Windows Mobile Supports Encryption (Settings -> System -> Encryption). My application needs to read encrypted files and decrypt it. How can I get encryption key used by Windows Mobile and decrypt it?
If the only reason you want the key is to use it to decrypt an object, then just use the CryptDecrypt function of the Windows Mobile Cryptography API.
-PaulH
Related
I am working on security implementation in web application. I have developed a node.js web server and a clients in HTML for displaying the data to end users. I want that the data shown to the clients be encrypted and sent from server. I though that i will encrypt the data using AES at node.js server and decrypt it at client. But decryption at client will need keys to be stored in the client application which is not recommended. I read about SubtleCrypto interface of WebCrypto API. But these are not supported in all browsers. Now I am not able to understand that how I implement encryption and decryption of data in my web application. Where should I keep the keys. Please advice any suitable architecture and technology so that I should be able to serve encrypted data to the clients without compromise of keys. Please suggest if symmetric or asymmetric encryption algorithm will be suitable for my scenario.
I am aware that there are SSL libraries available for SGX. But How to establish a secret between the SGX and the clients without letting the host knows it? Trivial methods fail, like:
Have a public-private key pair built-in the SGX, then the client sends the session key to the SGX. The session key is encrypted by the public key of SGX.
This doesn't work because the host can get the private key directly from the compiled SGX enclave executable.
Running an https server in the SGX can neither do the trick, also because there is no authentication nor pre-shared secret between the SGX and clients.
What you are looking for is called "(remote) attestation". This process is used to verify that your compiled enclave was not tampered with and that the (remote) node is indeed the one you expected it to be.
As part of the attestation step, you can securely exchange information (a session key perhaps) with the enclave.
I am working on a project using TPMs & am trying to figure out if the AIKs can be used to decrypt any blob of text?
I was able to get my head around AIK enrollment & am now trying to use it for identity. For that my plan is to send a blob of text encrypted with AIK public key & ask the platform to decrypt it for me.
I thought of an alternate approach to have the AIK sign a blob of text for me at first, but looks like AIKs can be used to sign only the PCRs.
No, as a signing key the AIK is not meant to be used for decryption. You may be misunderstanding the purpose of the AIK. It is almost exclusively used for signing system quotes (obtained via TPM_Quote) which is then checked against the AIK certificate signed by a CA you trust. Intro to TPM 1.2 explains well how the EK and AIK play together.
I'm building an application and want it to securely transfer data to a server.
Thinking to use public/private keys for initial handshake to encrypt a key with which to encrypt subsequent data.
Is it reasonable to have the private key integrated in the executable which will be distributed out in the wild for anyone to reverse-engineer?
I also thought of using three-pass protocol, but read about some of its weaknesses and it probably won't work for me
I followed Martin's advice and posted to security exchange (https://security.stackexchange.com/questions/158650/distribute-private-key-with-application).
There I received an answer that I accepted, by user Serverfrog:
Generate the Private/Public Keypair on the client, encrypt this with a
password (maybe choose from the User itself).
The send the Public Key encrypted via Server Public Key to the Server
and you have your entire Public/Private Stack.
I recently created a PGP keypair using GnuPG keychain tool on mac. I can see that it automatically creates a master key and an encryption sub key. Now I want to use a key for encryption and signing on my smartphone as well.
So what is the best practice for it?
Does one create new subkeys for smartphone for this purpose or use the same which were generated?
Can you please provide an example for same?
Create an additional signing subkey (gpg --edit-key [key-id], addkey) and then only export the subkeys. If the keys on your smartphone get compromised, you only need to exchange the subkeys, and do not have to distribute your key again.
You could create an additional signing subkey for each device. For encryption subkeys this is a little bit more complicated, as the OpenPGP protocol does not know a way to bind keys to certain usage or devices; the other party's client will usually just select the newest usable encryption subkey, so you'll have to use the same encryption subkey on all devices.