We are using jPOS to communicate with the bank for card payment processsing. We recently purchased HSM (Hardware Security Module) for secure key storage. Since this hardware is expensive we are using JCESecurityModule to mimic the actual HSM.
I have TMK wrapped under LMK and clear track 2 data. I would like to perform the following:
un-wrap the TMK under LMK to get the clear TMK value
Using the clear TMK value, I would like to encrypt the track 2 data
I am not able to figure out the code to perform the above steps. Could somebody help with sample codes or directions to achieve the above?
You need to export your TMK under HSM's LMK into a key known by jPOS.
Then you need to import your foreign key into a key encrypted under jPOS' LMKs.
The jPOS SM Console (call bin/q2 --cli and type help) can help.
Related
I have a project at hand which uses SQL Server to store fingerprints bitmap from a terminal hand held fingerprint reader.
My question: is there a way of comparing the fingerprint match in the database instead of bringing back all the fingerprints from the database for authentication?
Something like a query eg
SELECT *
FROM table
WHERE fingerprintcolumn = fingerprint_template
You can not do the comparison with simple compare/= operator. In the the reality, when you get the same fingerprint two times, both the images will be different from each other with little bit position change, angle change, and quality of the scan. So String comparison is not possible.
You have to get your automated fingerprint identification system implemented or need to get the 3rd party fingerprint comparison services like one from Cams Fingerprint Comparison API
I'm trying to get a list of addresses that have made transactions with a given bitcoin address for a project that examines how people use bitcoin for non-nefarious purposes. I've got a lot of addresses so a web based blockchain explorer like blockchain.info isn't practical.
I've downloaded the blockchain and used bitcoin-abe to dump it into a sqlite database. However I'm not finding addresses anywhere. Are the actual addresses called something different in the blockchain?
The spending conditions, i.e., who is able to spend a given output, are encoded as scripts in the output. What is commonly referred to as a Bitcoin address is little more than a default script format (either pay-to-pubkey or pay-to-pubkey-hash) which require a signature from a private key matching the pubkey in the script. For example P2PKH scripts look like this:
OP_DUP OP_HASH160 <PubkeyHash> OP_EQUALVERIFY OP_CHECKSIG
This checks that the pubkey on the stack matches the hash, and then checks that the signature and pubkey are valid for the transaction.
ABE stores the output scripts, but appears not to create an index for the addresses. So you probably want to convert the addresses that you're looking for into the script version (see the wiki for details on how to extract the pubkey hash or pubkey from the address). Once you have the pubkey hash or pubkey you construct a binary script similar to this (hexencoded):
76a914<pubkey-hash>88ac
You should then be able to search for these in the database ABE gives you.
You need to write a cron job using the BTC address of the user and check whether the transaction is made or not.
https://www.blockchain.com/explorer
Ex. https://github.com/bitpay/insight
I am working with a database that contains sensitive information (SSN, credit card details, etc.). I am looking for a method to secure the data.
I would like to encrypt the data when I bring it in from the outside source but also decrypt it when my users access the data via an application that uses the database as its back-end.
I know of the two methods below but I am curious to hear if there is another method I could use.
Examples:
ENCRYPTEDBYPASSPHRASE({PASSWORD}, {FIELD})/DECRYPTBYPASSPHRASE({PASSWORD},{FIELD})
-- This allows me to set a custom password but could be read through the stored procedures.
HASHBYTES('SHA_512', {PASSWORD}+CAST({SALT} AS NVARCHAR(36)))
-- This seems the most secure but I do not know how to decrypt the data from here.
Is ENCRYPTEDBYPASSPHRASE as secure as it gets in this case?
Encryption turns data into a series of unreadable characters, that aren't of a fixed length.
A hash is a string or number generated from a string of text. The resulting string or number is a fixed length.
The key difference between encryption and hashing is that encrypted strings can be reversed back into their original decrypted form if you have the right key and hashing is good to store passwords.
1) If you want to use hashing for security of your data then there are many types of algorithms but SHA and MD4/5 is wildely used algorithms.
For example, as demonstrated below, hashed output with MD5 algorithm produces a 16 bytes long value whereas SHA1 algorithm produces a 20 bytes long value:
SELECT HASHBYTES('MD5', 'Test String') AS Col1, HASHBYTES('MD5', 'Test String') AS Col2 GO
SELECT HASHBYTES('SHA1', 'Test String') AS Col1, HASHBYTES('SHA1', 'Test String') AS Col2 GO
2) and if you want to use Encryption then there are two primary types of encryption, symmetric key encryption and public key encryption.
Example:
To create a symmetric key, we first need to setup our database with a master key and a certificate, which act as protectors of our symmetric key store.
Create a Database Master Key:
CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘myStrongPassword’
Create a Certificate:
CREATE CERTIFICATE MyCertificateName WITH SUBJECT = 'A label for this certificate'
Create a Symmetric Key:
CREATE SYMMETRIC KEY MySymmetricKeyName WITH IDENTITY_VALUE = 'a fairly secure name', ALGORITHM = AES_256, KEY_SOURCE = 'a very secure strong password or phrase' ENCRYPTION BY CERTIFICATE MyCertificateName;
Encrypting and Decrypting Data:
Open the Key:
Before you can start encrypting or decrypting data, you must first initialize the key. This is done with the following piece of code.
OPEN SYMMETRIC KEY MySymmetricKeyName
DECRYPTION BY CERTIFICATE MyCertificateName
Encrypting data
You can encrypt data by using the EncryptByKey function, like so:
DECLARE #Result varbinary(256)
SET #Result = EncryptByKey(Key_GUID('MySymmetricKeyName'), #ValueToEncrypt)
Note that the result of the above encryption is of type varbinary(256), and if you would like to store the value in a column to use this type.
Decrypting Data:
You can decrypt data by using the DecryptByKey function, like so:
DECLARE #Result varchar(max)
SET #Result = DecryptByKey(#ValueToDecrypt)
You can not decrypt a hash (edit: Unless it has been compromised as a whole), that's the point of a hash. If you were to only compare a hashed value against your hash (such would be the case for logging into your app, for example - never store passwords in cleartext) this would be an easy app-side job.
I found this very handy article over on security:
https://security.stackexchange.com/questions/16939/is-it-generally-a-bad-idea-to-encrypt-database-fields
that should help you on your way.
In re: 2nd option: A hash is a one way operation. It generally doesn't get done with the intent to unhash it. (Consider a password. It gets hashed and a 256 byte string produced. Rather than decode the hash produced and comparing it to the naked user input, the user's input is hashed and the two hashes are compared.)
I think you're looking for a data access layer written with knowledge of your encryption method. That's something you'll have to create on your own. (That is use stored procedures, functions, and views to read data from it's encrypted at rest state, decrypt it, and return it to the caller. Deny access to the users to the underlying tables. Create a stored procedure GetAccountNumber, etc. [You'll note that in these cases the primary key has to be unencrypted so you can find it. Other data will necessarily need to be stored in plain text so you can properly index and search it. You don't want to find yourself in a situation where you have to cycle through every record in a table, decrypting each record, to find a matching address.])
There is transparent data encryption (TDE) available in Enterprise editions of Microsoft SQL Server. With TDE the data is encrypted at rest and anyone who can access the database will have access to the unencrypted data. This is also true for the data access layer method. At some point the secret gets exposed. Where that occurs is up to the design. TDE can be configured in many different ways.
If for PCI requirements I'd go the route of TDE. Don't have Enterprise? Pony up for the upgrade.
I am using Redis 2.8 key space Pub/Sub notification, I would like to know if it is possible to get notified of which field changed after HSET command?
At the moment I receive the notification for the key as a consequence of the
HSET command, but I would better know which field has been set - I understand I can read again the set to look at differences once I am notified, but I don't find it very efficient.
Standard Redis keyspace notifications do not include data about the data that was changes, and specifically do not include information about the touched Hash field.
While this isn't really what you want, it can still be used as a workaround.
Try to have unique hash key name, for example:
redis.hmset('task:{}'.format(unique_id), status='running')
And when you receive a message, it will look like this:
(b'__keyspace#0__:task:c81b8373-b5ea-4be0-b8f1-b490e7280898', 'hset')
Now, knowing unique task id, you can do:
redis.hget('task:{}'.format(unique_id), 'status')
> running
i want to generate a unique key in my web service (WCF) , to asign to a user, it should be minimum 32bit, what is the best way to di it,
It would be asigned as a registration number for that user , and would be valid for 23 days,
i thought of using time stamp and encoding it using RSA,]
Whats would be the best practice
Regards
Nakul Kundra
Not sure what you mean and why you want to encrypt a key, but you can use a GUID for a unique key.
As for it being valid for 23 days, this is logic you need to implement.
I would use a Guid
var userKey = Guid.NewGuid();
In your database you'd need to store the datetime that the key was created and then implement your logic to check that to determine if the key has expired. I don't see any need to encode it based on your question.
You could use my answer to another similar question on SO: Serial numbers generation without user data
The algorithm allows to install a hidden byte in a guid (128 bits). The hidden byte could contain for example a month (from a fixed date in time, with 4 bits you can code 32 months) and a day (4 bits).