I am sending some text from a J2ME app.
I want to digitally sign it with a private key available to the j2me app.
The other side has the corresponding public key to decrypt the same message.
How do I do this signing in J2ME and decryption in C#?
I have tried using Bouncy Castle but it gives me an insufficient memory if I don't use obfuscation and if I do use obfuscation then it gives me a ClassFormatException.
Related
I understand the use case of Asymmetric Encryption using a private and public key. A client side Web Application can encrypt a JWE using a servers public key and the server uses its private key to decrypt the encrypted message.
Is it possible for a Web client to receive an encrypted message from a server encrypted by the Web Clients public key and have its own private key to decrypt the servers encrypted message?
From what I understand about security the browser is not a safe place to hold keys since an experienced person can read them if they wanted.
So is the encryption and decryption with JWE only possible in one (server to client) direction? Or is it possible for a Web client to hold a private key for decryption for encrypted messages from a server safely?
I am working on security implementation in web application. I have developed a node.js web server and a clients in HTML for displaying the data to end users. I want that the data shown to the clients be encrypted and sent from server. I though that i will encrypt the data using AES at node.js server and decrypt it at client. But decryption at client will need keys to be stored in the client application which is not recommended. I read about SubtleCrypto interface of WebCrypto API. But these are not supported in all browsers. Now I am not able to understand that how I implement encryption and decryption of data in my web application. Where should I keep the keys. Please advice any suitable architecture and technology so that I should be able to serve encrypted data to the clients without compromise of keys. Please suggest if symmetric or asymmetric encryption algorithm will be suitable for my scenario.
I'm wondering how I can guarantee that messages received by the server are definitely from a client that is running my app on their smartphone.
Messages sent by clients running my app will be secured by SSL encryption, so would a good solution be to include some sort of secret key that is stored on the device and on the server, that is then embedded within the message body? (but then this key is prone to being discovered through reverse engineering)
Well, no, if you cannot trust your code and if you do not have access to some kind of protected key store (that performs it's own encryption, e.g. a TPM or suchlike) then anybody can steal the key. If you require authentication you can of course use the normal authentication methods such as user passwords.
If you require the messages to be protected you can then derive a key from the password (using a PBKDF such as PBKDF2 for instance), decrypt a private key with it and use it to sign the messages. If that's too slow, you can use the private key to encrypt a session key, and use a message authentication code.
I am new to PKCS#11 and Common Access Cards but as I understand it, on the card you have the certificates(s) that can be extracted and the private key(s) that can't. I am trying to write an app that communicates with a web server that requires certificates for authentication. The PKCS library provided from the hardware vendor is pretty thin. I can essentially access the certificate object or sign data using the on-card private key.
What I am unsure of how I handle the handshake and such when connecting to the webserver. Am I supposed to provide the certificate along with something else signed by the private key? If so, what is it that I sign with the private key? I have Googled this but have been unable find some kind of explanation for this process.
If you are using an RSA key on the common access card for authentication, you'll need to send a CertificateVerify message in the handshake, which contains digital signatures over the handshake records to that point. You'll also need to send the client certificate, of course. See §7.4.8 of the TLS specification for details.
Hopefully, your TLS library supports the use of a PKCS #11 cryptographic module. If not, you might have to switch. Implementing TLS yourself when you aren't familiar with the specification is unreasonable.
I think you just need to retrieve your client certificate from your PKCS#11 device and then use it along the request you are making to web server. You don't need to implement SSL if you use existing libraries. They should contain all you need.
Windows Mobile Supports Encryption (Settings -> System -> Encryption). My application needs to read encrypted files and decrypt it. How can I get encryption key used by Windows Mobile and decrypt it?
If the only reason you want the key is to use it to decrypt an object, then just use the CryptDecrypt function of the Windows Mobile Cryptography API.
-PaulH