cryptography

libmcrypt and MS Visual C++

Has anyone tried using libmcrypt and visual c++? I was trying to use Crypto++ but it seems not fully compatible - and I need to decrypt data encrypted in PHP using linux libmcrypt. I found only cygwin version of libmcrypt but no .lib files or header. I'm using RIJNDAEL_128 - maybe there is easier way to decrypt it in Visual C++? Thank...

Can a product that uses BouncyCastle be exported from the UK

We are doing work for a company, based in the UK, who are planning on developing an application that uses the BouncyCastle.Crypto.dll. They intend to make their product (including the crypto dll) available for download over the Internet. Are there UK restrictions on the export of crypto software that would prevent them from doing this? F...

Password Cracking in 2010 and Beyond

I have looked a bit into cryptography and related matters during the last couple of days and am pretty confused by now. I have a question about password strength and am hoping that someone can clear up my confusion by sharing how they think through the following questions. I am becoming obsessed about these things, but need to spend my t...

What is the Difference between a Hash and MAC (Message Authentication code)?

Hi Folks, What is the Difference between a Hash and MAC (Message Authentication code)? By their definitions they seem to serve the same function. Can someone explain what the difference is? Thanks ...

Why doesn't my implementation of ElGamal work for long text strings?

I'm playing with the El Gamal cryptosystem, and my goal is to be able to encipher and decipher long sequences of text. El Gamal requires the plaintext to be an integer. I have turned my string into a byte[] using the .getBytes() method for Strings, and then created a BigInteger out of the byte[]. After encryption/decryption, I turn t...

Secure password transmission over unencrypted tcp/ip

I'm in the designing stages of a custom tcp/ip protocol for mobile client-server communication. When not required (data is not sensitive), I'd like to avoid using SSL for overhead reasons (both in handshake latency and conserving cycles). My question is, what is the best practices way of transmitting authentication information over an ...

establishing strong web security

I have seen many sites who claim to have bank grade security encryption. if their web sites have been built with php what other forms of security can exist aside from using mysql_real_escape_string and a 128bit ssl encryption? ...

Calling CryptUIWizDigitalSign from .NET on x64

I am trying to digitally sign files using the CryptUIWizDigitalSign function from a .NET 2.0 application compiled to AnyCPU. The call works fine when running on x86 but fails on x64, it also works on an x64 OS when compiled to x86. Any idea on how to better marshall or call from x64? The Win32exception returned is "Error encountered d...

How do you save and retrieve a Key/IV pair securely?

I'm using VB.Net's RijndaelManaged (RM) to encrypt files, using the RM.GenerateKey and RM.GenerateIV methods to generate the Key and IV and encrypting the file using the CryptoStream class. I'm planning on saving this Key and IV to a file and want to make sure I'm doing it the right way. I am combining the IV+Key, and encrypting that w...

how does public key cryptography work

Hello, What I understand about RSA is that Alice can create a public and a private key combination, and then send the public key over to Bob. And then afterward Bob can encrypt something using the public key and Alice will use the public and private key combo to decrypt it. However, how can Alice encrypt something to be sent over to B...

NoSuchAlgorithmException: Algorithm HmacSHA1 not available

Look at the following line of java: Mac.getInstance("HmacSHA1"); If I put this in a simple test program, it runs without problems on my server. However, if I use this line in a container, I get java.security.NoSuchAlgorithmException: Algorithm HmacSHA1 not available at javax.crypto.Mac.getInstance(DashoA13*..) The same JDK instal...

Is there a pure Perl module for AES?

Is there a pure Perl module for AES? ...

Security strategies for storing password on disk

I am building a suite of batch jobs that require regular access to a database, running on a Solaris 10 machine. Because of (unchangable) design constraints, we are required use a certain program to connect to it. Said interface requires us to pass a plain-text password over a command line to connect to the database. This is a terrible se...

License key pattern detection?

This is not a real situation; please ignore legal issues that you might think apply, because they don't. Let's say I have a set of 200 known valid license keys for a hypothetical piece of software's licensing algorithm, and a license key consists of 5 sets of 5 alphanumeric case-insensitive (all uppercase) characters. Example: HXDY6-R3D...

Do encryption algorithms require an internal hashing algorithm?

When I use C# to implement the AES symmetric encryption cipher, I noticed: PasswordDeriveBytes derivedPassword = new PasswordDeriveBytes(password, saltBytesArray, hashAlgorithmName, numPasswordIterations); Why do I need to use a hashing algorithm for AES encryption? Aren't they separate? Or is the hashing algorithm only used to create...

AesManaged and RijndaelManaged

Im currently developing a Silverlight application that connects to an old webservice. Our old webservice uses an encryption tool which silverlight does not support. Finally, we decided to used AesManaged for encryption, however, our webservice does not support AesManaged. Is their a way to decrypt an AesManaged to RijndaelManaged? If y...

Lua library/wrapper for cryptography

Hi, I'm looking for a library or wrapper for Lua to use some cryptographic functions. Initially I only need to create SHA-1 hashs. Any tips or suggestion are appreciated. ...

Can HTTPS connections be hijacked with a man-in-the-middle attack?

I'm using gmail from work, but I need to enter a password for a proxy when accesing the first web page. The password is asked from inside the browser. I receive a certificate from the proxy which I must accept in order to make the Internet connection work. Can my HTTPS connection, between gmail and browser, be tracked in this situatio...

When is it safe to use a broken hash function?

It is trivial to use a secure hash function like SHA256 and continuing to use md5 for security is reckless behavior. However, there are some complexities to hash function vulnerabilities that I would like to better understand. Collisions have been generated for md4 and md5. According to NIST md5() is not a secure hash function. It ...

Building an 'Activation Key' Generator in JAVA

I want to develop a Key generator for my phone applications. Currently I am using an external service to do the job but I am a little concerned that the service might go offline one day hence I will be in a bit of a pickle. How authentication works now. Public key stored on the phone. When the user requests a key the 'phone ID' is se...