Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I am researching Key Management Solutions in order to become PCI compliant. I have spoken to a number of vendors in the arena, and while I like their products, the cost is beyond my budget. Is anyone aware of any open source or low cost solutions for Key Management? I use a Windows/.NET environment, so I would prefer solutions that target that environment, however I would be interested in hearing about anything that is out there.
Thanks
Take a look at KeyManager, which is the key management component of the OpenStack suite. The application can be used as a stand-alone key management solution outside of OpenStack.
Being a component of OpenStack, KeyManager is being actively developed with new features planned on six month cycles.
We had a similar experience as you. We needed a key management solution for PCI compliance and all the commercial products we saw were too expensive. Some key managers cost more than our product for small customers!
We ended up making a software based key manager. We made requirements and offshore developers coded it. At one time they were looking for other customers to use it. I don't know if they still are or not.
Let me explain the options we explored. First thing to remember is that PCI compliance and security are different things, you can be PCI compliant and not very secure.
Option 0 - Assign a key per DB column, and store keys in a DLL file. Your application links in the DLL file to access the keys to encrypt and decrypt the data. No one knows the keys. For periodic key replacement you make a new DLL with new keys, take down time to decrypt all data using old keys and reencrypt data using new keys. Then restart your application using the new DLL with new keys. (Note if you ever consider restoring a DB backup, you need to keep the old keys.)
The first time I heard about Option 0 I was surprised it was PCI compliant. We do not use Option 0.
Ways to improve on Option 0.
If you have an HSM in your environment, use the HSM to encrypt the keys in the DLL file. When your application starts it will decrypt the keys using the HSM. If you want more security, decrypt the keys every time they are needed.
Once your keys are encrypted, it is safe to store them in a DB table. If you assign each key (old and new) a small integer key-id, you can store the key-id with the encrypted data. That lets you do incremental key replacement and avoid down time.
Having your keys in the clear in memory in lots of processes, increases your exposure to a memory scan attack finding the keys. You can create a new process that is the only process that decrypts the keys. Your applications talks to this new process to encrypt and decrypt data. This new process should be on a box with a small "surface area" to protect it. Since sensitive data is going over the network now, this communications should be encrypted. SSL is a good option.
I realize this is an old thread, but there are couple of options:
A completely free and open-source key-management solution is at http://sourceforge.net/projects/strongkey. I will admit, the software is a little dated and is fairly complex to setup because it assumes you have a PKI to issue digital certificates to application clients for communicating with the key-management server, and for securing keys on the client device.
The original StrongKey software was simplified drastically three years ago and integrated into an appliance with a cryptographic hardware module (TPM and HSM) to provide stronger key-management. Unfortunately, even though the software on the appliance is all FOSS, the integrated solution itself is not free - its price is listed on its website (http://www.strongauth.com/products/key-appliance.html).
However, there are many advantages with option #2 as it allows you to leverage Public Clouds while being fully PCI-compliant (search for "Regulatory Compliant Cloud Computing (RC3)" and click on the link at IBM - I can only post two links in my answer) with more announcements about how to leverage this appliance being announced at RSA 2013 in San Francisco.
I hope that helps.
KLMS over KMIP is good and easy to use solution for key management.
This is an open source solution written in Java. See the below link for reference. http://www.ibm.com/developerworks/library/se-kmip4j/
The package named stubInterface will contains all the api required to use KLMS over KMIP.
KLMS: Key Lifecycle Management Systems
KMIP: Key Management Interoperability Protocol
I will add to this list as I found it in a search and others may benefit from an expanded list.
I have recently found KeyWhiz which appears to be in alpha.
SNipeit is the best one I have seen that is open source, very robust, and very easy to use, even for non-techies.
https://snipeitapp.com/demo/
Check it out there.
Related
I recently read about decompilation of iOS apps and I'm now really concerned about it. As stated in the following posts (#1 and #2) it is possible to decompile an iOS which is distributed to the App Store. This can be done with jailbreak and I think with copying the app from memory to hdd. With some tools it is possible to
read out strings (strings tools)
dump the header files
reverse engineer to assembly code
It seems NOT to be possible to reverse engineer to Cocoa code.
As security is a feature of the software I create, I want to prevent bad users from reconstructing my security functions (encryption with key or log in to websites). So I came up with the following questions:
Can someone reconstruct my saving and encryption or login methods with assembly? I mean can he understand what exactly is going on (what is saved to which path at which time, which key is used etc., with what credentials is a login to which website performed)? I have no assembly understanding it looks like the matrix for me...
How can I securly use NSStrings which cannot be read out with strings or read in assembly? I know one can do obfuscation of strings - but this is still not secure, isn't it?
This is a problem that people have been chasing for years, and any sufficiently-motivated person with skills will be able to find ways to find out whatever information you don't want them to find out, if that information is ever stored on a device.
Without jailbreaking, it's possible to disassemble apps by using the purchased or downloaded binary. This is static inspection and is facilitated with standard disassembly tools. Although you need to have a tool which is good enough to add symbols from the linker and understand method calls sufficiently to be able to tease out what's going on. If you want to get a feel for how this works, check out hopper, it's a really good disassembly/reverse-engineering tool.
Specifically to your secure log in question, you have a bigger problem if you have a motivated attacker: system-based man-in-the-middle attacks. In this case, the attacker can shim out the networking code used by your system and see anything which is sent via standard networking. Therefore, you can't depend on being able to send any form of unencrypted data into a "secure" pipe at the OS or library level and expect it not to be seen. At a minimum you'll need to encrypt before getting the data into the pipe (i.e. you can't depend on sending any plain text to standard SSL libraries). You can compile your own set of SSL libraries and link them directly in to your App, which means you don't get any system performance and security enhancements over time, but you can manually upgrade your SSL libraries as necessary. You could also create your own encryption, but that's fraught with potential issues, since motivated hackers might find it easier to attack your wire protocol at that point (publicly-tested protocols like SSL are usually more secure than what you can throw together yourself, unless you are a particularly gifted developer with years of security/encryption experience).
However, all of this assumes that your attacker is sufficiently motivated. If you remove the low-hanging fruit, you may be able to prevent a casual hacker from making a simple attempt at figuring out your system. Some things to avoid:
storing plain-text encryption keys for either side of the encryption
storing keys in specifically named resources (a file named serverkey.text or a key stored in a plist with a name which contains key are both classics)
avoid simple passwords wherever possible
But, most important is creating systems where the keys (if any) stored in the application themselves are useless without information the user has to enter themselves (directly, or indirectly through systems such as OAUTH). The server should not trust the client for any important operation without having had some interaction with a user who can be trusted.
Apple's Keychain provides a good place to store authentication tokens, such as the ones retrieved during an OAUTH sequence. The API is a bit hard to work with, but the system is solid.
In the end, the problem is that no matter what you do, you're just upping the ante on the amount of work that it takes to defeat your measures. The attacker gets to control all of the important parts of the equation, so they will eventually defeat anything on the device. You are going to need to decide how much effort to put into securing the client, vs securing the server and monitoring for abuse. Since the attacker holds all of the cards on the device, your better approach is going to be methods that can be implemented on the server to enhance your goals.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Can a blockchain data structure be implemented without the need of a currency?
My idea is to store cryptographic public keys in a distributed and incorruptible data structure. The need is to get the cryptographic public key associated with an identifier and to be sure that the key is really associated with this identifier. Though there is no guarantee without a certification authority or WoT the idea is to be sure that the key obtained was the first published in the data structure with the identifier and was not overwritten by a malicious node.
So if we have an identifier I can get a cryptographic public key and be sure that it was the first key published with this identifier.
I first though of a DHT but a data can be easily overwritten by the node storing the key.
So I thought of a blockchain data structure for its property of being secure against corruption.
Does a DHT can be used for that purpose? And how? Can a blockchain be used for that purpose and without the currency involved? Another data structure?
The Linux Foundation's Hyperledger Project implements a blockchain that does not require a currency/incentive. There are others that have emerged recently including JP Morgan's Juno and Intel's IntelLedger.
The block chain is simply a directed graph of records where the links are hashed, so if you have a particular head of that data structure all reachable entries from that head are included in that hash. So you can establish a sequence of time.
The crucial part is that the network needs to reach consensus about the current head of the chain and how to decide what the next entry shall be.
So at any given point you can trust the entire past history as long as you can establish that a particular block ought to be the current head.
What the blockchain brings to the table is an incentivized proof-of-X scheme that drives the consensus forward in to the future while making forging even a single new block expensive and forging an entire history prohibitively expensive.
Adding a proof-of-X scheme is fairly easy. But incentivizing people to invest considerable resources into that scheme so that a takeover becomes too expensive to perform is not as easy.
One spontaneous idea (not vetted at all!) would be needing refresh of the identifier-key mapping. If they are not refreshed after some interval of X blocks they expire. That way you have to invest in your proof-of-X scheme to keep your own mappings alive, creating value for yourself while also creating the threat that anyone who could control the network could simply let entries expire by refusing to append any transactions to the chain that would renew the mapping.
I think you might want to take further discussion of such theory to the cryptography or bitcoin stack exchanges.
Folks, I have question this morning that hopefully one of you techies can answer – during past few months, I have been heavily involved in preparing several SQL certifications study guides as it’s my desire to secure Microsoft Certified Solutions Associate (MCSA) or associate level. While I have previous experiences within this skill set and wanted to sharpen it by obtaining further experiences and hopefully securing this certification, it has been quite challenging setting up a home lab that allows me to create environment similar to what the big dogs use nowadays – windows server/several sql instances/virtualization and all that – due to lack of proper hardware or cost. In any case, my question today is to seek your advices and guidance on other possible options, particularly if this task can be accomplished using Amazons AWS – I understand they offer some level of space that can be used as playground or if one want to extend the capacity, subscription is an option. So, if I was to subscribe the paid version of it, is it possible to install all software needed to practice and experiment all needed technologies to complete and or master contents on the training kit. Again, I’m already using my small home network and have all proper software, but just feel that it’s not enough as some areas require higher computing power to properly test or rung specific areas..
Short: Yes
You can create a micro instance for free and install whatever you want on it. If your not familiar with using the CLI, it can be a bit daunting but there are plenty of guides online.
They also offer an RDS service where, they will allow you to set up a database instance and will maintain it for you but it's not free.
Edit
Link to there MS Server Page
http://aws.amazon.com/windows/
Azure is the windows cloud service, I think the comment was have you considered looking at azure instead of AWS
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I have researched on each element or system that I am willing to implement into a generic software licensing system for my soon-to-be apps (irrelevant, as this should work, or be usable on all of my applications).
I have created a DLL with my licensing class in it.
It is as follows:
(1)
I have applied the InternalsVisibleTo() attribute main class (with child classes), which makes all of the internal classes, and their methods, which are declared Friend, visible to external assemblies with the sepcified PublicKey.
I have made the reference to the app name, and it's PublicKey. (Both the licensing, and the external assembly, are signed with the same key (.snk file)
(2)
All (where possible) members, properties etc. are delcared Friend or Private or just Dim...ed .
(3)
My licensing class has a String variable; declared:
Private Shared _Key As String = "H58N2-00V93"
This variable is the special password, if you will, of my DLL, and is required to access the methods in my DLL.
There is also a Public String variable (let's call it "AccessKey"), which should be initialized with the main class, like so:
Dim licDLL As New LicensingAssemblyName.LicensingMainClass With {.AccessKey="H58N2-00V93"}
(4)
Then, I have a Function (let's call it "CheckKey"), which checks whether the Public, initialized variable ("AccessKey" is equal to the pre-defined, Friend key ("_Key"), whereupon an exception will be thrown, if they are not equal - preventing method from continued/used.
(5)
At each first line of every Sub, Function etc., I have inserted a call to this function.
These are just the 'security' measures I've taken to prevent external assemblies from using my DLL in another app, to perhaps exploit the system or generate keys.
Now for the licensing measures.
(1)
I have a key generator (very basic), which generates codes upon a given format (Like: "#-$" for a number, a dash, followed by a letter.)
I have included an encryption class in this program, which uses Rijndaenal, and applies salt.
I have set the key generator to encrypt each separate key upon generation, then append it to a new line of a file, which we'll call "my_licenses.txt".
I use the same password for each one (obviously). It is quite long, and includes many different characters (if that makes ANY difference). I considered this to be a secure way since I didn't think ANYONE could decrypt a string without the password, until I was told by another programmer, who advised against using plain text encryption as a method to secure these keys. Please help me with this.
(2)
In my licensing DLL, I have a declaration:
Friend Shared Function IsKeyValid(ByVal KeyDB As String, ByVal Key As String) As Boolean
This function decrypts each key in the file (the specified database, using the same pass code used when encrypting them in the key generation program).
Then I do a For Each, Next loop to, determining whether the specified "Key" value equals any in the key 'database', "my_licenses.txt". But here's the catch.
I have an Function which returns a unique code for the computer it's running on (using hardware IDs etc.). This Function helps me protect against the use of the same key on multiple computers (unless I implement a system for allowing this, limited times) and is required as the last 5 characters of the "Key".
After checking, this Function returns a value of the result (True or False).
Finally (phew), each assembly (the licensing one, and any external ones which utilize it) are obfuscated -and likewise signed (all assemblies, with the same key (.snk) file)- by CodePlex's Confuser (A free, and highly recommended obfuscator for .NET).
I hope this hasn't been too long/not detailed enough/difficult to understand. (If so, tell me what you don't understand).
This is my first post/question of any kind, so be nice. Also thank you for reading.
I hope you can help.
And just to confirm, my question is this: Would this system be secure enough to protect against the average hacker?
P.S. I am only a beginner, so answers for a beginner would be especially appreciated ;)
*UPDATE: I have actually reduced the length of this question, and improved its understandability (believe it or not). So this is the best I can do.
That's an insane wall of text so you kind of lost me. And, to be honest I stopped reading seriously when I saw you had a hardcoded key inside the binary that you plan to distribute... But there are two questions you ought to ask yourself:
Is your application likely to be so successful that there is sufficient demand for it so that people with the appropriate skillset will be inclined to reverse it and release a keygen and/or pirated version?
And wouldn't your time be better spent adding cool features to the application instead of licensing code which does nothing to improve the application itself?
Don't get me wrong. I'm all for people getting paid for their work and I don't object to people licensing their software; as a matter of fact, one of the projects I worked on was a custom licensing engine which was tracking a little over 100,000 licenses last I checked. But make sure that if you decide to implement licensing that the effort you put into it doesn't exceed the effort you put into the actual software you're licensing.
With all that said, here's what I would do:
Generate a lot of licensing keys (using whatever format you want)
Hash those keys using something like SHA-256 or SHA-512.
Create an array (using whatever syntax is appropriate to your language of choice) that contains the key hashes.
Include the array inside your application.
With that setup, to verify a license, all you need to do is:
Hash the input using the same algorithm as before.
Iterate the array, comparing it with the result of the hash. If they match, the key is licensed. If they don't, continue.
If you get to the end of the table the key is not licensed.
Do not immediately exit the application if the key isn't licensed. Instead set a flag that prevents the use of important commands (e.g. "Save") or set a timer for 60 seconds plus a random number of to exit the application.
Compile and then digitally sign your application with Authenticode. Have the application itself validate the signature to try and discourage casual tampering.
If you are so inclined, you could even encrypt the hashes, although that is unlikely to help against the sort of attack that someone would mount against this scheme.
To be clear: this is not bulletproof (then again, no licensing mechanism is) and it's possible for someone sufficiently skilled to break it in a number of ways. But it's almost certainly going to be more than good enough for your project.
Security doesn't have an absolute value, it has to be measured against the payoff. If your app is holding some nuclear codes I'd say go pay a specialized consultant for this. If you're storing grandma's secret recipes - you're good to go.
I read the whole post and it's still not clear what's the purpose of the hard-coded key or how do you manage the individual encryption keys for each license: encryption is not just about how strong an algorithm you use or how long your password is; it's also about how do you hide your passwords, how do you transmit them, what do you do in edge cases (interrupted connection, failed decryption etc) and many other things.
From the looks of it I'd say you're in the "good to go" category only because your app doesn't sound like a high-profile target to crack and you mostly want to deter the casual cracking attempt from a frustrated developer who doesn't like your licensing scheme (: and the obfuscation alone would deter most when it comes to reverse-engineering your code. I'm not familiar with your code to tell if there's any other, easier ways to bypass licensing, such as the popular method of copying the licensing file itself if it's not tied to the machine or user profile...
There are many workarounds online, but only hashing system described here or something based on public key cryptography can be secure enough to serve licensing.
I personally prefer and use commercial product: http://www.treekslicensinglibrary.com - Treek's Licensing Library. It's cheap, easy to setup and really secure as it uses previously meant public key cryptography to work with license.
Edit: To compare with hashes of serial numbers - this solution does not require to predefine accepted serial numbers. 1000 hashes in apps = 1000 licenses, for more you need to update your app. Public key cryptography based license systems do not have this disadvantage.
You can use a .NET Obfuscate application to secure it. All .NET application may decompile with .NET Reflector, so search in your browser the application to obfuscate .net application. This will work as i know, everyone that want to decompile your application will prevent by the obfuscate
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 8 years ago.
Improve this question
I have a home network which I access remotely quite a bit. But I'm worried about security. While I do have strong passwords, I'm worried that someone will acquire my password and use it to gain access.
I heard about "one time passwords" and even got to use them at my university. We'd just press a button on a device (or run an application on a phone) and get a generated password that would work for the next minute or so.
How can I set something like that up?
Are there systems that are easy to use and set up?
Has anyone played around with an SDK of one of these systems?
Where can I get a starter kit from?
EDIT: I'm running a mixed Linux and Windows network, and I'm vaguely hoping to use this for authenticating on both operating systems. (No, there's no domain controller, but I can set one up using Samba, I suppose.)
S/Key is fine for a low-cost OTP implementation.
If you're really worried about it, though, then worry also about your sessions being hijacked after they're initiated. In which case you might consider an SSH tunnel to encrypt your traffic. SSH also lends itself better to tunneling other applications through it once you set up your access. Finally, it you don't have an easy way to carry around an SSH client with you (or don't trust other people's SSH clients), there are a few web-based SSH clients that you could offer from your own server -- so it's under your control but available from any browser.
On Linux it's called S/Key: here
Not a button gizmo but you seed it and print off a list of one-time passwords to carry around with you. To make it work with a mixed env you'd need to get it working on your Windows box then get the Linux box to auth from that or (easier) get it working on Linux then link it to Samba so Windows can auth off it.
Google is your friend.
One approach could be as follows:-
U'll need to make a program which will generate a password which will only be accepted by ur home system for a specific time-frame.
For ex. When you run the program the output will valid be for a specific time duration and
will be accepted by your home security system as the system will also generate the same output while matching the hash, the trick is to get the same hash at both the places.
I guess this will need more brainstorming!!!!
As an addendum to renegadeMind's post one way to do this would be to have a program on both ends that generates a sequence of random numbers. A property of Pseudo-random number generators (PRNGs) is that if you start them with the same seed, they will continue to generate the same sequence of random numbers. So depending on your experience (or availability of technology) you could set your network up to generate a new password every x minutes. Then you could carry around a piece of software that would run on a phone or other embedded hardware that calculates what step in the sequence the PRNG is up to and then list the current password for you.
Having said that the security of your system would be limited to the seed you choose and the time you choose that each key is valid for.
In addition to this there is probably a software solution that will do this for you. IMHO it's better to take the existing implementation then reinventing the wheel.
Edit: Wikipedia has a good article here. The part on specific OTP technologies will probably be the most relevant.
Good luck though!
wiki article on PRNG
The first thing you need to decide is what authentication protocol will be your standard. I recommend Radius, especially for two-factor authentication in the enterprise. Radius is supported by all the major VPN & networking providers as well as all the major 2FA providers.
Then, consider the services you want to protect. For linux, this usually means PAM. Luckily, adding 2FA to linux via pam is pretty painless: http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to/. For windows services, you will want to route them through ISA or the VPN.
You can configure all your radius requests to go through AD using the MS radius plugin IAS/NPS. http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html?source=nww_rss
Finally, when choosing your 2FA solution, just make sure they support radius.
As for SDKs, that is a per-vendor situation. Here's a link to ours: http://www.wikidsystems.com/downloads/network-clients
hth, nick