I am trying to encrypt an NSString to both NSString and NSData in Objective-C and so I began a search.
I started off here, but that went way over my head, unfortunately.
I then found myself at this post and it came across to be very easy to follow, so I went along and tried to figure out the implementation. After looking over the implementation, I saw the second answer in the post and saw he had more adaptable implementations, which brought me to his gist. As per the gist readme, he "took down this Gist due to concerns about the security of the encryption/decryption". That leads me to believe that the security of the implementation from above has security flaws as well.
From that gist, however, he mentioned another alternative that I could use for encryption. After taking a look at the code, I noticed that it generates NSData with "a header, encryption salt, HMAC salt, IV, ciphertext, and HMAC". I know how to handle that to decode using the same library again, but how would I pass this off to a server guy, given that I don't quite know what I'm sending to him?
At the root of it all, I'm in over my head. Given what I said above and knowing that I don't have the time to take on a lot of learning for this, unless if it is absolutely necessary, how should I best handle going about this encoding/decoding process, given a private key with the end goal of shipping it off to a server that is not designed by me? (How's that for a run on sentence!)
Maybe you should ask the server guy? When ever you have encryption between too parties you have to have some kind of agreement on the format of that data, the raw primitives don't handle that alone, not to mention it's easy to mess things up security wise dealing with just the primitives and the desire to just send the aes ciphertext alone is going to cause mistakes.
RNCryptor, which you mention, is a high level encryption library it defines a simple format that others would have to conform too, it's simple thus helps going cross platform, but it has that extra that you need to do AES properly. There are other libraries like that too (NaCL, GPGME, and Keyczar), that are not as simple in format, but simple in usage, so you'd need to be able to use the library on both ends, but I'd highly recommend that you uses something like that, if you can, rather than rolling your own.
Keyczar specifically exists for java, python, c++, c# and go, so if you can use the c++ version on the iOS (or Mac, which ever you are targeting on the client) you might be good on the server as there are several choices.
Related
Hello i'm about to write an app that enables me to store remote files on iPhone's local disk to make the data permanent in a file and manipulate with it. But i have a question about this. I have no idea about encrypting data by the way.
So if any iPhone hacker crack the prone with jailbreak and access my local file? In this situation, i want to use Encryption. But i'm missing something. My json files contains long plain texts like 100,000 words. So if i apply the CryptoSwift library which is on Github now, using the AES and NSDATA my computer is stuck to encrypt it.
let plain = "mylongtextfromfile".dataUsingEncoding(NSUTF8StringEncoding)
let key: Array<UInt8> = [0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00]
let iv: Array<UInt8> = AES.randomIV(AES.blockSize)
let encrypted: NSData = try! plain!.encrypt(ChaCha20(key: key, iv: iv)!)
print(encrypted)
let decrypted: NSData = try! encrypted.decrypt(ChaCha20(key: key, iv: iv)!)
let string1 = NSString(data: decrypted, encoding: NSUTF8StringEncoding)
print(string1)
I also noticed that Apple does not want to use of another encryption libraries unlike its built-in APIs. The Itunnes connect policy requires an extended verification process of the app.
I want to ask you experts that what i must to do. I do not want to user to interact with any mobile service-back-end, API or server for downloading the words and query them once the users want to use the words each time.
What i need to use to keep the process fast. Actually is there any way to only encrypt file itself unless the data in. Or what is the mistakes i'm facing.
sincelery,
So if any iPhone hacker crack the prone with jailbreak and access my local file?
Yes. This is true, and there is nothing effective you can do about. You can create some layers of obfuscation. You can slow down attackers by a few hours. With sufficient resources and an ongoing team of security experts you may be able to slow down an attacker for longer. But if Apple with control of every piece of the ecosystem, and extensive and expert resources dedicated to it, can't stop attackers from jailbreaking the phone, you have no hope, especially, if as you say, you know nothing about encryption.
That is not to say that there is nothing at all you can do; it just won't be very effective, so don't spend tons of time on it. You must assume that if your data is of any significant value, attackers will extract it. You must design your system and business model to be resilient to that. Or you must employ an ongoing team to mitigate attacks, like Apple or Blizzard do.
So what can you do that will be simple and provide some kind of obfuscation, even if it's pretty ineffective? As you appear to be trying to do, encrypt it against a hard-coded key. It won't stop anyone who knows what they're doing, but it'll keep away some people, and that's about as good as you can do.
CryptoSwift is a nice library, written by a smart guy, but it's very low level, and assumes you know what you're doing. This is not the kind of tool you want to be using for this. You want something that does all the work for you. I have one, RNCryptor. It has the advantage of being very simple, cross-platform, and only using Apple crypto primitives. There is also libSodium which is even more portable and is a more powerful format, but doesn't use Apple's primitives.
The important thing to look for is something that offers an encryption format, not just crypto primitives. It is very challenging to build a secure format out of primitives. Don't attempt it without first studying how it's done.
If you do want to move forward with CryptoSwift, then you'll need to explain more precisely what is going wrong. When you say "my computer is stuck," what precisely is happening?
I am making a simple chat application for Mac OS X. I need to encrypt my strings before I send them to be decrypted on the other side. I've heard of CommonCrypto and some other encryption methods, but I can't find enough documentation to begin implementing.
Can anyone point me in a direction? All my code has is a const char * that needs to be encrypted and decrypted instantly.
You may want to take a look at this sample from Apple documentation
If you need something extremely simple to implement in C code, perhaps TEA (Tiny Encryption Algorithm) or XTEA would be sufficient for you? The code involved at each end really is very tiny, as the name implies, being just a handful of lines of code. There are various examples out there. I used it recently in an embedded web server application where I wanted a level of encryption that was lightweight enough to put in the embedded C code of a very small and resource limited device, and could also be put in the client-side script.
You can find the documentation for CommonCrypto here.
Hope this might help you.
In the current project I would like to create my own hash function but so far haven't gained much theoretical background on hashing principle.
I would be very thankful if anyone of you could suggest any useful resource about the theory of hashing, cryptography and practical implementations of hash functions.
Thank you!
P.S. As hashing blocks of informations in this case is a part of larger research project I would like to create a hash function on my own and this way learn the principle rather than use the existing libraries. The informations I am working on will stay in house so there is no need to worry about the possible attacks.
Don't. Existing encryption and hashing algorithms (as pointed out in the comments above, they have little to do with each other) have been designed by experts and extensively peer-reviewed. Anything you write from scratch will suck in comparison. Guaranteed. Really. The only thing you'll gain is a false sense of security -- your algorithm won't be peer-reviewed, so you'll think it's more secure than it actually is.
But if you do want to know more about the theory (and gain an appreciation for why you shouldn't do it yourself), read "Applied Cryptography" by Bruce Schneier. You won't find a better resource.
Brush up on your math first.
First of all, if you use the right terminology, you'll be better able to find helpful resources.
"Encryption" is performed with ciphers, not cryptographic hash functions. You'll never find a reliable reference that mentions a hash as an "encryption function". So, if you are trying to learn about hashes, leave "encryption" out.
Another term for "cryptographic hash" is "message digest," so keep that in mind as you search.
Many chapters of an excellent book, The Handbook of Applied Cryptography are available for free online. Especially check out Chapter 9, "Hash Functions and Data Integrity."
Instead of writing your own hashing function have you considered using a standard hashing function from a library and then salting the data you're hashing? That is common practice and ensures that anyone with software that decrypts data with standard encryption functions doesn't intercept your data and decipher it.
Like the others said, do not make a new kind of hash (the code will get complicated and you might as well reinvent SHA1 or MD5.) Study cryptography first. But if you are willing to, look at existing hashes (most are based on another). Or you can look at the hash model. The hash model looks like:
A mixing stage (mix up the contents and modify)
A combining stage (combine the data in the mixing stage with the initial state [the original hash])
Or maybe start with something simple and build up from it (to make a secure hash).
I want to send an out of band message (don't worry about how it gets there) to a program I've written on a distant machine. I want the program to have some confidence the message is legit by attaching a digital signature to the message. The message will be small less than 200 characters.
It seems a public key based signature is what I want to use. I could embed the public key in the program.
I understand that the program would be vulnerable to attack by anyone who modifies it BUT I'm not too worried about that. The consequences are not dire.
I've looked through the MSDN and around the web but the prospect of diving in is daunting. I'm writing in straight c++, no NET framework or other fancy stuff. I've had no experience including NET framework stuff and little luck during previous attempts.
Can anyone point me at some very basic resources to get me started?
I want to know
How to generate the public and private keys
How to sign the message
How to verify the signature
You could try looking at the Keyczar library. It provides a high level abstraction to cryptographic functions with the aim to make is easy for developers to do crypto correctly. As an added bonus it has c++ bindings.
There is also Cryptlib which has been around for a while, and NaCl. As with Keyczar these libraries aim to provide a high level abstraction for common crypto functions.
gpgme is a high-level cryptographic API for GnuPG, written in C, but with bindings for a number of languages. GnuPG has excellent docs and is easy to use, so you can play around 'manually' on the command line and get a feel for how the key operations work, then look up the functions you need for your code in the API.
I'm going to use gSOAP to interact with a WCF webservice in my Mac project. It does pretty much exactly what I need and it does it well (pretty much the exact opposite of WSMakeStubs;)). The only downside is that it's C/C++ only, meaning I either need to convert all my types into C types on the fly or write a complete wrappering solution to do it for me.
I'd rather not reinvent the wheel here, and I'm obviously not the only one who has wanted to do this, but so far I haven't been able to find anybody who has actually posted any code to this effect.
Does anybody know of any code available that would save me from having to write the whole thing myself?
(It doesn't quite answer your question, but) I've used the techniques used in Cocoa SOAP Client (open source) to connect to a server and send/receive SOAP requests. It works really well, unless you are connecting to a server with a self-signed SSL certificate.
(This basically translates XML structures into native Cocoa structures, and back the other way on sending).
We use gSOAP at work, and it does the job, but makes lots of generated code, and limits you to working in particular ways with the data.
I'm working on a wrapper generator (or possibly modifications to gSOAP itself to contribute back); I'm not done and won't be for a little while.
Note: I'm one of the folks you linked to.
I'd say the current answer is "No".
I ended up creating an Objective-C wrapper mostly by hand for my web service (including category methods for NSArray to translate an NSArray of X into a soap array of X and vica versa, etc) since it was a one-off and I did not expect it to change particularly often. I'm happy with it, but I do need to modify it by hand whenever a signature is changed or a method is added.