
Encryption Public key and Private key.

Joveice

[Please move if not the correct place]

 

Hello, I need a bit of help to clear my head on this idea I have (If it's even possible for a first).

 

I'm gonna be using Password as the login password for the user and the SecretString as the password he wants to store in his vault to clear confusions.

 

So a user is registered on my application, I only know his username as the password is hashed. He then wants to store his secretstring in his vault. We will encrypt the vault but that could be decrypted if someone gets the password for the encryption.

 

But he will also encrypt his secretstring at our end when he sends it. He will be using his public key (stored at our server) to encrypt. So currently: SecretString > HisPublicKey > OurEncryption > Database.

 

Now he wants to get it back. But we do not have his private key stored at our servers at all. This will be created from his username and password on login. We get his password in cleartext right before it's checked against his hash and it will then be used to create his private key which will be stored in the session only. So currently: Database > OurEncryption > HisPrivateKey > SecretString.

 

So that's the idea, now the facts. Can I create a private key from username: ABC and password: DEF (String is now ABCDEF or something like that) and that private key can decrypt what was encrypted using his public key that was created on register?

Back-end developer, electronics "hacker"


13 minutes ago, Joveice said:

So that's the idea, now the facts. Can I create a private key from username: ABC and password: DEF (String is now ABCDEF or something like that) and that private key can decrypt what was encrypted using his public key that was created on register?

Yes that's pretty much how that works

pki_faq_1.gif

CPU: Intel i7 5820K @ 4.20 GHz | Motherboard: MSI X99S SLI PLUS | RAM: Corsair LPX 16GB DDR4 @ 2666MHz | GPU: Sapphire R9 Fury (x2 CrossFire)
Storage: Samsung 950Pro 512GB // OCZ Vector150 240GB // Seagate 1TB | PSU: Seasonic 1050 Snow Silent | Case: NZXT H440 | Cooling: Nepton 240M
FireStrike // Extreme // Ultra // 8K // 16K

 


2 minutes ago, DXMember said:

Yes that's pretty much how that works

pki_faq_1.gif

Yes, this I know. But the real question is can I get a Private key from the same string that will work as a decryption of the first public key? Like I know some of encryption stuff on same string changes each time it's done and will only work with the correct stuff.


27 minutes ago, Joveice said:

[Please move if not the correct place]

 

Hello, I need a bit of help to clear my head on this idea I have (If it's even possible for a first).

 

I'm gonna be using Password as the login password for the user and the SecretString as the password he wants to store in his vault to clear confusions.

 

So a user is registered on my application, I only know his username as the password is hashed. He then wants to store his secretstring in his vault. We will encrypt the vault but that could be decrypted if someone gets the password for the encryption.

 

But he will also encrypt his secretstring at our end when he sends it. He will be using his public key (stored at our server) to encrypt. So currently: SecretString > HisPublicKey > OurEncryption > Database.

 

Now he wants to get it back. But we do not have his private key stored at our servers at all. This will be created from his username and password on login. We get his password in cleartext right before it's checked against his hash and it will then be used to create his private key which will be stored in the session only. So currently: Database > OurEncryption > HisPrivateKey > SecretString.

 

So that's the idea, now the facts. Can I create a private key from username: ABC and password: DEF (String is now ABCDEF or something like that) and that private key can decrypt what was encrypted using his public key that was created on register?

That's not how encryption should work! The keys must be (pseudo) randomly generated! If not, they are not secure.

 

What you basically want to achieve is a password manager right? The server should never be able to see the stored secret right? 

 

So just use AES encryption (symmetric encryption) with JavaScript on the browser. Basically the user logs in, you send him the encrypted data back, he types his master password in (not the same as login) and boom. When he wants to save something he just encrypts it in the browser end then sends the encrypted secret back to the server. This way the server is never able to decrypt the data. Of course this is just a simple explanation.

Business Management Student @ University St. Gallen (Switzerland)

HomeServer: i7 4930k - GTX 1070ti - ASUS Rampage IV Gene - 32Gb Ram

Laptop: MacBook Pro Retina 15" 2018

Operating Systems (Virtualised using VMware): Windows Pro 10, Cent OS 7

Occupation: Software Engineer


1 minute ago, Joveice said:

Yes, this I know. But the real question is can I get a Private key from the same string that will work as a decryption of the first public key? Like I know some of encryption stuff on same string changes each time it's done and will only work with the correct stuff.

I'm having trouble understanding what you're trying to accomplish.

 

So far what I understand you are building something that is remotely like a storage vault in a bank that keeps people's stuff safe.

I don't see a reason to use PKI in this situation unless that is, Alice comes to you and sets up a vault box on your server, gives the address of the box to Bob and then Bob is able to place messages in Alice's box but only Alice can read what's in the box, it doesn't allow Bob to see what's in the box and prevents him from seeing what Mary put there in Alice's box.

 

If that's roughly what you're trying to make, then there's really no reason to do anything more than just generating a key pair at the moment the storage box is being set up, give the Private key to Alice and keep the Public key on the server and use that to encrypt anything that is being placed in the box.

 

The other thing that it might be is that only Alice can place stuff in her vault and only Alice has access to see what's in the vault - in that case just use symmetrical keys IMHO...


1 minute ago, DXMember said:

I'm having trouble understanding what you're trying to accomplish.

 

So far what I understand you are building something that is remotely like a storage vault in a bank that keeps people's stuff safe.

I don't see a reason to use PKI in this situation unless that is, Alice comes to you and sets up a vault box on your server, gives the address of the box to Bob and then Bob is able to place messages in Alice's box but only Alice can read what's in the box, it doesn't allow Bob to see what's in the box and prevents him from seeing what Mary put there in Alice's box.

 

If that's roughly what you're trying to make, then there's really no reason to do anything more than just generating a key pair at the moment the storage box is being set up, give the Private key to Alice and keep the Public key on the server and use that to encrypt anything that is being placed in the box.

 

The other thing that it might be is that only Alice can place stuff in her vault and only Alice has access to see what's in the vault - in that case just use symmetrical keys IMHO...

I want to only allow the person who owns the box to see / add to it. And I don't want any hard way of them getting it, a simple login page using 1 password and not a big private key.

 

4 minutes ago, leodaniel said:

That's not how encryption should work! The keys must be (pseudo) randomly generated! If not, they are not secure.

 

What you basically want to achieve is a password manager right? The server should never be able to see the stored secret right? 

 

So just use AES encryption (symmetric encryption) with JavaScript on the browser. Basically the user logs in, you send him the encrypted data back, he types his master password in (not the same as login) and boom. When he wants to save something he just encrypts it in the browser end then sends the encrypted secret back to the server. This way the server is never able to decrypt the data. Of course this is just a simple explanation.

Yes a password vault, just like LastPass but only passwords.

But would this be a safe way to do it? I mean so much stuff can go wrong if half of the function is client sided.


Just now, Joveice said:

I want to only allow the person who owns the box to see / add to it. And I don't want any hard way of them getting it, a simple login page using 1 password and not a big private key.

 

Yes a password vault, just like LastPass but only passwords.

But would this be a safe way to do it? I mean so much stuff can go wrong if half of the function is client sided.

Client side encryption is the only way to go!


1 minute ago, Joveice said:

Yes a password vault, just like LastPass but only passwords.

But would this be a safe way to do it? I mean so much stuff can go wrong if half of the function is client sided.

ya but if you're securing the server with a user login that's not better

 

there's more stuff that can go wrong with your server tho'


1 minute ago, Joveice said:

Yes a password vault, just like LastPass but only passwords.

But would this be a safe way to do it? I mean so much stuff can go wrong if half of the function is client sided.

The server should never ever be able to read those passwords. Never. Or you have a big security issue in my eyes! For transmitting you use SSL of course!

This is complex and cryptography is not an easy topic. So many things can be implemented wrongly. You need strong encryption and the browser side encryption must be good.

You have to understand that breaking of this encryption is fatal and should not be able to happen. So don't use your homemade solution for real data!!


Just now, DXMember said:

ya but if you're securing the server with a user login that's not better

 

there's more stuff that can go wrong with your server tho'

Even more, you have a central place and when it gets hacked every user loses all PASSWORDS! Should never ever be possible to happen!


1 minute ago, leodaniel said:

Even more, you have a central place and when it gets hacked every user loses all PASSWORDS! Should never ever be possible to happen!

exactly!

#fappening


1 minute ago, DXMember said:

exactly!

#fappening

 

3 minutes ago, leodaniel said:

Even more, you have a central place and when it gets hacked every user loses all PASSWORDS! Should never ever be possible to happen!

 

5 minutes ago, leodaniel said:

The server should never ever be able to read those passwords. Never. Or you have a big security issue in my eyes! For transmitting you use SSL of course!

This is complex and cryptography is not an easy topic. So many things can be implemented wrongly. You need strong encryption and the browser side encryption must be good.

You have to understand that breaking of this encryption is fatal and should not be able to happen. So don't use your homemade solution for real data!!

Yeah, that's why I did not want to have the decryption key to the data, but I'll look into the client side way to do this now.


Just now, Joveice said:

Yeah, that's why I did not want to have the decryption key to the data, but I'll look into the client side way to do this now.

There is much more than just AES to the story. Multiple iterations, key derivation, brute-force protecting and so on! It's not easy and you should really only use it for self experimenting! ;)

Encryption was implemented 1000s of times wrongly ;)

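The approach leodaniel outlines in his posts above (encrypt on the client with AES, using a key derived from the master password through an iterated key derivation function, so the server only ever stores ciphertext), written out as an added example that is not part of any post in this thread. It uses Node's built-in `crypto` module with PBKDF2-SHA256 and AES-256-GCM; the function names, record fields, sample strings and iteration counts are assumptions of this example.

```javascript
// Added example, not code from the thread. Runs on Node's built-in crypto;
// function names, record fields and the work factors are assumptions.
const nodeCrypto = require('crypto');

const KDF_ITERATIONS = 600000; // assumed PBKDF2-SHA256 work factor
const MIN_ITERATIONS = 100000; // refuse stored records that ask for a weaker KDF
const KEY_BYTES = 32;          // AES-256

// Stretch the master password into a key. Same password + same salt always
// gives the same key, so the key itself is never stored anywhere.
function deriveKey(masterPassword, salt, iterations = KDF_ITERATIONS) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, iterations, KEY_BYTES, 'sha256');
}

// Client side: encrypt one secret. The returned record is all the server sees.
function sealSecret(masterPassword, secretString) {
  const salt = nodeCrypto.randomBytes(16); // random per record, not secret
  const iv = nodeCrypto.randomBytes(12);   // fresh nonce for every encryption
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secretString, 'utf8'), cipher.final()]);
  return {
    iter: KDF_ITERATIONS,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Client side: returns the plaintext, or null when the password is wrong or
// the stored record was modified (the GCM tag check fails in both cases).
function openSecret(masterPassword, record) {
  if (!Number.isInteger(record.iter) || record.iter < MIN_ITERATIONS) {
    throw new Error('record requests an unacceptably weak KDF');
  }
  const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'), record.iter);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // never hand back unauthenticated plaintext
  }
}

// Constructed sample values, for demonstration only.
function demo() {
  const master = 'constructed master passphrase';
  const a = sealSecret(master, 'SecretString-example');
  const b = sealSecret(master, 'SecretString-example');
  return {
    ciphertextsDiffer: a.ct !== b.ct,           // random salt and IV each time
    roundTrip: openSecret(master, a),           // original string comes back
    wrongPassword: openSecret('not the passphrase', a), // null
  };
}

console.log(demo());
```

Encrypting the same string twice gives different ciphertexts because of the random salt and IV, yet both decrypt with the same master password, since the key is recomputed from the password and the salt stored in the record.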

3 minutes ago, Joveice said:

Yeah, that's why I did not want to have the decryption key to the data, but I'll look into the client side way to do this now.

does the user have to access the data between sessions?

just use a huge ass symmetrical key generated and maybe stored client side between sessions


Just now, leodaniel said:

There is much more than just AES to the story. Multiple iterations, key derivation, brute-force protecting and so on! It's not easy and you should really only use it for self experimenting! ;)

Encryption was implemented 1000s of times wrongly ;)

It's gonna be used as an offline vault anyways so. But I still wanted it to be a bit safe. And I want the control of it :)


1 minute ago, DXMember said:

does the user have to access the data between sessions?

just use a huge ass symmetrical key generated and maybe stored client side between sessions

Not sure what you mean by this?


Just now, Joveice said:

Not sure what you mean by this?

 

1 minute ago, Joveice said:

It's gonna be used as an offline vault anyways so. But I still wanted it to be a bit safe. And I want the control of it :)

wait... it's offline? why are we talking about client and server side stuff? what the hell?


Just now, DXMember said:

 

wait... it's offline? why are we talking about client and server side stuff? what the hell?

Because it's still hosted on a server and accessed by a browser :P


1 minute ago, Joveice said:

It's gonna be used as an offline vault anyways so. But I still wanted it to be a bit safe. And I want the control of it :)

I understand what you mean, but don't agree with it. I think it's better to trust a well documented transparent password manager, which has proven itself to your homemade solution in every aspect!

It's not just that you could get hacked, you could lose your data, ... it's better to be on the safe side with your passwords!

 

I strongly recommend you to only use it for testing and learning!


13 minutes ago, Joveice said:

Because it's still hosted on a server and accessed by a browser :P

why?

just use Windows Key store and "normal" desktop application?


Just now, DXMember said:

why?

just use Windows Key store and "normal" desktop application?

I only know some PHP and currently also learning C# for what I need it for.


Just now, Joveice said:

I only know some PHP and currently also learning C# for what I need it for.

perfect, do that in C# and .NET use System.Security.Cryptography

https://msdn.microsoft.com/en-us/library/system.security.cryptography(v=vs.110).aspx


10 hours ago, leodaniel said:

So don't use your homemade solution for real data!!

THIS +10000000

 

For production people should ALWAYS use, without any exceptions, proven and audited encryption libraries. Most of them are open source with permissive licenses and there is no excuse for not using them. Home made cryptography solutions are just an invitation for black hats to get unauthorized access to your website.
