Is adding encryption before hashing more secure?

One way to secure a password in the database is to hash it with salt i.e. appending a random string to the password and then hash it and store the value.

Does encrypting the password || salt then hashing it make it more secure? Is it really necessary (or can I skip the encryption part)?

Go to Source
Author: xcoder

reversing php dencryption function using openssl_encrypt

hello all,

i’m solving a ctf challenge and i have this function that decrypts the cipher
i want to build a function that encrypts plain text using
vmUeu7D9bzE5JmNE as a key

example output:

//$EncString = encryptString("aaaaaaaaaaaaaaaaaaaaa", "vmUeu7D9bzE5JmNE");
 output:SElIT1dBUkVZT1VCUk8hIdk8ZHn/lvhO9Vammhqvg8N6OlV2KOX3uRiQ7gsn8ZXuvE4UUPOK9Q4ZhufvCiyXhAIdJxY+22Rt5AgkVy0CDcI=```

decryption function :

function decryptString($ciphertext, $password)
{
    $ciphertext = base64_decode($ciphertext);
    if (!hash_equals(hash_hmac('sha256', substr($ciphertext, 48) . substr($ciphertext, 0, 16) , hash('sha256', $password, true) , true) , substr($ciphertext, 16, 32))) 
        return null;
    return openssl_decrypt(substr($ciphertext, 48) , "AES-256-CBC", hash('sha256', $password, true) , OPENSSL_RAW_DATA, substr($ciphertext, 0, 16));
}

i want to reverse the decryption function , i tried but i couldn’t

Go to Source
Author: Mo Salah

Key handling for shared-key encryption with sodium

Being not a cryptography expert, I am having some basic questions on how to manage keys wrt. sodium-plus. Let me briefly explain the context: the use case involves sending data from a web frontend to a backend, but the backend should not be able to read it (deliberate design choice due to privacy concerns). The data in question needs to be usable from different client machines (the same frontend used at different times on differnet machines). It should be en- and decrypted using a secret that is under the control of the user and not stored by the application. There is no second user involved that should be able to decrypt the data, so I see this as a scenario for using a shared-key encyption approach.

I am looking into using sodium-plus.js for this and in particular to use crypto_secretbox, but am actually not clear on how to manage the key part in the scenario — ultimately, the user needs to have a way to access the same data on a different machine. Looking through the API documentation, I see two options:

  1. Generate a random key, convert it to a hex string, present the hex presentation to the user and leave it up to the user how she stores it. Then the user could use this hex presentation on the next client machine to decrypt her data.
    Unfortunately, I seem to be unable to re-create a cryptographic key from the hex presentation (hex2bin returns a (Promise for a) string). Is this even feasible? Also, I’m not at all convinced that this approach is not entirely defeating the idea of generating a random key in the first place?
  2. Derive a key from a password via crypto_pwhash that the user has to specify. However, this requires also a salt, so I’m back in a similar unclear situation on how to handle it: if the user would give the same password on a different machine (on which to decrypt the data) I also have to use the same salt to generate the same cryptographic key. How do people handle this?

If I could easily have read up on all of this, I would appreciate pointers, as my search-fu seems to fail me.

Go to Source
Author: schaueho

How should I sign a CSR using a signature created in HSM, in C# .NET Core?

I’m exhausted after looking for an answer for 3 days. I don’t know if my suggested flow is wrong or my Google skills have really deteriorated.

My API needs to create a valid certificate from a CSR it received, by signing it with a private key that exists ONLY inside an HSM-like service (Azure KeyVault), which unfortunately doesn’t offer Certificate Authority functions BUT does offer signing data with a key that exists there. My CA certificate’s private key is stored in the HSM. I’m using ECDSA.

My suggested flow:

  1. Client generates Key Pair + CSR and sends CSR to API
  2. API creates a certificate from the CSR
  3. API asks HSM to sign the CSR data and receives back a signature
  4. API appends the signature to the certificate and returns a signed (and including CA in chain) certificate to the Client

Flow

I’m using C# .NET Core and would like to keep it cross-platform (as it runs in Linux containers), so I have to keep it as native as possible or using Bouncy Castle (which I’m still not sure if runs in Linux .NET Core).

I really appreciate your help!

Go to Source
Author: NOP-MOV

Password relevance of symmetric key generation for hybrid crypto systems

For symmetric key generation we need to provide a password. What is the threat of using an universal password input for symmetric key generation in hybrid crypto systems and how should this be handled if following best practices?

Go to Source
Author: NowsyMe

Can InnoDB data at rest encryption be overriden

I am exploring options for distributing a MySQL/MariaDB database with my app. I want to ensure users (even the root user) cannot view or manipulate data in my database/tables. Recent releases of MySQL and MariaDB have data-at-rest capabilities:

MariaDB
https://mariadb.com/kb/en/mariadb/why-encrypt-mariadb-data/

MySQL 5.7.11 comes with InnoDB tablespace encryption
https://dev.mysql.com/doc/refman/5.7/en/innodb-tablespace-encryption.html

But what is not clear to me is: Can the MySQL root user reset the encryption password on my database/tables to view or manipulate the contents?

Go to Source
Author: TSG

Safe to sell used Android-phone without doing factory reset

I’ve got an Android One-unit with Android 10. However it refuses to boot and I’ve decided to get rid of it and I think I get get some money by selling a broken phone online. However since it refuses to boot I can not perform a factory reset or similair procedures. Is is safe to sell it or can personal data get in the wrong hands?

Some information:

  • I have not changed the encryption settings, so I think it’s encrypted by default
  • I got two factor authentication turned on on my Google account and removed the device from my “trusted devices”
  • I have screen-lock turned on with pattern needed to unlock it.

Go to Source
Author: Cleared

What affect does modulus have on CSPRNG outputs?

What affect does modulus have on CSPRNG outputs?

I work in security and I’ve seen modulus (modulo) used in many encoding and crypto algorithms. However, today, a friend of mine mentioned that using modulo like this:

unsigned long int result = some_CSPRNG_output % 556600;

“Limits the security effectiveness of the CSPRNG.”

If you are not familiar with C, the pseudo-code there is essentially stating that the output of some cryptographically secure random number generator, such as /dev/urandom on a linux system, modulo 556600, squeezed into a positive integer, is assigned to the variable “result.”

The idea behind his argument is that modulus limits the number of possible outputs, therefore weakening the strength of the entropy. He stated for example, that if we have a CSPRNG output and we compute it with modulo 2, there are fewer possibilities of outcome, thus the entropy is weaker.

Is this true? Please explain why or why not.

Go to Source
Author: the_endian