I have a requirement to decrypt the SHA1 user password from Active Directory to Forgerock OpenIDM, using below java script I am able to decrypt the password in base64.
if (source != null)
{
var base64 = Packages.org.forgerock.util.encode.Base64url
b64tO = new Packages.java.lang.String(base64.decode(source));
logger.info("Decoded: {}", b64tO);
target = b64tO;
}
Could you please help me
I am expecting to decrypt the password from SHA1 to plain text and store it in Forgerock OpenIDM.
Decrypting SHA1 is not possible because it is not an encryption, but a hashing algorithm.
But there are ways so sync a DS password to IDM in cleartext during it being changed. You can use the plugin documented here for that: https://backstage.forgerock.com/docs/idm/7/pwd-plugin-guide/chap-sync-dj.html
Related
We are using PGP encryption to encrypt files before transfer. We are using the npm package OpenPGP.js to encrypt the files using a public key from the recipient. I have exported the public key in armored format to use with openpgp.encrypt function.
Here is the code to encrypt the file:
const publicKey = await openpgp.readKey({ armoredKey: key.publicKey });
const encrypted = await openpgp.encrypt({
message: await openpgp.createMessage({ text: readStream }),
encryptionKeys: publicKey
});
However the function call produces this error:
Error: Error encrypting message: Could not find valid encryption key
packet in key ea8be7d9f2fd53a7: elgamal keys are considered too weak.
The output of gpg --list-keys gives the following information
pub dsa1024 2010-07-23 [SCA]
ABCDEFGHIJK
uid [ unknown] my recipient <my.recipient#email.com>
sub elg2048 2010-07-23 [E]
I'm able to encrypt a file using GnuPG, but OpenPGP does not seem to like the public key. Is this error message valid? Do I need to request another key from the client, or is there a way to bypass this error message?
*Edit: After some research I have found that DSA-1024/(ElGamal-anything) is not safe anymore, so I'll probably have to request new keys be made.
OpenPGP implementations have different security considerations, and OpenPGP.js seems decided to reject DSA/ElGamal by default via this PR: https://github.com/openpgpjs/openpgpjs/pull/1264/files#
However it is possible to override this behaviour via config, examples are available in tests.
I'm starting with the JWT, and I did a decryption test of my token on base64 and I actually decrypt it, except for the Signature part that I don't decipher it, my question is: is the JWT token normal to decrypt it? and if it's normal how I can prevent this.
I'am using algorithm HS256
thanksgiving
What you have is not an encrypted token (JWE => RFC7516) but a signed token (JWS => RFC7515).
The algorithm HS256 is a signature algorithm referenced in the RFC7518 section 3.2.
With signed tokens, the payload is not encrypted but only encoded using the Base 64 Url Safe data encoding (see RFC4648).
I am working on a Grails application that uses the excellent Spring Security Plugin. The authentication happens through Oracle Access Manager which protects the application URL. So I just use the PreAuth filter and never had to worry about passwords. Until now.
There is another application that we need to integrate with (that manages freezer Samples and need user access management so that user's don't see someone else's samples) and uses LDAP. The said application exposes an API that takes in a username password and returns data based that user's access (there is no on behalf of user feature).
The problem is that I need to ask users for their passwords and send plain text password to that service. So hashing and encoding needs to be reversible and I cannot just compare hashcodes. Any suggestions on how to manage this in the best way possible?
I was thinking of using a random salt created on server (and cycle that like every 6 hours), encode the password and set it in a short life cookie, and decode it on the server when making the call to the external service. This way a potential attacker will need data from server memory and the cookies from user's system and I don't store plain text password anywhere. Just a naive attempt. Very open to suggestions.
So I hacked one of my apps to work like this:
In the User class: (Spring Security User.groovy)
static transients = ['springSecurityService', 'rawPassword']
//To bypass facebook users who log in via facebook
//we will back up original hashed password string
//log them in then save old password has by calling user.rawPassword=oldHash
//this will update underlying password with string hash value
void setRawPassword(String p) {
password=p
}
Then in the relevant service
//Get old password hash
def oldPassword=user?.password
String authPassword
if (oldPassword) {
def uid = user.password + new UID().toString() + prng.nextLong() + System.currentTimeMillis()
MessageDigest digest = MessageDigest.getInstance("SHA-256");
byte[] hash = digest.digest(uid.getBytes("UTF-8"));
def token1 = hash.encodeBase64()
user.password = token1
//Generate a random password
authPassword = token1
//Update user Password to be random Password
UsernamePasswordAuthenticationToken uat1 = new UsernamePasswordAuthenticationToken(user.username, authPassword, null)
uat1.setDetails(user)
SecurityContext context = SecurityContextHolder.getContext()
//Re-setAuthentication of springSecurity using new Password
context.setAuthentication(uat1)
if (oldPassword) {
//Now we are authenticated let's set back the original Hash as the hash we collected in oldPassword
//just before doing the hack
user.rawPassword = oldPassword
user.save(flush: true)
}
springSecurityService.reauthenticate user.username
}
This is rather an ugly hack to authenticate as a user without changing their set password (in the end) during process changed and changed back again..
I am not recommending it but it may be an easier option than what you have outlined
I am using the Argon 3 web browser with Vuforia's image tracking. I've taken the license key of my Vuforia application and encrypted it with the GPG Keychain. I've included relevant snippets of my index.html and app.js files here.
Whenever I load up my application, I get the error:
Vuforia: could not decrypt vuforia license JSON
Running it in the debugger shows:
Unexpected token VSyntaxError: Unexpected token V
at Object.parse(native)
...
index.html
<script id="license" type="text/plain">-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org
hQIMA3/IreB2WlL1AQ//WZ4evbtnP39ycrb5Z8fa1U0ugbjGOfVA1h0nhgye3IhF
UMRcDF4nJ/+LKYzcePI7orjwjfedTKfX3oVrqb8focLoQvBKwG6bgRhAIr9oTwtO
uXXOVeZFo9iCnEicwGvGtdgUVv/EQHl/VIstLg3+aEtV3Xpjnlx7r2VbUp9L7iEp
mhaTLVpAcgWyqyPYN3QoEbBEtjdRKnHAogb268ZKEWSVjtcDo9NQCI/Lfb+3ghZS
mBVxr3d4Jtb8mcpOYeUfMilD5BuzelhciJb0PPFVdj/JmcVpDsFNNX/FvFNIlm0c
qH64s+ByHGiCGcQeAJx/ZAF9cTjBYDk3HZLlPWHOD7rA1roHLujN/yf3UpLkBFFn
jEj/MMO3KSWJUAXVs+vNpThgqwgIDPeuV9nKH5QeQORpKp3zOVVsXGGYxbVY7sDl
3sbXTYghhE5XM21t4/A/iFwJxB1ndqbhfiA/kdQwsKAb17OdBVzldQ1Wh/JouTFB
m1ETnviMDKZYw7a9yiavvCjjxJHedmQNPWJVJBiOeHvGZLOpdV47TZwiXLs6dsqJ
NxB0352AOw4v66nk6RMUwclAhiz4ll0xQIPTWQpjIjOhf7COK1jFXUs+PDS21MVq
1nwjDDAjKsfj4dxPbzJUGuQwaNqI/Jg7BqhVxo/uZxtvw9c+ERcHdMY9EnK6aMLS
wSABq1kaId5VF5ccHO999AKWrB9IIhpahlFRi3asU62Cz4DZ6XqbiTDTFpmX1ZG0
6JynBv4+H/SH45TPgsBMs6IMgWPrGxTmpipte6W2X98lf5ogzWnSOGv5J7BDYtLz
0GruiAjcIOpneDx4x+i5gh/0GjBIM1ZlaHhW3Gl+zxRj8X2vhoGXFg/qB5YKk05T
womuhvDCGbO0fO1oSlZP+1kjqfsyN8k67LyWwjVvuoGfwrv3WS4dwVTB6YlCKM6l
LH1GcHmkdBVTFHQsltzbeIllcJ2QLSqWRIfPeB0eIAMh9G8P8397I9fWznBGGIz6
lXlH3AF50+cwruWTpv0Jnjyd+n3wGc14UFgaEgjWFCK04OOaZVUuRuJG900VT2qV
Nh8y9KsdTMGkVfU25BA8k04Vi6IKDnl2vbQWnYCs5wsFfj/e2/5B4Ixx7ekjgi5/
vylNv8t12ollHapJ5zSx7KzyV77N3Gam6PrORovx6evIEe+fXnPJoZkMrNRbKv/Z
uH5DMZQU3CW+Dy4hS4VEmRSM5hFa5SM7GrDAAtxsBoY2oX0AJYKs1RyhzokQCN9O
bV1qkcfW+6kKLq3HbNsMJ45ya2mcXZNaXa+JDeRE22U0csrJSsU4M5us9wZc6XiM
DuQ=
=qaTl
-----END PGP MESSAGE-----
</script>
app.js
// Tell Argon that we need Vuforia for image tracking
Argon.immersiveContext.setRequiredCapabilities('Vuforia');
var encryptedData = document.getElementById("license").text;
// initialize Vuforia with our license key
Argon.Vuforia.initialize({
encryptedLicenseData: encryptedData,
startCamera: true,
}).then(function(api)
{
// load, activate, and use our dataSet
api.loadDataSetFromURL('./auburn_map.xml').then(function (dataSet)
{
dataSet.activate();
setupStreetCar(dataSet.trackables.streetcar);
}).then(api.startObjectTracker)
.then(api.hintMaxSimultaneousImageTargets.bind(api, 2));
});
I am unsure of what to do from here. Any help would be greatly appreciated.
Edit:
I encrypted the JSON file using the GPG keychain. I created a new keypair with the email "secure#argonjs.io", went to my JSON file, highlighted the text, selected that I wanted to encrypt and did NOT sign or encrypt with password.
How did you encrypt this JSON file? You need to encrypt with the secure#argonjs.io public key, and do not sign it or encrypt with a password.
Say a user submits their credentials using basic authentication. I have a custom message handler that retrieves the credentials from the header:
protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
System.Threading.CancellationToken
cancellationToken)
{
try
{
// Request Processing
var headers = request.Headers;
if (headers.Authorization != null && SCHEME.Equals(headers.Authorization.Scheme))
{
Encoding encoding = Encoding.GetEncoding("iso-8859-1");
string credentials = encoding.GetString(Convert.FromBase64String(headers.Authorization.Parameter));
string[] parts = credentials.Split(':');
string userId = parts[0].Trim();
string password = parts[1].Trim();
// TODO: Authentication of userId and Pasword against credentials store here
I'm wondering - when I actually authenticate the userId and password here, I'm tempted to compare the plaintext from this method to plaintext stored in the database, but I know this is insecure. Should I be hashing both the plaintext from the header and credentials stored in the database to compare indirectly?
If so, it seems like the credentials are in plaintext in the messagehandler, before they get hashed. Does this present any kind of security vulnerability, or is it ok?
There is data in motion and data at rest. Hashing is typically for data at rest, specifically password kind of things, where the user will be submitting the un-hashed form for you to hash and compare against the authority. If you are worried about clear password stored, hash it and store. Retrieve the password in clear text from the header, hash it and compare against the one in the database. If your concern is sending password over the wire, you should not be using basic authn.
SSL covers you on having the credentials in plaintext as they are passed over the wire.
Passwords should definitely be hashed and salted in the database, and never saved anywhere in plaintext.
Having the passwords in a string variable on the server is really only a problem if you have someone memory-scraping your server. And if that happens, you have bigger problems. If you're concerned about minimizing that window of availability, you can take the password from the header and put it into a byte array instead of a string, so you can clear the byte array as soon as you are finished with it. However, the value is already stored in a string in headers.Authorization.Parameter, so that may not gain you much.