I used jasypt-1.9.2 to encrypt property value in configuration file.
Unfortunately, I lost key but I have encrypted string and plain text.
In this situation, Is there way to get key from encrypted string and plain text?
If the encryption was not a trivial method the answer is NO.
The best chance you have is to try potential passwords and find one that works.
Note: critical passwords need to be saved securely somewhere that is very hard to loose by accident. One solution is on paper, in a good safe, not a cheap fireproof only safe. Perhaps in a bank Safety Deposit Box.
Related
I am building an iOS app for someone. The app will be used to take mock exams on for a professional license. The question data is stored in Core Data but the question and answers strings need to be encrypted as the client spent a lot of time writing them and doesn't want someone else stealing his work to use in a competing product.
So what I want to do is set the attributes in core data to transformable, use a custom NSValueTransformer to transform the strings to NSData and while they are being transformed use RNEncrypt to encrypt and decrypt.
So far so good.
Here is my predicament: I need to use a key to encrypt and decrypt the data but how do I get/create it?
My options:
hardcode it == bad!
generate key and store in keychain == not the right type of security. i.e.. does not protect against owner of the device.
generate key from user password == no other reason for the user to have to login.
the app connects to a server and gets a key with some authentication stuff(I don't know what is involved exactly) == I don't want to rely on a network connection for the app to work.
obfuscation, I feel like if I create a string from bits of other strings and method sigs and then hash it then that will be enough == It probably won't be.
My questions then are these:
- Obfuscation, can it be enough, has anyone else had success with it?
- From my research I've learnt that a hacker with an ipa can see all the hardcoded strings, class names and method sigs but they can't see the code inside the methods (is that correct?), so how could someone read the key if it was built up/generated inside a method?
- As the title, Can I use Obfuscation?
- Are there any options I have missed?
For the record, if I have to then I'll make people register and login.
You cannot store data locally securely. As soon as you are able to decrypt it an attacker can as well. That goes for EVERY encryption technique. No matter what you try.
You have to store the data or a different decryption key for each data point on a server and retrieve it one by one every time. You additionally have to make sure that the user does not just send 100s of requests and retrieves all data by hand.
Note that storing just one key on a server will result in the exact same thing as writing it hardcoded in the app. And not limiting the requests will just cause the attacker to need a little more time than just looking at an already decrypted local db.
Of course you can obfuscate it to make it seem like it has some good encryption behind it - but if someone WANTS to get the data, he will be able to.
Regarding the code in an ipa: you will not be able to see the original code but you will be able to see some code that produces the same output as the original code. As long as the device can produce the valid key, an attacker can as well.
I do not know if there is a huge community out there that is looking through random apps to steal some of its internal questions / answers / data, I doubt it.
You just have to make the product sooooo good that no competing product with the same data has any chance against it. The data itself can always be "stolen".
I just make an iOs application with my own DRM (The application is for Cydia). I am wondering how I can secure my application from decompilation. I decompiled my app, just to check what the "interested" user can see. I was able to see every string, sensitive strings. Then I decompiled FindMyiPhone and I saw that every string was replaced with "some string from a protected section" Does anyone know protect a string?
First things first; if someone really wants to crack an app, he/she will find a way to do it. Also Cydia and Jailbreak won't help you much for protecting your app.
You should encrypt the string separately and use this encrypted string in your code. Naturally, the string should be decrypted on the runtime before being used. This is very easy to crack and these are the things you can do to make it harder;
Set "Deployment Postprocessing" and "Strip Linked Product" flags to YES from the project build settings. This will strip the symbol table and will make it more difficult to acquire the critical variable and method names (and also their addresses).
In addition to the first step, you can use preprocessor directives (especially #define) to make the compiled code more riddling. For example;
#define importantString temp
#property (nonatomic, strong) NSString * importantString;
Hiding the contents of the string is more tricky. You should encrypt the string, use only the encrypted string in the code and decrypt it on the runtime when needed. This way your string will be hidden when the app is decompiled and any attacker will have to solve your encryption method. You can use directly AES or find some ideas about how to obfuscate a string in here and here. I would suggest to write your own encryption/decryption functions and use NS_INLINE for the decryption function to make the code more complicated when decompiled.
But there is another problem; the string is encrypted in the code, but it will be decrypted on the runtime in some point, even if you wipe the decrypted string just after it's used. Someone can easily debug the code and hook the decrypted string. Luckily, there are some methods to prevent debugging which are described in here.
Still, these are all well-known methods and will only protect the code from curious eyes. For further information, you can look at this tutorial or read Apple documentation or this book.
I am pretty much a newbie at cryptography but I am trying to encrypt some data and save it in a file in iOS 3 because I do not want the user to just go in and edit the file. What is the proper way to securely (relatively) encrypt the data in iOS 3? Most of the documentations I found online were for iOS 5.
Any help would be appreciated!
Thanks,
Alex
I do not know iOS3 well enough to suggest something that is already built-in. If you need to develop encryption from scratch, then RC4 is absurdly easy to program. It is obsolescent now, but still reasonably secure. Its major fault from your point of view is that you need to pick a secure key using a good KDF (Key Derivation Function), such as PBKDF2.
The "proper" way to do it is to use Apple's Key chain in IOS. Unfortunately, as this post says, this isn't really that secure for IOs3. For ios4 it works fine.
Someone probably has a paid solution out there , but you may well end up writing one yourself. You are going to want to
Derive your key from a user supplied password using a key derivation function such as PBKDF2. In fact your need to derive two keys, so you are gong to run it twice with two different RANDOM salts.
Use AES with a RANDOM IV and one of your derived keys (that parts important and all the example code I've seen didn't). prepend the salts and the IV to your cipher text
Use an hmac with the other derived key on all of the above data. Prepend that.
To decrypt, rederive the keys using the key derivation algorithm with the password and prepended salts, regenerate the hmac , take the sha1 hash of the generated one and separately the sha1 hash of the one in the message, and verify that they are the same ( don't directly compare the hmacs directly) and then decrypt the data using the other derived key and the prepended IV.
This is a pain to write and annoying to users since they need to put in a separate password, but there is no way to do it securely otherwise. If you store the key on the iphone, someone can read it and decrypt the data. Yeah you could encrypt the key, but then how do you store that key?
I don't believe apple has decent objective c bindings for any of this,so you need to use the common crypto c API. Its documented here. The objective-c APIs which appear to be useless, are documented here
I would save a couple of values (username-password) with NSUserDefault.
First: is there a way to save them together (like in an array for example)?
Second: is it safe? or do I have encrypt the password in a some way?
Encryption will give you some security. The problem is your program would also have to decrypt the password, which means it must have the key stored in it somewhere. This will make it vulnerable to reverse-engineering. A better approach is to use an one-way function (such as a hash) on the password and store that hash value. When a user enters a password, you then apply the one-way function to the password and compare the result to the stored value. In this manner, the password cannot be compromised (well, there's always a dictionary attack, but that's a matter of password strength).
Instead of using NSUserDefaults, you would be better off using iOS Keychain Services. It's main purpose is to securely store user credentials. Apple has already done all the hard work for you. Take advantage of it.
No. It's not safe.
If you need to store data securely, use the keychain.
you can use an NSDictionary or NSarray to save your values, and you should also encrypt your data because NSUserDefaults works like a plist which can be accessed by anyone
This one is easy to use, works with ARC
I am creating a rails application that needs to store a large amount of sensitive data. To assure my customers that the data is being protected, I want to encrypt it on a per-user basis. I have done research looking for gems that can accomplish this. So far I've found strongbox and safe. Together, this would seem to provide a solution for me.
However, I am wondering if this is a common practice. It would seem that most rails applications have some sensitive data to store regarding their users. AuthLogic is handling my password encryption, but emails and other personal data are just as sensitive. Is it common practice to leave these items unencrypted in the database and assume that it will never be compromised? I understand that the database resides in an area that can not communicate with the outside world, but a determined attacker could easily compromise this. Is it common practice for Rails developers leave their data unencrypted and simply trust the security of their web server?
The problem with encrypting your database is that anything you encrypt cannot be used in a SQL query, and also, it still has to be decrypted before it can be used. This means that you need to place the decryption key in close proximity to the database, and in most cases, if someone can compromise your database, that means they have also compromised your decryption key at the same time. Thus the encryption step has bought you very little. With passwords, no decryption is necessary because it's actually a hash function. You're far better off making sure the database is never compromised in the first place.
Always assume that if a hacker can compromise any portion of your security, they can compromise all of it. Chain is only as strong as its weakest link and all that.
Credit card numbers and social security numbers (which fortunately you don't usually need to index on) are probably the most obvious exception to this, but if you have to ask this question, you've got no business storing those items in the first place. There's all kinds of legal trouble you can get into for messing that stuff up.
Credit card number, SSNs, etc should always be stored encrypted.
Passwords should always be stored encrypted, using a one-way hash. This means that when the user supplies a password, you can determine if it matches what you stored in the DB, but given only the encrypted representation in the DB, you cannot from that determine their password, short of brute force/dictionary attacks.
I find that in my app's, I like to add unencrypted_**** readers and writers to my class, to make dealing with the encrypted representation painless.
class User
# has db column encrypted_cc_number
def unencrypted_cc_number
WhateverEncryptionClassYouUse.decrypt(encrypted_cc_number)
end
def unencrypted_cc_number=(val)
self.encrypted_cc_number = WhateverEncryptionClassYouUse.encrypt(val)
end
end
Using layered security mechanisms and strong cryptography is good practice if you are storing a large amount of sensitive data. It is required by the Payment Card Industry’s Data Security Standard (PCI DSS). I suggest that you read the following guideline document: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf.
You should definitely not "assume that it will never be compromised"