security

Best practice to store client certificates?

我是研究僧i 提交于 2021-02-19 03:21:45
问题 I am building an app that requires mutual authentication. So I will enable my users to upload a bunch of client certs and when they make calls, they can use either of them. I will match the client cert from the incoming request to see if it matches any of the ones already stored, and if it does, the request will be honored. Now I'm trying to figure what's the best way to store these client certs. I was thinking I could store them in a DB, or some kind of file/blob store, or I've learned they

Is it possible to implement AES with a 64-bit I/O block size?

↘锁芯ラ 提交于 2021-02-19 00:40:15
问题 I'm working on an application with a very specific encryption requirement: We are required to encrypt/decrypt individual 64-bit values, to protect certain parts of our internal architecture from reverse engineering through our public web endpoints. The problem is, the existing 64-bit encryption methods (such as 3DES) are not secure enough to meet our requirements (as far as I know). They also perform slower than AES, which is another painpoint. My question is, can we feasibly implement AES

How does software activation work?

烈酒焚心 提交于 2021-02-18 21:49:51
问题 I have tried searching, and all questions are related to specific things like " how to generate key ", and the like. Can anybody explain how different types of software activation work? 回答1: In the most simplistic case, it is as maxwell5555 described. A registration code ("CD key") is sent to the user who enters it into the program or installer. The whole process can basically be done offline; the program itself locally determines that the code is valid or invalid. This is nice and easy, but

Java client call to Windows Integated Authentication web service

China☆狼群 提交于 2021-02-18 18:16:45
问题 I am writing a Java 1.5+ client that needs to fetch data from an IIS-hosted web service. I created a new web service client in Eclipse and used the Java Proxy client type and Apache Axis2 web service runtime when generating the client proxy. The web service itself runs on Windows 2003 and security is set to use only Windows Integrated Authentication. I have found many articles online that show how to connect successfully from a Java client to this IIS service, but everything I have seen seems

How to read a rsa public key file in java?

天涯浪子 提交于 2021-02-18 17:14:49
问题 I have a RSA public key file like this: -----BEGIN RSA PUBLIC KEY----- this is content -----END RSA PUBLIC KEY----- and i use java to read it: KeyFactory factory = KeyFactory.getInstance("RSA"); KeySpec spec = new X509EncodedKeySpec(bytesFromThisFile); // bytesFromThisFile is created and filled correctly PublicKey publicKey = factory.generatePublic(spec); then i get an exception: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format How to read the

Signing a string with HMAC-MD5 with C#

[亡魂溺海] 提交于 2021-02-18 12:35:09
问题 I got the following HMAC key (in hexadecimal format): 52320e181a481f5e19507a75b3cae4d74d5cfbc328f7f2b738e9fb06b2e05b55b632c1c3d331dcf3baacae8d3000594f839d770f2080910b52b7b8beb3458c08 I need to sign this string: 1100002842850CHF91827364 The result should be this (in hexadecimal format): 2ad2f79111afd818c1dc0916d824b0a1 I have the following code: string key = "52320e181a481f5e19507a75b3cae4d74d5cfbc328f7f2b738e9fb06b2e05b55b632c1c3d331dcf3baacae8d3000594f839d770f2080910b52b7b8beb3458c08";

How can I reproduce and prevent the Billion Laughs attack in Java?

江枫思渺然 提交于 2021-02-18 12:18:28
问题 After a bit of research here's a code sample I've come up that I think should be vulnerable to the Billion Laughs attack. However it doesn't seem to be working, Done. is printed to the console much too quickly (instantly from a humans point of view). import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.xml.sax.InputSource; public class BillionLOLs { public static void vuln(String xml) {

How to store secretKey in KeyStore and retrieve it

一个人想着一个人 提交于 2021-02-18 08:45:08
问题 I'm currently developing an android application but i'm expecting some issues due to storage and retrieving of a SecretKey into the Keystore This is my code: Here I generate the SecretKey and then save it into KeyStore, and use it to encrypt my data try { KeyStore keyStore=null; keyStore= KeyStore.getInstance(KeyStore.getDefaultType()); char[] passwordKS="network".toCharArray(); SecureRandom sr = SecureRandom.getInstance("SHA1PRNG"); sr.setSeed("any data used as random seed".getBytes());

Is there a way to shorten a java.security.MessageDigest generated value?

ぃ、小莉子 提交于 2021-02-18 08:19:24
问题 If I generate a message digest (for a security feature in my app) using this Java code: java.security.MessageDigest saltDigest = MessageDigest.getInstance("SHA-256"); saltDigest.update(UUID.randomUUID().toString().getBytes("UTF-8")); String digest = String.valueOf(Hex.encode(saltDigest.digest())); I end up with a really long string like the following: 29bcf49cbd57bbc41e601b399a93218ef99c6e36bae3598b5a5a64ac66d9c254 Not the nicest thing to pass on a URL! Is there a way to shorten this? 回答1:

How check programmaticallly TEE support on Android?

扶醉桌前 提交于 2021-02-18 07:47:06
问题 How check programmaticallly TEE support on Android? In a project we need check if TEE (Trusted Execution Environment) is supported in order to make a decision. Regards. 回答1: Android 7.0 introduced this feature: Key Attestation, which gives you more confidence that the keys you use in your app are stored in a device's hardware-backed keystore. but not perfect since only a small number of devices running Android 7.0 (API level 24) support hardware-level key attestation; all other devices