Whatsapp is change the message db to .crypt 7, and now my little app that written in c# not working now (i have a little app for myself for viewing my history chats) because it written for old crypt db of whatsapp.
Now, i see that whatsapp is useing new crypt - .crypt7 - what is it? and how i can convert it? i see also have there local key for decrypt? how i can use it with my little c# for decrypt and read it?
Thanks!
You have to get encryption key. if you have root, you can copy /data/data/com.whatsapp/files/key here. As far as i know whatsapp using "aes" for encryption.
Related
I have a USB token (Epass-Capricorn) and my requirement is to sign text/flat files using the same.
PS: I believe I have to get the "START-SIGNATURE", "START-CERTIFICATE" and "SIGNER-VERSION" data from the code and append at the end of the file, attached a screenshot of same.
Can someone guide me how can I achieve the same using C#?
I've read several posts but I've yet to find something that helps me.
I've got a simple C# winforms application that connects to a SQL DB. What I want to do is to encrpyt this string and decryt it on the fly. I've found this thread which does what I want - Encrypting & Decrypting a String in C#
but .... where to I then store the key/saltkey? Any help would be great!
You have to put your connection string in app.config, then you should encrypt your config file, please refer to this article to find more details
I am making a custom ftp client that logs onto a single ftp site and goes to a specific folder to avoid users' putting files in the wrong place.
I'm not super concerned about it, but the password is just a string to initiate the new ftp object.
FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");
What is the best way to keep this password from prying eyes?
FTP supports only plain text authentication - if you want to hide the password from attackers you have to use FTPS (FTP over SSL).
UPDATE
Don't care about hiding and obfuscating the password in your source code as a first step - your application will have to decrypt it and send it over the wire in plain text. Everyone can just start WireShark or any other packet sniffer and get the password back in plain text. First make sure that you don't send the password in plain text over a network, then start thinking about obfuscating it in your code.
UPDATE
Obfuscating the password in your code yields no security at all while you are sending it in plain text, but you can do so. Just encrypting the string adds one level of indirection. Without obfuscation I have to finde the password in your application and that's a matter of minutes with Reflector, with obfuscation I have to find the key, the encrypted password, and the encryption method. This will probably still take only minutes.
Using an obfuscator to prevent me from decompiling you application (into readable code) might stop me for a few hours until I find the relevant call into a system library function (but I wouldn't try, but only read the password from the wire ;).
So I suggest not to try to hard to obfuscate the password - the average user is probably unable to find a plain text password in a executable and people willing to find the password cannot be stopped by obfuscation. In this case the only way would be not to include the password in your application in the first place.
You can use this to protect your plain text string from reflector like programs.
See this SO post about how to encrypt and decrypt a string, in this case your password.
You should also consider obfuscating your code to make it difficult for people with appropriate tools to get the password by debugging your code.
Make your passwords and connection URLs configuration parameters, in a protected file. I uses INI files, and they are placed in a directory that is protected by the web server such that a browser can't open nor see the file/directory.
I have a bit of code that needs to run with elevated privileges (more that I want the rest of my code running at).
I have my code that sets up the Impersonation working, but it requires a username, domain and password. As my code is in C#.net I know that the password can be found by anyone determined enough.
Is there a way to encrypt the password in my code? Or otherwise secure this password and still be able to pass it in?
Here is the code I am calling:
using (new Impersonator("UserNameGoesHere", "DomainNameGoesGere", "Password Goes Here"))
{
uint output;
NetUserAdd(AUTHENTICATION_SERVER, 1, ref userinfo, out output);
return output;
}
I would love an example that shows how to fix this to not show my password in plain text.
I am using Visual Studio 2008, .NET 3.5 SP1, and running on Windows Server 2003.
Vaccano,
I would recommend investigating the data protection API (DPAPI) for what you're attempting to achieve. It is considered part of the solution in many best practice approaches to reversibly storing passwords needed by applications.
A good article discussing the DPAPI (and other techniques + concerns) can be found here:
http://msdn.microsoft.com/en-us/magazine/cc164054.aspx
With C# 2.0, P/Invoking isn't even required; managed wrappers exist:
http://blogs.freshlogicstudios.com/Posts/View.aspx?Id=41ca5a99-ddc0-4d0a-9919-2ce10bf50c7e
I hope this helps!
You have multiple options here.
You can hash the password the very first time and store the hash to a file. Now the next time, you want to execute the code with elevated privileges, you need to accept/retype the password and re-compute the hash and match it with the stored hash. Only if it matches will you execute your code in elevation modes. You could hash using SHA. Please look at System.Crytography namespace for examples on hashing.
Second option is to encrypt the password using algorithms like AES. However you will need to have a key to do this and you will have to worry about securing this key.
Third option is to use DPAPI and encrypt the password but not worry about securing the keys - much easier option than 2.
I would recommend 1 if you do not mind re-entering the password every time the application starts. If that is not a possibility, I would suggest going with 3 and use DPAPI.
Here are some links to get you started.
1.http://www.obviex.com/samples/dpapi.aspx
2. http://www.obviex.com/samples/Encryption.aspx
You can use safe-config nuget package. Internally it uses data protection api to encrypt and decrypt data.
//Save some configuration data at folder data\temp\
var configManager = new ConfigManager()
.WithOptions(DataProtectionScope.CurrentUser)
.Set("password", "my-massword")
.AtFolder(#"data\temp\")
.Save();
...
//Load configuration data
var loadedValue = new ConfigManager()
.AtFolder(#"data\temp\")
.Load()
.Get<string>("password");
We need to PGP encrypt files and send them over FTP to a third party. The files are encrypted with the DH/DSS public key of the third party and signed with our private key.
The third party have our public key and their own private key. The encryption/decryption works, but the third party are getting warnings when they try to verify our signature.
When we try to decrypt and verify similarly encrypted files using PGP Desktop the files verify without warning.
The third party are using "McAfee E-Business Server"
The exact warning is:
WARNING: Bad signature, doesn't match file contents!
Bad signature from user "users name"
The code is a little involved, but I posted it on my blog. I can post it here instead of a link if that is more appropriate.
Any insight as to how to solve this issue is appreciated.
While I can't give a thorough explanation as to the details of the problem, here is a solution that works.
First of all it seems that the different PGP implementations are very sensitive to which program was used to genereate the keys in use.
The failing scenario:
Create keys in PGP Desktop (RSA v4, 2048/2048)
Encrypt in BouncyCastle (DH/DSS, Elgamal)
Sign in BouncyCastle (With the RSA key)
Decryption and signature verification success in PGP Desktop.
Decryption success but signature verification fails in McAfee Business Server.
In order to make McAfee Business Server succeed in verifying the keys either create the keys in BouncyCastle using the code from the BouncyCastle source code.(Org.BouncyCastle.Bcpg.OpenPgp.Examples.RsaKeyRingGenerator)
This code can be changed if you need specific key properties.
Another alternative is to use McAfee Business Server to generate the keys. For that you need access to the software. I did my tests with a trial version. (Which by the way was a pain in the neck to get up and running)
Update: I did all my tests on E-Business Server 8.5.3 (trial). I reached the point where I could encrypt and sign in Bounty and decrypt and verify in E-Business Server. Turns out the third party are using E-Business Server 7.0 which refused to verify the signature.
In order to get everything working we needed to create V3 signatures.
We changed from:
PgpSignatureGenerator pgpSignatureGenerator = new PgpSignatureGenerator(m_encryptionKeys.SecretKey.PublicKey.Algorithm, HashAlgorithmTag.Sha1);
to
PgpV3SignatureGenerator pgpV3SignatureGenerator = new PgpV3SignatureGenerator(m_encryptionKeys.SecretKey.PublicKey.Algorithm, HashAlgorithmTag.Sha1);