I have been requested from my partner to use his API, and to use this API, I should encrypt all sent data to AES 256. He shared a .jks file with me, in addition to some parameters with values like (Alias, KEYSTORE_PASSWORD and KEY_PASSWORD), then he told me that the password which I should use for encryption is stored in that JKS file, and to open it, I should use the pre-shared parameters.
So, how can I reach that?
UPDATE ...
This is not a web service am trying to invoke, I just need to get the Password which is stored in the JKS file, so, I am not going to invoke an API or import a certificate into my client app. So, it doesn't matter if opening the app by C# or any other tool, i just need to get the password in order to use it later in encrypting some data.
I opened the given file by using KeyStore Explorer, then I imported the file into the app and providing it with all shared info like KeyStore_Password and Key_Password. Eventually, it opens.
I know that is away off C#, but all what I needed is to get the Password which is stored in that file, and this was my first time to deal with something like that.
But you cannot access "TrustedCertEntry". It is a restriction.
See: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs
Related
I want to implement a simple way for a user to upload a save file (a really simple json file with no personal information) to their cloud account.
The main problem is that dropbox, google drive etc... don't work with simple username and password, they need OAuth 2, and a browser for log in. But it's not easy to implement that in a Unity game, and it require that I set up a secret API key connected to my account (with limited put and get possible without pay).
I want to be able to use the final user account to upload 1 single json file to the user account, and be able to download it from another device (that's the only reason why I want to be able to log in... without log in I can use something like htput, jsonblob or myjson... but if I want the user to be able to get their save in another device I would need that they copy a really long and not easy keyurl generated by those services).
I saw that with MegaApiClient it should be possible. I imported it into Unity as a native Plugin and I was able to use it in my code.
Problem is that I cannot Login because I get an error:
TlsException: Invalid certificate received from server
the code I use it the one in the example:
var client = new MegaApiClient();
client.Login("username#domain.com", "passw0rd");
There is a way to make it work? If not do you have any idea how to solve my problem?
In the end I decided to go with Dropbox. It's easier than I expected, but you will need to use the code flow with copy/paste (you cannot use the redirect_uri, at least I don't know how to redirect to the app on all platforms).
I don't know how to solve the mega problem.
EDIT. With Unity 2018.2 now MegaApi works.
EDIT. You can use the redirect_uri too, just redirect to 127.0.0.1 on android and localhost on pc.
I'm currently working on a Windows Application Project and I have two problems in securing data.
First,I need to make a file that store a password as string which the user should enter it every time the main form loads, I tried many ways but each one has a problem:
Hashing the string and save it in a file, so every time user enter the password the input password will be hashed and compared with the hashed string
Problem: Decompiling the application let anyone see the hashing method and file location, so he/she can create text file with hashed value of any string like 0000 and replace that file with my application file, then use the 0000 to open the application
Using encryption algorithm with custom encryption key
Problem: key can be accessed after Decompiling the application
The other problem is for connection string of an online MySql Database that used in the application but I do not want any user see the connection string:
Encrypting the connection string with DataProtectionConfigurationProvider
Problem: other machines can't decrypt and use the string
Encrypt and save the connection string in a file and decrypt and use that file when application load
Problem: Decryption method can be known from source code after Decompiling
Is there anyway I can use except Obfuscating the source code?
I mean like storing these sensitive data in a file that can be read/written by my application only?
Feel free to write any advice about my problems and Thanks in advance
Try to save your files with hashed passwords in the web with read-only permissions. Or use dll written using unmaneged code (c++)
what is the recommended approach for polling password changes only in Active Directory, get the updated password and update else where ?
I have looked into classes in System.DirectoryServices.Protocols namespace like 'DirectoryNotificationControl' class but seems like this would poll for any attribute and later on we need to query to see if attribute we are interested (password) has indeed changed.
Also how do we get password value from active directory ? It is possible using LSA although very complex..
The only "simple" way (and those are VERY big quotes around "simple") is to write up a Password Filter Dll that is hosted on the Domain Controller.
You can implement the PasswordChangeNotify interface and have your code update whatever external thing that needed to be notified of the password change.
However this must be done in native code, so no C# allowed.
I originally went down this road and ended up giving up on it and used a different method of tracking the changed passwords, however one thing I did discover along the way was an open source project called passwdhk that may be helpful for you.
What passwdhk does is it implements a Password Filter DLL for you, however all the filter does is launch another executable with the command line arguments that where passed in to the password change notify function ("post-change program" is forwarding the arguments from PasswordChangeNotify, "pre-change program" is forwarding the arguments from PasswordFilter). This allows you to still write your code that updates the other service in C#, it just takes the password in from the command line instead of intercepting the password itself.
As far as I know, by default the password (stored in an encrypted way) cant't be read in Active-Directory. You can change the policy to store it in a reversible way, but it's really not a good thing.
The only way I know, is to install a componant on each client machine. The component catch the password change and you can do what you want.
From NT to XP this component was called GINA (DLL). Begining Vista this companent should be written using Credential Provider API.
Whilst pair programming with database systems, sometimes we end up temporarily hardcoding credentials (typically of our own accounts), which leads to slight awkwardness with the partner trying to look away whenever the password is onscreen. Is there any simple way of using basic obfuscation (ie, rot13) to hardcode a password without other developers taking a quick look and seeing my password?
It doesn't need to be secure. It only needs to grease the social aspect. I don't want anything complex involving super secure encryption or reading passwords out of files etc. This has to be quick to implement (i.e. 10 seconds max) whilst coding on the fly. Ideally I want something like:
string password = string.rot13("zlcnffjbeq");
Does anything like this already exist?
To configure SQL Server for Windows integrated security
From the Windows Start menu, select Microsoft SQL Server, and then select Enterprise Manager.
Open the node for the server and expand the node for the database you want to give users permissions for.
Right-click the Users node and select New Database User.
In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK. Additionally, configure the SQL Server to allow all domain users to access the database.
From MSDN. Connection strings become Server=x;Initial Catalog=y;Integrated Security=true instead of Server=x;Initial Catalog=y;User=you;Pwd=yourpassword.
I would suggest to store your password in a config file. For source control, use a dummy one. Then after getting latest version of the config file on your PC, you can modify the config by adding your password.
You could use base64 and just keep the base64 version of your password somewhere handy for cut and paste, bearing in mind that your system admin will have a blue fit if they find out about this. Both the suggestions in comments (#Oli/#CodeCaster) are preferable to this, imo.
DPAPI is more work but arguably a balanced solution to your requirement, with some security.
The .NET Framework provides access to the data protection API (DPAPI),
which allows you to encrypt data using information from the current
user account or computer. When you use the DPAPI, you alleviate the
difficult problem of explicitly generating and storing a cryptographic
key.
Maybe you can store your password in a String variable like here
/* Variable that stores the password */ string pwd = "12345";
string password = string.rot13(pwd);
and tab it out of the visual range of the editor. This would be a proper solution to your problem.
Then you can use the string variable somewhere else in your code and no one can see your password unless he scrolls to the right
I have written a C# winform program that uses the google drive SDK and that I want to release publicly. However, I'm not sure if it's safe to store my Google Drive client and secret ID's in the source code, and if it's not, what is the recommended way to store them?
Example, i have a class that explicitly defines two varialbes - String CLIENT_ID = and String SECRET_ID = . If I send out the .exe for this, is this information easily attained by someone?
Yes. Using a tool like reflector, you can pull out that information in a few seconds.
The answer is, don't use YOUR google drive. Make the user use their drive. Or, if it's something your program needs to just READ...well, make the file public.