I have a NodeJS api which takes data array and create xls file. That xls file need to be encrypted by a third party software. Right now we are doing it manually. For that we have a banking encryption software which is very simple and only ask two things input folder path and output folder path. After providing both paths to the software when we press encrypt button. The software encrypt the file inside input folder and save it in output folder.
We have no clue the encryption key use by that third party software.
Is there any way we can execute software (software is a jar file) and get the encrypted file via api.
any help will be much appreciated.
Related
The id_rsa.pub file is basically some encrypted text in the .ssh folder under the home folder in Linux and is used for public-key cryptography. It uses the .pub file format. But why does this file format also happen to be the file extension for Microsoft Publisher? Microsoft Publisher isn't involved with this kind of encryption in any way, so why does id_rsa.pub also use .pub? Also, how do computer program distinguish between these uses?
Nobody enforces file extension choices.
The file extension .pub was selected for a public key because it is short for public.
The file extension .pub was selected for a Microsoft Publisher document because it is short for Publisher.
That they conflict is unfortunate.
There is no central registry for file extensions, so many extensions are re-used by different applications.
A better system for figuring out 'what type is this file' is probably not an extension, but a mime-type. But because there's no standard way for a file to say 'I am this mimetype' and that information to be carried along with the file, systems end up using extensions for this and sometimes there's a collision.
TL:DR? Word Documents are packages, is it dangerous to upload them to the server then?
I'm developing an application in Angular 4, and Node JS, that at some point allow users to upload files, that should be only images, pdf's and Word documents.
Front end validation goes well, until node rejects a Google Docs file exported as .docx and says the file is actually a zip (application/zip).
Okay, perfectly normal, but native Word documents, have a different MIME type, so:
Should I enable the upload of zip files?
Considering that I could successfully use a docx as a zip, add a script and go back to use it as a docx file, should I have any security worries?
Is it possible to include malicious software inside a docx file and somehow use/run it on the server side?
Am I worrying about nothing?
There is no danger in a Word file on your server UNLESS you open it with Word or some other tool that processes it and essentially "runs it". Then, that provides a vector for macro malware that could be run when the file was opened in some program that might runs those macros.
Just storing it and enabling others to download it does not put your server at risk in any way. A plain file that you just store or send to others upon request is just a bucket of bits that doesn't "run" any code.
If you are providing a storage and retrieving mechanism, you may want to prevent yourself from becoming a distribution mechanism for malware by using some sort of scanner on all files that are uploaded to you such that you can filter out files that might harm someone else who downloads them and does attempt to open/run them.
I've recorded an interview as an .mp3 file and would like to send this file to someone over email. Because the contents of the interview needs to remain confidential, I need to find some way to encrypt it.
I tried zipping an audio file with the 7-zip program, and encrypting the zipped package, but when I tested this by sending the audio file to two friends (along with the password), one person got the message "an error occurred" and another got the message "unable to open this file."
I found this website, which seems promising, but it is way too technical for me. Does anyone know of a simple way to encrypt audio files?
7-zip can encrypt a file while compressing, not after. Just add a password while you're making the .7z file. (Note that mp3 files won't compress much, if at all. You're just using 7-zip for its encryption).
You could also use PGP, if the person you're sending the file to has given you (or registered) a public key. PGP is a higher level of security than most zip programs.
It would appear that VS2012 uses PFX files for signing instead of SNK files. I get the impression this is related to delayed signing; but I don't care.
When I build my application, I can use "sn -tp <my assembly>" and see it is signed.
When I ilmerge the debug folder and use the /keyfile directive (the way I was successfully doing with SNK files), the DLLs merge into one unsigned DLL.
I have read articles suggesting clever workarounds, such as extracting the public key from the original DLL and then using this in the /keyfile directive...which also failed to allow me to create a strongly signed DLL.
So, what do I need to do to get ilmerge to work with the PFX file so that my assembly will be strongly typed?
Thanks
I recently was attempting to do just the same thing (this time with VS 2015, but I am sure the results are the same).
PFX files are password-protected by default and ILMerge (at the time of this writing) does not appear to support them.
Manual Signing
The "clever workaround" as you describe it is presented here, and it appears to be the only way to accomplish this:
>sn -p some.pfx some.pub
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -R merged\some.dll some.pfx
Note that extracting the public key from the PFX file requires user input - allegedly it was previously possible to pipe in the password, but the current version of sn.exe does not permit console redirection.
Automated (CI Build System) Signing
In order to strong sign ILMerged assemblies in an automated way, it is necessary to install they key on the local build machine. This still requires user input in the form of password input, but only has to be done once per build machine.
As before, we need to extract the public key from the PFX file (this only has to be done once, and the PUB file can be saved alongside the PFX or even checked-in to source).
Here is the one-time setup code (both require password input):
>sn -p some.pfx some.pub
>sn -i some.pfx SomeContainerName
During the automated build, it is now possible to run:
>ilmerge /keyfile:some.pub /delaysign /out:merged\some.dll some.dll
>sn -Rc merged\some.dll SomeContainerName
I would like to start checking that the open source projects that I am using in my apps are what the developers released. I noticed that many projects have a SHA1 and MD5 digests presumably these can be easily tampered with for example if a hacker replaces the orginial zip file on a mirror they can also replace the .md5 and .sha1.
How can I check the integrity of third party open source libraries that I depend on?
I think , there is No trusted way for this, since the hacker may change the source files and its (md5 or sh1) files. He simply may replace the whole project with another one.
so , download the source from trusted sites such as sourceforg and code.google.com and codeproject and mirrors recommended by these sites.
typically an open source project, although open to all to download and modify themselves, the ability to actually change the uploaded files is restricted to certain individuals governed by the project owner.
A good example is https://github.com/thecodemine/formwizard, where you can see a read-only link, but cannot modify directly unless authorised.
However you can fork the project to your own account and modify as you wish, for example https://github.com/AlexKey/formwizard
I'm also guessig on large open source projects like linux distributions for example, even code / files uploaded by authorised individuals will also go through stringent reviews before official release.
A hacker of course on comprosising a system could change files at will, but this isn't a weakness of an opensource model but instead could be a problem for any project.
Also things like Code signing help detect unauthorised modification.
http://en.wikipedia.org/wiki/Code_signing
Code signing is the process of digitally signing executables and
scripts to confirm the software author and guarantee that the code has
not been altered or corrupted since it was signed by use of a
cryptographic hash.
You have not Googled your question. If you do so you'll get a lot of content about it. The link below will teach you how to check the integrity of a downloaded file.
https://help.ubuntu.com/community/HowToMD5SUM
You may also check the following link, which shows that it is very difficult to modify or replace the .md5 and .sh1 files.
Here's the link.