I have got two application where one application receives the xml request and encrypt the field password and send the xml request to another application.
Another application receives the xml request and decrypt the field password using the same key.Is it possible to achieve it in Mule 4 without using java component. My request looks like below:
<test>
<username>camel</username>
<password>abcdef</password>
</test>
I think we could do this using this module (https://docs.mulesoft.com/mule-runtime/4.3/dw-crypto).I could see the examples for encrypting not for decrypting. It would be great if someone can help me with this request
The functions provided by the dw-crypto module are for creating digital secure hashes, not for encryption/decryption. Secure hashes are expected to be very difficult to reverse, and of course they are not useful to decrypt at all.
What you need is the Mule 4 Cryptography Module. There are examples of encrypting/decrypting in the documentation.
Related
I understand that WebauthN is designed to perform authentication, but I'd like to use my Yubikey to create symmetric encryption keys to encrypt content on my web browser without relying on a backend server.
Here's my approach:
During the assertion challange ( navigator.credentials.get({ publicKey }) ) the Yubikey signs a challenge string that the client sends to the authenticator.
I extract the signed challenge, hash it with SHA256 and use it as my new symmetric encryption key for AES256 encryption.
As long as the same challenge string is sent to the Yubikey, the encryption key will always be the same.
In order to be able to decrypt the content on the web browser. I would have to be in possession of the Yubikey and the challenge string for 2 factor authentication.
Is there anything wrong with this approach?
Why don't you use the Web Crypto API?
This API is designed for cypher operations on client side and is suitable for your use case (client side encryption). It is supported by all recent browsers.
Note that the main concern you may have is that this API does not supports hardware devices (smartcards, security tokens...).
However, your Yubikey is certainly capable of generating a secured static password you can use as a master key you will derive to encrypt/decrypt your data.
Perhaps you could leverage the hmac-secret extension (https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension)?
No. This is a bad idea for these reasons:
RS256/ES256 are not deterministic signatures. So you will get a new, random signature every time.
Even if you could, there are things like XSS, and this would be broken swiftly.
Use crypto API as mentioned above.
HMAC-Secret is reserved for Platforms at the moment. You can not access it via WebAuthn API.
In the future, there is a large blobs functionality, and largeBlobsKey... But this is a very long future...
You could (mis)use the user.id parameter of the public key request payload, i.e., the user object in the example here: Web Authentication API (example) like this:
Use Web Crypto API to generate a symmetric key
then use that key as user.id in navigator.credentials.create({ user: {id: YOUR_KEY } }) to store the key in the authenticator
store the returned key id/rawId somewhere in your application
To retrieve the key you can use navigator.credentials.get({ publicKey }) by supplying the rawId
We have a project with a PWA where we want to implement client sided encryption. We wanted to use Webauthn as a second-factor in combination with passwords. In the background we use a randomly generated key to encrypt/decrypt the database, which is stored symmetrically encrypted with the password on the server. However I am struggling to find a good way to add encryption to this key with webauthn. My tries so far:
Using raw JS samples from https://webauthn.guide , however I cannot find a part which is always the same and could be used for symmetric encryption/decryption, even the public key changes when logging in with the same USB token multiple times (???)
Using fido2-lib from npm: I couldn't get the sample to work, since the sample is not well documented and pretty long
Using server-sided authentication like spring webauthn, however I do not want the server to know anything about the client.
Any suggestions how I could implement an encryption with webauthn?
The protocol as it stands does not provide generic public key crypto services as far as I am aware. The best you can do is prove that a user is in possession of the private key related to the public key you hold.
You can learn from the following github repo ,it has many Webauthn out of the box examples (see the tech it supports inside)
Here are some samples I found at github https://github.com/OwnID/samples
In addition,I read about FIDO ,Webauthn and passkeys at passkeys.com
Everything about this cool tech is there
Years after this question, the hmac-secret extension has arrived.
This extension binds a secret to a Webauthn credential. This secret can be used to decrypt or encrypt data on client side.
Another approach could be the use of the largeBlob to store a secret generated during the creation ceremony.
Note that the availability of those extensions depends on the authenticator that is used and may fail.
I have used MachineKey.Encode to encrypt a ID that is getting passed as a query string to a page but as expected this is making the URL huge.
Is there a option such as HTTP handlers that could customize the url but still load the required page?
Also I am yet to find out if MachineKey.Encode is using the MachineKey that I have defined in my web.config file to encrypt the data, can anybody confirm this for me with web information that backs this up.
Thanks.
Also I am yet to find out if MachineKey.Encode is using the MachineKey that I have defined in my web.config file to encrypt the data, can anybody confirm this for me with web information that backs this up.
It does indeed use the configured keys. MachineKey calls MachineKeySection.EncryptOrDecryptData to perform the encryption, which uses encryption objects configured from the machine key section. If you want to see for yourself, the interesting calls are EncryptOrDecryptData=>EnsureConfig=>ConfigureEncryptionObject=>SetKeyOnSymAlgorithm
I created a wcf service that serves up an image as a byte[]. I have it functioning fine, but I’m not that experienced with authentication and encryption in services. The client is going to be displaying the image in their site. They requested username and password authentication and some form of encryption, but they seem flexible if there is an easier option that works good. They will only be sending a few parameters in the call,
I’ve been modeling my attempt after this, but from what I’m seeing in wcf, it has to be over an SSL layer if you do it this way because there is no encryption for the plain text soap headers containing the username and pass. I would prefer not to go the SSL route unless it's necessary.
I read that I could use negotiateServiceCredential="false" for a one-way communication, but I'm not sure a one-shot security mode is what I'm looking for. I can't seem to find a tutorial or scenario example similar enough.
if anyone might be interested... I'm using this guy's solution to model off of link, and it seems to be working good.
Basically, after reading some other posts on here, I got turned on to this book. Where I learned some more about how these services are generally setup. I decided on going with username & password authentication by creating my own validator class for the message security. This tag was a little tricky for me to figure out (in the web.config) but there is a lot out there to learn more about it:
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="YourService.MyValidator, YourService" />
If you use username for message security WCF requires you to secure the transport with a certificate, in this case an SSL. This is because the credentials are passed in plain text. The plus is that SSL hardware accelerators allow for fast message transmission, and I'm attempting to transport large files to the client.
The solution I linked to is a good walkthrough for any newbs like myself. A really helpful part was learning how to make temporary certificates to use for testing purposes using MakeCert. Just run this in a cmd:
makecert -r -pe -n "CN= compaq-jzp37md0 " -b 01/01/2000
-e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr
localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Where “compaq-jzp37md0” is the server name so you need to replace with your PC name
I wonder which class is the class that I use to encrypt data (first time string data) and the best method of encryption (among those supported by caché). Must generate a strong encryption for data in my project.
Any help is welcome.
If someone can show me some example, I'll be even more grateful.
Please state what exactly do you want to encrypt. To encrypt the whole database, there is a setting in System Management Portal, this encryption is certified in US. To encrypt data transfers, you may use SSH (see %Net.SSH.*), HTTPS (see %Net.HttpRequest with Https property), and Web Services with WS-Security (see documentation). To encrypt just any string internally, see $system.Encryption.Help().
We use ensemble web services to serve up Base64 encrypted XML payloads to web portals and mobile apps in the healthcare field. The code we've implemented looks something like the below snippet, in addition to some other security features related to the web service.
Set sc = ..xmlData.XMLExportToString(.xml)
Set xmlReturn = ##class(%System.Encryption).Base64Encode(xml)
Quit xmlReturn