i use a decryption method to decrypt the encrypted_value from the google chrome's cookie's database for certain records.
This worked very well until version 104, now with version 105 decrypting it using BCryptOpenAlgorithmProvider, BCryptSetProperty and on BCryptGenerateSymmetricKey it returns value -1073741811 while it should return 0, i am unsure which changes they made to the cookies value and can't find information about it.
Does anyone have any hints on what's changed?
Nevermind, i found the reason, i am using the os_crypt value from the local state file to do the decryption, which is a json file, and i see that the
os_crypt key now has 2 subkeys "app_bound_fixed_data" and "encrypted_key"
So i need to change my json read method and look for the subkey if it exists.
I'm trying add Custom Authentication. I use 2 instances of Sync-Gateway behind an Nginx.
So how can we manage Session with 2 instances of Sync-Gateway?
The custom authentication is achieved by calling the "//_session" endpoint. This then returns a cookie that logs me in for the first Sync-Gateway. If I now want to synchronize the second Sync-Gateway too, I make a call to "//_session" which overrides the first cookie.
Is there any way to create a global Session?
Please see this answer, from bbrks, here: https://forums.couchbase.com/t/custom-authentication-with-2-sync-gateway/29762 :
If you’re using 2 separate CB buckets/SG databases, they’re completely
independent systems and user-information is not shared between them.
hi guys how can i get information like how many number of class files which will be executed from particular test class from sonarqube database,my sonarqube database is resided in MySQL db i am not finding any answers can guys help to this problem
The short answer is: it is not recommended to access SonarQube DB to get information, so forget about directly manipulating SQ's database.
A longer answer might be: have a look at SonarQube's webservice API, especially these ones :
http://nemo.sonarqube.org/api_documentation/api/tests/list
http://nemo.sonarqube.org/api_documentation/api/tests/covered_files
The first one should allow you to retrieve all test id then you can pass the ID you're looking for to the second webservice then check the size of the files array... but I don't think that this will be easy as it isn't straightforward to get the testFileId you need to feed the first webservice (you can't pass a file's key as far as I know.)
I need to install a xades library in a web-application, this webapp will produce xades documents using remote-sign certificates.
The private key of this certificates are placed on a remote HSM device, so if i have to sign (i mean produce a RSA of a digest) i need to pass the hash to the remote device, this will produce the rsa and will give it to the webapp that with xades4j will create the xades structure
Can you tell me if xades4j already can do this, and if not how can i implement a sort of signatureProvider for xades4j that delegate the production of the RSA to a remote device?
Thanks
Old-but-gold question: I'm stucking at the same point too, but... I found a different (maybe cleaner) way to get the result, so that's my suggestion:
Implement a Provider (https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#Provider)` with it's own "SHA256WithRSA" algorithm implementation, that delegates the signature production to something out of the application
Pass this Provider to the sign() method
I don't know if this can work, but it seems like a nicer try...
Correct me if any of my assumptions are off.
When you hash something like with sha1, you can't reverse the hashed data to get the original string.
Because of this, if I have an email, which I will need to use later, stored in the database, I can't use sha1 on it.
However, I still want to protect in case of a breach, so what do I do?
I'm using django which stores a secret_key in settings.py.
I tried using AES encryption, but noticed that as the string encoded is longer, the encrypted string returned is longer, which makes sense. However, the encryption string is very much longer than the original string. Is there a type of encryption where the string returned is the same size of the original string? Cuz I'm using django user model and the email is limited to 75, so if a user used a 32-75char email, the encrypted string is 128 in length which is > 75, so it can't be stored in the column.
The three key concepts of information security are confidentiality, integrity, and availability. In your case, a cryptographic hash like SHA1 provides integrity: you can always check against the hash value to see if the email has been tampered with. In your case, you want confidentiality, which a hash function will not provide: you want emails to be unreadable in the database in case the database is compromised. While a symmetric encryption algorithm is part of the answer, the bigger question is about key management. Once you have a key to encrypt and decrypt emails, how will you store it? How many people will have access to the key? Will it be kept on the same computer as the database? (That's dangerous.) Will it be kept on the same network? How often will you change the keys? What happens if you lose the key? In all likelihood, your infrastructure will be just as vulnerable to a data breach with unencrypted emails as you would be an encrypted ones. Security is hard, and it's better to focus your efforts on auditing your database setup -- which is something many people have done, has well-known and production-tested solutions -- rather than creating a complicated cryptographic system.
Probably there is no way of such a protection by encryption suiting your needs. Your solution might be to keep your database and the whole system safe (keep an eye on the security mail lists of used software, install security updates, use safe passwords, ...).
Encryption is a process where data is made unreadable by using a secret pass phrase (or a public key) which is needed also to decrypt the data again (or the responding private key). So probably you will have to store then your secret pass phrase or the private key on your system and the data isn't protected more than before.
But you are right hashing is not applicable if the original data has to be restored. Usually hashing is used to obscure passwords.
Encrypt it using any cryptographically secure method.
Hashing algorithms are one way encryption methods. This means that you can encrypt data but not return it. That is its purpose.
You need a two way encryption process, which allows you to do both ways. See this SO question for more details.
Try the blowfish algorithm.
BlowfishCipher sample from this website.
package com.ack.security.jce;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.swing.JOptionPane;
/**
* This program demonstrates how to encrypt/decrypt input
* using the Blowfish Cipher with the Java Cryptograhpy.
*
*/
public class BlowfishCipher {
public static void main(String[] args) throws Exception {
// create a key generator based upon the Blowfish cipher
KeyGenerator keygenerator = KeyGenerator.getInstance("Blowfish");
// create a key
SecretKey secretkey = keygenerator.generateKey();
// create a cipher based upon Blowfish
Cipher cipher = Cipher.getInstance("Blowfish");
// initialise cipher to with secret key
cipher.init(Cipher.ENCRYPT_MODE, secretkey);
// get the text to encrypt
String inputText = JOptionPane.showInputDialog("Input your message: ");
// encrypt message
byte[] encrypted = cipher.doFinal(inputText.getBytes());
// re-initialise the cipher to be in decrypt mode
cipher.init(Cipher.DECRYPT_MODE, secretkey);
// decrypt message
byte[] decrypted = cipher.doFinal(encrypted);
// and display the results
JOptionPane.showMessageDialog(JOptionPane.getRootFrame(),
"encrypted text: " + new String(encrypted) + "\n" +
"decrypted text: " + new String(decrypted));
// end example
System.exit(0);
}
}
You'll want to encrypt the data. It's WAY simpler than it sounds. Read on! :)
I recommend you use what is called a symmetric algorithm, in which the same secret key is used to encrypt and decrypt the data. The most popular is the latest version of the DES algorith, which is called 3DES, or Triple DES.
If you're using .NET, then use the System.Security.Cryptography library and the TripleDESCryptoServiceProvider class. There are tons of samples out there. When you search for sample code, be sure to use the term 'TripleDESCryptoServiceProvider' and whatever language/system you're programming in (C#, vb, asp.net).
If you're using something other than .NET, then look for that language/framework's built-in or add-on Triple-DES library. Here are some examples:
PHP: http://php.net/manual/en/ref.mcrypt.php
JAVA: http://www.java2s.com/Code/Java/Security/TripleDES.htm