i am createing a math learning app with unity and php for backend
i am using paseto for my application authentication, i geted paseto private key from SealingSecret::generate() method
and i save it in .pem file in none-public place
(but this .pem file is hand maded and content equal private key)
know is that enough secure to save private key?
this is a code that i get .pem file:
file_get_contents("/home/adadshenas/.private/.key/paseto/key/private_key.pem")
Related
i encrypted my file using SSE-C encryption technique from s3 aws.
but when i tried to decrypt it, the following error popups.
i am using the same keys which i used when creating encryption.
the error is as follows:
InvalidRequest
The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object.
any suggestions on this please.
I have an iPhone app that is using my php api on the server but it is currently open if someone knows the url. I want to make sure that no one can use this API until I am ready to make it a public api (if I even do)
I have read this article but I am unsure what they mean when they say:
[CLIENT] Before making the REST API call, combine a bunch of unique data together (this is typically all the parameters and values you intend on sending, it is the “data” argument in the code snippets on AWS’s site)
I don't understand how if I hash the parameters I plan on sending with my api secret how this is more secure than just hashing the api secret if I send the parameters/values unencrypted.
HTTPS the API and use an API key. Then you'll know that only people (you in this case) with the key can have access to the API.
You're correct about it not being more secure. That's why I suggest you SSL the connection. Unless you plan on encrypting everything you transmit back and forth.
The public/private key scenario will also work well. HTTPS requires very minimal effort.
Digital signatures provide a way of validating a message sent over an insecure connection.
Setup: each client will have its own private key and public key (only the private key needs to be stored on the client). The server will store the public keys for each client. The public key can be visible to all and can be used by the server to identify the client. The private key, known only to the client, it is never shown to anyone.
The client signs the request: along with the rest of the request data, the client will hash the combined request data and encrypt the hash with the private key. The server will generate the hash the same way (leaving the signature out of the hash calculation), then decrypt the signature using the public key. If the hashes match, the request is authentic.
Note that HTTPS allows for client certificates, so you can leverage existing tools to accomplish all of the above without writing a single line of server-side code (you just have to configure your web server; the only trick is to make sure the server only accepts certificates it already has). Moreover, the amount of client side code should be minimal: you shouldn't need to do much more than set the connection to use the client certificate. Since you're controlling the clients, you can use self-signed certificates and add the server as a certificate authority. There are a number of questions on SO about using client certificates in iPhone apps; you can start by reading through them.
Note also that any scheme to protect the web API only works so long as copies of the app are in trusted hands. Should anyone untrustworthy get ahold of it, they can use the app or extract any secret data used by the app and access the API as they will.
For development purposes you can just use your web server settings to allow requests from your ip only.
So I am setting up an SSO implementation FROM my website TO another site. I understand how to build the requests and sign them and all of that stuff. What I am having trouble understanding is the certificates. Who gets what certificate, to be specific. I know how to generate them, but I am not sure if I send over the certificate to the website I am signing into or if they have to generate the certificate and keystore and send us the certificate. There is a little confusion in this part of the process for me that I could use a little help in clarifying.
Since I am accessing their site, it would seem to me that they should generate the certificate and send it to us, and keep the keystore on their machine for the handshake. If I have to generate both, where is the keystore typically kept? We have a couple implementations of this on our site, but the developer that wrote them no longer works here and there is little to no documentation left behind. Also, is the certificate a self-signed certificate that can be used in production? I believe it is, but just want to be sure. Any help in clarification would be greatly appreciated.
It's public key infrastructure (PKI) so you each get the other's public key certificate. It's normally done using the SAML2 metadata profile so you can have their public key certificate.
Looks like you're an IdP if they want the attributes encrypted you need to use their public key to do that. You sign your SAMLResponse to them with your private key and they validate it with your public key. So you each generate your own keys and keep them secret as they are secret keys for signing. You exchange public keys.
You need a certificate for your login endpoint but the other party don't need to see this. They only need your public key certificate for use with the XML exchange and you need their certificate to validate the signature on the SAMLResponse (if you're an SP).
The certificate for working with the SAML XML is normally 10 year self signed.
I have an application that needs pub ssh key and fingerprint, how can I generate fingerprint from only Public SSH Key?
I just want my users paste their ssh key and I generate fingerprint in php function and show it to theme.
thanks
I have an iPhone app that is using my php api on the server but it is currently open if someone knows the url. I want to make sure that no one can use this API until I am ready to make it a public api (if I even do)
I have read this article but I am unsure what they mean when they say:
[CLIENT] Before making the REST API call, combine a bunch of unique data together (this is typically all the parameters and values you intend on sending, it is the “data” argument in the code snippets on AWS’s site)
I don't understand how if I hash the parameters I plan on sending with my api secret how this is more secure than just hashing the api secret if I send the parameters/values unencrypted.
HTTPS the API and use an API key. Then you'll know that only people (you in this case) with the key can have access to the API.
You're correct about it not being more secure. That's why I suggest you SSL the connection. Unless you plan on encrypting everything you transmit back and forth.
The public/private key scenario will also work well. HTTPS requires very minimal effort.
Digital signatures provide a way of validating a message sent over an insecure connection.
Setup: each client will have its own private key and public key (only the private key needs to be stored on the client). The server will store the public keys for each client. The public key can be visible to all and can be used by the server to identify the client. The private key, known only to the client, it is never shown to anyone.
The client signs the request: along with the rest of the request data, the client will hash the combined request data and encrypt the hash with the private key. The server will generate the hash the same way (leaving the signature out of the hash calculation), then decrypt the signature using the public key. If the hashes match, the request is authentic.
Note that HTTPS allows for client certificates, so you can leverage existing tools to accomplish all of the above without writing a single line of server-side code (you just have to configure your web server; the only trick is to make sure the server only accepts certificates it already has). Moreover, the amount of client side code should be minimal: you shouldn't need to do much more than set the connection to use the client certificate. Since you're controlling the clients, you can use self-signed certificates and add the server as a certificate authority. There are a number of questions on SO about using client certificates in iPhone apps; you can start by reading through them.
Note also that any scheme to protect the web API only works so long as copies of the app are in trusted hands. Should anyone untrustworthy get ahold of it, they can use the app or extract any secret data used by the app and access the API as they will.
For development purposes you can just use your web server settings to allow requests from your ip only.