Right now we are trying to evaluate various open source JCE providers for encryption and signing capabilities for our project. It is J2EE based web application project.
I came across "Legion of the Bouncy Castle" which seems to satisfy our requirements. Though before finalizing to it, I want to know its pros and cons and its evaluation w.r.t. nearest competitor?
I asked the same question some time ago and failed. I couldn't find any OS alternative to Bouncy Castle, so we ended up using it - for verifying the signature of GPG-signed archives. It works quite well, although there is no real documentation and searching for examples on the net is not trivial. So expect a little experimentation - I'd say 1-2 days to get yourself familiarized with it.
I'm not aware of other open source JCE providers (unless you count OpenJDK). But in general, I've found BouncyCastle to be a superb provider with tons of capabilities, and portability good enough to never fail me so far.
Performance was fine for our needs, YMMV (but probably not that much).
Related
In my project (windows desktop application) I use symmetric key in order to encrypt/decrypt some configurations that need to be protected. The key is hardcoded in my code (C++).
What are the risks that my key will be exposed by reverse engineering ? (the customers will receive the compiled DLL only)
Is there a way for better security for managing the key?
Are there open source or commercial products which I can use
Windows provides a key storage mechanism as part of the Crypto API. This would only be useful for you if you have your code generate a unique random key for each user. If you are using a single key for installations for all users, it will obviously have to be in your code (or be derived from constants that are in your code), and thus couldn't really be secure.
What are the risks that my key will be exposed by reverse engineering ? (the customers will receive the compiled DLL only)
100%. Assuming of course that the key protects something useful and interesting. If it doesn't, then lower.
Is there a way for better security for managing the key?
There's no security tool you could use, but there are obfuscation and DRM tools (which are a different problem than security). Any approach you use will need to be updated regularly to deal with new attacks that defeat your old approach. But fundamentally this is the same as DRM for music or video or games or whatever. I would shop around. Anything worthwhile will be regularly updated, and likely somewhat pricey.
Are there open source or commercial products which I can use
Open source solutions for this particular problem are... probably unhelpful. The whole point of DRM is obfuscation (making things confusing and hidden rather than secure). If you share "the secret sauce" then you lose the protection. This is how DRM differs from security. In security, I can tell you everything but the secret, and it's still secure. But DRM, I have to hide everything. That said, I'm sure there are some open source tools that try. There are open source obfuscation tools that try to make it hard to debug the binary by scrambling identifiers and the like, but if there's just one small piece of information that's needed (the configuration), it's hard to obfuscate that sufficiently.
If you need this, you'll likely want a commercial solution, which will be imperfect and likely require patching as it's broken (again, assuming that it protects something that anyone really cares about). Recommending specific solutions is off-topic for Stack Overflow, but google can help you. There are some things specific for Windows that may help, but it depends on your exact requirements.
Keep in mind that the "attacker" (it's hard to consider an authorized user an "attacker") doesn't have to actually get your keys. They just have to wait until your program decrypts the configurations, and then read the configurations out of memory. So you'll need obfuscation around that as well. It's a never-ending battle that you'll have to decide how hard you want to fight.
I'm trying to secure my play application but I have no idea where to start. In play tutorial I have not found any chapter about that topic. As far as I see security topic is changing between play versions. So what are You guys using to secure Yours applications.
I'm new in Play so please forgive me if I'm asking obvious questions.
Edit:
Ok, maby question was't clear enough(I'm really sorry about that). When talking about security I mean that I need something to deal with users credentials and tool which allows me to restrict access to some pages and eventually to some rest actions in my application.
Edit2:
I'll try deadbolt2 now and we'll see how does it works. But I still encurage You guys to share Your knowledge about Play security with others:)
The documentation seems to still be a bit lacklustre on this topic, but essentially, authentication/authorisation functionality is usually performed using Action composition, which is the basis of reusable controller code in Play. There an example here (also linked from the docs that should help give you the general idea.)
Action composition in Play 2.2.x is done using ActionBuilders. These take a block which accepts a request and returns a Future[SimpleResult]. This allows the action builder to either execute the given block, or return a different Future[SimpleResult] (say, an Unauthorized in the case that a user's credentials did not check out.)
In our app we use the Play2-auth module for handling authentication with session cookies. This has (just) been updated to work with Play 2.2.x but uses a slightly different mechanism for action composition (stackable controllers.) You might be best off working out how the precise functionality you need can be accomplished just using the native framework tools before adding a dependency to it.
I agree with the other answers but just add that I use securesocial to integrate with other auth providers (google, FB, etc...), so I don't have to do auth myself. It's quite easy to get up and running.
https://github.com/jaliss/securesocial
Access control, security, etc. is a very wide topic, because it means very different things depending on context. This may be one of the reasons why Play has little documentation for it, which puzzled me at the beginning as well.
Play2 has some security helpers, namely it's the Authenticated method, for some insights on how to use it, check the comments in the source code. Its a simple method that you could implement yourself, and most do. It, essentially, just proposes a structure for where to place your methods that would check if request is authenticated and what to do if it's not.
Play2 also has some cryptography logic, which is used for signing cookies.
That's about it, you don't have any more pre-built security structures, but that's a good thing, because you don't want the framework making decisions like that for you, if it doesn't know in what context it will be used.
What is essential is to go and research how attacks relevant to your application are carried out, best practices and so on. I recommend going to OWASP, particularly the OWASP Cheat Sheets. If the list of Cheat Sheets seems intimidating start with the OWASP Top Ten Cheat Sheet. Don't mind the large volume of information, it's very useful knowledge.
I've been using the MonoTorrent library for a couple of weeks now and am looking for any kind of feedback or recommended alternatives.
The only issue I have with the library so far is that it is MUCH slower than uTorrent, I am not sure if this is a configuration issue or whether it doesnt support a required feature etc, but I require higher speeds for my needs and I found that for the exact same file I can get a major difference (times 100) in terms of the numbers of seeders and speeds.
I wanted to give libtorrent a try as well but have not been able to even compile the windows dll, let alone write the required code to use it :-)
I probably don't know much about the history of the torrent protocol but found it strange to find so little support in the C#/.Net world.
Was even considering wrapping the uTorrent client somehow, but it might be 'frowned upon' lol
Ended up using the libtorrent C++ library (running on a seperate process with added REST api to communicate with the main program) it works well and the torrent performance is excellent.
How can I access Microsoft's Crypto API from a client side Web application? More specifically, access user's Windows-MY certificates through a web browser and use them to encrypt data. I've looked at CAPICOM but it is no longer supported by Microsoft. I've also looked into Java's Cryptographic Excention and MSCAPI provider but it does not provide the functionality I need.
You have quite a few questions on this topic. This answer relates to all of them.
First: your problems using SunMSCAPI is caused by an unlucky combination of Entrust's CSP prompting for password when it is not necessary and SunMSCAPI using a slightly strange way of deciding whether a certificate has a matching private key. Can you get Entrust to fix their CSP?
Second: if you cannot get Entrust to fix their CSP, your best bet is Java and JNI. I can see that you tried this but gave up. It is possible - it will probably give you a headache, but it is really the only viable cross-browser solution. Of course if you can live with an Internet Explorer-only solution (you mention CAPICOM) you can implement your own ActiveX/COM-object with the exact functionality you need.
I need to send data from an Air application, using a certificate.
This certificate is to be provided by the user through a USB Key.
I've got a lot of questions regarding this.
Is it possible to do what I'm looking for?
If yes, is it possible to do that only with the Flex/Air sdk or should I use Java or some other language to load the certificate?
Would anyone have a link where I can learn some more about this? I've been looking through the web, but haven't really found anything useful...
For the certificate stuff, you may take a look at the as3crypto library, which is doing an awesome work in implementing various cryptographic and security related algorithms in AS3. I've used this particular library to do data signing and verification, using an external X.509 certificate.
The implementation in this library is pretty straightforward, and you shouldn't be confused about it, if you are a little familiar with cryptography and the whole keys/signing/certificates world.
[Edit] If you are not, you might want to take a look at the Digital Signature page on Wikipedia, which is a pretty good introduction to this world. Also, because the AS3 implementation of RSA is quite slow, if you want to sign a large number of data, you may want to sign hash of the data instead of the real data. For the practical code to do this kind of stuff, there is some code sample in the demo of the library.
Also, as you mention that your certificate is coming from an USB drive, you should be aware that using AIR 2.0, you might be able to monitor plugging and unplugging of mass storage devices. That might be cool for your application.