I want an update pushed out to my game pretty soon, but I'm stuck on this question. I added a small function that essentially uses RNGCryptoServiceProvider() (C# & Unity3D) to generate a small random string that I use to identify the user. It is sent as part of a field in POST data to my mysql server but nothing more.
I want to answer "no" for this question, but I'm scared that apple will somehow detect ("using System.Security.Cryptography" at the top of my C# file) that RNGCryptoServiceProvider() is a part of, and think I'm trying to do something malicious by answering no. Am I being paranoid? Is it safe to answer "no" or should I answer yes? Thanks
Generating random numbers is not using encryption, you are not encryption anything.
See: Cryptography and U.S. Export Compliance.
Related
For my first internship I have to do some awesome stuff with European tachograph readers.
In short: I have to use a smart card reader to read a contacted (not a radio smartcard) ISO 7816 company card to read out the unique identifier of that card. Nothing else. I then have to sent that Identifier together with the answer-to-reset to somewhere else, where it is processed, answered, and then some data talk up and down.
No code is there, I have to build everything including the server somewhere in the future. For now, I focus on the card part. I started from scratch and was asked to use C# for this. I use the PCSC-lite library on Linux and can already communicate with the card. I am able to get the answer-to-reset codes and was able to do some other stuff with the smartcard which is not important for my question. I also read most of the ISO 7816 datasheets. Especially the parts that seemed important to me. My code reads back the responses and checks what sw1 and sw2 is. So I can read debug info. So I would like to think that I've at least got some basics covered...
I'm the only one in the company who can do this stuff.. Or should be able to do this. And I'm down on my last breath.
Could somebody, who has any experience in the field. Please explain in simple terms to me:
1. How the memory on such a card is build up
2. How to acces the memory
3. Which APDUs and in which order to send them to get the unique card identifier (or point me in the direction to where I can find a memory map or something)
For question one I specifically mean: I know the data structure seems to work with EF's which i need to "select" and than try to extract data using the correct apdu's. But I don't really understand how it works or how the memory structure is build. I've read the ISO files, but they are a bit difficult for me. Maybe if I get some help, I understand them better.
For question two I specifically mean: Under normal circumstances, what Apdu's and in what order should I send them, to access a piece of memory.
I already read a lot on stack overflow on the subject but couldn't find an answer that worked for me.
I will be forever in your debt and you've helped a student if you are so kind to answer my question :)
Oscar
I'm not sure, whether I understand your question (and I work with smart cards for many years). There is no free-floating available memory on a file-system based smart card (as opposed to dumb memory cards like SLE44), you can only access it via files (EFs in that case). While one can in principle create new files, real life cards require specific authentications for that and you are unlikely to have the keys for those.
Which files already exist (and which data is stored in which record/offset/data object) is given in the specification, in your case in one of the specifications to found here. The used specification is essential, because the card itself could support many applications, and tachograph is just one of them. As soon as you know, where the data is, you have to create the corresponding SELECT / READ RECORD / READ BINARY commands.
I have been looking for a simple encryption/decryption class for storing information in the database. Trouble is I have no clue what I'm looking at half the time, so I really don't know if what I find is really all that worth implementing for what I need, whether it be over-complex or too easy to crack.
I have brain stormed about it for a bit, my first thought-train leading to a simple "switch, add, multiply" key for the ACII Values, but I think that wouldn't really be worth it after seeing what encryption classes actually are.
Essentially I'm looking for a key that encrypts any and all data (including table and column names) on storage, and decrypts on withdrawal. But like I said, doesn't need to be too complex, but if someone does want to access the data, they have to earn it haha.
Can anyone suggest a good link/provide a simple class for what I'm looking for? It could possibly be something I have found before, but like I said, I haven't the faintest as to what I'm looking at half the time
Thanks in advance!
Pre-emptive Edit I know some Databases have their own encrypt/decrypt methods, but I figure this is the easiest way to implement it because I will be working will multiple different database programs.
AES 256 is (while potentially overkill) a very secure encryption algorithm. Microsoft provides an implementation in System.Security.Cryptography and the example at MSDN is a great place to get started.
I've used this for database encryption and it works just fine.
Since you said you are new to encryption, I will try to touch on what encryption does, and doesn't do for you. Encryption takes normal data (ie. ("My private string")) and turns it into random data (bunch of bytes), only reversible by knowing the private key (in AES 256). Data, since it is different between cells, and likely private/important information is a good thing to encrypt.
Your database schema is constant, so encryption is only minimally useful here. The difference between calling a table "Names" and "A" and "oiaeoriuojdklfjsad" (this last is an example "encryption") is minimal. This is what is meant by "security by obfuscation". You could argue that choosing a random name is slightly more secure than a descriptive one, but it is really just going to confuse you when you try to use it, and the real "gold" a hacker will want is the data anyways. Knowing what kind of data it is isn't really going to help if it's going up against a good encryption algorithm.
I wrote some code where I establish a TCPIP-Connection between a server and a client and managed to send data from the client to the server.
Now i want to encrypt the data, with RSACryptoServiceProvider, which will be sent between both, so that the client encrypts the data and the server decrypts it for further work. Unfortunally I don't find anything how to manage this on the internet especially when it comes to the keys, because most of it runs on the same machine inside the same programm. Can somehelp me to solve my scenario in vb.net or c#?
My math teacher gave me something that is very smilar to this but that was in danish and i don't think it's a good idea to let you play with google-translate. But this is just as good :-)
Just note (stolen from my math teather, I'm not sure if the link tells it):
The number that you use need to be really big to get you the security level at a acceptable point. Actually, to be secure, you would need at least 1024 bit (preferably 2048), which corresponds to between 307 and 614 decimals.
Hope that helped :-)
In fact, private methods are implemented in C# that can still be searched with Reflection.
What I am going to do is to write public string Encrypt(string data) and private string Decrypt(string cipher) methods to perform encryption and decryption.
Unfortunately, if someone knows .NET framework, he can use Reflection to find Decrypt methods and it decrypt everything that is encrypted.
It seems that is not that secure. So I want to make Decrypt method to truly private method.
But how to do that?
Updated 09 Jan 2012 10:52PM Sydney Time
bdares provides the technical explanation of this question
Eric Lippert provides the political explanation of this question
Thanks both experts!
You can't. If the attacker has access to your code, compiled or source, he can trace your program and find where it's being encrypted or decrypted.
You can add a layer of security by storing the key in a separate location, but generally if the attacker is executing code on your server, you're already screwed.
(You're only worried about this if the attacker is executing code on your server, because otherwise it doesn't matter whether or not the method is private. Also, he can't use reflection to find method names unless he's executing code on your server. In short: you're worrying about the wrong thing here.)
Your fundamental problem is that you've got the trust model wrong. If someone can use reflection then they are the user. You are the software provider. You work for them. Trust flows from them, not from you. They are the person who has to trust you, not you them.
If you don't trust the user then do not sell them your software in the first place. Don't sell weapons to people who you believe plan to attack you.
I believe you are referring to obfuscation, which is an attempt to hide/disguise code from being read by humans when opened in program such as Reflector.
Supplied within Visual Studio is a community use license for PreEmptive Solutions dotfuscator which will provide this functionality on small projects, and also for Windows Phone projects (if you download the add-on). There are also commercial platforms available too, from the same vendor and others .
This blog post explains a little more.
If you're creating your own encryption method, you're doing it wrong. People who know way more about encryption than you or I have already come up with excellent methods for encryption, and MS has implemented most of them already.
For good encryption, it's the keys, not the method, that makes encryption secure. Keep the keys safe and the algorithm can (and should) be published for all to see.
If you're trying to distribute both content and keep it encrypted, aka DRM, you're most probably doomed to failure unless you can keep the keys very well hidden in hardware, and even that will only buy you some time -- maybe months, maybe years.
I am not sure about your exact application. But if you are selling a product to a customer who will be doing both the Encryption and Decryption on their own system, then there is no way to keep the encryption secret from them. But you can instead allow them to generate a new Private Key for their own use. In this way each customer's data is 'secure' in regards to other customers; though obviously still not so secure within the same customer's site. In other situations where you control the encrypted content you can also look into creating a private master key to be generated on your side and only allow the customer to have a public key.
I'm not asking for a tutorial with code, I'm trying to do the research, but I want to make sure I'm asking the right questions.
What's the best form of encryption I can use out of the box with .NET?
Public/Private key, where do I store these things securely?
What tools should I have in order to do this properly?
I started off with an AESCryptoServiceProvider, encrypted a string I passed in, I was happy. Tested that if I called it twice it would come out with the same value. Then realized I hadn't provided any form of key, so a second run of the app yielded different results. So I began reading up, seeing RSA Public/Private keys etc. etc. And just want make sure I'm going down the right path with the reading I'm doing. There's tons of examples out there, few mention where you put these keys or where you even get them from.
There's a lot of cryptological functions in System.Security.Cryptography.
They have hashes, crypts, streams, and a lot more.
The RSA provider is a good one. And about storing the constants securely. I can only suggest storing them crypted in the solution.
You shouldn't be able to read them from the source, so there needs to be some kind of security after the assembly has build. Maybe obfuscation, maybe something else.
About the generating of the key, do not use your own system, or any development system I guess.
EDIT:
To generate keys you better use either user input, for example, just create a little application, that calculated the time it takes to type a certain piece of text, per letter.
Or use a HRNG/TRNG, Hardware Random Number Generator (uses input from the actual world, retrieved through sensors). Or True Random Number Generator, basically also HRNG, but mostly with other forms of input, very advanced.
RANDOM.ORG should be able to help you out.
If it's not that extreme important, just go smack your head against your keyboard, and see the results :).
Go for AES. Stack Overflow already has a wonderful implementation of AES Algorithm as an answer.
Regarding "Public/Private key, where do I store these things securely?", I recommend that you do not re-invent the wheel. Microsoft has already spent a great deal of effort to build, and is actively maintaining and (hopefully) improving, infrastructure to store private keys: https://msdn.microsoft.com/en-us/library/windows/desktop/bb204778%28v=vs.85%29.aspx. You can use the native key storage.