This might be a very basic question and might have been discussed, but I want to make sure I understand it right and hence stating along with problem
My company is to get files from 5 different vendors. Each of them will encrypt file before sending to me. They have also sent their public keys to me in advance - so I have 5 public keys from individual 5 vendors
Now my question is can I make a single keyring composed of those 5 public keys?
If the answer to 2 is yes, then in my program can I use keyrong to decrypt message from any of those vendors with KeyRing?
I am trying to use bouncycastle for my operation if that helps.
Unfortunately the bouncycastle API does not provide this functionality out of the box.
You will need some extra coding to achieve it through the bouncy castle class PGPPublicKeyRingCollection.
You can also check this example from a commercial BC wrapper that provides such feature:
http://www.didisoft.com/java-openpgp/examples/import-keys/
Related
Recently I started working with a TPM (version 1.2), and after checking the oficial GnuTLS API, I was wondering which API functions are the correct ones to do all the crypto stuff inside the chip (sign certificates get pk+ keys etc...).
At the moment Im able of getting this data outside of the TPM so I can sign or get a private key in my C code but thats not what I want.
Thank all!
The sequence of events is something like this:
Invoke gnutls_tpm_key_list_get_url to get the list of the TPM keys.
Choose the key you want to sign with from the list and import it with gnutls_privkey_import_tpm_url.
Now you have the gnutls_privkey_t object you can use with the abstract API just like any other key. In your case, you probably want to use gnutls_privkey_sign_data or one of the similar signing functions.
Keep in mind that going with this approach limits you to TPM 1.2. From GnuTLS docs:
Note that we recommend against using TPM with this API because it is
restricted to TPM 1.2. We recommend instead to use PKCS#11 wrappers
for TPM such as CHAPS14 or opencryptoki15. These will allow using the
standard smart card and HSM functionality (see Smart cards and HSMs)
for TPM keys.
I am developing standalone app for cross platform using electron.
I want store private data like private key, private data for some
execution in app. Execution like encrypt / decrypt data.
Or
I want store some secured information like user password, proprietary
data on app
Are any possible way to store these kind of secure information and app user unable to get any way?
There is an NPM module made for Atom editor (the app Electron was made for) called Keytar. It uses the native OS APIs for secure storage. eg. The keychain on OS X.
https://github.com/atom/node-keytar
I don't know the specific technology that you are using, so my answer will point in general to the key storage issue.
First, two big remarks:
Even with some heavy specialized hardware (banks and other critical systems use Hardware Security Modules -HSMs- for this), there is always a risk of getting your key stolen. What you choose to do depends on how important is your key and how much are you willing to do to protect it. I will try to avoid to mention solutions involving hardware, because they are usually overkill for most people.
There are, however, good practices that you can follow: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
Now, some advise. Whatever you do, don't store your key in plaintext (and much less hardcoded). If you are using public key cryptography, PKCS12 files (usually with extension .p12 or .pfx) are the standard way to store the data. They are usually password protected.
Here you face a problem: if you have a key, you need to use it. If you use the key, it will be in "plaintext", at least in RAM. So, you need a way to enable the access that keeps the key as isolated as possible. If the actions are triggered by a user, things are relatively nice, because you could ask for the password before using the key.
If the actions are automated, however, you need to find a way to store the password. Even security software like some PGP implementations have approaches for this that aren't nice:
Ask for the password in command line: command -password my-password. This, put in a bat, works. But the password is stored and, depending of the operating system, even available with the command history.
Store it in a file: at least you don't leave copies around, but the password is still in plaintext.
Encrypt it using system data as encryption key: the password is relatively protected, but you lose portability and an attacker with access to the computer won't be stopped by the control.
Ask for the password once one the service is on: a bit more reasonable, but not always possible (if the service is critical but just one person has the password, availability might be compromised).
Fancy things could be done with threshold decryption, but that's probably too much for that case also.
I do not provide details on each option because what you can do probably depends on what your framework allows and the way in which your system is used, but I hope it helps as a reference of the different options. In any case, do not implement any cryptographic functionality on your own. Bad crypto is worse than no crypto at all.
Avoid storing private or server-side details like a private key in an electron app. Electron app's data and file can be accessed from the app.asar file and electron do not protect the content at all. There is no such mechanism of code protection in electron. However NW.js supports source code protection, You can read it here. So according to me, it's not safe to store private accreditations like signing a certificate or private key in electron source code.
As another way, you can store these data using node-keytar in the keychain for mac, the credential manager in windows and Gnom Keyring in Linux using native api. But still, these credentials are accessible to the user and does not make sense to storing private tokens (i.e. Token for GitHub private repository having administrative rights). It depends upon the user, If he/she is sophisticated enough to understand what did you stored in Keychain, Credential Manager or Keyring, they can misuse it or can use against you. So the final answer is,
Do not store Credentials/Private key or Administrative Tokens in electron source or using node-keytar.
the perfect way of storing data in electron is this package: https://www.npmjs.com/package/electron-data-holder
this package stores data in a JSON file but it gives you the ability to encrypt the data.
read more in the documentation
I am using Bouncy Castle to generate a public/private keypair and using it for encryption tasks.
What would be the best way to store the keypair securely?
I have been unable to find a way to store on the devices keystore. Storing on a txt file wont work because it is as insecure as it gets. I could store it in RMS but then how does one secure this from a person with enough motivation to snoop?
Data store Update:
Problem with RMS is that if the application is saved in the mem card then the datastore is easily accessible to anyone.
As you're already using Bouncy Castle, then just implement a simple PBE (password based encryption) scheme to allow the records stored to be encrypted. For an example on how to do this have a look at the simple application I wrote many years ago.
http://www.eaves.org/jon/j2me/pocket.shtml
If you look at the .record package, you can see what I've done to encrypt and store individual records.
The "downside" to this approach is that you need to get the user to choose a "passphrase" and use that as part of the PBE. I'm not aware of any other approach to do what you want to do, and maintain security over the information stored. Any attempt to "hide" the key is futile, and insecure.
see my answer here, its secure to save in record store
How to sort recordstore records based on a certain field in it?
every application have its own record store and removed on application uninstall
How do you secured a key into your iPhone application?
I have an API key that is used by the client application, and do not want anyone to see it, only the application should be able to read it.
1) how do I safely store this in my application? storing it into a variable? is good enough?
2) What happens if someone decrypts my application? (Is that possible?)
There's a lot of questions here so let me answer one at a time:
How do you secured a key into your iPhone application?
I assume that you are trying to secure it from the user of your application. This is impossible unless you are using a trusted computing platform, ie. a platform that can be trusted to not obey orders from its owner (sometimes called treacherous computing for that reason). iPhone is not such a platform to my knowledge.
I have an API key that is used by the client application, and do not want anyone to see it, only the application should be able to read it.
If your application can read it then the owner of the platform that your application runs on can read it as well. (The exception would be a trusted computing platform - see above.)
how do I safely store this in my application?
You can't.
storing it into a variable?
You might.
is good enough?
No.
What happens if someone decrypts my application?
Then he gets your key.
Is that possible?
Yes.
If you don't want your users to know your key then don't give it to them in the first place. Set up a proxy server that your application would connect to and keep your secrets there.
There's an old saying that every secret has to be treated like a public knowledge unless it's known by no more than two people. This applies to software too.
Consider storing the key in the iPhone's keychain repository. Take a look at the Apple provided keychain sample app here:
http://developer.apple.com/library/ios/#samplecode/GenericKeychain/Introduction/Intro.html
Hope this helped. Good Luck.
I agree with Greg Thompson, Apple recommends the use of the keychain to store secure data such as credentials.
By the other hand there is a couple of articles around the web that says that the keychain is no longer "the safer zone", because some people were able to decode its data (and pretty quick).
With iOs 4.0 and later, some improvements about security where made, that is called Data Protection (you can google it like: iOs data protection).. if you are interested in this topic, you'll find the Session 209 - Securing Application Data from WWDC 2010 Session Videos very interesting ... You can get this video for free via iTunes store - iTunes U
Hope this helps
I am looking for advice on where to store encryption keys and other sensitive application data. Is a certificate on a USB stick really the way to go here? What can you do to keep your secret keys safe?
Keep them on a smart card, or use the Trusted Platform Module (TPM) that is present in many machines sold these days.
A keystore (see: getKey()) is often a place where a secret, like a privet key is kept. In order to access this key store a password. These are created using a symmetric cipher.
If it's a secret and you have to store it somewhere, then at some point it can't really be considered a secret anymore because one way or another somebody will be able to find it, etc. Security is always best considered on a case by case basis, what is acceptable for one solution is not for another and therefore there is not any "fits all" answer. However, where possible (or always) make sure you use a tried and tested method rather than roling your own. Hopefully that does help, but is such a wide open question.