How should I format digital signatures? - algorithm

I'm working on implementing DSA digital signature algorithm. I understand the algorithm itself, one thing I don't really understand is how should my message look after it was signed?
For example, I have a text file that I'd like to sign and send to someone else. Where should I put the generated keys for verifying the signature, and how should I parse this message to verify the signature?

PKCS#7 is your friend.
Update: I forgot to mention, that CMS (Cryptographic Message Syntax) is an evolution of PKCS#7.

Eugene's link should answer your question. I will add one thing: Don't expect any actual security from your implementation of DSA. If you want the information secure, use an already-written DSA implementation. When not expertly written, crypto primitives can be terribly insecure.

Related

Is there a way to decrypt an encoded string without a key in Ruby?

Here's the problem, a string has been passed through three separate encryptions in the following order: Original -> Base64 -> AES-256 -> Blowfish (Keyless) -> Final. Write a method that takes this triple encoded string mystery_string = "OXbVgH7UriGqmRZcqOXUOvJt8Q4JKn5MwD1XP8bg9yHwhssYAKfWE+AMpr25HruA" and fully unencrypts it to its original state.
I looked into different libraries/documentation for aes256 and blowfish but all of them required a key. The only one that did not require a key was Base64 (i.e. Base64.encode64('some string') ). Not really sure where to go from here.
Firstly, the only way to crack AES-256 and Blowfish without the key is by brute force enumeration of every possibly 32-byte combination that could be used as the key. In theory, this means it's not crackable in our lifetime. There may be some vulnerabilities you could exploit as you also have the plain text, but I doubt you would have that in a real-life situation.
Second, and most importantly, just going by that site, encode-decode.comhttps://encode-decode.com/, you don't actually have enough information to decode the string even if you did know the password.
The various modes of operation for the AES256 cipher function requires either a 32-byte (or sometimes a 64-byte) key. The secret that you used (you may have just left it blank) needs to be converted into a 32-byte encryption key. This is done using a hashing algorithm, but we don't know which one is used. Hopefully, the site used a key derivation function, which provides several security benefits. However, key derivation functions require multiple parameters, and we would need to know what parameters to enter along with our secret to get the right encryption key.
Finally, we don't know if the secret is being concatenated with a salt before being hashed. Without knowing if a salt is used and what the salt is, we cannot determine the correct 32-byte key used to encrypt the plain text.
In summary, the answer to your question is: No, there is not a quick way to decrypt that string without knowing the key.
However, encryption is an awesome topic to learn.
I'd encourage you to look over the ruby docs for the OpenSSL library. They're actually quite good (besides the don'ts I mention below).
The PBKDF2 Password-based Encryption function is one of the key derivation functions I was referring to.
When encrypting with AES, you will most likely want to use AES-256-GCM which is authenticated encryption.
A couple of don'ts:
Don't use ciphers at random... understand their strengths and weaknesses
Don't use AES-128-EBC - explination
Another good encryption library is rb-NaCl.

How do JWTs Implement Public-key Cryptography?

This actually breaks down into a lot of separate questions to understand the overall process.
From what I understand a JWT is just three JSON objects encoded into base64 separately from one another. Then the Base64 strings are separated by periods. This is done purely for "shorter message" purposes?
These include a header, "payload," and signature. The header and payload are 100% available to read by anyone who intercepts them. They are just base64 strings that can be decoded into JSON and read.
Then the MAGIC: The server receives the SIGNATURE, which cannot be decoded. The signature is actually a hash of the header, payload, AND a secret key. So the server takes the header, the payload, and ITS OWN secret key, and makes a hash. If this hash MATCHES the signature that came with the message, the message is trusted. If the signatures DO NOT match, the message is invalid.
My problem with all this? Where are the two separate keys here? It seems that the key used to encrypt the message and the key used to decrypt the message are the same. This is the root of my question - if you answer nothing else, please help with this.
Other than that, I wonder if I understand the process correctly? Also, where is the standard "agreeing on a public key" and then trading "mixtures" of public/private keys occurring here? All I see is the same key being used to encode/decode. But when did the agreement happen? Viewing this in context of .NET and Auth0 btw, but overall q.
Random stuff I watched/read/used if anyone is interested on seeing this q later:
Summary of JWTs: https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
Public-key/Assymetric Cryptography: https://youtu.be/3QnD2c4Xovk
Hashing: http://www.webopedia.com/TERM/H/hashing.html
Base64: http://en.wikipedia.org/wiki/Base64
Firstly, JSON Object Signing and Encryption standards (JOSE) use base64url encoding and not straight base64 encoding, which differs slightly.
JWT header and payload are JSON objects but the signature is not, that's a base64url encoded binary blob
the whole JWT is available to anyone who intercepts it, all 3 parts of it
you're describing a symmetric key algorithm, where sender and receiver use the same shared key; that is just one option for JWTS, another option is to use public/private key pairs for signing/validation/encryption/decryption
As with all crypto, agreement on keys needs to happen out of band.
Then the MAGIC: The server receives the SIGNATURE, which cannot be decoded. The signature is actually a hash of the header, payload, AND
a secret key. So the server takes the header, the payload, and ITS OWN
secret key, and makes a hash. If this hash MATCHES the signature that
came with the message, the message is trusted. If the signatures DO
NOT match, the message is invalid.
There is no magic here. JWT supports four well-known signature and MAC (message authentication code) constructions: HMAC (a symmetric algorithm), and ECDSA, RSASSA-PKCS-v1.5 and RSASSA-PSS (public-key algorithms). Each of these may be used with the SHA-256, SHA-384 or SHA-512 cryptographic digest. See also the table of Cryptographic Algorithms for Digitial Signatures and MACs from RFC 7518 - JSON Web Algorithms (JWA).
My problem with all this? Where are the two separate keys here? It
seems that the key used to encrypt the message and the key used to
decrypt the message are the same. This is the root of my question - if
you answer nothing else, please help with this.
There are not necessarily two separate keys - if a public key algorithms is used, the signature will be created using the server's private key, and verified using the corresponding public key. But if an HMAC algorithm is used, a shared secret key must be used for both signing and verification.

How to decrypt a string with unknown encryption algorithm?

How to decrypt a string with unknown encryption algorithm?
There is a string:
5aaC5p6c5L2g5a+55oiR5Lus5Zyo5YGa55qE5LqL5oOF5pyJ5YW06Laj77yM5bm25LiU5a+5cmFpbHMv5YmN56uv5byA5Y+R5pyJ6Ieq5L+h77yM5qyi6L+O5Y+R6YCB6YKu5Lu25YiwZ2hvc3RtNTVAZ2l0Y2FmZS5jb23pooTnuqbkuqTmtYHml7bpl7TvvIznoa7lrprkuYvlkI7lj6/ku6Xnm7TmjqXmnaXliLDmiJHku6znmoTlt6XkvZzlrqTlj4Lop4LkuqTmtYHvvIzosKLosKIK
I don't know the encryption algorithm. How to decrypt it?
To analyze and solve this problem, what should I learn?
It's not an encryption algorithm, it's base64. You can tell because of the +s.
http://www.opinionatedgeek.com/dotnet/tools/base64decode/
Try running it through this page, it'll turn into this:
如果你对我们在做的事情有兴趣,并且对rails/前端开发有自信,欢迎发送邮件到ghostm55#gitcafe.com预约交流时间,确定之后可以直接来到我们的工作室参观交流,谢谢
NOTE: If it was actually encrypted and you actually had no clue what it was encrypted with, you would be screwed, because any good encryption algorithm turns the output into meaningless gibberish, unusable without the key. Base64 has no key, you can just reverse it the same way every time.
This string appears to be a Base64 encoded string.
The decoded value is: 如果你对我们在做的事情有兴趣,并且对rails/前端开发有自信,欢迎发送邮件到ghostm55#gitcafe.com预约交流时间,确定之后可以直接来到我们的工作室参观交流,谢谢
Well, the string is likely Base64 encoded. If you decode it, you should get an effectively random piece of binary data if its encrypted (EDIT: As others have shown, it isn't encrypted, but the following would still apply if it were)
By checking the length, you can determine the block-size of the cipher. If its not an even block size, it likely could be a stream cipher (or a block cipher operated in stream mode).
However, any more information will need to be gleamed from other sources - as the point of good encryption is to make the data truly opaque.
Its Base 64 encryption.The above code is translated as:
如果你对我们在做的事情有兴趣,并且对rails/前端开发有自信,欢迎发送邮件到ghostm55#gitcafe.com预约交流时间,确定之后可以直接来到我们的工作室参观交流,谢谢
"If you are doing things we are interested in, and on the rails / front-end developers are confident, please send e-mail to communicate ghostm55#gitcafe.com appointment time, after determining the direct exchange of visits to our studio, thank you"

md5/hash on vb6?

I'm making a program that has a login. Is there any way to encrypt the normal password so that it can't be read in the data base? I've done a trick but I'm not content with it. What I did was to get the first, mid, and last char only and convert each char into ascii. Is there a way to convert all the text into ascii or something like md5/hash in php?
I'm really sorry about this thing, I haven't mentioned that my project is a VB6 project.
Don't use MD5 to store hashed passwords! See stuff like http://www.freerainbowtables.com/ for reasons why. MD5 is thoroughly broken... Check what you have available in VB6 (I'm hardly a VB6 guy ;-)) in the realm of cryptography. Something based on (salted) password-based encryption stuff is what you want, Google for "vb6 pbkdf2", I see a lot of hits there :)
I have been using a class by Phil Fresle for generating MD5 signatures for strings. You can copy and paste the source to create the class. To use it in your application I suggest storing the hash rather than the password. The class source code can be found here.

Is this some form of encrypted data?

Is this some kind of encrypted text. If so what is the message? What algorithm do they use to encrypt it.
/wEPDwUKLTg4NzIyNzcwNw9kFgICAw9kFggCAw8PFgIeBFRleHQFD1N1Z2FuIEtyaXNobmFuIWRkAgUPDxYCHwAFATVkZAIHDw8WAh4ISW1hZ2VVcmwFEX4vaW1hZ2VzL0ZpdmUuanBnZGQCDQ8PFgQfAAUOVHJ5IG9uY2UgbW9yZSEeB1Zpc2libGVnZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMbKoXKekKw34NtoM3F7LSsVyk27i
and this one also
/wEWAwKF0NmYAwLs0bLrBgLSwpnTCAezV8kYXyYZ4dulPyQ9ezcN3auX
Maybe; have you tried base64 decoding it, etc?
EDIT: yep, or something close to, as it's not all human readable -- if you let us know the context in which you acquired it, someone might be able to guess the format. Otherwise, we'll be making all sorts of guesses.
ÿ
-887227707ddTextSugan Krishnan!dd5ddImageUrl~/images/Five.jpgdd
Try once more!Visiblegdd_ControlsRequirePostBackKey_ImageButton1²¨\§¤+
ø6ÚÜ^ËJÅr“nâ
(Thanks to this online Base64 decoder).

Resources