DSA or RSA has a private key and pubic key; the private must be kept safe and the public key uploaded to a host you want to access.
But what if the public key is lost, or revealed to everyone, like in a blog post? Is that a security issue ?
No, it's not an issue in the slightest: it's meant to be public anyway.
According to what you use you key for, you may even NEED it to be available to everyone (think gpg keys for signing email).
As long as your private key is safe, you've nothing to worry about.
there is no problem in everyone knowing the public key. you can share it anywhere you like - even in a blog. it is only important to keep the private key secret.
Related
Some background:
We have many applications, each with their own auth provider and public / private keypairs and their own key rotation.
When a new application is spun up or rotates its keys the public key is persisted elsewhere in a key store for other applications to pick up.
I have a Symfony 5.4 service that I want to authenticate users from these applications, the JWT provided by them includes the KID in the header, so the flow would be:
Receive request with JWT
Get KID from header
Lookup KID in our key store and load the public key
Verify that the JWT signature matches.
From them on the flow is as you would expect, Load JWSUser etc and the firewall works the way it should do.
I could just grab the key store and generate a large config file for it, but that is less than ideal at runtime and looking through the code it tries every alternative key until one verifies successfully, and that does not scale.
As far as I can see I have two options:
Extend Lexik\Bundle\JWTAuthenticationBundle\Services\JWSProvider\LcobucciJWSProvider with my own and override the verify method to go and find the right public key first.
Create my own JWSProvider that implements JWSProviderInterface and reproduce most of the logic except for how it gets public keys for verification.
Obviously of those two, #1 looks most simple, however the LcobucciJWSProvider is marked #final in the docblock even though the final keyword is not in use in the class itself, so it probably shouldn't be extended.
Am I right in thinking those are my two options?
I was initially hoping I could just implement my own keyloader but it looks like they don't ever receive information about the requested key, just if the public or private key is wanted.
I'm trying to launch google compute instances from java code using jclouds. It's mostly working, however I'd like to use the project-wide SSH key I've defined instead of having jclouds generate a new user/key credential.
According to the README here - https://github.com/apache/jclouds/tree/master/providers/google-compute-engine:
For an instance to be ssable one of the following must happen: 1 - the project's metadata has an adequately built "sshKeys" entry and a corresponding private key is provided in GoogleComputeEngineTemplateOptions when createNodesInGroup is called. 2 - an instance of GoogleComputeEngineTemplateOptions with an adequate public and private key is provided.
I'm trying to do 1) above. I've correctly configured the project's metadata (I can use it to connect to manually-created instances that don't have jclouds-generated credentials), but I can't work out how to provide that key to GoogleComputeEngineTemplateOptions?
Neither
GoogleComputeEngineTemplateOptions.Builder.installPrivateKey(String key) or GoogleComputeEngineTemplateOptions.Builder.overrideLoginPrivateKey(String key) seem to work.
The documentation is pretty sparse - anyone know how to do it?
jclouds will create a key by default if you don't provide one. You could use the following to provide your auth private key and tell jclouds not to generate a new one:
TemplateOptions opts = computeService.templateOptions()
.as(GoogleComputeEngineTemplateOptions.class)
.overrideLoginPrivateKey(privateKey)
.autoCreateKeyPair(false);
I'm using ASDocs to make something like a "help" for my code and the problem is PRIVATE methods are omitted on ASDocs.
The thing is, on my project, I don't see any problems in change what is PRIVATE to PROTECTED. If I do that, the docummentation will be generated with everything I need.
So, the big question is: There's a problem have a project using only PROTECTED and PUBLIC methods and properties?
The problem that ASDoc omit private members makes sense. ASDoc used primarily to create documentation for API. Private members are not accessible from outside the class and cannot be inherited. So question are you really need ASDoc for private members?
And answer for your question about using only protected members: it breaks encapsulation, so it will be not good decision.
I know that in RSA algorithm a Public key is used to ecrypt data which can be decrypted using only the private key.
When a digital certificate is signed the hash of the certificate is signed using the private key of the RootCA and during validation the public key is used to verify the hash. In this case signing means encrypting. Also, sha1RSA algorithm is one of the algos used for signing a certificate.
Thus private key used for Encryption and public key used for Decrytion of the Hash ?
Is this possible using RSA or I understood wrong?
This is quite logical. Private key is known only by owner and public key is known by everyone.
When doing asynchronous encryption, it's important that everyone can produce encrypted message (by using public key), but only recipient (private key holder) will be able to read the message.
When doing digital signatures, it's important that everyone can verify signature (by using public key), but only creator (private key holder) will be able to produce it.
The environment of my application: web-based, Spring MVC+Security, Hibernate, MySQL(InnoDB)
I am working on a small database application operated from a web interface. There are specific and known users that handle the stored data. Now I need to keep track of every create/update/delete action a user executes on the database and produce simple, "list-like" reports from this. As of now, I am thinking of a "log" table (columns: userId + timestamp + description etc.). I guess an aspect could be fired upon any C(R)UD operation inserting a log row in this table. But I am not sure this is how it should be done.
I am also aware of the usual MySQL logs as well as log4j. As for the logfiles, I might need more information than what is available to MySQL. Log4j might be a solution, but I do not see how it is able to write to MySQL tables. Also, I would like to have some associations preserved in my log table (e.g. the user id) to let the db do the basic filtering etc. Directions on this one appreciated.
What would you recommend? Is there even any built-in support in Hibernate/Spring or is log4j the right way to go?
Thanks!
Log4j is modular, you can write your own backend that writes the log into a database if you wish to do so; in fact, it even comes with a JDBC appender right out of box, although make note of the big red warning there.
For Hibernate, you probably can build something on the interceptors and events that keep track of all modifications and log them to a special audit table.
Have you looked into using a MappedSuperclass for C(R)UD operation logging?
#MappedSuperclass
public class BaseEntity {
#Basic
#Temporal(TemporalType.TIMESTAMP)
public Date getLastUpdate() { ... }
public String getLastUpdater() { ... }
...
}
#Entity class Order extends BaseEntity {
#Id public Integer getId() { ... }
...
}
In case you go for logging solution and looking for doing it yourself, try searching for JDBCAppender, it's not perfect but should work.
In case you want off the shelf product for centralized logging - consider trying logFaces - it can write directly into your own database (Disclosure: I am the author of this product.)