I am a new user of py-cryptography. I am finding that even the encrypted token is modified at end, it still decrypts OK. How so?
Here is a test script
from cryptography.fernet import Fernet
f = Fernet( Fernet.generate_key() )
word = b"very secret thing"
print("encrypting...", word)
token = f.encrypt( word )
print("decrypting...", len(token), token,)
reword = f.decrypt( token )
print("works as expected" if reword == word else "oops!")
modtoken = str.encode( token.decode() + "?abcd." )
print("modified token, appended stuff")
print("decrypting...", len(modtoken), modtoken)
reword = f.decrypt( modtoken )
print("whoops! still decrypts ok" if reword == word else "good boy!")
and the output was
encrypting... b'very secret thing'
decrypting... 120 b'gAAAAABb3TIJLCgbVdq-CgQ3V7V3eehQ02h_O70iZkCjd6KCU9GsErog-c-LluWITQg5lTsp5ldoTc0J_XdFCd-jhoJPOYAKyQbzbHDJZKTGORIJSflO1do='
works as expected
modified token, appended stuff
decrypting... 126 b'gAAAAABb3TIJLCgbVdq-CgQ3V7V3eehQ02h_O70iZkCjd6KCU9GsErog-c-LluWITQg5lTsp5ldoTc0J_XdFCd-jhoJPOYAKyQbzbHDJZKTGORIJSflO1do=?abcd.'
whoops! still decrypts ok
Is this expected behavior? If so, how do I check if the token is not modified between encrypt and decrypt?
python 3.6.6 on ubuntu under WSL
cryptography - github.com/pyca/cryptography
---EDIT---
I changed the line
word = b"very secret thing"
to
word = b"very secret thing XXXXXXXXXXXX"
and the effect was (1) the token length went from 120 to 140 (2) decrypting modtoken raised an Exception!
After reading Paul's answer I also am wondering if it would be wise to use this library in production code or if someone could suggest a suitable alternative.
This is an artifact of the malleability of base64 with Python's decoder. When the fernet token is base64 decoded everything you've added is discarded. This means that when the HMAC value is checked the ciphertext is untampered and the token passes.
While this is not directly a problem, it could become a problem if a user does something unwise with presumed token uniqueness. To be clear, Fernet has strong integrity guarantees for the token payload, but the base64 itself has limited malleability.
Over 3 years ago I tried to get the Fernet spec updated to require strict base64 encoding (https://github.com/fernet/spec/pull/11) but unfortunately the authors are not maintaining their spec and nothing has happened. We don't want to break compatibility with other Fernet implementations and this issue, while annoying, isn't enough to convince me that we need to fork it at this time.
Related
Test Text: username
Encryption Result:
uname1 = b'\x01\x02\x02\x00x]n\xe8\xe6\xae\xae\xdf\xb7F\x87^!\xc1l8\x0eC\xb0\xcc\xf5\x00\xe7%j\xa2S\xc7\x84\xb4\xf2\xea]\x01K\xf9\xf9\xe7c\xa7\xc8A\xec\xf3\xd1\x9f\xd9\x9f\x86\xb7\x00\x00\x00f0d\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0W0U\x02\x01\x000P\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0c;\xaa\xe9\x03\x84\x00Z\x96"\t/\x18\x02\x01\x10\x80#\xdd\xf1C\xafy\x1e\xf07Z\x0fI_\ncr\x80\xdc\xf5>o\xb9`\x1a\xf8\x0c\xec\x0f\xc3\xd1\x8f\xdd\xe6~\xca\x16'
Supposedly the following is also the result of username being encrypted by KMS and I have to decrypt it:
uname2 = "AQICAHiRhVOkDetQTv51rimwyQpfSKJYi6zefQF+Wz32zFAYKwEyMctEfb/Oos0Mq48uPt2AAAAAZjBkBgkqhkiG9w0BBwagVzBVAgEAMFAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM7vxxEHGmH5vHJX1zAgEQgCM2Uee6e6zM0mQgli9kXQVJ3pNid+waG6nrDnB9P3VjVquaCA=="
Decrypting uname1 works just fine but uname2 does not work and results in the following error:botocore.errorfactory.InvalidCiphertextException: An error occurred (InvalidCiphertextException) when calling the Decrypt operation:
Documentation I was following: https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html
I am trying to decryptuname2, uname1 was just a local test I did.
Is this a character encoding issue? Why do the strings look so different?
You simply need to decode the uname2 string, as it is Base64 encoded after being encrypted. You will then be able to decipher it.
We want to create a logfile at customer site where
the customer is able to read the log (plain text)
we can verify at our site that the log file isn't manipulated
A few hundred bytes of unreadable data is okay. But some customers do not send us files where they can't verify that they do not contain sensible data.
The only reasonable option I see so far is to append a cryptographic checksum (e.g. SHA256(SECRET_VALUE + "logtext")). The SECRET_VALUE would be something hardcoded which is plain "security through obscurity". Is there any better way?
We use the DotNet-library and I do not want to implement any crypto algorithm by hand if that matters.
You can use standard HMAC algorithm with a secret key to perform the checksum.
Using a secret key prevents in a simple way that the checksum can be regenerated directly. A hardcoded key could be extracted from code, but for your use case I think is enough
The result is a binary hash. To insert it into the text file encode the value as hexadecimal or base64, and ensure you are able to revert the process in server side so you can calculate the hash again with the original file.
You could use also a detached hash file to avoid modifying the log file
Target
customer readable logfiles
verifyable by our side
minimum of binary data
must work offline
Options
Public-Private-key-things... (RSA, ...)
would be secure
but only binary data
Add a signature
We are not the first ones with that idea ( https://en.wikipedia.org/wiki/Hash-based_message_authentication_code )
DotNet supports that ( System.Security.Cryptography.HMACSHA256 )
Key must be stored somewhere ... in source
Even with obfuscation: not possible to do so securely
Trusted Timestamping
again: we are not first ( https://en.wikipedia.org/wiki/Trusted_timestamping )
needs connection to "trusted third party" (means: a web service)
Build Hash + TimeStamp -> send to third party -> sign the data (public-private-key stuff) -> send back
Best option so far
Add a signature with HMAC
Store the key in native code (not THAT easy to extract)
Get code obfuscation running and build some extra loops in C#
Every once in a while (5min?) put a signature into log AND into windows application log
application log is at least basically secured against modification (read only)
and it's collected by the our error report
easy to oversee by customer (evil grin)
I am writing a Perl script which will create a new user (on Ubuntu).
It will need a step along the lines of
$encrypted_password = crypt ($password, $salt);
system ("useradd -d $home -s /bin/bash -g $group -p $encrypted_password $name");
What should the value of $salt be? Examples on the Internet seem to use arbitrary values, but if the encrypted password is going to be tested against what the user enters, then the kernel needs to hash the input with the same salt in order to pass the comparison.
This website claims the salt is encoded in the output of crypt, but that is apparently not true.
In Perl the output of
print crypt("foo", "aa");
print crypt("foo", "aabbcc");
print crypt("foo", "aa1kjhg23gh43jhgk32kh325423g");
print crypt("foo", "abbbcc");
is
aaKNIEDOaueR6
aaKNIEDOaueR6
aaKNIEDOaueR6
abQ9KY.KfrYrc
Aside from there being identical hashes from different salts, which is suspicious, it seems only the first two characters of the salt are used. This does not make sense from a security point of view. Also the output is not in the format as claimed in the link above.
So what value of salt should I use when encrypting a password for useradd?
All the information about crypt is in perldoc -f crypt.
Here is the part that answers your question:
When choosing a new salt create a random two character string whose characters come from the set [./0-9A-Za-z] (like join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64] ). This set of characters is just a recommendation; the characters allowed in the salt depend solely on your system's crypt library, and Perl can't restrict what salts crypt() accepts.
I hope this helps.
I recently had to convert challenge questions and passwords for an OpenAM implementation.
The plan was to convert these values as part of the user entry in a LDIF file and load it. The attribute to complete is iplanet-am-user-password-reset-question-answer. This is a multi valued attribute to support multiple question/answer pairs.
The challenge question key, answer and question key and question status flag had to be combined in a single line delimited by tabs.
[question-key]\t[answer]\t[1|0]
The value needs to be encrypted. This was the class used to encrypt but it did not work.
AMPasswordUtil().encrypt(question.get(challenge) + "\t" + response + "\t1")
What to do to make this work?
Finally gave up and dropped ForgeRock support a question. They were very helpful and supplied the solution and it worked immediately. Here it is...
It turns out the AMPasswordUtil class should not be used. Instead this should be used
encrypted_str = AccessController.doPrivileged(new EncodeAction( clear_text_str ))
The encryption key needs to be set as a system property
System.setProperty("am.encryption.pwd", key );
The encryption key can be retrieved from OpenAM.
How can I safely store sensitive data online?
I want to store some extremely sensitive information online in a public folder, and I'm not sure how to go about it.
Specifically, I want to store bitcoin private keys in a .json file named "walletData.json" in a public folder. The file contains the wallet address and public key in plain text, along with an encrypted version of the private key.
Assuming anyone can access the file and attempt to crack the encryption password with their "super computers", what's the best way to safely encrypt that private key?
I know a longer password would be a good start, but ideally I don't want to need a password longer than 10 characters.
I was thinking of maybe hashing the password 1000 times, then using that hash+password as an AES encryption key. But, as everyone can see the key generation method, i'm not sure that will help? I was also thinking of padding out the encrypted private key with some other random data, but again, I don't know if it'll really help??
Is there a safe way to do this?
EDIT - after Reid's answer:
I'm trying to do this 100% in Javascript/jQuery.
When I export a CoinPrism.com wallet, I get this:
{"keys":[{"addr":"1PNLiLgW2fBokCB2wmfhZTtbmioitkqtMm","priv":"172655af193edeb54467a52fc6eb94c67eeeff8cd03555767e5cf12df694bb88f9c8b25c4019147d9e4993405274c96a","encryptionMode":"PKBDF2-SHA256","iterations":2000}],"salt":"2222b67fc7255aaf0b4027bfcabffb5e62f39e9e0aa13e8ad70f2dc75a484f26"}
The "priv" value is an encrypted private key. I don't know exactly how it's encrypted, but i'm sure that there's a way to decrypt it using just my 10 character password.
Does anyone know how they're doing this?
Is it safe to store this information online?
Well, I will just say outright that you don't need to be the one who writes the code to do this — it is far too easy to mess up, and your post makes suggestions that are concerning. (For instance, you describe something of an ad-hoc key derivation scheme, but one that is insufficient in protection.)
So, you need a library of some kind to handle this business for you.
My suggestion: Use GPG with the ASCII armor option. For example:
gpg --symmetric --armor --cipher-algo AES file.txt
This will symmetrically encrypt (--symmetric) a file (file.txt here) using the AES cipher (--cipher-algo AES) and store the resulting encrypted file in an ASCII armored format (--armor). Note: the resulting encrypted file will be stored in the filename plus the extension .asc; e.g., here, it puts the result in file.txt.asc. You can change this with the --output option.
Now, the above command will prompt you for a passphrase — this passphrase needs to be very strong, far more than 10 characters I'm afraid. This is the burden of passphrase-based encryption: you need passphrases that are strong. Ideally, you want a passphrase that is long and complicated, hard-to-guess and hard-to-bruteforce.
Since we are on StackOverflow, you may be looking to automate the passphrase entry (using scripting). To do that, there are several --passphrase related options for GPG. For example,
gpg --batch --passphrase "test" --symmetric --armor --cipher-algo AES file.txt
will use the passphrase test instead of prompting the user. Command line arguments are not safe, however, on a system, so it would be better to use the --passphrase-from-file option, which takes a single file as an argument. The first line of that file is the passphrase to be used.