Keep in mind that I'm very new and lost when it comes to coding.
I'm trying to generate a temporary for a smart lock that uses the Tuya App using Postman.
I am currently stuck on the password as it requires it to be encrypted.
password requirements from tuya
It says that i need to decrypt the "ticket_key" (which i manage get through the "Get a temporary key for password encryption" request) using the "accessKey". Can anyone help me locate this accessKey and explain how i am supposed to encrypt and decrypt (do i need to create a program for it or is there one already available).
Thanks in advance!
I tried using ChatGPT to write me a program that encrypts and decrypts but didnt manage to get anything usable out of it.
Related
I am writing a python script that sends a get request to a router. The problem is that the user and password are exposed to all in the script. I have seen multiple methods for dealing with this problem(using environment variables, reading credentials from a file) but these methods have not satisfied my needs. I would like that only a local admin user could have access to the file or variables that hold the user/pass values.
So I solved this problem by encrypting my credentials with a permanent fernet key using the cryptography library. The permanent key is in a file in the same directory as the main code as well as the encrypted credentials.
Thanks for the suggestions.
I want to encrypt the password sent from client side. I found crypto-js which provides AES implementation. My question is that if i use a "passphrase" for encryption, will anybody who can view the source of the page can also see my "passphrase" too ? If i have the wrong concept please help me clear it.
No, you cannot just read the password if it is not stored in JavaScript.
However, in almost any case where the JavaScript code can be read, the JavaScript code can also be changed. And if you cannot trust the code, then all bets are off - the password may be send to or retrieved from anywhere.
Take for instance an internet cafe. You connect to "coffeeplace.com" but you're actually logging on to a hoax service. In that case any unprotected connection can be altered. If the hoax service has obtained a rogue CA certificate then this is even true for HTTPS connections.
If you want to protect a password you should send it over a HTTPS connection. If you want application level security on top of the HTTPS transport security then you could encrypt the password using a public key; the server can then later decrypt it with a private key.
Application level security is useful if you want to store the password (hash) securily on your servers for instance. You could then later process the encrypted password using a service in the back-end.
To answer your actual question: Yes, everyone will see the passphrase.
But really, do some research on:
password hashing: Do you really need to know the plain text of user's passwords?
why using javascript for crypto is a really bad idea in almost all use cases.
Information security in it's whole
or please leave information security to people who know their turf. You are quite probable to introduce new problems, because crypto is hard, even with all the best intentions.
This has puzzled me for a while now. I don't have a broad understanding on encryption, but I understand the principle.
For the sake of an example, let's assume I have a program whose sole purpose is to post a random user's input to my private facebook profile. Now to do this, the program must have my login information to facebook (if this is not the case, assume another third-party application). This information, or credentials, must be stored somewhere, since the program's post method would be done without administration.
I know it is a bad policy to store the login credentials in the code as plain strings, as the compiled code can be decompiled and my credentials would be readable. The recommended solution is to store them in a separate file, encrypted.
As far as I understand, the encryption / decryption needs a key that also needs to be stored somewhere. Can't this key and the encryption algorithm be read from the decompiled code and used to decrypt the credentials?
Is the benefit of storing the credentials encrypted based on the extra step on decompile-decrypt, or have I drastically misunderstood something?
There are 2 ways one could check supplied credentials when you have encrypted version:
Decrypt the encrypted version; this would obviously require storing the tools necessary to decryption, which is unsafe
Encrypt what you are trying to check, and see if it matches your encrypted version. This does not require the ability to decrypt anything.
In this path: %APPDATA%\Roaming\Microsoft\Crypto\RSA
Keys are stored there but I can't make use of them. When I open them in a HEX EDITOR, I can only see parts of it, the remaining parts seems to be encrypted via CryptoAPI. How do I decrypt it?
Note: This key in particular was not created by an application I developed. I did some research and it seems CryptoAPI uses DPAPI to protect them. Any ideas?
Thanks!
You can look at the code at this site. They provide code to decrypt these certificates (which are used for EFS, among others). You do need the user password for Windows.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am using jQuery Ajax to login a user. Right now, I use JS to grab the values from the username and password textboxes and send them to a aspx page which checks the credentials. It then returns JSON letting the user know if they are logged in or not. Everything works well, but I noticed while using Firebug that the password was being sent in plain text.
What is the best way to encrypt the password? (BTW, I am not on a HTTPS server)
Bcrypt could be your friend. And there is also an implementation in Javascript named jsBCrypt. I highly recommend reading this insightful article: Storing passwords in uncrackable form.
But: Be careful! If you do not use SSL or a server provided nonce, you may be vulnerable to man in the middle attacks. If someone reads the (unencrypted) traffic between your client and the server, he gets the encrypted password. And it is enough for him to use it to authenticate against the server whenever he wants without knowing the real password..
you want to use https. Note that even if you do, you will still see the unencrypted values in the browser, because when firebug grabs the data (either way) it has not been encrypted/decrypted yet.
I really think biting the bullet and setting up https is the way to go. It is well-vetted technology. If you want to roll your own, its not going to be secure, and you are going to have to do a lot of work on both the client and server.
Why not using sha1 ( http://www.webtoolkit.info/javascript-sha1.html ) and hashing password before sending it?
You should store passwords hashed in database too. So it will be a good practice, if you store it in plain text.
It is possible to do this via Ajax by using multiple tools. I have personally done this for the logon of a database app. Unfortunately, I don't know of a single solution to accomplish this. And ultimately, the best solution is to use a SSL certificate. But I have seen times when you need to stand up an app securely before having the SSL in place.
Bcrypt is definitely the more secure way to store a password in a users database, but this applies to the backend, not so much the Ajax part. If you were to use Bcrypt in the client/browser, the encrypted string is still being passed over the internet insecurely.
The solution I recently built uses RSA encryption and AES encryption between the browser (in JavaScript) and the server (in my case, an ASP.NET site).
The flow works like this:
Client asks server for RSA public key.
Server sends back RSA public key and keeps RSA private key.
Client creates an AES key and encrypts it with the RSA public key.
Encrypted AES key is sent back to server and kept in memory.
Now Ajax messages can be transmitted both ways securely.
Each side now securely knows the AES key for encrypting and decrypting.
I wish there was a one-stop solution to do all of this, but I'm unaware of one at this time.
The libraries I used are:
https://code.google.com/p/crypto-js/
http://www.bouncycastle.org/csharp/
http://bcrypt.codeplex.com/