I'm looking to port a small Java security library to PHP. The Java implementation makes use of a keystore for signing some stuff and I'm wondering how to go about recreating this functionality in PHP. Of course the original Java implementation must still work with the same key pair/keystore.
I have very little experience with PHP and havn't tried to do anything portable with Java keystores before.
I expect there is some way to export the private key to a format that can be used by PHP.
Does anyone know exactly what I need to do in this situation?
If you aren't absolutely set on porting your code to php, you can use the php-java bridge to make calls to it from php. If your java code is proven, there's no reason to discard it out of hand.
http://phpkeystore.org/ may be of use.
EDIT: As implied by Mihir below, that site appears to be gone.
The last "good" archive of it is available at https://web.archive.org/web/20170607151254/http://phpkeystore.org/
Related
I am working on a project which requires the secret key to be hidden somewhere in the Android app, so that it can't be taken out even after decompilation.
The requirement even states that the key should not be visible to the developer, that means it should be embedded into some pre-compiled library.
I have tried the following things:
Making Jar and obfuscating the jar, Which becomes unusable after that. And its useless method to work with Strings (it doesn't encrypt Strings).
Making C library and using that library(NDK). The strings can be easily read using linux commands. Example: '$ strings '.
I am trying to find out other ways by which this can be done.
Please help me with this. If you have any idea, please share. I would be more than obliged.
Thanks.
Anything that your app can do, can also be reverse engineered by a determined capable hacker, so don't expect some magic way to make this key perpetually secured.
If your goal is to supply an SDK that will be licensed to different developers, then the easy approach is to allocate a unique key for each developer, and let them take care of hiding it from hackers.
On the other hand, if I read your requirement literally, it is enough that the key string will not appear in plain text in the APK. The easy solution is to encode it. You can do something as easy as base64 encoding of the key, or as tricky as providing a C function that will calculate this key on the fly (so no traces of the key will appear in the output of strings).
It's a hard problem. You're fighting a battle against reverse engineering your application. There are tools that are build for this, notably DexGuard and Arxan. Arxan is really, really clever, but it will cost a lot more than a solution like DexGuard.
For aar and jar protection against decompilation you can use Quixxi. Of course the effort is about raising the overall protection as much as possible, impossible is nothing. But this solution joins the best of both the points you made. What happens is the following conversion:
input: unprotected jar file
output: java file calling the native layer
You [or the developer that will need to manage the app containing your library] can later integrate it as described in the same link. Moreover the entire app can be protected with the same tool if other parts of it will need to be secured
I'm afraid the answer to my question is no, but I'm asking it anyway just in case.
What I would like to do is stream audio from a chrome browser to a server written in Java via WebRTC. My understanding is that to accomplish this I need a Java implementation of peerconnection. All I've found so far is the libjingle Java API for android but that hasn't been particularly useful for integrating into my server app (I'd prefer an actual Java implementation, not just a C++ wrapper).
If a library to do what I want really doesn't exist does anyone have any pointers for how I might approach actually implementing the WebRTC spec myself? When I look at such a large spec I don't really know where to start.
You can use IceLink. We (I helped develop it) wrote a Java implementation for it, as well as .NET and Objective C.
This is a complete Java WebRTC signal server written with Java i/o sockets. https://code.google.com/p/jfraggws/ Just make a project, include the .Java file and include rt.jar in the project. Next set the port on the Html 5 client and plug in your servers IP. You now have java webrtc.
I have a Java GUI application that has been interacting quite nicely with a standard C++ based DLL on the back end via SWIG-generated files. The back end program is currently a combination of C++ and managed C++/CLI. The problem is that we may eventually port all of it to C++/CLI.
Please correct me if I'm wrong, but from what I've been able to tell, SWIG currently doesn't work with C++/CLI and there are no plans to make it do so. I imagine that I could do write JNI code to make it work. But using SWIG was a whole lot easier. So what other options are there? The simpler to use, the better.
It is not correct to say that SWIG won't work with C++/CLI... You should be able to use the generated interop stubs exactly the same way you did. I didn't encounter a scenario where switching on the CLR support broke existing well formed C++ code...
I'm writing java swing app. I need my app connect to server CentOS 5.5, using username + *.ppk file (I don't have password). Then, my app execute some command line on this server.
Is this possible ? What library is best for it ?
There is a number of libraries that support what you're trying to achieve in different ways.
Connecting to an SSH server via Java is no big thing anymore these days.
Those are some libraries that you might consider:
Ganymede
http://www.cleondris.ch/opensource/ssh2/
Ganymede was made by some students at the ETH Zurich and works quite well. I personally use it in a project that runs on a very old machine using Java 1.3. It doesn't require anything besides a JRE. It is, however, not very active anymore. There is that company that seems to support it (Cleondris), but I wouldn't know how reliable they are. Doesn't matter much though since it's open source anyways. If you need to run your app on old java versions or need to know, that your app runs withou the Java Cryptography Extension (JCE), you could chose this.
JSch
http://sourceforge.net/projects/jsch/
JSch too is a mature piece of software and just works. If you've ever used ant to do SSH/SCP related tasks, you probably know it already. It's always a bother since you have to provide it to ant manually :-)
The project is well maintained, as it seems and widely used. I used it in a lot of modern UI/Batch applications and was/am always happy with it. It does use JCE though and I did once experience problems with that (on an older JRE, but still). If you plan to distribute your software to clients unknown to you, this might be a problem. JCE needs stuff installed / configured inside the JRE installation itself. Probably works 99% of the time, but still...
SSHTools
http://sshtools.sourceforge.net/
Never used this one but heard good things. May be worth a try.
Converting ppk to OpenSSH format using Java
As this is obviously possible, it's only a matter of implementing it. Fortunately for you, there are actually multiple implementations around. It might even be implemented in one of the suggested SSH libraries, but I didn't check.
A quick google search revealed two choices to me:
trilead-putty-extension
https://github.com/kohsuke/trilead-putty-extension
Seems to me like a very nice choice. Even though it's an extension to Trilead SSH library (which, it seems, isn't available anymore), it's not a lot of code and could easily be integrated into an existing project. There is one class that does the work and can convert a ppk key into a openssh one. String to string, so no surprises there. Should really be a piece of cake.
I don't know what happend to Trilead. The company doesn't mention it anymore on their website, but it certrainly existed at some point (http://techtavern.wordpress.com/2008/11/13/about-trilead-ssh-open-source-project/).
By the way: The guy who wrote it is the one who also wrote Jenkins/Hudson. http://kohsuke.org/
"ChillKat" Java Library
http://www.example-code.com/java/ssh_ppk_to_pem.aspn
Well... this just as an alternative. Doesn't seem worth the effort and overhead to download a "multi-purpose" library just for that. You could maybe extract the relevant parts or let yourself be inspired by it. Maybe the trilead extension doesn't work and you have to pick this one, but I wouldn't consider it first choice.
You can of course always convert the .ppk file manually, as explained here: http://www.lmolnar.com/geek/how-to-convert-puttys-private-key-ppk-into-opensshs-private-key-format-in-linux/
And other places, I guess. There is the graphical tool puttygen too, which is included in putty-installer or downloadable standalone via the putty website (http://www.chiark.greenend.org.uk/~sgtatham/putty/).
Would you like to know more?
Check this: http://linuxmafia.com/ssh/java.html or write a comment.
If converting the .ppk to a less proprietary format (i.e. .pub rsa or dsa) is an option, then give a try to puttygen (usage: "puttygen keyfile.ppk -o id_rsa -O private-openssh") from the putty-tools package.
Then use SSHTools, a java API for SSH (and more)
One of options is to use SSHBlackbox package of our SecureBlackbox product. It supports loading of Putty keys and full scope of SSH-related functionality (SFTP requires SFTPBlackbox package). SecureBlackbox comes with extensive samples and support.
The current JSch version does not support *.ppk files,
but JSch can use those files by using jsch-agent-proxy via Putty's Pageant.
Install and open puttygen
Click on "Load an existing private key file"
Click on menu item "Conversions" -> "Export OpenSSH key"
Save file, and use this in your Java app
I'm looking for a secure symmetric-key encryption algorithm compatible with both JavaScript and Java.
I've tried implementing one but I had some encoding issues.
You don't want to encrypt with JavaScript, especially on the client-side where it is open to tampering, and has no cryptographically secure random number generator.
I've tried implementing one but I had some encoding issues.
You tried to write your own encryption algo? You've gone against everything that the security world hold dear. No. Actual tutorials that explain how encryption works are so scared that people are going to screw things up because they don't understand the math behind it, I've actually seen this in one of them:
If you don't understand encryption, things like, what "cryptographically secure pseudo random number generator" actually is, and common attacks on it, you shouldn't do that.
If you don't understand things like side-channel attacks, you shouldn't do it.
If you don't understand what's going on in crypto and have read at-least two books on it you have no business implementing it.
Crypto is not a magic black box, it's something that is very VERY easy to screw up, even without touching any bit of code in a packaged solution.
What should you do? Forget about JS encryption. I know, I've tried it myself. It's a waste of time. Learn from my mistakes.
Go get an SSL certificate, SSL is the best way for us to encrypt messages on the transport level from a server to a client. It's about as secure as you can get. If you face an advesary that can defeat SSL, trust me, your JS-based crypto is also compromised.
Once it's at the server where it's secure from being tampered with, encrypt it. Anything else is a really long way to waste your time.
Also, go read these books:
![This one is free][4]
[![This one is cash money][5]][5]
(source: [schneier.com](https://www.schneier.com/images/book-ce-150w.jpg))
Then when you understand them come back and scream at me about why I'm wrong and don't understand how much you need JS on the client to do crypto.
There is an excellent DES (and by extension 3DES) implementation in JS, which I use quite often. I'll put up the link Monday, when I'm at the office and have it ready. Results from this (after base64 encoding for the transport) work perfectly with .Net/Mono (builtin), Java (bulitin) and PHP (mcrypt).
Found the links, but both are dead: http://www.shopable.co.uk/des.html and http://www.netdealing.com. I have put it up on http://pastebin.com/KbRsWKJY
This page has CTR mode, which is available in Java. I would recommend keys of 128 bits or you might run into trouble regarding the Java export policies on larger key sizes.
Here is a page which uses some very usefull methods of encryption, including password encryption techniques and ciphres with integrity checks and authentication, although you may need the bouncy castle libraries on Java to match those all.
There are oodles of libraries for JavaScript, but character encoding issues will be present on any of them. So make sure you use the same encoding both on the JavaScript side as well as on the Java side. A quick look up assures me that JavaScript uses UTF-16 internally, but don't hang me up on that.
Finally, don't try this at home, the libraries are there, use them (especially if they mention tests and/or official test vectors).
Like the other answers said, if you don't have to encrypt with JavaScript, avoid it. However, there are some valid use cases to encrypting in JavaScript.
When you need to, I recommend this library: https://keybase.io/triplesec/.
It's more secure than DES, which another answer links to.