Intersystems Caché - Class for Data Encryption - encryption

I wonder which class is the class that I use to encrypt data (first time string data) and the best method of encryption (among those supported by caché). Must generate a strong encryption for data in my project.
Any help is welcome.
If someone can show me some example, I'll be even more grateful.

Please state what exactly do you want to encrypt. To encrypt the whole database, there is a setting in System Management Portal, this encryption is certified in US. To encrypt data transfers, you may use SSH (see %Net.SSH.*), HTTPS (see %Net.HttpRequest with Https property), and Web Services with WS-Security (see documentation). To encrypt just any string internally, see $system.Encryption.Help().

We use ensemble web services to serve up Base64 encrypted XML payloads to web portals and mobile apps in the healthcare field. The code we've implemented looks something like the below snippet, in addition to some other security features related to the web service.
Set sc = ..xmlData.XMLExportToString(.xml)
Set xmlReturn = ##class(%System.Encryption).Base64Encode(xml)
Quit xmlReturn

Related

How to encrypt a json string as JWE (Json Web Encryption) by using public key stored in HSM?

I want to encrypt a json data as JWE using a public key stored in HSM. I use .Net framework or .Net core libraries for Net.Pkcs11Interop.HighLevelAPI for communication with HSM.
I searched lots of sample java or .net core sample code but they all encrypted by local stored .cer/.pem keys. I only want to do this by using HSM and want to handle JWE encrypted format not a normal encrypted string result.
By default, the pkcs11Interop code wraps a PKCS11 provider. The default provider is simply a wrapper around either a minimal P11 implementation, or SoftHSM or something (I don't know). Instead, you would tell it to use the P11 provider supplied by the vendor of the HSM. Changing the P11 provider changes how the hardware is accessed, but otherwise does not change the behavior of Interop.
But other than that change, there will be no difference in the outer code (the code that is using Interop), except maybe at the user auth (C_Login in PKCS11-speak), as different vendors may have slightly different capabilities there (dual control, MFA, etc).
I would look for the HSMs provider and add that to your search terms. Possibly there is an integration guide available, assuming there is something truly weird about the vendor's Provider implementation. Most HSMs are using P11 the standards-based way (most of the Vendors are on the P11 standards committee), so assume that if an integration guide is provided, it will be very short, and very probably work with another vendor's implementation with little or no change :)
Disclosure: I work for an HSM vendor, it does work with Interop, and no, we don't have an Integration Guide dedicated to support of Interop.

Webauthn for encryption

We have a project with a PWA where we want to implement client sided encryption. We wanted to use Webauthn as a second-factor in combination with passwords. In the background we use a randomly generated key to encrypt/decrypt the database, which is stored symmetrically encrypted with the password on the server. However I am struggling to find a good way to add encryption to this key with webauthn. My tries so far:
Using raw JS samples from https://webauthn.guide , however I cannot find a part which is always the same and could be used for symmetric encryption/decryption, even the public key changes when logging in with the same USB token multiple times (???)
Using fido2-lib from npm: I couldn't get the sample to work, since the sample is not well documented and pretty long
Using server-sided authentication like spring webauthn, however I do not want the server to know anything about the client.
Any suggestions how I could implement an encryption with webauthn?
The protocol as it stands does not provide generic public key crypto services as far as I am aware. The best you can do is prove that a user is in possession of the private key related to the public key you hold.
You can learn from the following github repo ,it has many Webauthn out of the box examples (see the tech it supports inside)
Here are some samples I found at github https://github.com/OwnID/samples
In addition,I read about FIDO ,Webauthn and passkeys at passkeys.com
Everything about this cool tech is there
Years after this question, the hmac-secret extension has arrived.
This extension binds a secret to a Webauthn credential. This secret can be used to decrypt or encrypt data on client side.
Another approach could be the use of the largeBlob to store a secret generated during the creation ceremony.
Note that the availability of those extensions depends on the authenticator that is used and may fail.

unprotect data with password using .net core DataProtection?

My case is that I want to make the data protected even from people who have access to the back-end (the keys store), so they couldn't read it without the user's (represented by the client app, in my case the browser) assistance.
One option is to have the decryption keys stored on the client and passed with each request which sounds pretty messy to me and i'm not sure I want my keys to wander around the net like this. What I imagine though is that the client will keep some token (it might be a password the user knows) and the decryption can't happen without it.
I thought about using the purpose string for this, I have the feeling it is not a good idea since its main purpose is isolation. On the other hand it is part of the additional authenticated data used for subkey derivation. (based on this article https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/subkeyderivation?view=aspnetcore-2.1#additional-authenticated-data-and-subkey-derivation).
I came across some examples that create their own symmetric encryption with a lower level classes. (like this post Encrypt and decrypt a string in C#?). Since I'm not an expert in this area I would like to use as much build in classes as possible.
What is the recommended way to achieve what I need with the classes from the Data Protection API? (I'm using .net core 1.1 on Ubuntu)

How can I use RSA to Encrypt/Decrypt ASP.Net Forms Authentication Ticket

Istead of using FormsAuthentication.Encrypt / FormsAuthentication.Decrypt, is it possible to use an existing RSA container in the machine key store to do the encryption/decryption of the ticket.
The reason is that the ASP.Net application I'm developing is meant to be used in multiple load balanced servers. Hence I need to copy the machine key onto all web.config files in all the machines. Since we are already using Asymmetric Encryption (RSA) for another purpose, we have automated installing a common RSA key container in all the servers via a bat file and key container xml. Since this mechanism is in place I want to use the same RSA key container to encrypt/decrypt the forms auth ticket too.
Is this possible? If so how do I override the existing behaviour to achieve this.
If its possible then do you see any disadvantages of using RSA instead of the standard encryption?
Yes, but it would require some work.
You will need to override/replace the standard authentication module that ships with .NET and replicate all the existing functionality with the exception of calls to the RSA Encrypt/Decrypt methods you want to use instead.
See http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.encrypt.aspx
You will also need to edit all the standard builtin login pages if you are using those.
As a template, inspect the source for the FormsAuthenticationTicket and you will see how the string is constructed that contains parameters such as UserID, Expiry Date etc, and then pass that string into the Encrypt method, which in turn is then used as the cookie value.
Your new auth module will then have to reverse that encryption and validate the user as before.
It's a fair amount of work for relatively little gain, depends on how badly you want to use RSA over the standard encryption methods used (they already offer some powerful encruyption methods right out the box see http://www.sourcetree.net/sourcetree/Development/Aspnet%20Examples/GenerateMachineKeyForWebConfig.aspx)

asp.net Generating RSA public key pair without a key store

I have to do some secure communication between a windows service and an asp.net website. In the asp.net website I am generating a key pair, sending my public key to my windows service and then receiving the encrypted message from my service and decrypting with asp.net.
The first problem is this.. The user profile is not created in asp.net so I must use RSAParams.Flags = CspProviderFlags.UseMachineKeyStore;.
This doesnt work in my hosting provider because I do not have access to my machine store.
I think my solution would be to generate the key pair in memory and never use the keystore, is this possible?
Checkout http://www.codeproject.com/KB/security/EZRSA.aspx Exerpt from the article:
"Help! What do we do?? A bit of Googling around, and a quick email to our (excellent) Web hosting providers Liquid Six, revealed that the reason for this lies deep inside the Windows crypt API, on which RSACryptoServiceProvider is based. Essentially, to allow scripts to load up their own private keys would compromise the security of the Windows key store, so all sensible Web hosting providers turn it off lest a rogue script steals / overwrites the hosting provider's own private keys. This strikes me as a major snafu in the Windows crypt API but there you go. I guess we're stuck with it.
Some more Googling turned up two essential resources: Chew Keong TAN's most excellent BigInteger class and some LGPL 'C' code to do the requisite calculations and PKCS#1 encapsulation from XySSL (originally written by Christopher Devine). These resources were particularly useful to me because (a) the ability to manipulate numbers with hundreds of digits is a specialist area, and (b) I hate ASN.1 (on which the PKCS#1 format is built). The calculations themselves are deceptively simple.
A day or two of stitching and patching later and EZRSA was born. EZRSA does pretty much everything that RSACryptoServiceProvider can do but entirely in managed code and without using the Windows crypt API. As a result, it will run anywhere, no matter what trust level your Web hosting provider imposes on you (which is what we needed)."
Hope it helps!

Resources