Related
We are using BlockCypher API to create transaction in a HD Wallet.
As a return object, you'll receive a TXSkeleton containing a
slightly-more complete TX alongside data you need to sign in the
tosign array. You'll need this object for the next steps of the
transaction creation process.
Locally Sign Your Transaction
With your TXSkeleton returned from the New Transaction Endpoint, you
now need to use your private key(s) to sign the data provided in the
tosign array.
$PRIVATEKEY here is a hex-encoded private key corresponding to the input from address CEztKBAYNoUEEaPYbkyFeXC5v8Jz9RoZH9
My problem is how do we obtain the private key of each address in HD Wallet? With HD Wallet addresses are generated using the Derive Address Endpoint. This returns a HDWallet object which contains and HDChain object which contains an HDAddress Object. The HDAddress object contains address, path and public.
An HD Address object contains an address and its BIP32 HD path
(location of the address in the HD tree). It also contains the
hex-encoded public key when returned from the Derive Address in Wallet
endpoint.
As you can see, the private key is not included in HDAddress object response. So how can we know the private key to use with tosign method if the private key is not included in HDAddress object response? And without access to private key, how can we sign the **tosign** array?
Thanks
I have a application with two users and one middle man, all of them holding the private and public key, To make the secured chat, two users and one middle man are all sending the public key and generate a secured channel. After establishing the channel, the middle man doesn't have the ability to see the encrypted message unless one of the user is sending his own key to the middle man.
i am not very familiar with cryptography, so for this app i know how to encrypt and decrypt the message.
encrypt(data) {
try {
var cipher = Crypto.createCipher('aes-256-cbc', this.password);
var encrypted = Buffer.concat([cipher.update(new Buffer(JSON.stringify(data), "utf8")), cipher.final()]);
FileSystem.writeFileSync(this.filePath, encrypted);
return { message: "Encrypted!" };
} catch (exception) {
throw new Error(exception.message);
}
}
but I don't know how to establish the encrypted channel from the stakeholders' key, and how can the one middle to see the message using his key and one of users' key?
is there a way to accomplish this using the cryptography?
I'm not sure I completely understand, but I think if you want to go with a system that doesn't use public key crypto I would suggest a system using 2 stages of encryption, actually a lot like PGP only both stages use symmetric keys-
1) There is a fixed session key generated by the first person in the chat, this can be a randomly generated number.
2) This session key is then encrypted by the keys belonging to every new member of the chat group and individually sent to them.
3) The new members decrypt with their own unique keys to get the plaintext session key back.
4) This session key is subsequently used to decrypt the messages sent to all participants. The same key can also be used to encrypt and send any new messages from any entitled participant(i.e. has the valid session key) on the chat group.
This is used in some systems but it relies on the unique keys being securely transmitted, in the first instance. If this condition can't be met, it's a problem that can be solved with public key crypto to build an end-to-end secure message system like PGP, whatsapp, etc.
I have only an OpenPGP key's public fingerprint. I do not know the key ID or almost anything else.
How can I get the corresponding public key? Are there any online service to do this?
How the Fingerprint and Long and Short Key IDs are Related
Each OpenPGP key has a fingerprint attached, calculated mainly from its public key packet which also contains the creation time. The calculation is defined in RFC 4880, OpenPGP, 12.2. Key IDs and Fingerprints.
There are short and long key IDs, which resemble the lower 32 respective 64 bits of the fingerprint. For example, looking at the IDs of my OpenPGP key:
fingerprint: 0D69 E11F 12BD BA07 7B37 26AB 4E1F 799A A4FF 2279
long id: 4E1F 799A A4FF 2279
short id: A4FF 2279
Fingerprints and key IDs are used, as sharing and comparing a whole key with usually 1024 to 8096 bits (adding some more for headers like the creation date) is very impractical.
Receiving Keys from Key Servers
There is a bunch of key servers used to distribute keys -- they communicate with each other, choose any of them. GnuPG's option --keyserver hkp://pool.sks-keyservers.net (often set in it's configuration file ~/.gnupg/gpg.conf for Linux/UNIX systems, another path on Windows) uses a pool that will chose a random one each time you use it.
You can use any of those short and long IDs respective the full fingerprint to fetch the key using the --recv-keys command in GnuPG, while the fingerprint is the most specific (and chances for collisions with short key IDs are highest).
If no colliding keys exist, following statements would fetch the same key:
gpg --recv-keys 0D69E11F12BDBA077B3726AB4E1F799AA4FF2279
gpg --recv-keys 4E1F799AA4FF2279
gpg --recv-keys A4FF2279
If you want to query the key servers from your browser, make sure to search for the fingerprint, long or short key ID prefixed by 0x to indicate a search for key IDs (the GnuPG command line interface will do this for you automatically).
Yes, there are servers for this. You can get key like this:
gpg --recv-keys <KEY_ID>
Update: see how KEY_ID interconnected with fingerprint:
Fingerprint: EC2392F2EDE74488680DA3CF5F2B4756ED873D23
Long Key ID: 5F2B4756ED873D23
Short Key ID: ED873D23
I have a VB.Net Application that authenticates using the current Windows User without asking for the password. It checks that this user is a member of "MYDOMAIN\ApplicationUsers" before it starts up.
How to check if this is the real domain and not a different one using the same name? Are there any certs or public keys to validate locally? I'd prefer to check this offline, without a third party machine or database etc.
In the System.DirectoryServices.ActiveDirectory Namespace are some Trust an Validate methods but they only seem to check inter domain trust and using a domain name only.
Your problem is that you are using strings and strings like mydomain/application users are not unique across domains. One possibility is to use the SID of the application users group in your expected domain instead of the name. Then you can check the SID of the group to make sure it matches the sid for the expected application users group at run time before checking membership. It would be much harder for a malicious user to spoof domain and group parts of the Sid then the domain and group name.
Ultimately if you are running code on a machine that is owned by the malicious user then this just raises the bar and they could still circumvent this check.
I made some example code which checks the group's SID as Mike suggested. You just need to put your group's SID in the constructor of the SecurityIdentifier class to make the check work against the currently logged on user.
Private Sub DoCheck()
Dim sid As New Security.Principal.SecurityIdentifier("S-0-0-00-0000000000-0000000000-0000000000-000"),
result As Boolean
result = IsUserInGroup(sid)
End Sub
Public Shared Function IsUserInGroup(sid As Security.Principal.SecurityIdentifier) As Boolean
Dim user As UserPrincipal
user = UserPrincipal.Current
For Each group As Principal In user.GetGroups()
If group.Sid.Equals(sid) Then Return True
Next
Return False
End Function
To make the code work you need to import System.DirectoryServices.AccountManagement:
Imports System.DirectoryServices.AccountManagement
This namespace is located in Microsoft's System.DirectoryServices.AccountManagement.dll which is available since .Net 4.0 I believe.
We are using an external service for our newsletter, which has required the followin DKIM setup in our domain gipote.dk:
_domainkey.gipote.dk. 43200 IN TXT "o=~"
default._domainkey.gipote.dk. 43200 IN TXT "k=rsa\; p=MIGf...ibnrkoqQIDAQAB"
(I truncated the public key for purpose of readability...)
However we are also sending out e-mail from our own server, which I would also like to sign.
Is it possible to have more than one public-key TXT record in our domain gipote.dk? If so, how should it be set up?
EDIT: I do not have access to the private key, that is used by the newsletter service. So I will not be able to just install that on my own server.
/ Carsten
I found out, that the answer is YES :-)
"default" can easily be replaced with another selector name.
Yes you can change the default to another selector.
BUT if you do the domain it is on will no longer verify the domain.
You need to Add a second key NOT CHANGE whats existing
using Google mail you end up with
default._domainkey "v=DKIM1; k=rsa; p=MIIBIj....."
google._domainkey "v=DKIM1; k=rsa; p=MIGfMA......"