trying to understand NTLM protocol - ntlm

I am having a difficult time understanding NTLM. For example, I was told that NTLM is a hash algorithm, but I researched it and found that NTLM uses MD5, so it's not an algorithm as much as it is a protocol. If I am correct, then when is NTLM used? Is it used during the logon to a system?

NTLM is a legacy (very old) proprietary single sign-on authentication protocol used by client operating systems to log on to a system by passing its credentials on to Microsoft Active Directory. It was developed during the Windows NT days back in the 1990s and is still somewhat in use today, but that use has been widely diminishing for years now in favor of the industry-standard single sign-on authentication protocol known as Kerberos. See the StackOverflow tag info on ntlm for further details.

Related

Why is the function implemented with hardware generally considered to be more secure than that implemented with software?

everyone.
When we talk about information security, we usually think that the more a system relies on secure hardware, the safer it is than one that relies on secured software for the same security function. Why? Won't secure hardware have bugs in it too?
Thanks
It depends upon your system. What type of system are you talking about?
Standalone system, server, application system, etc. Suppose you talk about a server: developing a firewall using s/w is not enough. We have to use different h/w devices as well as securing the server from different hazards.
When we talk about a standalone application, there can be a firewall, password security and also user lock devices. So every system has its own type of security requirements.

Protecting my code if I supply the Computer

I know this type of question has been done to death.
My question relates to protecting my code that is installed on a client's PC.
I know the answers are to obfuscate, get a patent, put code on my server, accept it will be hacked, consider that my code is not THAT important or unique, etc.
BUT, I am supplying the Windows PC to the client(s) with my software pre-installed.
It is a C# .Net app.
Under these circumstances, where I am supplying the hardware, are there any other 'tricks' I can use to prevent decompilation of my code?
Thanks
Use BitLocker (at rest encryption) on the hard disk and a user for your client with limited privileges. Don't share the admin user's password with your client.

Which cipher to use for cross-platform

I have multiple applications which work with one centralized Oracle database.
The applications are targeted on following platforms:
iPhone
Android
Windows (XP, Vista and 7)
Linux
Mac OS
Web applications (ASP.NET, PHP and JSP)
I want to know which kind of cipher I should use to make sure all my encrypted data will be readable (decrypted) by all my applications.
E.g. 3DES or RIJNDAEL_256 or TWOFISH256?
You should be able to implement those ciphers on all of the target platforms you mentioned.
As for which to use, I'd suggest Rijndael (AES) since it has received a lot of attention and has a proven security track-record.
http://gpg4browsers.recurity.com/ has JS implementations for all ciphers you mentioned.
All OSes you mentioned support all of these ciphers either directly or via mcrypt.
This reduces the question to opinionizing. So here is my opinion: do NOT standardize (in the sense of hardcode) on any of those ciphers, but invest the one-time penalty to develop your apps and protocols in a way that allows them to handshake the cipher used. This way you can trade speed for security now and are open to developments in cryptography (or cryptanalysis).
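The cipher handshake suggested in the last answer, as an added example that is not part of the original thread: the server picks from the client's offer and both sides authenticate the negotiation, so an offer altered in transit is detected instead of silently producing a weaker cipher. The cipher labels, the retirement policy and the pre-shared key are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed policy for this example: server preference, strongest first.
PREFERENCE = ["AES-256", "TWOFISH-256", "3DES"]
# Still decryptable for old records, but never negotiated for new sessions.
RETIRED = {"3DES"}


def choose_cipher(client_offer, preference=PREFERENCE, retired=RETIRED):
    """Pick the server's most-preferred cipher that the client also offers."""
    offered = set(client_offer)
    for name in preference:
        if name in offered and name not in retired:
            return name
    raise ValueError("no acceptable cipher in common")


def transcript_mac(key, offer, chosen):
    """HMAC over the exact offer list plus the choice, length-prefixed."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(offer).to_bytes(2, "big"))
    for name in list(offer) + [chosen]:
        raw = name.encode("ascii")
        mac.update(len(raw).to_bytes(2, "big") + raw)
    return mac.digest()


def server_hello(key, received_offer):
    """Server side: choose, then authenticate what it saw and what it chose."""
    chosen = choose_cipher(received_offer)
    return chosen, transcript_mac(key, received_offer, chosen)


def client_verify(key, sent_offer, chosen, tag):
    """Client side: the tag must match the offer the client actually sent."""
    if chosen not in sent_offer:
        return False
    return hmac.compare_digest(transcript_mac(key, sent_offer, chosen), tag)


if __name__ == "__main__":
    key = b"\x01" * 32  # assumption: a key both sides already share
    offer = ["3DES", "TWOFISH-256", "AES-256"]
    chosen, tag = server_hello(key, offer)
    print(chosen, client_verify(key, offer, chosen, tag))
    # An offer altered in transit (strongest entry missing) fails verification.
    altered = [c for c in offer if c != "AES-256"]
    chosen2, tag2 = server_hello(key, altered)
    print(chosen2, client_verify(key, offer, chosen2, tag2))
```

Retiring a cipher then means editing the policy tables on the server, while stored data keeps a decrypt-only path for the old algorithm.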

Anything like DPAPI available for .NET Compact Framework or Windows Mobile?

I need a way to protect a private key on a mobile device.
I know that "Writing Secure Code", in the chapter "Protecting Secret Data", says "Windows CE" cannot be used in secure environments. But the book is many years old now (2003).
Is this still the case? Tell me it ain't so. There has to be a way to secure a private key today.
The DPAPI is embodied in a set of Win32 functions, CryptProtectData and CryptUnprotectData. These functions are available on Windows CE and Windows Mobile platforms (see links), although I don't know at what version they added support.
The .NET wrapper for the DPAPI is the ProtectedData class in System.Security.Cryptography namespace (assembly System.Security.dll). However, I don't think .NET Compact Framework implements this yet, so you'll have to use P/Invoke if using .NET.
If a user has access to a device, then no, you cannot 100% securely store a key. You can raise the bar but you cannot remove it.
You have to externalize the access to the key, e.g. a user-entered username and/or password, or a key sent to the device via another method (e.g. asymmetric encryption over a network connection). This is what the security for Windows Mobile programmers webcast recommends.
Any way you store the key on the device can be reverse engineered. This includes the use of CryptProtectData and CryptUnprotectData API.
What's wrong with using standard encryption algorithms?
http://www.windowsfordevices.com/news/NS5217487259.html?kc=rss
Webcast covers security for Windows Mobile programmers
This looks like it will be good.

How are web site passwords encrypted by browsers?

What are some platform-specific APIs that web browsers use to securely save passwords with reversible encryption on local systems?
Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authentication data to perform encryption/decryption, but do not give access to applications to read it (your system login data) directly. I'm wondering what these are on different platforms (Windows, Linux, OS X) and how well they protect the information if the hard drive is accessed directly; i.e. a stolen laptop hard drive is placed into another computer or analyzed via a Live CD.
Here's how Google Chrome does it. Looks like they use CryptProtectData on Windows.

Resources