cryptography

Non-random salt for password hashes

Typically, I always recommend using a cryptographically-strong random value as salt, to be used with hash functions (e.g. for passwords), such as to protect against Rainbow Table attacks. But is it actually cryptographically necessary for the salt to be random? Would any unique value (unique per user, e.g. userId) suffice in this rega...

Html.AntiForgeryToken() causeing errors after upgrading to .NET 3.5 SP1

I've just updated to .NET 3.5 SP1 and my once working ASP.NET MVC page has now stopped working. When trying to load a page I get the following YSOD [CryptographicException: Padding is invalid and cannot be removed.] System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCo...

Is using 2 different hash functions a good way to check for file integrity?

I have a website where users can upload their files; these are stored on the server and their metadata recorded in a database. I'm implementing some simple integrity checks, i.e. "is the content of this file now byte-for-byte identical as when it was uploaded?" An example: for content of userfile.jpg, MD5 hash is 39f9031a154dc7ba105eb4f...

How do you verify an RSA SHA1 signature in Python?

I've got a string, a signature, and a public key, and I want to verify the signature on the string. The key looks like this: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfG4IuFO2h/LdDNmonwGNw5srW nUEWzoBrPRF1NM8LqpOMD45FAPtZ1NmPtHGo0BAS1UsyJEGXx0NPJ8Gw1z+huLrl XnAVX5B4ec6cJfKKmpL/l94WhP2v8F3OGWrnaEX1mLMoxe124Pcfamt0...

How would you keep secret data secret in an iPhone application?

Let's say I need to access a web service from an iPhone app. This web service requires clients to digitally sign HTTP requests in order to prove that the app "knows" a shared secret; a client key. The request signature is stored in a HTTP header and the request is simply sent over HTTP (not HTTPS). This key must stay secret at all t...

How would you design OO classes to handle cryptosystems and their keys

This a wider question than my previous one but related. I want to implement oldish crypto systems in Ruby such as ADFGVX, VIC cipher and others, mostly for fun. These cryptosystems are built on top of more general systems like substitution (monoalphabetic such as Caesar or polyalphabetic like Vigenere) and transposition (simple, double...

Recommendations for Java + OpenPGP?

Hi! I want to develop a small OpenPGP client and I'm searching for a Java library for OpenPGP. Are there any (open source) recommendations for this approach? Cryptix.org does not seem alive anymore... Greetings, guerda ...

How Is My Password Transferred from My Browser to the Web Server Securely?

How is the password I enter in, say a Gmail login form, transferred to the web server securely? What does the browser or any client application do? What does the web server do? ...

Need help approving a user with encryption url.

I'm working on a piece of a web application in ASP.Net MVC where the user registers for membership using an sql membership provider. When they register they are put in the system but not approved. The code then sends an approval email to the user with the email given. BfEncrypt refid = new BfEncrypt(); refid.Encrypt(user.ReferenceID);...

AES encryption of 16 bytes without salt

How secure is it to encrypt 16 bytes of data as a single block with AES? No salt/IV, no mode of operation, millions of different 16 byte blocks encrypted. I don't know enough about crypto but this smells to me. Edit: to give a bit more detail this is not about encrypting a message but a database table column where the plain text length ...

Rijndael support in Java

We have a requirement to do some Rijndael development in Java. Any recommendations for articles, libraries etc. that would help us? Any pointers to keystore maintenance and how store the keys securely? Edit: It would need to be open source. Essentially, it's just standard encrypt / decrypt of data using Rijndael. ...

What RSA key length should I use for my SSL certificates ?

I'm in the process of creating a CSR, and I wonder which is arguably the best length for my RSA key. Of course, 384 is probably too weak, and 16384 is probably too slow. Is there a consensus on the key length one should use, depending on the certificate lifetime? Edit : Like most people, I want my key to be reasonably strong. I'm not...

How to load an RSA key from a PEM file and use it in python-crypto

I have not found a way to load an RSA private key from a PEM file to use it in python-crypto (signature). python-openssl can load a PEM file but the PKey object can't be used to retrieved key information (p, q, ...) to use with Crypto.PublicKey.construct(). ...

Using GetHashCode to "secure" users passwords

The company I work for has taken on a support contract for a large order processing system. As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password. Essentially: string pwd = "some pasword"; string securePwd = pwd.GetHashCode(); My question is, how secure or o...

Ruby Integer to Binary string

I need to encrypt a integer, but all the crypto libraries only support strings. What is the proper method to convert a integer to a binary string in Ruby? (not '10111', I think that it's ASCII values) EDIT: I wasn't thinking about Rijndael as stream encryption. ...

SslStream on TCP Server fails to validate client certificate with RemoteCertificateNotAvailable

This question is all about solving a SslPolicyError.RemoteCertificateNotAvailable error. I have developed a TCP Server with SSLStream and a TCP Client for the other end. I authenticate the server with: sslStream.BeginAuthenticateAsServer I authenticate the client with: sslStream.BeginAuthenticateAsClient I am loading my client c...

Purposely create two files to have the same hash?

If someone is purposely trying to modify two files to have the same hash, what are ways to stop them? Can md5 and sha1 prevent the majority case? I was thinking of writing my own and I figure even if I don't do a good job if the user doesn't know my hash he may not be able to fool mine. What's the best way to prevent this? ...

I have the wrong hash values? C# Cryptography

My text file says The quick brown fox jumps over the lazy dog, however when i try to get the hash from this file both the md5 and sha1 is different from the wikipedias result. I have 3 questions. 1) What did i do wrong in the code? 2) How can i have this piece of code better? (do i need the Initialize) 3) How do i salt this? { ...

Which is the best encryption mechanism?

Triple DES or RC4? I have the choice to employ either one. ...

Fastest Sha1 Function (Linux, up to 2GB files)

Is there any linux command line implementation that performs exceptionally well for generating sha1's on large files (< 2GB)? I have played around with 'openssl sha1' and it takes minutes to get the sha1 for a 2GB file : /. ...