I am not sure if this is the correct place for this question as this might be more of a theory based question. But I was also interested in the C# implementation of the following. And how feasible it is
I am planning on using PGP for encryption and decryption of files. Is it possible to encrypt the file with two public keys (my public key and the receiver's public key) so that if i will be able to decrypt the file using either one of the private keys.
Is this scenario feasible?
Is so what is the direction I should take for a correct implementation of the same.
Any help would be highly appreciated
On high level (if you use any PGP API), yes, you can pass two or more public PGP keys to OpenPGP API (or software) and have the data encrypted. Then you would be able to use a PGP secret key that corresponds to any of used public PGP keys to decrypt the data.
On lower level - OpenPGP always generates a symmetric key for encryption of data, and then this key is encrypted using one or more public PGP keys, consequently there's no difference how many keys to use.
Now, what to use depends on what platform and development environment you are using (as this is a programming site we assume that you are going to encrypt data in code). For Linux and C there exists GnuPG library. For Java and C# there's some PGP support in BouncyCastle. Finally, OpenPGPBlackbox of our SecureBlackbox library provides full scope of OpenPGP functionality for a number of platforms and languages, including .NET, VCL, ActiveX and C++.
On a side note, the answer you've accepted is completely wrong so I strongly suggest de-accepting it.
Look at this wiki page:
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
What you will see that actual data is encrypted/decrypt with random key and this random key is encrypted/decrypted with according public/private key.
So, as result you don't have to encrypt a file (data) using two keys. You still encrypt the data with one random key. The only difference is that you encrypt this random key with multiple public keys (as example your's and receiver's).
As result, any of you will be able to decrypt random key using private key and decrypt data.
The question could also belong to crypto.stackexchange.com but it is ok here, too. I am not sure whether you have understood the principles of PGP. A public key is used to encrypt and the private key is used to decrypt. So if you encrypt it by using your public key the receiver uses his/her private key to decrypt and/or sign.
For more information I recommend you should read about the RSA or ElGamal algorithm. Hope it helps you:
http://en.wikipedia.org/wiki/RSA
http://en.wikipedia.org/wiki/ElGamal_encryption
http://en.wikipedia.org/wiki/ElGamal_signature_scheme
Both algorithms provide a good way where you could start. Or you maybe want to join some online courses provided by Stanford University:
https://www.coursera.org/course/crypto
https://www.coursera.org/course/crypto2
The only way I can see it working is to have a zip or tar archive containing two files: one encrypted with key 1, the other with key 2.
If the file is text, you could paste two, differently encrypted versions of the same original file into one document.
There is no way to encrypt a file so it is decryptable with two different keys that I know of.
Related
I'm looking for a tool or method to prove the authenticity of resources download from the web and stored locally. To be clear: I don't mean the SHA or MD5 checksums to verify a downloaded file. What I need is a way to download and store a web resource in such a way that I can later prove that said resource indeed originated from that web server.
In particular for the following scenario: A website published an article about a client. He would like to sue for defamation of character. I need a way to store the article without them having the possibility of simply removing it and denying they ever published it. So preferably this would be a tool that is backed by publications making it credible in court.
I have thought about storing the TLS certificate, keys and the encrypted data. That would rely on the root CA, but I think that would in itself not be a problem. I could do this using a custom program and a library like OpenSSL, but I think this is such a common problem, there probably is a relatively standard tool for it. Also, I am not entirely sure to what extent this would constitute reliable evidence. And can someone point to publications that would back this method?
Maybe I am using the wrong search terms, but everything I find is about aforementioned SHA or MD5 checksums. Any help is much appreciated.
If I understand correctly you need something like signature with timestamp. Yes?
You not only need checksum from document (article, text value, whatever) but also proof that this article really existed in time.
When using digital signature you can store such timestamp in 3rd party certified providers. You sign document and send checksum to 3rd party provider. Later you can ask provider to verify that this exact document is valid & was indeed created at given time.
https://en.wikipedia.org/wiki/Trusted_timestamping
As this can cost (fee for provider to store the timestamps) you can create checksums from many documents (like take all documents from one hour), store all of them in a single file, create checksum from that file and sign it with timestamp. This way you create one timestamp for documents batch, not for each document.
I have been running some performance test on one of my websites and I have been trying to encrypt my password for safety reasons. Every method I have tried is easily reversible if someone has access to my scripts. Does anyone know how to do this properly? LoadRunner documentation is quite poor. I have tried
Using parameters: (actual password can be seen in paramaters)
"Name=Username", "Value={Username}", ENDITEM,
"Name=Password", "Value={Password}", ENDITEM,
Using masked strings, can be also reversible.
"Name=Username", lr_unmask("5c5c433589e471556dd55bdac0336170f7c36ea3b32869fec2ee1ffa15"), ENDITEM,
Any help would be greatly appreciated, thanks
Use a public encryption algorithm. Supply the decryption key for the data as part of a run time parameter (see run time settings for parameters). Encrypt your parameter data with the key in question. This way you can store your data encrypted, using a key which is only known by you before execution.
WebHttp protocol doesn't have an encryption feature. For encryption you can use the TruWeb protocol (https://admhelp.microfocus.com/truweb/en/latest/help/Content/TruWeb/TW-masking.htm) or implement your own way to use an encryption algorithm.
EDIT: Alternatively you can store values in VTS -
https://admhelp.microfocus.com/lr/en/12.60-12.61/help/WebHelp/Content/VTS/c_getting-started.htm
I am working on an application in c# .Net where data needs to be encrypted and Since data privacy is my ultimate motive , I am doing it using AES Encryption and I use PasswordDervieBytes for determining the Secret Key. Now Since it uses SHA1 which is broken , I would like to know whether there is an in-built function which uses SHA256 for obtaining my secret key. I also know that RFC2898 can be used but then it also uses SHA1... So, Is there an In-built function which uses SHA256 algorithm ? Thank You in advance for your valuable answers !!
There is a SHA256Managed class that will hash the input. It will not encrypt it...
Basically im encrypting a message in PHP using openssl. I have already generated a valid key pair (both saved to PEM files).
In vb.net im trying to use the private key to decrypt the message saved in the mysql database, but i cant seem to find a way to incorporate the private key into the decryption examples. All the examples i have found all concentrate on generating a key pair.
Anyone have any ideas?
Thanks in advance
i developed a very simple vb.net application and i need a way for every user to verify that they have paid for it. i would like the simplest method possible. it will be an off-line registration. I am actually looking for a way that I can program this easily myself, and am not interested in third part solutions.
Just ask for the name, and calculate a hash (such as SHA1 or MD5) for that name (maybe lowercase and strip whitespace first), prefixed with some secret text that is hardcoded in your program. If you want different keys for different versions, then also prefix the version number before calculating the hash. That hash will be your registration key (or, if you think it is too long: take the first characters of the hash).
Have the user enter both the name and the registration key, and store those in the program's configuration. Then recalculate the hash in exactly the same way whenever you need to validate it, and compare it to the stored key.
You could store an encrypted string in the user's registry (e.g. his Full name). Decrypt that string at application start to check if the license is valid.
How secure do you want it to be?
If you're looking for rock-solid piracy protection (if it even exists) you'll have to combine it with some sort of online registration/activation system. Or use a 3rd party solution as opted by Mitch Wheat.