I am using "Platform agnostic Security Token" for oAuth in Golang - https://github.com/o1egl/paseto
I am not able to understand, why this is better than JWT even after reading README
My Major Question is:
Can "token" generated be altered like "JWT" and pass modified or tampered data?
Can "token" generated using "paseto" be decrypted and viewed like "JWT"?
Paseto library above uses "SET" and "GET" method inside their JSONToken method. Is that how we can verify authenticity of the user?
Sample Code:
symmetricKey := []byte("YELLOW SUBMARINE, BLACK WIZARDRY") // Must be 32 bytes
now := time.Now()
exp := now.Add(24 * time.Hour)
nbt := now
jsonToken := paseto.JSONToken{
Audience: "test",
Issuer: "test_service",
Jti: "123",
Subject: "test_subject",
IssuedAt: now,
Expiration: exp,
NotBefore: nbt,
}
// Add custom claim to the token
jsonToken.Set("data", "this is a signed message")
footer := "some footer"
v2 := paseto.NewV2()
// Encrypt data
token, err := v2.Encrypt(symmetricKey, jsonToken, footer)
// token = "v2.local.E42A2iMY9SaZVzt-WkCi45_aebky4vbSUJsfG45OcanamwXwieieMjSjUkgsyZzlbYt82miN1xD-X0zEIhLK_RhWUPLZc9nC0shmkkkHS5Exj2zTpdNWhrC5KJRyUrI0cupc5qrctuREFLAvdCgwZBjh1QSgBX74V631fzl1IErGBgnt2LV1aij5W3hw9cXv4gtm_jSwsfee9HZcCE0sgUgAvklJCDO__8v_fTY7i_Regp5ZPa7h0X0m3yf0n4OXY9PRplunUpD9uEsXJ_MTF5gSFR3qE29eCHbJtRt0FFl81x-GCsQ9H9701TzEjGehCC6Bhw.c29tZSBmb290ZXI"
// Decrypt data
var newJsonToken paseto.JSONToken
var newFooter string
err := v2.Decrypt(token, symmetricKey, &newJsonToken, &newFooter)
Now, if you see there is code: jsonToken.Set("data", "this is a signed message") and we can get that value in Decrypt data at the end where newJsonToken variable is created.
We can get the value of "data" key using: newJsonToken.Get("data").
But is above data "verifiable" and can't be tampered or modified on user's end?
Like in JWT debugger at JWT.io, People can tamper data and know the algorithm and pass "modified" data.
Can user do the same with my generated token as well? Can they decode and pass tampered data? or they can't decode data or view actual data at all?
1 - Can "token" generated be altered like "JWT" and pass modified or tampered data?
Note that token cannot be "altered" either using PASETO or JWT without knowing the signing key (which should of course be secret).
The fact you mention about being able to view the JWT token data in JWT.io page is because data is not encrypted (so you can see it without the key).
But token is signed, so if you modify any value and don't have the key, you won't be able to sign it back and the token receiver will note the token is not valid when trying to verify it.
2 - Can "token" generated using "paseto" be decrypted and viewed like "JWT"?
It depends on how you generate the PASETO token.
See here:
https://tools.ietf.org/id/draft-paragon-paseto-rfc-00.html#rfc.section.2
Format for the token is version.purpose.payload.
And from the docs:
The payload is a string that contains the token's data. In a local token, this data is encrypted with a symmetric cipher. In a public token, this data is unencrypted.
So if you generate the token as in the code snippet you posted (local token, with a symmetric key), then payload will be encrypted (you won't be able to see it unless you know the symmetric key and use that one to decrypt it).
If you use a public/private key pair, then payload will not be encrypted, so you'll be able to see it without the key (but you'll not be able to change it and sign it again without knowing the private key).
Related
I know from https://github.com/near/near-cli#overview that I can call near state to view general details of an account, like this:
NEAR_ENV=mainnet near state root.near
Account root.near
{
amount: '517981340092537993206924239',
block_hash: '6A4vsQqTjdQgKnWrHVURycSmehBMgtgg4GNemmjZUB6S',
block_height: 64959783,
code_hash: '11111111111111111111111111111111',
locked: '0',
storage_paid_at: 0,
storage_usage: 13899,
formattedAmount: '517.981340092537993206924239'
}
And I know that I can browse on the web at https://explorer.near.org/accounts/root.near
But how can I explore (either via a website or CLI) the contents of all of the on-chain data in an account's storage?
You can use the CLI's view-state command. An example of this could be:
export NEAR_ENV=mainnet
near view-state nft.nearvember-challenge.near --finality final
This will return key value pairs that are base64 encoded. You can loop through and decode these as you wish. For example, one of the key value pairs returned from this call is:
{
key: 'A3YkAAAAAAAAAA==',
value: 'ARgAAABORUFSdmVtYmVyIENoYWxsZW5nZSBORlQBNwAAAHRoYW5rIHlvdSBmb3IgcGFydGljaXBhdGluZyBpbiB0aGUgbmVhcnZlbWJlciBjaGFsbGVuZ2UBTwAAAGh0dHBzOi8vY2xvdWRmbGFyZS1pcGZzLmNvbS9pcGZzL1FtUEt6WnFIdnY1c2VCQ3hIdW5nNFpLRFlHS2QxOFozSzRmWWtHeTJTMjFOQVoAAWQAAAAAAAAAAAAAAAAAAA=='
},
which, if base64 decoded, has a value of
NEARvember Challenge NFT7thank you for participating in the nearvember challengeOhttps://cloudflare-ipfs.com/ipfs/QmPKzZqHvv5seBCxHung4ZKDYGKd18Z3K4fYkGy2S21NAZd
Keep in mind that the CLI will only return state that's below a certain threshold. If the account's state is too large, it won't be viewable unless you configure and run your own node.
I'm trying to reset a MS Active Directory password attribute using ldap in Go. AD won't play nicely with ldap.PasswordModifyRequest so I'm using ldap.NewModifyRequest. (Using gopkg.in/ldap.v2)
AD will accept the password surrounded in quotes and utf16le encoded, in Python I can do this using
unicode_pass = unicode("\"secret\"", "iso-8859-1")
password_value = unicode_pass.encode("utf-16-le")
mod_attrs = [(ldap.MOD_REPLACE, "unicodePwd", [password_value])]
l.modify_s(user_dn, mod_attrs)
How can I do this in Go? Using ldap.NewModifyRequest and Replace I can change other attributes, but I need to pass Request []string for the updated value, that needs to be my encoded password, and I'm running into type mismatches when I play around with utf16.Encode...
modify := ldap.NewModifyRequest(dn)
modify.Replace("unicodePwd", []string{"encodedsecret"})
Thanks.
You can use the golang.org/x/text/encoding/unicode package to encode your string as UTF16.
Using this package you can write something like this:
utf16 := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM)
encoded, err := utf16.NewEncoder().String("encodedsecret")
modify := ldap.NewModifyRequest(dn)
modify.Replace("unicodePwd", []string{encoded})
// do something with modify
I have an application using ruby and sinatra. I want to be able to paste a token which is in this format:
{"access_token":"token...uwD--Of0ikNjr8AeW3oS9zP2rith3fdsf2Wk","token_type":"Bearer","expires_in":3600,"created":1415727521}
into a text-area and use it. Now the problem is, the pasted token is in string format. I have tried converting it into an hash and also to json format but it ain't working still.
Here is my code:
post '/tokenize' do
got_token = params[:token] # the pasted token
token_hash = JSON.parse(got_token) #I am not sure if I did this correctly.but it is producing an hash.
token = token_hash.to_json # producing the token in json format as the original token that I pasted.
get_contacts(JSON.parse(token)) # calling the function that should use the token. giving an error since it is not a valid oauth token.
redirect to ("/tokenize/finish")
end
Error: It is producing an error because the token is not a valid oauth token.
Someone please tell me how I make the token valid and usable.
You can manually instantiate token class OAuth2::AccessToken with params that you have collected full definition of that constructour you can find here.
But eventually you will need OAuth2 client for using that manually instantiated.
For example:
client = OAuth2::Client.new('client_id', 'client_secret', :site => 'https://example.org')
token = OAuth2::AccessToken.new(client, collected_token, collected_opts)
response = token.get('/api/resource', :params => { 'query_foo' => 'bar' })
I am following OpenSSL directives to generate signatures. I am using ruby 2.1.0 and am generating signatures like this:
document = "This is a simple string document to be signed"
key = OpenSSL::PKey::RSA.new([private_key])
digest = OpenSSL::Digest::SHA256.new
signature = key.sign digest, document
The signature is transmitted and reaches the destination where it is to be verified. To verify, I do like this:
key = OpenSSL::PKey::RSA.new([pubkey])
digest = OpenSSL::Digest::SHA256.new
key.verify digest, signature, document # => valid
This is working because if we change just one letter of the document or signature, this returns invalid result:
key.verify digest, signature, changed_document # => Invalid
But with a different SHA, the verification command still results in a valid result:
digest = OpenSSL::Digest::SHA256.new('this will generate different SHA')
key.verify digest, signature, document # => valid
It confused me. Shouldn't a different SHA hash result in invalid result? What is the role of digest here?
Passing an argument to OpenSSL::Digest::SHA256.new causes that data to be added to the digest.
However, the openssl signing functions reset the digest before it is used and so that extra data has no effect in this particular case.
I have to encrypt a particular field value and store in DB. I have used RSA Encryption for Ruby. I was able to encrypt and save it, but then while decrypting it back, i am facing problem. What i have done is as follows,
key_pair = RSA::KeyPair.generate(512)
Stored key_pair in separate column.
ciphertext = key_pair.encrypt("Hello, world!")
Stored ciphertext in another column in same table.
While decrypting, i fetched the key_pair value from database and applied decrypting function
plaintext = key_pair.decrypt(ciphertext)
This step throws error
NoMethodError: undefined method `decrypt' for <String:0xa431b88>
because "key_pair" is not an instance of "RSA::KeyPair".
When i try to decrypt the stored value, i fetch key_pair value from database and then apply decrypt method on it. So the key_pair value has String class. I need a way to solve. Please guide me.
Before decrypt, try:
# get persisted value from DB; then
key_pair = RSA::KeyPair.new(your private key, your public key)
# and then decrypt
plaintext = key_pair.decrypt(ciphertext)