cryptography

Safely Storing Biometric Information for Comparison

I'm using a biometric fingerprint scanner with an SDK that allows me to compare two images of a fingerprint. My question is if I wanted to locally store one of the images for later comparison what is the safest way to do this? My line of thinking is that when doing the same thing with passwords, an easy safe way would be to hash the or...

Elliptic Curve Cryptography

I’m studying “Elliptic Curve Cryptography”. It seems that it is very hard to understand the concept of “Identity Element”. Actually, my question is: why do we need “Identity Element”? As far as I understood, we need “Identity Element” in order to define the inverse –P of any group element P. Am I correct? Moreover, can somebody show me so...

What mechanisms could be used to easily generate a high entropy password on a smartphone without having to resort to alphanumeric input?

I'm working on a version of Password Safe for android. Password Safe uses a passphrase to encrypt your passwords, but typing out long passphrases on a smartphone can be tedious, especially if they're masked. I'd like to investigate using alternatives to a passphrase, such as arrays of simple images. Are there any good examples of su...

Trying to perform a Diffie Hellman Key exchange, using Win32 CAPI, in C#; can anyone provide a step-by-step guide

Hi, I'm trying to build some code that will switch between the old CAPI or the new CNG-based Diffie-Hellman algorithms. (Despite documentation, the new ECC-based DH algorithm, as part of CNG, is not supported on Windows XP). Anyway, I've begun exposing the Win32 CAPI, as follows: public static class CAPI { private static int ALG_...

How to distribute keys securely with binaries in .NET?

Can I distribute a .NET app that uses a key that the user can't access, but the app can? Note that I am using the word distribute in the sense that the application is delivered to run in the user's computer, not in a cloud or cluster. ...

Security, Hacking, Cryptography Reading?

I'm very interested in learning about cryptography, steganography, and similar practices. What books, resources, would you guys recommend in this area? ...

Desktop software development (possibly using web technology) and cryptographic checks

OK, go easy on me as it's my first question here. ;) I am experienced in Web Application development, but I need to design 2 different desktop applications at work. I need advice on what languages to use (I use PHP for Web Applications, I have little other experience), any frameworks that may help me accomplish this easier and any IDEs ...

C# HMACSHA256 Problem - Matching Facebook Signed Request Implementation

Hi Everyone, I thought I would try and get the new Signed Request logic added to my facebook canvas application, to make this "easy" on myself I went to the facebook PHP sdk over at GitHub and took a look at the unit tests. http://github.com/facebook/php-sdk/blob/master/tests/tests.php My actual problem is that I cannot get the hash...

Rijndael Algorithm using C#

I want the code of the Rijndael algorithm to encrypt any given text to store it in a database. I also want to know how to reverse the encryption method, i.e., decrypt the encrypted text to use it. ...

Issue with SecureRandom: PRNG not consistent in Java 1.5

Hi, I am facing an issue with SecureRandom in Java. This was the code that used to work as expected, generating PRNG when it ran on Java 1.4. So basically when it was executed, any WebLogic server running on 1.4 generated the same PRNG. Problem: In a clustered env, data is encrypted in the one WebLogic 10 instance, and the same needs...

Secret keys differ between Android and server

I'm working on a one-time password application, using the HOTP algorithm (RFC 4226). I've got an Android app (via simulator) for OTP generation, and a server-side app for validation. On their own, both are working fine and passing tests. However, the secret key I'm generating on my device is not the same as the secret key I'm generati...

Fastest string decryption with java

I have a unique problem of decrypting strings in realtime. It has to be super fast as it is a part of a caching system. As the caching system is a Java system I am looking for anything compatible. Is there a way of maybe tweaking the code to run super fast. Maybe write some C/C++ or low level code program and interface it with java? Any...

Installing SunJCE on Android?

The company I work for is wary of Android app development because the default cryptography library, Bouncy Castle, is not FIPS-140 certified. Nothing I can do to change their minds or policies. I'm wondering what options I have for installing (or at least bundling) SunJCE with my app. For one, I can't find where I would download the...

Cipher Text Stealing Algorithms - Which one is correct?

There are two algorithms presented in the web. In both the algorithms, the first part is the same... 1. Pad the last partial plaintext block with 0. 2. Encrypt the whole padded plaintext using the standard CBC mode. 3. Swap the last two ciphertext blocks. 4. Truncate the ciphertext to the length of the original plaintext...

Backwards HTTPS; User communicates with previously generated private key

I am looking for something like https, but backwards. The user generates their own private key (in advance) and then (only later) provides the web application with the associated public key. This part of the exchange should (if necessary) occur out-of-band. Communication is then encrypted/decrypted with these keys. I've thought of some...

License scheme, spoof-safe and revoke capabilities

Hi, this is my first question so please be gentle... I am working on a software which I would like to protect using some kind of licensing scheme. A basic scheme would be to generate some "unique" key for a user. The user sends this key and a registration code when he wants to register the software and receives an activation code. Whe...

Safe mixing of entropy sources.

Let us assume we're generating very large (e.g. 128 or 256bit) numbers to serve as keys for a block cipher. Let us further assume that we wear tinfoil hats (at least when outside). Being so paranoid, we want to be sure of our available entropy, but we don't entirely trust any particular source. Maybe the government is rigging our coins...

Does prepending salt to the password instead of inserting it in the middle decrease security?

Hi, I've read somewhere that adding a salt at the beginning of the password before hashing it is a bad idea. Instead, it is much more secure to insert it somewhere in the middle of the password. I don't remember where I've found this, and can neither find any other articles saying the same thing, nor understand why this may increase...

Generating MD5 password on OS X

I'm working on OS X Snow Leopard and need to programmatically generate an MD5crypt() password to match with passwords generated on Ubuntu 8.04 (crypt() on that platform uses MD5 if the salt starts with $1$ because it uses the crypt() found in glibc2 which has that functionality). There is a md5crypt routine on OS X, but unfortunately, i...

What is the most secure seed for random number generation?

What are the most secure sources of entropy to seed a random number generator? This question is language and platform independent and applies to any machine on a network. Ideally I'm looking for sources available to a machine in a cloud environment or server provided by a hosting company. There are two important weaknesses to keep in ...