Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I have a Web API project made with .net core, I'm using IdentityCore for the user password sign up and log in. However, I need to migrate the API to Java. How can I do it without losing all my user data, is there any way to replicate the algorithm that IdentityCore uses?
Your data are saved in a database when you are using .net core Identity: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/customize-identity-model?view=aspnetcore-3.1
So if you have correctly setup the IdentityCore authorization in your api, then there should be a connection string somewhere in your config like this:
{
"ConnectionStrings": {
"DefaultConnection": "Server=(localdb)\\MSSQLLocalDB;Database= IdentityDB;Trusted_Connection=True;MultipleActiveResultSets=true"
}
}
You can follow it, extract the tables and the data and you are set.
The source code can be found here: https://github.com/aspnet/Identity
The hashing algorithms: https://andrewlock.net/exploring-the-asp-net-core-identity-passwordhasher/
ASP.NET Identity Version 2: PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations
ASP.NET Core Identity Version 3: PBKDF2 with HMAC-SHA256, 128-bit salt, 256-bit subkey, 10000 iterations
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 5 years ago.
Improve this question
We have found files encoded using XOR Encryption, but Im newbie on JAVA, please how to decrypt XOR using this xor encoder.
The code is generating a random int (4 bytes) and using it to XOR the input - it is not asking for the encryption key, it is generating it randomly. Unless the receiver has some way of knowing what the next random int is, it will not be able to decode. EG, perhaps the sender and receiver are expected to initialize their random generators with the same seed value when they start up. Regardless, it is not a real encryption algorithm, just another example of some half-cocked idea someone invented in their head. You really need to replace this code with a correct usage of encryption.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a requirement to encrypt a string in java using AES algorithm and to decrypt the data in PHP. I have searched SO but I dint get any exact answer.
In some posts, they used Padding. And also they spoke about the key size.
But, I don't have any idea about the key size and what padding I should use.
So please help me by posting some sample code and explanations to understand better.
Thanks in advance!!
The key size is not important, any of the available sizes are secure.
AES is a block cipher, that means that input must be a multiple of the block size: 16-bytes. Unless the input is always a multiple of the block size padding will be required.
The standard padding for AES is PKCS#7 (sometimes stated PKCS#5). The problem is PHP and the usual mcrypt library used, it does not support PKCS#7 padding, only null padding and can not be used with binary data. The bozo maintainers refuse to add PKCS#7 padding. You will have to add your own PKCS#7 padding support if you use mcrypt, it is not hard, generally three lines of code.
But there are more issues. The encryption mode and CBC mode requires an iv which should be random data. Authentication to determine if the decrypted data is correct. The key should not be a string, if it is it should be used to derive a key with a function such as PBKDF2.
I suggest using RNCryptor which is available for Java, php and many other languages. It provided all the necessary elements to create secure encryption including: AES-256 encryption,CBC mode, password stretching with PBKDF2, password salting, random IV, encrypt-then-hash HMAC authentication, and versioning.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am currently learning Java and am starting to use file IO. For a random personal project, I would like a user to create an "account" with a password. I would like to store the information for later, but I would like to have a way to encrypt the password (something even very basic would work for now).
Any tips are much appreciated.
Thanks.
This is where something called Hashing comes in handy. Hash functions work by creating a hash key (integer value) from the original string using a function. The benefit of this is that you can check that a password is correct by checking whether the entered password is the same as the stored hash key, without actually knowing the password.
Creating your own hash function is something you wouldn't normally be expected to do as there are secure hash functions available. Although you may want to play around with them for fun.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I read about hybrid cryptosystems in some books. public-key cryptography is used to secure and distribute session keys like ecdh algorithm ; those session keys are used with symmetric algorithms like Aes to secure message traffic. The idea from this method enhancing performance better than public algorithm ok.
I searched about any example use ecdh with any symmetric algorithm by java language but I don't find.
I need any link or book has any hybrid algorithm use ecdh with symmatric algorithm.
also Is hybrid cryptosystems better than public cryptosystems? If yes? Why?
Hybrid and public cryptography supplement each other. As they are different concepts there is little need for direct comparison.
As for a good example for DH together with symmetric keys you could take a look at implementation of ECDH cipher suites in Java TLS implementations.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Given a one-time password generator that is time-based (such as Google Authenticator), how many instances of (time, PIN) pairs would one need to significantly weaken the algorithm to a point where one would be able to narrow down possible seeds to the original function? If one were to send out PINs to clients via SMS or email (instead of using a keyfob or the actual Google Authenticator app which does not let one see past PINs), would a compromise that reveals past PINs be a significant threat to the system (note that both emails and SMS carry relatively precise time information)?
Details of the OTP Algorithm: http://www.ietf.org/rfc/rfc4226.txt
Reference Java Implementation:
http://rfc-ref.org/RFC-TEXTS/4226/chapter16.html