I am building a DApp where I want to add a message to all the blocks that shows that the blocks are created by the same company i.e my website and no one can replicate that message. So, I think the best way is to add a message to every block that is encrypted using the block's private key and anyone else can decrypt the message using the block's public key. Is this possible? If yes, then how? I am using web3.js and solidity.
P.S- I know the concept of digital signature it is pretty much the same...but in my case I don't want to verify the user who has signed the block but I just want to verify if the block is from my website or not.
Related
I am using this great encrypt/decrypt package.
It encrypts data before prePersist and decrypts is automatically postPersist.
At one part of my project I need the plain (encrypted) value from the database, is that in any way possible?
I identified this (processFields) as the right function to change I believe, but what do I have to do?
I changed Line 277 to $entity->$setter($getInformation); but 1. that means NONE of the values are decrypted, and 2. it does not seem to have any effect though.
How do you retrieve the data to be decrypted? IF you use standard DQL, when hidratate the object you have the plain data. Otherwise you need to do by yourself thru the exposed service, something like, example in a controller:
$pain = $this->get('ambta_doctrine_encrypt.encryptor')-> decrypt($encrypted);
Hope this help
I know that in previous versions of signalR I have ability to manage connectionId values using IConnectionIdFactory or IConnectionIdGenerator. Now for this purpose HubPipelineModule exists but I have no idea how to use.Can anybody share link or provide simple example? Thanks.
You can't choose a connection id (that interface has been long removed from SignalR) but you can associate a UserId with one or more connections using an IUserIdProvider (by default it'll use the current' user name).
This sample shows how you register and author one of these:
https://github.com/DamianEdwards/SignalR-2.x-demo/blob/master/SignalR2x/Web/Startup.cs#L17
https://github.com/DamianEdwards/SignalR-2.x-demo/blob/master/SignalR2x/Web/Startup.cs#L28
We have several web applications that create a shopping cart, save it to a database, then redirect to a centralized web application to process and accept payment for the shopping cart. Right now, we are using GUIDs for the shopping cart IDs and passing those GUIDs in the querystring to the payment application. We are using GUIDs so that a user cannot easily guess the shopping cart ID of another user and simply plug that ID into the URL.
Now, using GUIDs in the database is bad for indexing and using GUIDs in the URL does not truly prevent a user from accessing another cart. However, using passing integers around would make it too easy.
What is the best and most secure way to pass the IDs from the individual applications to the centralized payment application?
I know that some people may say, "Who cares if someone else wants to pay for someone else's shopping cart?" However, we have the same concern when passing IDs to the page that displays the receipt and that page includes the customer's name.
You could pass the ID as an integer along with a "token" which would be a (cryptographically strong) hash of the cart ID and a random secret string. The payment processor would know the secret so it could perform the hash itself and compare to see if it is valid.
For example you can use the following (untested) code to create the token:
public static string GenerateHash(long CartID)
{
string SourceText = CartID.ToString();
//Salt the source text (secret)
SourceText += "5E95C91F7F947BD92ACA2CF81C3ADBD9B563839D85EA69F9DEA5A2DC330D0F50";
//Create an encoding object to ensure the encoding standard for the source text
UnicodeEncoding Ue = new UnicodeEncoding();
//Retrieve a byte array based on the source text
byte[] ByteSourceText = Ue.GetBytes(SourceText);
//Instantiate an MD5 Provider object
System.Security.Cryptography.SHA1CryptoServiceProvider SHA1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
//Compute the hash value from the source
byte[] ByteHash = SHA1.ComputeHash(ByteSourceText);
//And convert it to String format for return, also modify for URL use
return Convert.ToBase64String(ByteHash).Replace("=", "").Replace("+", "-").Replace("/", "_");
}
Pass the result of this function, along with your cart ID, since a hash is a one-way function that cannot be reversed. On the payment processor you would call the same function on the passed in cart ID and compare it to the token.
This will prevent tampering with the query string yet allow you to use integers.
Had you thought of POSTing to the central system and passing the values that way? Then they wouldn't be visible in your query string.
If you have to pass the GUID in the querystring, you could encrypt it to make it a little more secure. It will add a little overhead, also, to your processing.
You could also tie the user's cart to a cookie, then the GUID wouldn't be visible in the querystring and would be a little harder to detect (although using fiddler or some other tool like that would show what's being passed up and down).
I'd stick the identifier in a cookie, some other header or, if you have to POST, as a hidden value (like Lazarus suggested). I'd avoid having it on the querystring.
I would use methods similar to the Anti Forgery Token in ASP.NET MVC.
http://davidhayden.com/blog/dave/archive/2009/04/29/AntiForgeryTokenInMVCFramework.aspx
EG. In addition to your GUID, save a random id in a cookie and in the db tied to a user. Each time the user makes a http request check that the cookie matches with the database. It would be hard to get both the GUID and cookie correct.
I want to export a RSA 1024 private-public exchange key pair from Machine-1 to Machine-2. I am using cryptoAPI in XP.
In Machine-1, I generated the key pair. I wrapped a session key which actually encrypts some real data. The key container name is "PAIR1".
In Machine-2, I wanted to unwrap the session key with the private key(which I generated in Machine-1). For this purpose, I wanted to export the key pair from Machine-1 to Machine-2.
I am aware of security flaws of exporting the persistent keys.
What I have tried?
I exported the keypair as a PKCS#12 -pfx file from Machine_1. When i imported it to Machine-2, the key container name has changed from "PAIR1" to nothing. My application requires the same container name to pick the right private key in the exchange key pair. Is it possible to change the key container name?
Will this work?
Wrap the exchange key pair with Machine-2's public key and import it to Machine-2. In this case, do think, the key container name will remain the same or will it change? I feel that this might be the right approach.
Edited:
The reason I asked this query is because I wrapped a session key with an exchange key pair (public key) and put the wrapped key along with the encrypted data in a medium at the server.
This medium will go-around different clients and will come back to the server. At this point, I will be decrypting my data with the unwrapped session key. This unwrapping needs the exchange private key.
I am doing this for a demo purpose and I cannot expect our marketing guys to perform key exchange etc. We wanted to show the client the security aspects and reduce the hassle of setting up things with our marketing guys.
Finally I exported the key pair and imported the same where ever I wanted though Ramsus approach is the right way of doing it.
The right way to do this, is to generate the keypair on machine-2, export the public key only, transport this to machine-1 and use it to wrap the session key.
How did you export and import the PKCS#12-file? Windows will usually add the key container name as a proprietary extension inside the PKCS#12-file, so it should have been transported together with the rest of the key pair.
To protect a web application from query string manipulation, I was considering adding a query string parameter to every url which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request.
Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this?
I am not particularly concerned about the 'ugly' urls for this private web application. Url's will still be 'bookmarkable' as the hash will always be the same for the same query string arguments.
This is an ASP.NET application.
I'm not sure this provides any sort of security. If a man-in-the-middle attacker wants to change the parameters, all they must do is change the query string and recompute the SHA-1 hash and send that request along to the server.
For example, the URL sent by the browser might be:
http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo")
If an attacker intercepts this, they can edit it in this way:
http://www.example.com/adduser.html?parameterA=bar&hash=SHA1("parameterA=bar")
Really, this boils down to the fact you can trust the hash only as much as the parameters themselves.
One way you could fix this would be if the user has a password that only they and the server knows, then it would be impossible for the attacker to recompute the hash if they change the parameters. For example:
http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo"+"theuserpassword")
But don't put the password as one of the parameters in the URL :)
It is important to note that this isn't the state of the art for verifying the integrity of messages passed between two parties. What is used today is a form of the Hash-based Message Authentication Code (HMAC) algorithm, which is pretty well described in HMAC, and definitively in RFC2104 and FIPS Pub 198-1.
My solution to prevent query string manipulation with no hash:
In the global.asax file
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
// I take the url referer host. (manipulating the query string this value is null or your local address)
string strRefererHost = Request.UrlReferrer == null ? string.Empty : Request.UrlReferrer.Host;
// This is the host name of your application
string strUrlHost = Request.Url.Host;
// I read the query string parameters
string strQSPars = Request.Url.Query ?? string.Empty;
// If the referer is not the application host (... someone manipulated the qs)...
// and there is a query string parameter (be sure of this otherwise nobody can access the default page of your site
// because this page has always a local referer...)
if (strRefererHost != strUrlHost && strQSPars != string.Empty)
Response.Redirect("~/WrongReferer.aspx"); // your error page
}
You might consider using this little open source library:
http://www.codeproject.com/KB/aspnet/Univar.aspx
It uses a unique key for each client computer and comes with many other goodies.
I think is a good idea to add a parameter with a hash of all the other parameters. It prevents radically the querystring manipulation, but you have to think about the problem that means use those URLs in other pages of your application, send those URLs to the public or use them in any printed way. You need to have a very good way to order and to have them at hand speccially if those pages are not dynamically created, or if you just need to add those URLs by hand.
I don't see any other problem about it. Some one may tell you that the hash can be calculated, but you can play with the order of the parameters obtaining different hashes and making very difficult to guess.
One major problem with this is that javascript would have to do client-side SHA calculations just to link to pages, this of course depends on how much you use JS but it shouldn't be unresonable to think that a get argument might include pageNo=1, and to have a 'jump to page' input box, this would be made difficult if you add a hash. You could store in a session (server side) anything that you really don't want manipulated.