I am currently trying to build a little, secure password manager. As of now, I've implemented the encryption. Each website has its own file and each file has a number of fields (Most commonly username and password). I am using serpent 256 to encrypt the files, and I use a random key (created Crypto.Random in python) that is encrypted using GPG, with a 4k key. Side question: The key is sha256 hashed in order to be able to enter whatever size you want ('cause sha256 always has 256 bit result), do I lose any entropy/security/etc.?
My main question, is how can I securely transfer the decrypted data from my program to, let's say a browser text field or a terminal. I am concerned about keyloggers. So, clipboard is out, virtual typing is out.
I don't know what to google, so search term suggestions are welcome too. I am working on linux (I don't care about other OSes) with python.
The code so far: http://git.dzervas.gr/panman
I started reading about password hashing recently on multiple sites like this page on crackstation and others, and for what I have understood, I should avoid using hashing algorithms like md5 and sha1 for they are outdated and instead, I should use sha256 with salt. But, after reading this page on the php manual, I noticed that they discourage the use of even sha256 and instead they recommend using the password_hash() functions. I also noticed that most of this articles/pages were written in the interval of 2011-13, so I am not sure of how secure sha256 hashed password with salts are nowadays
I’m working for a large organization which is using some Windows products that require python to work. Python is used to execute built in utility scripts and the user never recognizes that python... since it’s not allowed to add applications or functionality to the system. So we are looking for tips about how to restrict python so that only some scripts are allowed to run while the interactive... settings for executable locations only checks the python.exe and not the script location itself (the GPO system only sees the python script as a generic argument to the python.exe executable). So my
to accommodate application-specific passwords (create an encrypted private key per password), in case I ever want to develop apps besides the web interface. My question is: How fundamentally (in)secure...?) secrets on the central server. Each file is symmetrically encrypted with a per-file secret. Those secrets are encrypted using the public key. The private key needed for decrypting a file's secret (and thus decrypting the file) is encrypted using a secret based on the user's password. This means that files can only be read by the server if the decrypted private key is kept in its decrypted form
some time reading Wikipedia on AES, block cipher modes and key derivation algorithms, and I also read "If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong". All this has made me... at any time, so I want to protect against someone who steals the device and tries to decrypt the data I am not worried about software exploits, keyloggers and so on (assume I never borrow the device... PBKDF2 with SHA-512 so I can derive a key of double length. There is no reliable random number source on the embedded device, so my plan is to have the user generate the random key (k1) on a PC
folder. (although means of transfer should be irrelevant). Each of us has a RSA keypair, we have exchanged public keys using a secure method (in person via USB stick, or via GPGed email). I... decrypt HMAC and AES Key authenticate file decrypt using key and iv save as original filename So, am I doing it right? In other words, do you see any problems, any faux-pas, no-gos... key. I don't know whether to use RNGCSP or the HMAC internal randomkeygen, because until now, I wasn't able to find out how secure that internal method is. (Is this NIST-approved?) The HMAC
Many files we download don't have digital signatures. Files may get infected or someone may intentionally modify them on our hard disk. So I wrote a simple file hashing program in c# that creates a SHA-256 hash of each file & stores it in a signed XML document. The private key is taken from the Windows certificate store with a High security level. (That is, each time I use the private key... to exploit my program so that even if a file is modified it will show it as still matching the stored hash? (I am on Windows 8 x64 with DEP & ASLR on.) The program's executable checks its own digital
confident that the virus has not / cannot infect both partitions, or am I playing with fire here? I realize that MBPs don't ship with a TPM, so a boot-loader infection going unnoticed is still... of BIOS. This leads to my question: is the dual-partitioning approach outlined above more or less secure than using a Virtual Machine for isolation of services? Would that change if my computer had a TPM... overlooking anything here and try to figure out if my dual-boot scheme actually is more secure than the Virtual Machine route. Most importantly, I'm just looking to learn more about security issues. EDIT #1
but are served under SSL (e.g. all-SSL sites or 'My Account' pages that don't have 'New Password' fields). Might be configurable at an 'all requests' / 'HTTPS only' Standardise an HTTP header... in memory for minimal time, up to and including using a mutable character array instead of an immutable string, pinning it so it cannot be paged or copied, and zeroing each array element when done (or using... the pinning/clearing for, say, an HTML <input type="password" /> field? One might reasonably expect the browser to go the extra mile for password fields (although I expect they don't), because they can
requires an API secret key to access. This has essentially the same problem noted in the question above, with the keyserver API secret key being directly comparable to the keystore password: how.... We are using AES-256 symmetric encryption, but the fundamental problem remains even for a PKI solution, as you still need to secure the private key. Note also that we could use a keystore instead... the fundamental question, as noted in one of the comments: how would you protect the keystore password on the cloud? We are designing a SAAS web application in the AWS public cloud, which will have many end