I did all the encryption process setting a secureKey but I chose Blowfish algorithm, but now I need to use AES as the algorithm but I changed the config in the secure property config (in my global) it seems that is not recognizing the algorithm change, and if I want to encrypt I still need to choose Blowfish and the same secureKey, to desencrypy or encrypt
Do you know why?
or what can I do to modify the algorithm?
If you encrypt information with an encryption algorithm you must use the same algorithm to decrypt it. You can not use a different algorithm. That's how encryption work.
Encrypt again the properties with AES this time and then use also AES in the secure properties configuration.
Related
After much reading of the latest Bind9 AMD, did I correctly sense the diminishing usage over the year of Public/Private SIG(0) in favor of shared-key TSIG for AXFR/IXFR transactions?
Why is shared key the preferred mean of authentication? And why only limit to nsupdate/dynamic-DNS tools?
What is wrong with Public/Private Key approach and it’s ability to encrypt the zone transfers?
It does seems a bit more attractive to be using ED25519 over HMAC-SHA512 for protecting a DNS zone transfer.
Create key => save it => use it to encrypt passwords from registrations in a website
Is this secure to do ?
If you have to ask, the answer is generally "no." You should be using a tested, audited, and proven crypto library to do your password transformations, and never store passwords themselves, encrypted or otherwise. You need to hash them using a cryptographically secure, one-way hash function with a salt and enough resource consumption to deter hash cracking attempts down the road.
If you don't know what any of that means, that's fine, but it means you shouldn't be trying to do these things yourself; let a tool (e.g. a popular library or framework) do it for you. Without knowing what web site technologies you're working with, I can't give you a very good recommendation about specific methods.
How can I securely store the p12 file?
As per my knowledge the in p12 file certs are encrypted with RC 40 bits and keys are encrypted with des3 but brute force is the technique which can reveal the password of certs and then same can be used to get the keys and this makes the p12 file bit insecure.
I want my p12 file to be securely stored in the file system.
Can I encrypt this file and store it.If yes, then will the file still be usable.
PKCS#12 by definition does not define what algorithms are legal to use. PKCS#12 is just a structure of a container for certificates and private keys. That container can be encrypted and signed. See more here: https://www.rfc-editor.org/rfc/rfc7292
Theoretically any encryption could be brute forced. The question is what is the cost and effort to do that successfully. By picking up a trusted algorithms (see the list of NIST approved algorithms for example) you can sleep your night rather well knowing that your private key inside of an encrypted PKCS#12 container would remain safe against brute force.
If your PKCS#12 file uses 3DES encryption it could still be considered safe. See more here: https://security.stackexchange.com/questions/146710/is-the-3des-algorithm-secure
But if you want to restrict access to the PKCS#12 file and the private key inside of it, cheap option would be restricting permissions of the file in the file system. This basically means that only the user running the process have access to that file. More pricier options would be to use hardware tokens and HSMs. Some vendors are SafeNet and Thales for example and you can use those through crypto engines and interfaces such as PKCS#11. The PKCS#12 file could also be protected by a passphrase, which is often recommended if you can tolerate human interactions. In server environments or other use cases where human interaction is not possible, passphrase protected PKCS#12 may be tricky since you need to find a way to protect the passphrase itself.
I wanted to know what is the best way to encrypt storage at rest. Lets say financial information for 1000 users is on a system. Besides making sure nobody unauthorized gets to how do we encrypt the data that is being used everyday so that if god forbid they get it, it should be impossible for them to decode or read?
I believe AES is a correct measure?? How can i implement AES using PHP for phpmyadmin data?
Neither SHA nor MD5 are encryption algorithms, so forget them for now.
The answer to your question is more organizational then technical. First you need to identify what storage you plan to use for the data. If it is the DBMS, then (a) it can offer certain encryption and authentication mechanisms, and (b) you can store the files of the DB on the encrypted storage.
If you have files (either the data itself or the DB with the data), you can store them on encrypted disk. This can be an encrypted NTFS disk or virtual encrypted disk (the one which resides in a file and is mounted as a virtual disk by software).
If you create backups of the data, then backup tools usually offer encryption mechanisms too.
In all of the above cases used algorithms don't matter too much: modern algorithms, offered by above mentioned mechanisms, are secure enough given that you choose 128-bit or larger key for symmetric encryption and choose long passphrase (more than 22 characters if you only use [A-z0-9] alphabet for 128-bit symmetric encryption).
There exists symmetric encryption and public-key encryption (PKI encryption). PKI lets you encrypt the files using public keys (private key is used for decryption), and one of the benefits is that you can encrypt the data for several different private keys. This means that any of the given set of keys can be used for decryption, and the owner of one key doesn't need another key for decryption. The benefit is that you can assign keys to certain users or roles instead of sharing a single passhprase.
The above is just a small guideline and you need to learn a lot (or better involve a security specialist) before you implement the solution, cause security made wrong is worse then no security at all (cause it gives false sense of protection and this makes people careless).
That depends on your platform; most modern operating systems offer disk encryption options with various degrees of security. Note that SHA and MD5 are hash algorithms and thus unsuitable for encryption.
I'd base my choice of algorithm on the capabilities of the system that is supposed to work with the data. Some CPUs have special instructions for AES processing, which gives a significant speed boost here; also, there are harddisk controllers that include encryption support.
Dedicated hardware has two major advantages: it is significantly faster, and it is more difficult to retrieve the symmetric key as a prelude to stealing the actual disk drives.
I'm trying to figure out if it is alright to store passwords that are encrypted using the AES algorithm rather than storing passwords that are salted and hashed with SHA1.
The reason I am wondering this is because my company is in the middle of updating our membership system which is included with our proprietary CMS. Currently, we use AES encryption for passwords. This allows us to easily look up Admin passwords when customers call in for support. When we have staff changes, it is policy to change all admin passwords. The password lookup tool allows us to get the new passwords easily and our work flow isn't interupted.
I get the impression that most people think that hashing salted passwords is the more secure way of handling passwords but I can't figure out a way to comply with current company operations when using hashed passwords. And, the corporate cultural shift required to change our password operations probably won't happen unless I can give them some very compelling reasons to hash passwords.
Is a hashed password generally accepted as required versus an encrypted password? Why?
Encrypting passwords with a reversible encryption is of dubious value.
Obviously the lookup program has access to the key. That means you should assume that anyone who has access to the program also has access to the key. If you are paranoid you should also assume that their spouses, significant others, roomates, etc all have access to that key. Also anyone who has ever broken into the network ever in the past (since key was used) also has access to the key.
The problem with using a system like that is you will never know it is broken. Do I have access to the key? Right now? Can I lookup the password at anytime? As soon as you change it I know what it was changed to?
Using salted hash (vs reversible encyrption) presents its own challenges in implementation but you can be assured that stealing the password list is of little value (if properly implemented with a strong algorithm, multiple rounds, min password standards, and random per record salt). Your current system is "feel good encryption". While it may makes management "feel" safe they aren't actually being safe. It is marginally better than storing passwords in plaintext or on a sticky note it is at best a minimal speed bump to a determined attacker. The largest problem is you can never prove you are "safe" and may not have any warning when you are compromised. You could be compromised right now and not know it.
You mean, inside an application which stores passwords for user authentication.
Normally the motivation for hashing them vs storing encrypted is that it prevents someone who has stolen the database or compromised the server from obtaining the passwords.
If you encrypt them with AES, you're clearly going to have to keep the key somewhere, and can't ever change it (unless of course, you decrypt them all and re-encrypt).
If someone compromises the machine, they can obtain the key, as it is necessarily kept (at least) in memory at some time to decrypt the passwords.
It's either that, or use some fancy PKI. AES is a symmetric cipher.
Encrypting the passwords won't really help the application defend its database against any but the most casual attackers (as an attacker MUST be able to obtain the key). Hashing them makes it difficult for the cleartext to be obtained if passwords are strong.