Client will send me data in the form of XML and JSON and I need to built service which store this data into database.For security purpose we want to get in the form of encryption and our backend is in java script we want to decrypt it in JavaScript. Client request can come either from PHP, Java, C# etc. Do you know any standard algorithm which has implementation in all popular languages and we can use for this project. We already implementation of DES algorithm in our system. If will be fine if there will be implementation of this algorithm in all other languages. If any one of you please let me know.
Thanks in advance
Why not use an https link? This will transparently encrypt the complete session and is available on all platforms.
Related
I am new to NodeJS and have made a web application login feature using passport.
I know when someone registers an account, the app needs to hash their password and save the hash to the database. But when I use console.log(), the object still contains the user's password in plain text. I have a feeling it's not safe but I'm not sure how to approach this. Can anyone explain what I am doing wrong here?
Irrespective of whether it is node.js or any other framework used for backend development, it is a good practice to pass the sensitive data such as passwords in encrypted format.
Typically we prefer using Json Web Tokens(JWT) - https://jwt.io/
You can use https://www.npmjs.com/package/jsonwebtoken to encrypt and decrypt it.
Don't bother too much with it.
If a malicious agent has access to the runtime environment of your server he will be able to do, possibly, everything. Even if you are using jwt he will be able to get the secret and decode it easily.
Focus on:
leaving the password encrypted in the database (as you did very well)
using SSL between you and the entry point on your servers network
making sure that you only expose the necessary, having a firewall/barrier in the exterior of your server is a very good pratice
sanitize and validate your server inputs to avoid injections and exploits
I just want to say only on don't use third party API or packages for it
My client-secure algorithm need a Random oracle... And I am using a HTTPS webservice for it,
https://www.random.org/integers/?num=1&min=0&max=255&col=1&base=16&format=plain&rnd=new
... But many people notice that
random numbers transferred over the public internet are not cryptographically secure for most purposes
... So, the question is:
the described architecture is secure? Need to use HTTPS POST instead GET? Need to add some cryptographic layer in the response?
there are a way to check/quantify "how much secure" is it, to compare with another solutions?
Context
It is not "so simple" and I really need a webservice, that is like a random oracle, must be an exteral device input (the oracle)... I can't use a local client algorithm (ex. local CSPRNG). The focus in the question is the secure communication protocol, for a very simple webservice (simple and fast RPC).
PS: here a javascript fragment example of client-side service request: xmlHttp.open("GET", url, true) where url is the random.org link above.
Most systems provide a Cryptographically secure pseudorandom number generator (CPRNG), use that.
Per the context update use HTTPS and pin the certificate so you know there is no MITM and you are contacting the correct site. Note that you still have to trust the site.
I want to implement in-app messaging in my iOS and Android application, and I am unsure about how the backend functionality should be created. From before my backend is running with Node.js and users etc. are stored with MongoDB.
I figure that I quite easily could implement messaging just by saving the messages in the database and sending a push to the recipient with the new message and also showing it in the app, but I do not want the messages to be readable on the server. It would therefore be necessary to encrypt them in the database and decrypt them on the clients.
Do anyone have any suggestions for either how the encryption could be implemented or about node frameworks to use? I have looked at socket.io, but this seem to be created for real time chatting applications, which is not exactly what I'm looking for. I have also looked at RabbitMQ, but I don't really understand if it suits my requirements or not.
Many thanks in advance!
You are talking about end to end encryption. Your encryption would be easy to break if the key for the encryption is hardcoded inside the application. In order to implement something like this, you'll need a library for iOS and a library for Android.
For iOS, I recommend using OpenSSL and implementing a encryption scheme(Public key Cryptography). For Android, you can use the Spongy Castle library.
Due to limitations with iOS push notification size, it is not a great idea to send data via PUSH.
You will also (probably)need to implement a authentication mechanism for users to login.
You can go on two paths here..
Have the server generate a secret for the clients to decrypt
Separate keys, (hashed password on database, and public/privatekeys on client)
I have not used socket.io/rabbitmq, so unfortunately I cannot help you there. It seems like you are new to this, I would take a good look & reading on public key cryptography. http://en.wikipedia.org/wiki/Public-key_cryptography#Examples
Background:
My company has a REST-api developed in Play Framework 2.2 and we use Play's built in authentication using signed cookies as security. Our application is split up into multiple instances of Play all sharing the same application.secret. This enables us to read the session cookie on all instances of Play very easy.
Problem:
Right now we're in the process of migrating some parts of the REST-api to Node.js and would like to use the same session cookie there (with same application.secret) to detect if a user is logged in or not. I've searched the internet and I haven't found anything on the topic.
Question:
So, is it possible to do it? Is it considered secure enough or do I need to migrate to another method of authentication?
The cookie is encoded in CookieBaker:
https://github.com/playframework/playframework/blob/master/framework/src/play/src/main/scala/play/api/mvc/Http.scala#L430
with an HMAC-SHA1 signature using Crypto.sign:
https://github.com/playframework/playframework/blob/master/framework/src/play/src/main/scala/play/api/libs/Crypto.scala#L98
You have the application secret and presumably Node.js has the same signature algorithm, so you should be good to go.
I'm not very expert in this kind of programming, and I know there is several similar questions, but anyone answered exactly that I need.
My team (and I) are developing a Public Key Infrastructure. We are stuck in the key generation (on client side), but we found so few documentation about it.
We know there are these options:
keygen tag --> generates a SPKAC request --> works in Mozilla to internal keystore, token and smartcard
crypto.generateCRMFRequest() --> generates a CRMF Request --> works in Mozilla to internal keystore, token and smartcard
CryptoAPI, CAPI, XEnroll CEnroll --> generates a CSR PKCS#10 (I think so) --> Works in Internet Explorer (we still haven't found code's examples)
Javascript or java Applet (yes I know, both are different) generates in all with sunpkcs11, bouncycastle or iaik API (can't reach any goal)
We found this options. but we don't know how to get the results, how to create to a CSR PKCS#10 request and how to handle it.
please, could you give me an advice about select the strategy, find how to implement and handle results, convert results and so? we are getting crazy!
Example: we know how to use the keygen tag, but we don't know how to set the key to only RSA 2048, and how to handle the SPKAC request to convert in a good CSR signed on SHA256
We tried to develop a Java Applet with iaik API, but the CSR generated had an error.
You are correct on all counts, as far as using browser tags to generate the keypair and/or certificate request. I recommend you take a look at the Odyssi CS project on Sourceforge. It's a very simple CA implementation written in Java/JSP. Take a look at the JSP files and you can see how the various options are being passed to the key generation tags.
Basically, you generate the keypair as part of a form submission. From there, they're available in the same way as any other request parameter. You'll need to know how to decode them on the backend. IE generates the request as a PKCS#10, which is nice since it's a well-documented standard. The SPKAC format isn't as widely used, but there are still good documentation and libraries available.
http://sourceforge.net/projects/odyssipki/
As Daniel pointed out, SPKAC is not broadly supported (even by CAs), it would be better if viable for your case to use PKCS10 in all browsers.
Here is an example doing that - https://github.com/PeculiarVentures/csrhelp