Our company is switching over from using SHA-1 certificates to SHA-2 certificates.
I noticed that CAPICOM only has a CAPICOM_CERTIFICATE_FIND_SHA1_HASH find method.
Will switching over from SHA-1 to SHA-2 mean we will need to switch to an alternative to CAPICOM for verifying/encrypting/decrypting using these certificates?
CAPICOM_CERTIFICATE_FIND_SHA1_HASH is not about the hash algorithm used for signing, but about searching for a certificate via its fingerprint (i.e. the hash of the certificate data).
Since CAPICOM uses Microsoft crypto providers, which support CALG_SHA_256, CAPICOM should support them as well.
However, you can use another commercial solution; there are a bunch of them available on the market (BouncyCastle, /n software, SecureBlackbox).
In GnuPG there are gpg implementations for different platforms, even Android, but not iOS.
Is there any way I can use GPG in my iOS app?
I am looking for the very basic operations as described in this title (Create keypair, List Keys, Import public key, encrypt, decrypt).
I found zero material out there except for apps that use gpg within (which is what I want to accomplish).
Any directions are valid.
Let's talk, thanks.
For iOS there is the ObjectivePGP framework that covers that functionality; you may want to use it to incorporate PGP in your application.
PGPro and Privacy are both free software; they rely on ObjectivePGP and they work like a charm. Maybe there are some limitations in the support of elliptic curves, but RSA just works. Please ensure that you don't mistakenly export both your public key and your secret key when using PGPro when you only want to share your public key with someone else who would like to send you encrypted messages.
N.B: Please note that I don't recommend you to encrypt/decrypt messages under proprietary operating systems because it requires you to blindly trust the corporation that provides the operating system as it can't be audited by an independent organization. I recommend you to install a GNU Linux free software distribution like Debian (or Postmarket OS but it's not very mature yet) on your phone instead. As it might be unclear for some people, I highly discourage the use of OS X, iOS, Microsoft Windows and even Android to encrypt/decrypt messages.
I am currently searching for an iOS GnuPG client app as well and found this page Uwes Blog that lists and compares four different apps (iPGMail, oPenGP, Secumail, NouveauPG).
I could find an answer from 2013 that iOS does not support ECC-based encryption and a recommendation to use OpenSSL. I see in the Security Framework Reference some definitions for TLS_ECDH, but it is not clear to me that ECC is fully supported. I need to be able to generate a key pair based on secp256r1 and use the other party's 64-byte public key to generate a shared secret by using ECDH. I also need to be able to use ECDSA to sign and verify signatures.
We are building a Rails application and one of our clients had asked if we are using industry-standard 256-bit encryption to ensure the confidentiality of personal information.
Are there any gems which can be used to enforce this?
First, enforce the use of SSL in Rails. A good summary of how to do this can be found at http://www.simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/
Second, you have to configure your web server so that it forces clients to use AES-256 for secured connections. If you are using Apache, you might start reading here: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
That should be about it.
I'd like to authenticate the caller of my SOAP webservice (deployed in Ruby 1.8.7/Rails 2.3.5 using the datanoise gem on Red Hat Enterprise Linux 5) using some encrypted tag in the XML requests. Normally the client is a Windows program (maybe C#/.NET Windows programs - not Java/Ruby) which should generate a varying encrypted key in each call to the webservice based on a key/salt - while my server side would always be able to decode it with the private key. Knowledge of the encrypted token on the wire should not allow a third-party program to simply replicate the fully encrypted token and access the webservice. I am looking into OpenSSL but am a newbie to cryptography. The string being encrypted for identification could be (among other items) the MAC ID of the trusted client, which when decrypted would match the stored value on the server side of the trusted hosts.
I've found lots of possibilities on the Ruby side, but ideally need to ensure that the solution does not impose (or minimizes) any library or installation requirement on the Windows client side. What I'm most struggling with is a way to generate a new key each time the call is made, so that anyone sniffing the traffic cannot simply infer the mode to create the encrypted tag by getting access to the key.
As you are authenticating the caller here and not necessarily just the contents of what they send, there's no need to put the authentication mechanism into the SOAP request. Others have tried to do what you are after with WS-Security, so if at all, I'd go with that.
There have been problems with the security of the scheme, though, but probably the biggest deal breaker is that there's no support for it available in Ruby (that I know of at least, please correct me if I'm wrong!).
Probably the easiest way to achieve client authentication on both ends would be using mutually authenticated TLS (the former SSL). This will ensure authentication on the transport level, which should suffice in your case. Actual authentication will then happen by first checking the validity of the certificate that is sent by the client (Ruby OpenSSL takes care of that for you), and once that is established, you check it against a white list of known certificates that you maintain on your server.
Please don't invent your own scheme; cryptographic protocols are among the hardest things to get right (that's why there are problems with WS-Security). TLS is probably as good as it gets right now and it has broad support in any language.
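The two-step check described in this answer (validate the client certificate, then match it against a list of known certificates), as an added Ruby example that is not part of the original posts. It also shows the point made in the CAPICOM answer at the top of the page: a fingerprint used for lookup is a hash over the certificate bytes and is independent of the hash in the signature. The CA, the client names and the helper names (`issue`, `fingerprint`, `authorize`, `demo`) are constructed for the illustration.

```ruby
require "openssl"

# Constructed test PKI helper: self-signed unless an issuer cert and key are given.
def issue(subject, issuer: nil, issuer_key: nil, ca: false, digest: "SHA256")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Fingerprint = hash over the DER bytes of the whole certificate. It is a
# lookup value and is unrelated to the hash used inside the signature.
def fingerprint(cert, algo)
  OpenSSL::Digest.new(algo).hexdigest(cert.to_der)
end

# Step 1: chain validation against the trusted CA. Step 2: allowlist match.
def authorize(cert, store, allowlist)
  return :untrusted_chain unless store.verify(cert)
  allowlist.include?(fingerprint(cert, "SHA256")) ? :ok : :not_allowlisted
end

def demo
  ca, ca_key = issue("/CN=Constructed Test CA", ca: true)
  known,    = issue("/CN=known-client", issuer: ca, issuer_key: ca_key)
  unlisted, = issue("/CN=unlisted-client", issuer: ca, issuer_key: ca_key)
  rogue,    = issue("/CN=known-client")     # self-signed, same subject name
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  allow = [fingerprint(known, "SHA256")]
  { signature_algorithm: known.signature_algorithm,      # SHA-256 based
    sha1_thumbprint_hex_len: fingerprint(known, "SHA1").length,
    known: authorize(known, store, allow),
    unlisted: authorize(unlisted, store, allow),
    rogue: authorize(rogue, store, allow) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a TLS server the certificate passed to `authorize` would be the peer certificate of the connection; matching on the fingerprint of the full certificate rather than on the subject name is what rejects the self-signed look-alike.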
I'm looking for a good standards-based component for digitally signing documents with X.509 certificates. I can't see any native component for this, only ActiveX components.
You can use OpenSSL for that.
Take a look here: delphiopenssl
The problem with doing it yourself is that you don't have a third party being an independent verification of the validity of the certificate.
It's a trust thing, and that's why companies like VeriSign and Comodo make the big bucks.
Check out Secure Black Box from Eldos which I have used in my apps to "sign" files.