I am going to develop an application with Spring framework and JSP as follows:
1) When the client enters any text and presses encrypt button, the data should be encrypted at the client side, but that encryption should be done using eToken.
2) When the client uploads any file it should be stored in encrypted format in a database.
For that I searched on google but didn't find any helpful resources. We are using eToken that contains a key pair using the RSA algorithm. My problem is how to encrypt and decrypt data and files at the client side using eToken?
I am stuck here, please help me ASAP. Thanks.
Assuming that you want to do this via browser, you would need to have an ActiveX or Java applet, which will do the job. The task can not be accomplished using client-side javascript.
We developed similar solution in our SecureBlackbox product, though it works for signing at the moment (we couldn't imagine a real-life use case that would require encryption).
JFYI: To do encryption you don't need a private key but only a public key. Public key can be exported from the token to the computer.
Related
I have spring mvc based web application. One of the use cases requires a customer to digitally sign the information that he provides in a form . This signature then gets embedded into a PDF that will be generated on confirmation. How can I implement this in secure manner.
Currently I request the customer to download the PDF and sign it it offline and then upload it again as I do not want them to upload their private keys to the server
Could you please recommend a better approach for the same
The user could provide his private key in the form but it never gets send to the Server. Instead all the other fields of the form are sent to the server, the server then sends back the SHA hash of the generated PDF. Now this hash can be signed locally and the resulting signature can be sent back again to the server and be attached to the PDF.
However most users would never provide their private key in any online form and additionally it is not that easy to create a digital signature inside the form.
So instead you can go for a partial approach where the user just has to sign the SHA hash of the PDF and paste its signature on the next page of the form. So now download / upload is required. I would still make the download of the PDF optional so the user can check if the hash is valid.
I am using vfs s3 plugin to perform file related operation in S3.
Official guide for Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) is here http://docs.aws.amazon.com/AmazonS3/latest/dev/sse-c-using-java-sdk.html but I am using vfs s3 plugin.
I have checked code of copyFrom method in S3FileObject in com.intridea.io.vfs.provider.s3 package but I didn't found any code to implement Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) There is option for set
Server Side Encryption but how can achieve it with Customer-Provided Encryption Keys
Is there only way to modify code of s3 plugin? or there is any other way to do the same
Right now it is not possible to use customer-provided encryption keys with vfs-s3 library but I can take your PR or need some time to implement it - you are first one who have asked for it.
I'm working on an android project which communicate with the server via a Webservice (WS).
All Urls to access to my server was declared in a config.raw file.
To prevent any kind of attack only the webservice has permission to access to the server.
I have to upload a file to the server via the webservice (WS). So I encoded it in order to send and save it in the Sql database as a varbinary. But the WS can't receive the stream because of his size.
So I decide to upload it without passing through the webservice but the url to access to the server are in the config.raw file.
I know that just with the apk file, it's possible to recover the project.
My question : Is there any way to encrypt this file in order to avoid that?
Some algorithms of Bouncy Castle are shipped with Android, but I recommend to use Spoongy Castle for this. Use symmetric encryption/decryption (e.g. AES)
My Java app needs to handle encrypted files. This is the workflow:
Customer encrypts files (RSA encryption for example) and uploads them to Amazon S3.
My Java app picks up the files from AS3.
My Java app decrypts the files.
My Java app creates other files using decrypted ones.
My Java app encrypts new files with different key and uploads to AS3.
Customer picks up the files.
Customer decrypts the files.
Amazon S3 provides the Java classes for download/upload, decryption/encryption. This API takes as input java.security.KeyPair. I am unsure how the customer should supply the key to My Java app, so that the app can get the key as java.security.KeyPair?
What would be the proper way to exchange the keys between Customer and App? Which key file format could be used?
Ussually, assymmetric encryption/decryption works like this:
You generate a private/public key pair. The private key should be held secret and should not be sent around etc. The public key can be given to the customer without security concerns.
Now the customer encrypts his files with this public key. The encrypted file can only be decrypted with the private key. So the user can send the file to you (over Amazon S3 in your case).
You receive the file and decrypt it with your private key.
Now you have got a file from the customer. To be able to send back encrypted messages, you need another public/private key pair. This time, the customer must be the only one knowing the private key. He can - for instance - put the public key in his file that he has sent to you. Anyway, somehow you need to get a public key from him. With that key, you encrypt your files and send them to Amazon S3. The user picks them up and decrypts them with his private key.
So, the customer must not give you a java.security.KeyPair, because those contain the private key. It's unsafe to send the private key. But he can send you the public key as a java.security.PublicKey. I think the best way would be to send it to you either within the file he supplies anyway, or within a separate file that he uploads at the same time and besides the supplied file.
The problem is that you don't have a method of distributing trust yet. Fortunately there is one that works reasonably well: TLS. TLS certificates are stored within the browser (and in the JRE, if you require a thick client instead).
Your key pair should be generated locally (or on a secured machine and imported). The private key should be kept safe the whole time. The customer connects to your site using TLS, and downloads your public key. Then the customer uploads the public key of his key pair. This can be performed during some setup/configuration phase.
Now the customer can encrypt files for you, and you can encrypt files for the customer. Note that TLS already provides encryption (confidentiality). So what you have gained is that files are protected during storage, after they have been transported. Once you have trust in the public key (and a trustworthy system) you could send files over plain HTTP.
Adding a signature is pretty important, otherwise anybody can replace the files in storage. Some audit logging is probably required as well, otherwise files may be removed.
Other schemes are possible (I prefer a PGP scheme for file encryption/decryption), but they require out of band communication of the keys. Note that this is just the basic scheme, there are a lot of pitfalls, but working out a specific security architecture for you application is clearly off topic.
I am building a public facing REST application for clients to access. In trying to develop security for it, I looked at how AWS handles their REST authentication using an access key and secret key to sign the message before sending to the AWS server. So I coded an example with Jersey, JSP, and javascript (jsonp) to test, and it seems to work ok.
1.) On page load the JSP takes the client's access key and date/time (converted to EPOCH) and writes out to the page. It also takes those two pieces of information and combines them with the client's unique secret key via HMAC-SHA1.
2.) When I execute the JQuery ajax request, I pass in all three pieces of information.
user access key
date/time (EPOCH)
signed message
3.) On the Jersey side I take the access key and date/time and check a database for the users secret key. Then I perform my own HMAC-SHA1 signature and compare that to the signed message from the user submitted signed message. If they match, then allow them to use our web service. I also check the date/time and only accept messages signed within the last 15 minutes.
My question is, is this secure enough?
This isn't a complete answer, but I don't have the points to just comment quite yet. I would add to your security a salt on the server side. Please see this article for a good discussion on hashing using Master Keys and salts.