I'm trying to integrate a custom IdP for access to OpenSearch dashboard and in the process of creating request signing. For this, I need to create private key based on the algorithms mentioned in request-signing with or without a pass phrase.
If I understand it correctly, for request signing I need private key in any of the algorithms mentioned in the link (eg: RSA_SHA256). But, so far I'm unable to figure out how to use openssl or any other CLI based tool to create private key based on the algorithms mentioned in the link above ? Any help on how to create private key is much appreciated.
Regards,
Santosh
Related
Pretty basic question. When I create a key using google KMS, is that key public or private?
I need to develop an asymmetric key pair using HSM for a project, someone asked me, and I'm not crystal clear on that. Any help?
When you create an asymmetric key using google KMS both the private and public key are created. To retrieve the public key you can use the GetPublicKey API call. https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey
You cannot retrieve the private key from Cloud KMS. You can only access it via API calls for AsymmetricSign or AsymmetricDecrypt.
Usually, this story goes like "client encrypts using public key - server decrypts using the very-safely-stored private key'.
Well, I have the opposite issue.
In a mobile app, I am using a web service library, whose API requires 2 secret keys from my personal account of that service. Anyone having access to these 2 secret keys can basically use them to call the same service's APIs as if it was from my app. So, I definitely do not want to embed those keys in the app as a decompilation might easily spoil them.
So I thought I'd store those keys server-side, and send them encrypted with a public key to the app. Then, the app would decrypt them using the private key stored in the app itself.
I know it's still not secure, but at least, a simple man-in-the-middle attack or a binary decompilation analysis will not scream "Service API keys here, come and get them!". The intention here is just to make it harder for someone to get a hold of those keys.
Do you think this would be a good idea? Do you have any other alternatives?
The secure way to handle you private keys is to keep them on the server and never release them to the client.
For each approved action create a server endpoint (e.g. an AWS Lambda). The server endpoint knows the private keys, but the app just knows where the endpoints are. This restricts the functionality to only what you approve, but the endpoints themselves can be discovered and could be used by other people without going via your app.
The endpoints can use some authentication such as JWT Bearer tokens (see https://www.jsonwebtoken.io/ ) to ensure they are only used by the application, but this requires server side knowledge of who is registered with the app.
Alternatively, if the private keys cannot be used for actions you do not want your application users taking, is it worth protecting them?
There are good reasons for aiming to make things hard but not secure, for example, the cost of creating all those endpoints I mentioned vs the risk of someone abusing the private keys. Unfortunately that means someone agreeing to a compromise and I can't advice you on the best compromise.
Hi Hyperledger Experts:
In some cases, some organizations in a channel have the requirement to encrypt their data on the fabric network. Please refer to https://hyperledger-fabric.readthedocs.io/en/latest/chaincode4ade.html#chaincode-encryption . And the AES encryption key and decryption key are needed.
So there is a need to store some organizations' encryption key and decryption key. The fabric documentation also mentioned "If you encrypt the data then you will need to provide a means to share the decryption keys". Please refer to https://hyperledger-fabric.readthedocs.io/en/latest/Fabric-FAQ.html
So the question is: what is the advisable way to store the AES encryption/decryption keys? Where to store them?
Apart from fabric network, do we need a separate centralized database to store them? Or can we directly store them on fabric network, and only let specified organizations to get them? Thanks very much!
I'm not an expert in data security but I believe your problem can be solved using Private Data present in hyperledger fabric framework itself.
It is confidential data that is stored in a private database on each authorized peer, logically separate from the channel ledger data. Access to this data is restricted to one or more organizations on a channel via a private data collection definition. Unauthorized organizations will have a hash of the private data on the channel ledger as evidence of the transaction data.
Refer to docs to understand how to use this to store your AES keys.
If I am storing something in Firebase and the key of that is something like -L1gMGVKaj-qU8O05eeT, is it safe to create public URLs like http://example.com/item/-L1gMGVKaj-qU8O05eeT?
Is it safe to distribute internal push keys to public, provided that proper database rules are in place?
There is no security issue in using push ids/keys in public URLs provided that your credentials (e.g. Server Keys or Service Accounts etc) are safe and not viewable.
However if you want that users should not be able to guess other push ids/keys then you should check this Answer
You can create your url using the keys generated by firebase on basis of timestamp. But it will not be user friendly. you can convert the key to unix timestamp and then use it for url. Look at this answer
I am currently using IBM Softlayer Object Storage. I'm wondering whether there is some encryption at rest (as a service) option? For example, does Softlayer manage encryption keys in some way (the way AWS does for instance with I AM), or does it provide an easy way to automatically encrypt what is uploaded through the Object Storage API?
What I know there is not such way to automatically encrypt the data uploaded, you need to encrypt your data prior to upload it.
Just in case you can look for documentation which could help you here: http://sldn.softlayer.com/reference/objectstorageapi
Regards
Not a good question for SO, but for education's sake there is a new public cloud IBM Object Storage that is based on Cleversafe, and all data is encrypted at rest by default.