Generating consumer key/secrets for HMAC-SHA1 - encryption

I am looking for a programmatic way to generate consumer key/secrets for HMAC-SHA1 to be used by clients invoking our API over OAuth. Any pointers to existing implementations would be highly helpful.

Secrets are best when generated from random data. That way there is no external data which could help an attacker deduce or guess part or the entire key. Of course, it depends on how much protection your secret key needs. Java includes some random number generators in java.util.Random (since JDK1.0). If you don't have backward compatibility issues, Java 6 has java.security.SecureRandom which meets FIPS 140-2 requirements. The Java libraries are not truly random, but it is probably good enough for most applications. If you need better random data, you should go for a hardware-based random generator.

Related

File encryption using ECIES

I am currently trying to build a project (self-learning) which essentially is a website for sharing files (between two users). I want to encrypt a file (pdf) using ECIES (primary objective) and then send it to another user. My questions are:
How to encrypt a file at client-side?
How to send an encrypted file to a server (which language/library/technology)
As my questions suggest, I am a beginner in web development.
As you're probably already aware, you won't get much use on a website like that as it's really difficult to prove you're not performing a MITM attack. That said from a cryptography point of view the tech you should use/investigate is:
ephemeral:ephemeral elliptic curve Diffie-Hellman, using a strong curve with fast, constant time scalar multiplication such as curve25519/x25519, deriving a shared secret which can be used (by hashing the x co-ordinate with a strong hash function such as SHA-256, SHA-3 or Blake2b).
using the key agreed in step one, encrypt with a strong authenticated symmetric cipher such as ChaCha20-Poly1305.
There are tonnes and tonnes of options, perhaps if you wanted to try being decentralised, the website could help route users to each others public keys on IPFS.

Encryption at rest for RocksDB

I am exploring options to implement encryption at rest for RocksDB data which I am using in one application (that is, I don't have to store the key in the data, I can calculate it in runtime). Ideally, it should be DES.
Are there easy plugins or libraries specifically for RocksDB, or I will have to improvise?
There is nothing that I know of. In terms of implementation you have a few options:
Handle the encryption in your app. Rocks doesn't care what you store in it, just that keys are comparable. So you just need to design a sensible key encoding.
You could use the StackableDB feature of Rocks to implement something between your app and Rocks to handle the encryption. You would still have to design a key encoding for your data.
Look at how compression is implemented in Rocks try to implement something at that level if appropriate

Data encryption at rest in Java Application

I have a Java application (an ESB - Enterprise Service Bus) which deals with customer sensitive data and have a requirement of supporting Data encryption at rest in order to prevent data abuse.
The application stores customer data for processing on the file system and application interacts with it through java.io.File API. So basically, I need to encrypt the file before it is persisted on the file system by the application and then decrypt it before application reads it so that it can be parsed and processed.
Are there any good frameworks or libraries that can help me implement Data encryption at rest? I am planning to use PGP encryption/decryption for implementing Data encryption at rest.
I am looking for best and recommended approach for implementing Data encryption at rest within my Java application and any help shall be appreciated.
Why on Earth would you think pgp is the right tool for this? Seems to me that you only need a symmetric key solution, so pgp feels like the wrong answer.
Cryptography in Java is a minefield. Easy to do things wrong, hard to do things right.
Having said that, you have a better chance to not screwing up if you use BouncyCastle rather than something else. They have example code that shows you how to do various operations.
For encrypting data at rest, I recommend you use AES in either CBC mode or CTR mode. If using CBC mode, make sure you choose your IV in a cryptographic secure way (unpredictable). Also, never re-use an IV for any mode of operation.
You should also consider whether you need message integrity. General guidance about symmetric encryption here.
Even though people often get crypto wrong, the bigger problem is key management. That's a whole new can of worms (and don't be fooled into thinking pgp provides a solution to this: all it does is shifts the problem to somewhere else).

How big is the performance hit when using NSFileProtectionComplete with Core Data?

I am currently comparing multiple data persistence frameworks for iOS.
One important requirement we got is the possibility to encrypt the data we are working with. When using Realm there is an option to use encryption with the consequence of a 10% performance hit as you can read here
When using Core Data there are basically 3 Ways to encrypt your Data
Using iOS-Level Data Protection
SQLCipher
Transformable decryption
I would prefer to encrypt the Data on iOS Data Protection Level using the NSFileProtectionComplete Option on the File Manager.
My Question is:
How big is the performance Impact when using iOS-Level encryption? Are there any Statistics out there or do you have experienced a major decrease in performance? It would be really interesting to here about your experiences.
Thanks in Advance!
How big is the performance Impact when using iOS-Level encryption?
This would be a great thing to benchmark. Just like Realm's 10% overhead number, your mileage will vary based on the type of work you do, how many reads vs writes, the size of the database, the device's storage controller, etc.
I suspect that Apple has gone to great lengths to minimize the overhead of NSFileProtection crypto and would be surprised if it came close to Realm's 10% number.
More than numbers from micro-benchmarks, you should probably be more concerned with the features and limitations of each approach.
For example, NSFileProtectionComplete won't let you access a file when the device is locked, whereas SQLCipher and Realm's encryption let you access it as long as you have the encryption key. Also, if you export the file out of iOS, NSFileProtection won't apply there, so if you need to export an encrypted file, you should use SQLCipher or Realm's encryption.

J2ME Encryption Algorithm

I'm trying to develop my own encryption algorithm for J2ME mobile application with MIDP2.0.
But I don't have any experience in encryption algorithm, Guys please give ideas for me.
I would like to encrypt document and I need to maintain that document in resource directory, Thats why I need encryption from hacking others.
Don't. Crypto is highly specialised, and the smallest mistake can result in a weak cypher. There are plenty of good crypto algorithms out there, such as AES, Salsa20 and others. Use one of them. That also saves you the trouble of writing your own code since there are libraries available.
Read Bruce Schneier on amateur cryptography: Memo to the Amateur Cipher Designer and when you have read it, drop any thoughts of designing your own cypher and use one of the standard cyphers. AES-CTR + HMAC or AES-GCM are my personal preferences, YMMV.
a) I completely agree with rossum. Don't write your own encryption. It's really bad idea (one wrong step and it won't be secure at all).
b) I believe there is Bouncy castle encryption library (http://www.bouncycastle.org/latest_releases.html) which supports J2ME.
c) I recommend to read following article which gives information and examples for encryption/decryption of data on j2me (http://www.ibm.com/developerworks/java/tutorials/wi-encrypt/index.html)

Resources