JWT Secret Key as a Byte array vs String - cryptography

A lot of websites give information on how to create and sign a JWT using a byte array.
For example in C#; most places take a plain string and then convert it to UTF-8 Byte Array. Then use this byte array as the key for JWT signing.
What is the advantage of a byte array vs the string key?
Is a byte array better memory aligned so it creates a better encryption? Or is there just no difference in security?

Related

Decoding a coded variable

I use this function in order to encode an input:
Public Function encodeStrings(ByVal MyPass As String, ByVal MyUName As String) As String
Dim ENPass As String = Nothing
Dim password As String = (MyPass + MyUName)
Dim mhash As HashAlgorithm = New SHA1CryptoServiceProvider
Dim bytValue() As Byte = System.Text.Encoding.UTF8.GetBytes(password)
Dim bytHash() As Byte = mhash.ComputeHash(bytValue)
mhash.Clear()
ENPass = Convert.ToBase64String(bytHash)
Return ENPass
End Function
Now I need to decode this variable and get back the original string.
Does anyone know how to do that? I'm using VB.NET in my project.
No, there is no way to decode it. The SHA1CryptoServiceProvider implements a hashing algorithm. According to the MSDN:
Computes the SHA1 hash value for the input data...
SHA-1 is, by definition a hashing algorithm. According to the Wikipedia article:
In cryptography, SHA-1 is a cryptographic hash function designed by the United States National Security Agency and published by the United States NIST as a U.S. Federal Information Processing Standard. SHA-1 produces a 160-bit (20-byte) hash value. A SHA-1 hash value is typically expressed as a hexadecimal number, 40 digits long.
That is why it inherits from the HashAlgorithm base-class rather than the SymmetricAlgorithm base-class. Since it uses a hashing algorithm, that means that it is one-way encoded. The original string will always result in the same encrypted value, but there is no way to decrypt it to get back to the original value, since many different strings could result in that same encrypted value (although, with cryptographic hashing algorithms, such as SHA1, that is unfeasible).
If you think about it, that's the only thing that makes sense. If the SHA-1 algorithm always results in a hash code which is 20 bytes long, then that means you could encode a 1 gigabyte string and it would still only be 20 bytes long as an SHA-1 encrypted hash value. Surely you don't think that those 20 bytes contain all of the data that was originally stored in that 1 GB string. If that were the case, zipping files would be far more effective :)
Typically, when a cryptographic hashing algorithm is being used, it would be for something like storing a password. In that case, the issue is not how to decrypt the password, but rather, to encrypt the newly entered password and then compare the two encrypted values to see if they are the same. If the two encrypted values are the same, then you know that the user entered the right password. If the two encrypted values are not the same, then you know that it is incorrect (but you still don't know what the right password would be).
If you need a 2-way encryption algorithm, you need to use one which inherits from SymmetricAlgorithm, such as the AesCryptoServiceProvider class.

Use of byte arrays and hex values in Cryptography

When we are using cryptography always we are seeing byte arrays are being used instead of String values. But when we are looking at the techniques of most of the cryptography algorithms they uses hex values to do any operations. Eg. AES: MixColumns, SubBytes all these techniques(I suppose it uses) uses hex values to do those operations.
Can you explain how these byte arrays are used in these operations as hex values.
I have an assignment to develop a encryption algorithm , therefore any related sample codes would be much appropriate.
Every four digits of binary makes a hexadecimal digit, so, you can convert back and forth quite easily (see: http://en.wikipedia.org/wiki/Hexadecimal#Binary_conversion).
I don't think I full understand what you're asking, though.
The most important thing to understand about hexadecimal is that it is a system for representing numeric values, just like binary or decimal. It is nothing more than notation. As you may know, many computer languages allow you to specify numeric literals in a few different ways:
int a = 42;
int a = 0x2A;
These store the same value into the variable 'a', and a compiler should generate identical code for them. The difference between these two lines will be lost very early in the compilation process, because the compiler cares about the value you specified, and not so much about the representation you used to encode it in your source file.
Main takeaway: there is no such thing as "hex values" - there are just hex representations of values.
That all said, you also talk about string values. Obviously 42 != "42" != "2A" != 0x2A. If you have a string, you'll need to parse it to a numeric value before you do any computation with it.
Bytes, byte arrays and/or memory areas are normally displayed within an IDE (integrated development environment) and debugger as hexadecimals. This is because it is the most efficient and clear representation of a byte. It is pretty easy to convert them into bits (in his mind) for the experienced programmer. You can clearly see how XOR and shift works as well, for instance. Those (and addition) are the most common operations when doing symmetric encryption/hashing.
So it's unlikely that the program performs this kind of conversion, it's probably the environment you are in. That, and source code (which is converted to bytes at compile time) probably uses a lot of literals in hexadecimal notation as well.
Cryptography in general except hash functions is a method to convert data from one format to another mostly referred as cipher text using a secret key. The secret key can be applied to the cipher text to get the original data also referred as plain text. In this process data is processed in byte level though it can be bit level as well. The point here the text or strings which we referring to are in limited range of a byte. Example ASCII is defined in certain range in byte value of 0 - 255. In practical when a crypto operation is performed, the character is converted to equivalent byte and the using the key the process is performed. Now the outcome byte or bytes will most probably be out of range of human readable defined text like ASCII encoded etc. For this reason any data to which a crypto function is need to be applied is converted to byte array first. For example the text to be enciphered is "Hello how are you doing?" . The following steps shall be followed:
1. byte[] data = "Hello how are you doing?".getBytes()
2. Process encipher on data using key which is also byte[]
3. The output blob is referred as cipherTextBytes[]
4. Encryption is complete
5. Using Key[], a process is performed over cipherTextBytes[] which returns data bytes
6 A simple new String(data[]) will return string value of Hellow how are you doing.
This is a simple info which might help you to understand reference code and manuals better. In no way I am trying to explain you the core of cryptography here.

How Do I Convert a Byte Stream to a Text String?

I'm working on a licensing system for my application. I'd like to put all licensing information (licensee name, expiration date, and enabled features) into an object, encrypt that object with a private key, then represent the encrypted data as a single text string which I can send via email to my customers.
I've managed to get the encrypted data into a byte stream, but I don't know how to convert that byte stream into a text value -- something that contains no control characters or whitespace. Can anyone offer advice on how to do that? I've been researching the Encoding class, but I can't find a text-only encoding.
I'm using Net 2.0 -- mostly VB, but I can do C# also.
Use a Base64Encoder to convert it to a text string that can be decoded with a Base64Decoder. It is great for representing arbitary binary data in a text friendly manner, only upper and lower case A-Z and 0-9 digits.
BinHex is an example of one way to do that. It may not be exactly what you want -- for example, you might want to encode your data such that it's impossible to inadvertently spell words in your string, and you may or may not care about maximizing the density of information. But it's an example that may help you come up with your own encoding.
I've found Base32 useful for license keys before. There are some C# implementations linked from this answer. My own license code is based on this implementation, which avoids ambiguous characters to make it easier to retype the keys.

Encrypt and Decrypt password using objective-c

How to encrypt a nsstring and store it in a file, and how to decrypt the same.
Please suggest me wat api's i shld use...
This is the function i used for encryptiong.
DES_cfb64_encrypt( ( unsigned char * ) pchInputData, ( unsigned char * ) pchOutCipher,
size, &schedule, &ParityKey, &no, DES_ENCRYPT );
I had to convert this to base64 so that i can store it in a file.
pstrResult = Base64encoding(size,( unsigned char * )pchOutCipher);
You can use gpgme
If you only need to support 10.5 or higher you can use the CommonCryptor API. The first comment to this post shows an example category for encrypting/decrypting NSData's:
http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html
While not an API call, you could implement a simple XOR cipher. This is quick and simple to implement and depending on the characteristics of your string (i.e. if it is of fixed length) can be very secure. If you have a variable length string XOR encryption may not be secure enough depending on your needs. Have a look at the Wikipedia article.
If you are storing a password first decide whether or not you need to re-use the password or whether you just need to check that the user has entered the correct password.
If you just need to verify that the user has entered the correct password, then store the password using a hash, and compare the hash of the user input with the hash you have stored. If both hashes are equal, then the user has [probably] typed it correctly. See more information about hashes at Wikipedia.
If you need to re-use the password (i.e. for authenticating with other services, such as connecting to an Internet service), use Apple's Keychain service. If you are targeting the iPhone, then check out this related document.

Want to make a software on VB.NET which decode Base64-encoded text strings and vice-versa

I want to make a Software which decodes Base64-encoded text strings and vice versa.
Any help provided on the topic with coding in Visual Basic will help me a lot.
Thank you.
Note:-c# language can also be implemented
You need to call Convert.ToBase64String and Convert.FromBase64String.
These methods convert byte arrays to and from Base64.
If you want to encode a string in Base64, you'll need to convert it to a byte array by calling Encoding.Unicode.GetBytes(str) and Encoding.Unicode.GetString(bytes). (In the System.Text namespace)
Note that Base64 should never be used for encryption, except to convert a byte array that was already encrypted into a string.
If you want to encrypt data, use the RijndaelManaged class.
You can use Convert.FromBase64String. http://msdn.microsoft.com/en-us/library/system.convert.frombase64string.aspx http://msdn.microsoft.com/en-us/library/dhx0d524.aspx.
If you really want to know how to do it yourself - here are instructions for Java which you can reverse for decode. http://www.wikihow.com/Encode-a-String-to-Base64-With-Java