In this path: %APPDATA%\Roaming\Microsoft\Crypto\RSA
Keys are stored there but I can't make use of them. When I open them in a HEX EDITOR, I can only see parts of it, the remaining parts seems to be encrypted via CryptoAPI. How do I decrypt it?
Note: This key in particular was not created by an application I developed. I did some research and it seems CryptoAPI uses DPAPI to protect them. Any ideas?
Thanks!
You can look at the code at this site. They provide code to decrypt these certificates (which are used for EFS, among others). You do need the user password for Windows.
Related
Keep in mind that I'm very new and lost when it comes to coding.
I'm trying to generate a temporary for a smart lock that uses the Tuya App using Postman.
I am currently stuck on the password as it requires it to be encrypted.
password requirements from tuya
It says that i need to decrypt the "ticket_key" (which i manage get through the "Get a temporary key for password encryption" request) using the "accessKey". Can anyone help me locate this accessKey and explain how i am supposed to encrypt and decrypt (do i need to create a program for it or is there one already available).
Thanks in advance!
I tried using ChatGPT to write me a program that encrypts and decrypts but didnt manage to get anything usable out of it.
This has puzzled me for a while now. I don't have a broad understanding on encryption, but I understand the principle.
For the sake of an example, let's assume I have a program whose sole purpose is to post a random user's input to my private facebook profile. Now to do this, the program must have my login information to facebook (if this is not the case, assume another third-party application). This information, or credentials, must be stored somewhere, since the program's post method would be done without administration.
I know it is a bad policy to store the login credentials in the code as plain strings, as the compiled code can be decompiled and my credentials would be readable. The recommended solution is to store them in a separate file, encrypted.
As far as I understand, the encryption / decryption needs a key that also needs to be stored somewhere. Can't this key and the encryption algorithm be read from the decompiled code and used to decrypt the credentials?
Is the benefit of storing the credentials encrypted based on the extra step on decompile-decrypt, or have I drastically misunderstood something?
There are 2 ways one could check supplied credentials when you have encrypted version:
Decrypt the encrypted version; this would obviously require storing the tools necessary to decryption, which is unsafe
Encrypt what you are trying to check, and see if it matches your encrypted version. This does not require the ability to decrypt anything.
I have read about aspnet_regiis for encrypting web.config sections in an ASP.net project, but I am confused how this works since the decryption key must live in plaintext on the actual server somewhere.
I would ideally like to use AES for encryption, but this requires adding the aes key to the web.config in plaintext itself, which seems useless to me. (from https://stackoverflow.com/a/8777147)
Perhaps I am missing something.. can someone explain how this encryption process is actually secure?
aspnet_regiis encryption is easy to decrypt if you are able to login to a session on the machine and have access to the key.
This protects against a scenario where someone can view the file but cannot login to the machine and a scenario where the decryption key is correctly ACL'ed to a known set of users.
Under the hood it uses DPAPI and machine context specific information. I believe you can also encrypt using a user profile in which case no other user can decrypt it.
Here are some useful links:
http://weblogs.asp.net/owscott/archive/2005/07/29/421063.aspx
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
You must create a key first and than use this key in your web.config
An detailed explanation can be found here: msdn microsoft
the one under web farm scenario's is the most practical.
I think it's useful to encrypt them if you have a lot of passwords etc. in the web.config.
I have 2 fields that I need to encrypt in a SQL Server database, a password and an ID number. I'm thinking on Rijndael and I've already got the scripts to encrypt/decrypt and will use machinekey for the public key.
The ID number will have to be able to be decrypted from 2 different apps, a web app and a console app that live in the same server.
What approach should I take for the machinekey? Should I create one using a tool like this one:
http://aspnetresources.com/tools/machineKey
Or should I just autogenerate them in the 2 apps web.config files as:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="AES"/>
What's more secure? Or is there a more secure way? I read something about DPAPI which uses the actual machine's key?
First of all don't encrypt password field. Encrypting password is bad, someone gaining access to the key can decrypt all of your passwords so use Hashing. The algorithm you use for hashing i recommend should be bcrypt.
Secondly for encryption of ID use AES 256 bit algorithm and for storing encryption keys use microsoft solution that uses cryptoutility component which uses DPAPI (see:https://msdn.microsoft.com/en-us/magazine/cc163884.aspx). Donot store keys in the code anyone having the access to code can find that key and also you won't have any auditing capabilities related to who accessed the key and changed. Also storing in-process dll is bad that presents several security risks.
I'm wondering how to encrypt my password column in SQL Server 2008. I've read this article, but I still have no idea how... is there an easier to understand tutorial? Thanks!
The usual practice is to store a hash of the password. Like:
HASHBYTES('SHA1', convert(varbinary(32), #password))
With a hash, you can verify if the password matches, but you don't know the password itself. So even if a hacker gains complete access to your database, he still does not know the passwords.
There are many tutorials on the web.
You should instead consider storing hashes of passwords instead of using encryption. In case you are unaware of the differences, a hash (also called a one way hash) takes an input and produces gobbledygook (called a hash) such that for the same input the same gobbledygook is produced. Authentication works by hashing what the user entered on the client and comparing it to the gobbledygook in the db. If they match, the passwords are the same. Without getting into specifics, hashes can never be reverted back to plain text which is their protection. Encryption however involves creating a cypher such that if you have the decryption key you can revert the cypher back to plain text.
If you are using SQL Server and ASP.NET, you should look into Forms Authentication with the SqlMembershipProvider.
Explained: Forms Authentication in ASP.NET 2.0
SqlMembershipProvider Class
An Overview of Forms Authentication
Microsoft have made this super-easy with the snappily named
FormsAuthentication.HashPasswordForStoringInConfigFile.
http://www.adventuresindevelopment.com/2009/05/23/a-simple-way-to-hash-passwords-in-aspnet/