I am trying to verify the signature of a file on Windows 10 and I believe I might have run into a chicken-and-egg problem, so I am looking forward to some advice from the pros.
I was trying to verify the signature of the Maven binary (https://maven.apache.org/download.cgi), so I found this documentation: https://infra.apache.org/release-signing#verifying-signature
However, I am using Windows 10, which does not come with gpg built in: 'gpg' is not recognized as an internal or external command.
So I need to download GnuPG so that I can use it to verify the signature of my Maven binary.
However, to install GnuPG (https://www.gnupg.org/download/index.html) I should also verify the .sig file from GnuPG.
Does anyone know how I can verify the GnuPG file using any Windows 10 built-in command line? Or what the most advisable strategy is?
Thank you a lot
Regards
Personally I think you have to draw the line somewhere.
For me, I would either compile GPG from source (where, if you wish, you or others can audit the code), or use the published SHA-1 hashes (not sure why they still use SHA-1).
Then, from there on in, you can retrospectively verify the signature.
You're right to a degree: it becomes a chicken-and-egg problem, which is a recurring theme in cryptographic engineering, whereby, again, you have to draw the line somewhere.
I mean, are you going to be able to verify that the p and q primes used by GPG's private key (that's signing the binaries) have been validated using a correct implementation of Miller-Rabin primality test?
Or, should it be an elliptic-curve-based key, that the entropy used to generate the private scalar was high? ...
No! So don't worry too much, you're already an order of magnitude beyond the average user's OpSec.
I want the algorithm for Cisco type 7 encryption and decryption. On searching, I found out that it uses Vigenere cipher encryption, but it won't work. Please, can anybody help me out? Even if I find some small lead, that will also be good.
Thank You.
Decrypting a type 7 key is pretty straightforward if you have the hash value and access to a Cisco device.
Create a key chain:
config t
!
key chain test
key 1
key-string 7 "put your hash here"
end
!
show key chain
Note: some of the newer code will not allow you to see the keys; however, this method usually works and can be used to see the clear-text version of a key.
Alright, here's the story:
I'm getting married soon, and I'd like to create a website (or an app).
Obviously, I'd like only guests to be able to access it.
So I was thinking about a system where it would require a security code to sign up.
The problem is that I do not trust anyone not to be silent about the code, so I was thinking about giving a different code for every couple (or family) of invited people.
On the sign up form, I would then verify that the entered code has not already been used.
But since I don't know who will sign up to the app, and I don't really have time to manually register each guest, I won't have a database recording which code has been provided to whom.
So, I need an algorithm to generate a random security code, and the reverse one, to check if a given string is a valid security code.
I need the algorithm to be complex enough that people could not guess what the magic is behind the code they received. (I know, it feels pretty paranoid.)
The generated security code should be pretty simple, like 6 to 8 characters (a mix of digits, upper and lower case letters).
The main issue is that I have no clue how to build a reliable system to generate and validate security codes.
I feel like I should have a secret key stored on the server side, that would be necessary to generate a code, and I would have to find it back if a given string is a valid code.
Let's say secret is my private key.
The generation algorithm would be something like secret + whatever = generated code (where the + whatever operation remains to define).
But then how could I check a given string? string - whatever =? secret would be the solution (where - whatever is the reverse operation of + whatever).
Well, I actually have no clue of what whatever could (or should) be.
Do you have any advice or guidance?
For the technical part, I will probably code this in JS (with a NodeJS server).
But as I'm talking about the concept of security code generation, any pseudo-code will do the job.
Generate a hash of the person's email address (capitalized) and make the code the first n characters. So, for example, if your email address is TOUPYE#GMAIL.COM then the SHA-256 hash would be: 038122aedbf777b8c7c3aaed14ae7c08249a9d47f82f4455a0d667cacc57d383 so your code would be "038122". Generate a list of codes for each person/family. If someone has no email address, use the telephone number. If they do not have a telephone, use their address.
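A keyed take on the "secret + whatever" idea from the question, as an added example that is not part of the original question or answer: each code is a short random id followed by a truncated HMAC-SHA256 tag over that id, so the server can validate a code with only its secret and a record of codes already redeemed. The function names, the 3+5 character split and the base62 alphabet are assumptions made for this sketch.

```javascript
// Added example: stateless, single-use invite codes for Node.js.
const crypto = require('crypto');

const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const ID_LEN = 3;  // random part: makes each printed code different
const TAG_LEN = 5; // keyed part: 62^5 (about 9.2e8) possible tags per id

// Truncated HMAC-SHA256 of the id under the server secret, rendered in base62.
function tagFor(secret, id) {
  const mac = crypto.createHmac('sha256', secret).update(id).digest();
  let n = mac.readBigUInt64BE(0) % (62n ** BigInt(TAG_LEN));
  let out = '';
  for (let i = 0; i < TAG_LEN; i++) {
    out = ALPHABET[Number(n % 62n)] + out;
    n /= 62n;
  }
  return out;
}

// Produce one code to print on an invitation; no per-guest record is needed.
function generateCode(secret) {
  let id = '';
  for (let i = 0; i < ID_LEN; i++) id += ALPHABET[crypto.randomInt(62)];
  return id + tagFor(secret, id);
}

// `used` holds redeemed codes (a Set here; a table with a unique index in practice).
// Returns 'ok', 'used' or 'invalid'.
function redeemCode(secret, code, used) {
  if (typeof code !== 'string' || code.length !== ID_LEN + TAG_LEN) return 'invalid';
  const expected = Buffer.from(tagFor(secret, code.slice(0, ID_LEN)));
  const given = Buffer.from(code.slice(ID_LEN));
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length) return 'invalid';
  if (!crypto.timingSafeEqual(given, expected)) return 'invalid';
  if (used.has(code)) return 'used';
  used.add(code);
  return 'ok';
}
```

Because a guess succeeds with probability 1 in 62^5 whatever id is tried, the sign-up endpoint still needs rate limiting for the short code to hold up.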
I've read a lot but can't find the answer. I am curious as to how to obtain the command line interface wallet for crypto coins given fresh source code. For example, litecoin. I'm willing to bet the steps are the same for bitcoin and others?
Anyway, what I've tried is:
git clone https://github.com/litecoin-project/litecoin.git
cd litecoin
make -f makefile.unix USE_UPNP=
I also (don't know why) tried:
qmake "USE_UPNP=-"; make
To obtain the litecoin-cli from the source tree you must clone/fork https://github.com/litecoin-project/litecoin/tree/exp-0.9.3-preview4.
The github reached via a search engine is out of date in this respect.
Also, I learned that the RPC API code was simply copied into a different binary (copied, it's still in litecoind - allcoind's).
So this means I can simply do things like
litecoind getnewaddress
Instead of
litecoin-cli getnewaddress
This applies to all coins.
I'm working on implementing DSA digital signature algorithm. I understand the algorithm itself, one thing I don't really understand is how should my message look after it was signed?
For example, I have a text file that I'd like to sign and send to someone else. Where should I put the generated keys for verifying the signature, and how should I parse this message to verify the signature?
PKCS#7 is your friend.
Update: I forgot to mention that CMS (Cryptographic Message Syntax) is an evolution of PKCS#7.
Eugene's link should answer your question. I will add one thing: Don't expect any actual security from your implementation of DSA. If you want the information secure, use an already-written DSA implementation. When not expertly written, crypto primitives can be terribly insecure.
I am trying to create a ticket for Remote Assistance. Part of that requires creating a PassStub parameter. According to the documentation:
http://msdn.microsoft.com/en-us/library/cc240115(PROT.10).aspx
PassStub: The encrypted novice computer's password string. When the Remote
Assistance Connection String is sent as a file over e-mail, to provide additional security, a
password is used.<16>
In part 16 they detail how to create a PassStub.
In Windows XP and Windows Server 2003, when a password is used, it is encrypted using
PROV_RSA_FULL predefined Cryptographic provider with MD5 hashing and CALG_RC4, the RC4
stream encryption algorithm.
A PassStub looks like this in the file:
PassStub="LK#6Lh*gCmNDpj"
If you want to generate one yourself run msra.exe in Vista or run the Remote Assistance tool in WinXP.
The documentation says this stub is the result of the function CryptEncrypt with the key derived from the password and encrypted with the session id (Those are also in the ticket file).
The problem is that CryptEncrypt produces a binary output way larger than the 15 byte PassStub. Also, the PassStub isn't encoded in any way I've seen before.
Some interesting things about the PassStub encoding. After doing statistical analysis, the 3rd char is always one of: !#$&()+-=#^. The only symbols seen everywhere are: *_ . Otherwise the valid characters are 0-9 a-z A-Z. There are a total of 75 valid characters and they are always 15 bytes.
Running msra.exe with the same password always generates a different PassStub, indicating that it is not a direct hash but includes the rasessionid as they say.
Another idea I've had is that it is not the direct result of CryptEncrypt, but a result of the rasessionid in the MD5 hash. In MS-RA (http://msdn.microsoft.com/en-us/library/cc240013(PROT.10).aspx), the "PassStub Novice" is simply hex encoded, and looks to be the right length. The problem is I have no idea how to go from any hash to the way the PassStub looks.
I am curious, have you already:
considered using ISAFEncrypt::EncryptString(bstrEncryptionkey, bstrInputString) as a higher-level alternative to doing all the dirty work directly with CryptEncrypt? (the tlb is in hlpsvc.exe)
looked inside c:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm (WinXP) to see what is going on when you pick the Save invitation as a file (Advanced) option and provide a password? (feel free to add alert() calls inside OnSave())