In-built key Generation Algorithm using SHA256 - sha256

I am working on an application in c# .Net where data needs to be encrypted and Since data privacy is my ultimate motive , I am doing it using AES Encryption and I use PasswordDervieBytes for determining the Secret Key. Now Since it uses SHA1 which is broken , I would like to know whether there is an in-built function which uses SHA256 for obtaining my secret key. I also know that RFC2898 can be used but then it also uses SHA1... So, Is there an In-built function which uses SHA256 algorithm ? Thank You in advance for your valuable answers !!

There is a SHA256Managed class that will hash the input. It will not encrypt it...

Related

Irreversible encrypted password in HPE LoadRunner

I have been running some performance test on one of my websites and I have been trying to encrypt my password for safety reasons. Every method I have tried is easily reversible if someone has access to my scripts. Does anyone know how to do this properly? LoadRunner documentation is quite poor. I have tried
Using parameters: (actual password can be seen in paramaters)
"Name=Username", "Value={Username}", ENDITEM,
"Name=Password", "Value={Password}", ENDITEM,
Using masked strings, can be also reversible.
"Name=Username", lr_unmask("5c5c433589e471556dd55bdac0336170f7c36ea3b32869fec2ee1ffa15"), ENDITEM,
Any help would be greatly appreciated, thanks
Use a public encryption algorithm. Supply the decryption key for the data as part of a run time parameter (see run time settings for parameters). Encrypt your parameter data with the key in question. This way you can store your data encrypted, using a key which is only known by you before execution.
WebHttp protocol doesn't have an encryption feature. For encryption you can use the TruWeb protocol (https://admhelp.microfocus.com/truweb/en/latest/help/Content/TruWeb/TW-masking.htm) or implement your own way to use an encryption algorithm.
EDIT: Alternatively you can store values in VTS -
https://admhelp.microfocus.com/lr/en/12.60-12.61/help/WebHelp/Content/VTS/c_getting-started.htm

Generating HMAC SHA3-512 in netcore2.1

I've already found some ways how to generate SHA3 in netcore 2.1. (e.g. SHA3.Net). Is there a way how to generate HMAC using SHA3-512 hash function. AFAIK it should be only some combination of SHA3(secret + content), but I can't find any working solution for HMAC based on SHA3-512. It's requested by 3rd party API I need to use, so there's no other option.
Result must be the same as result provided by this online tool (hash type sha3-512): https://wtools.io/generate-hmac-hash
Does anybody know how to generate HMAC properly for SHA3-512 under .netcore 2.1?
Thanks

Using two public keys to encrypt a file

I am not sure if this is the correct place for this question as this might be more of a theory based question. But I was also interested in the C# implementation of the following. And how feasible it is
I am planning on using PGP for encryption and decryption of files. Is it possible to encrypt the file with two public keys (my public key and the receiver's public key) so that if i will be able to decrypt the file using either one of the private keys.
Is this scenario feasible?
Is so what is the direction I should take for a correct implementation of the same.
Any help would be highly appreciated
On high level (if you use any PGP API), yes, you can pass two or more public PGP keys to OpenPGP API (or software) and have the data encrypted. Then you would be able to use a PGP secret key that corresponds to any of used public PGP keys to decrypt the data.
On lower level - OpenPGP always generates a symmetric key for encryption of data, and then this key is encrypted using one or more public PGP keys, consequently there's no difference how many keys to use.
Now, what to use depends on what platform and development environment you are using (as this is a programming site we assume that you are going to encrypt data in code). For Linux and C there exists GnuPG library. For Java and C# there's some PGP support in BouncyCastle. Finally, OpenPGPBlackbox of our SecureBlackbox library provides full scope of OpenPGP functionality for a number of platforms and languages, including .NET, VCL, ActiveX and C++.
On a side note, the answer you've accepted is completely wrong so I strongly suggest de-accepting it.
Look at this wiki page:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
What you will see that actual data is encrypted/decrypt with random key and this random key is encrypted/decrypted with according public/private key.
So, as result you don't have to encrypt a file (data) using two keys. You still encrypt the data with one random key. The only difference is that you encrypt this random key with multiple public keys (as example your's and receiver's).
As result, any of you will be able to decrypt random key using private key and decrypt data.
The question could also belong to crypto.stackexchange.com but it is ok here, too. I am not sure whether you have understood the principles of PGP. A public key is used to encrypt and the private key is used to decrypt. So if you encrypt it by using your public key the receiver uses his/her private key to decrypt and/or sign.
For more information I recommend you should read about the RSA or ElGamal algorithm. Hope it helps you:
http://en.wikipedia.org/wiki/RSA
http://en.wikipedia.org/wiki/ElGamal_encryption
http://en.wikipedia.org/wiki/ElGamal_signature_scheme
Both algorithms provide a good way where you could start. Or you maybe want to join some online courses provided by Stanford University:
https://www.coursera.org/course/crypto
https://www.coursera.org/course/crypto2
The only way I can see it working is to have a zip or tar archive containing two files: one encrypted with key 1, the other with key 2.
If the file is text, you could paste two, differently encrypted versions of the same original file into one document.
There is no way to encrypt a file so it is decryptable with two different keys that I know of.

Password Encryption 3 approaches

On one side I have:
http://forums.enterprisedb.com/posts/list/2481.page
Here we declare field as BYTEA and we can decrypt it and encryption is on db level.
On the other side:
https://www.owasp.org/index.php/Hashing_Java
Here as varchar and we only compare hashes to authorize.
Finally Spring gives http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/password/StandardPasswordEncoder.html + char secret value applied is the same for every password?
Which is the best approach? (I lean towards Spring since as I understand it encapsulates similar logic as OWASP in few lines of code?)
PostgreSQL encoding:
Your application probably will depend on PostgreSQL and maybe you have to rewrite this part if you want to use it with another DBMS.
If the PostgreSQL is on another machine you should consider using some form of secure communication between the application and the DBMS because the passwords are transferred between them as plain text.
OWASP vs Spring:
They are very similar.
Both use salt.
Spring use a secret (Owasp not).
Of course you could modify Owasp to use a secret if you need that or you can use the StandardPasswordEncoder without secret.
Spring's encode() returns only one string which contains the salt too (as usual in unix/linux) while Owasp requires an additional database attribute for the salt value.
Spring is simpler and maybe it's better maintained than the Owasp web article from 2008.
Owasp mixes functionalities: it encodes/checks the passwords and contains a lot of JDBC code too.
Spring just encodes/checks the passwords and your responsibility is the password storage. But maybe your framework does that for you or you could write it for yourself.
I'd use StandardPasswordEncoder. It's more simple and does the same as Owasp.

HashBytes conversion

select HASHBYTES('sha','what is it')
Result --0x2327A09C2FDAD132E436B5CC12E9D5D283B5BA69
is it possible to convert back hashbytes to string '0x2327A09C2FDAD132E436B5CC12E9D5D283B5BA69' as a input
want to get out put as 'what is it'?
Absolutely not. A hash is, by definition, one way.
What you're looking for is encryption, which you can do using the EncryptByCert and DecryptByCert functions, explained in detail here.
No. That's the whole point of a hash.
You use them for something like a password, such that every time someone tries to log in you compute the hash of the password they tried to log in with (plus a salt) and compare that with your stored value. This way even if someone (like a disgruntled employee) finds a backup tape for the database where your passwords are stored and an encryption key, they still wouldn't be able to log into your system and act on live data.
A hash function is defined as "one way" meaning that you convert text into a digest (the result you see above). If you are using this for password encryption the accepted usage would be to run a users input (from their password form) through the hash function and verify that it matches the stored digest.
If you wish to have decryption of a provided text input you will want to look into other cryptographic solutions such as Symmetric-key or Asymmetric-key algorithms.
Of course if you are doing any of this you are going to want to sanitize your input.
Hashing as the previous posters mentioned, is definitely a one way operation. It takes a (potentially large) input, and processes the input quickly in such a way that the output is a small but very unique (based upon input) output. Both by design and by nature of having a small sized output, a hash cannot be undone as the original input has been lost in the conversion. Common hashing algorithms include the Message Digest family (usually MD5) and the SHA family you mentioned in your question.
Again as the previous poster mentioned, if you're looking for a 2-way operation, encryption is what you are looking for. Further more, if you want the same user to both encrypt and decrypt a string, stick with symmetric encryption. Some common algorithms used in practice today are AES, DES, and Blowfish.
If you have a minimal perfect hash then at the very least you should be able to brute force the original input. But presumably this is not what you're asking about, if that is right then see all of the other answers :)