Category Archives: Cryptography

JWT Tokens

Below the basic operations to create and validate JWT tokens

using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

public class JwtGenerator
{
    public static string GenerateSecureKey()
    {
        using var randomNumberGenerator = RandomNumberGenerator.Create();
        var key = new byte[32]; // 256 bits
        randomNumberGenerator.GetBytes(key);
        return Convert.ToBase64String(key);
    }

    public static string GenerateToken(string secret)
    {
        JwtSecurityTokenHandler tokenHandler = new();
        byte[] key = Encoding.ASCII.GetBytes(secret);

        SecurityTokenDescriptor tokenDescriptor = new()
        {
            Subject = new ClaimsIdentity(new Claim[]
            {
                // Add any claims you need here
                new Claim(ClaimTypes.Name, "username"),
            }),
            Expires = DateTime.UtcNow.AddMinutes(60),
            SigningCredentials = 
                new SigningCredentials(
                        new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
        };

        SecurityToken token = tokenHandler.CreateToken(tokenDescriptor);
        return tokenHandler.WriteToken(token);
    }

    public static ClaimsPrincipal DecodeAndValidateToken(string token, string key)
    {
        var tokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key)),
            ValidateIssuer = false,
            ValidateAudience = false,
            ClockSkew = TimeSpan.Zero
        };

        var tokenHandler = new JwtSecurityTokenHandler();

        try
        {
            var claimsPrincipal = tokenHandler.ValidateToken(token, tokenValidationParameters, out var validatedToken);
            return claimsPrincipal;
        }
        catch (SecurityTokenException)
        {
            Console.WriteLine("Invalid token.");
            return null;
        }
        catch (Exception ex)
        {
            Console.WriteLine($"An error occurred: {ex.Message}");
            return null;
        }
    }

    public static void Main()
    {
        string key = GenerateSecureKey();
        Console.WriteLine(key);

        Console.WriteLine();

        string token = GenerateToken(key);
        Console.WriteLine(token);

        var claimsPrincipal = DecodeAndValidateToken(token, key);
        foreach (var claim in claimsPrincipal.Claims)
        {
            Console.WriteLine($"Claim Type: {claim.Type}, Claim Value: {claim.Value}");
        }
    }
}

Share

Get certificate information with openssl

To display certificate information of a certificate issue the command below:

openssl x509 -in certificate -text

Information about the certificate is displayed. Some important items are:

Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA

The Issuer is a CA that signed this certificate.

Validity
            Not Before: Feb  6 00:00:00 2015 GMT
           Not After : Feb 26 23:59:59 2016 GMT

The validity period of the certificate. Remember to renew your certificate before it expires!

Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.bjdejong.nl

The subject for this certificate. This certificate can be used for a website for the given CN.

Share

OpenSSL encrypt and decrypt files

cryptoWith the help of OpenSSL you can easily encrypt and decrypt files. This method of encryption is of course  also compatible with the openssl binaries you can download for the Windows platform. Use base64 encoding for better multi-plaform exchange.

Encrypt

Encrypt files with (a password is asked for encrypting):

openssl enc -aes-256-cbc -base64 -in <file to encrypt> -out <encrypted file>

Decrypt

Decrypt files with (a password is asked for decrypting):

openssl enc -aes-256-cbc -base64 -d -in <encrypted file> -out <decrypted file>

The commands above use base64 encoding for storing the encrypted data.

Share

Public-key cryptography

cryptoYou give other people your public (encryption) key. Other people can encrypt data with your public key which you can only decrypt because you have the private (decryption) key for the public key that is used.

Generate a key pair (private / public) with 2048 bits length:

openssl genrsa 2048 > key.pem

Generate a password protected key pair (private / public) with 4096 bits length:

openssl genrsa -des3 -out key.pem 4096

Generate the public key from the private key:

openssl rsa -in key.pem -pubout > pub.key

Create a symmetric key (base 64 for convenience) and store in file:

openssl rand -base64 32 > symmetrickey.txt

Encrypt the symmetric key file with your public key:

openssl rsautl -in symmetrickey.txt -out symmetrickey.bin -pubin -inkey mypubkey.pem -encrypt

Decrypt the symmetric key with your private key:

openssl rsautl -in symmetrickey.bin -out symmetrickey.txt -inkey myprivkey.pem -decrypt

Public-key cryptography, also known as asymmetric cryptography, refers to a cryptographic algorithm which requires two separate keys, one of which is secret (or private) and one of which is public.

Although different, the two parts of this key pair are mathematically linked. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt ciphertext or to create a digital signature.

The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional (“symmetric”) cryptography which relies on the same key to perform both.

The strength lies in the fact that it is “impossible” (computationally unfeasible) for a properly generated private key to be determined from its corresponding public key.

Thus the public key may be published without compromising security, whereas the private key must not be revealed to anyone not authorized to read messages or perform digital signatures.

Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.

Each user has a pair of cryptographic keys – a public encryption key and a private decryption key. Similarly, a key pair used for digital signatures consists of a private signing key and a public verification key.

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.

The first major symmetric algorithm developed for computers in the United States was the Data Encryption Standard (DES), approved for use in the 1970s. The DES uses a 56-bit key.

DES has been replaced by the Advanced Encryption Standard (AES), which uses 128-, 192- or 256-bit keys. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128-bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations

Share

Cryptography notes, tips and tricks

Cryptography notes.

This article is about cryptography and asymmetric encryption / decyption.
Asymmetric (public / private key pair) and symmetric (one key to encrypt and decrypt).

– distribute your public key
– keep your private key secret and private 🙂

Ask people who want to send you a secret mail to encrypt it with the public key. Only you, the owner of the private key, are able to decrypt it.

Install openSSH from http://slproweb.com/products/Win32OpenSSL.html (Visual C++ 2008 Redistributables and Win32 OpenSSL v1.0.1c).

Add the installation folder to your path and adjust the environment variable OPENSSL_CONF to point to your configuration file.

Asymmetric encryption of a file:
1. Create a private key and public key pair:
> openssl genrsa -out private.pem 1024
1a. Encrypt you private key:
> openssl rsa -in private.pem -des3 -out private-enc-key.pem
2. Extract the public key from this file (the public.pem, created below, can be freely distributed):
> openssl rsa -in private.pem -out public.pem -outform PEM -pubout
3. Encrypt a file:
> openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file_enc.txt
4. Decrypt the file with your private key:
> openssl rsautl -decrypt -inkey private.pem -in file_enc.txt -out decrypted.txt

Retrieve information about your private key (generated with genrsa command):
> openssl rsa -in privateKey.pem -text

NOTES

Privacy Enhanced Email (PEM)

http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html

 

Share

Display X509 certificatie information in C#

Display information about a X509 certificate with this little C# fragment:

using System;
using System.Security.Cryptography.X509Certificates;

class App
{
static void Main(string[] args)
{
if (args.Length == 0)
{
Console.WriteLine("Usage: Viewcert .cer");
return;
}

X509Certificate x509 = X509Certificate.CreateFromCertFile(args[0]);

Console.WriteLine(
"Issued to {0}nIssued by {1}nSerial# {2}n"
+ "From {3} To {4}nAlgo {5} Params {6}n"
+ "Format {7}n"
+ "Cert Hashn{8}nCert Datan{9}nPublic Keyn{10}",
x509.Subject, x509.Issuer, x509.GetSerialNumberString(),
x509.GetEffectiveDateString(), x509.GetExpirationDateString(),
x509.GetKeyAlgorithm(), x509.GetKeyAlgorithmParametersString(),
x509.GetFormat(), x509.GetCertHashString(), x509.GetRawCertDataString(),
x509.GetPublicKeyString());
}
}
Share

Check public key of MSI

For a project I have to test the signing of a MSI. The MSI has to be uploaded to a web server. The web server has to test the signing status of the MSI. The code below saves the MSI file (in the upload control) local. With help of the X509Certificate class a certificate object is instantiated. The SigningStatus is a enum.

internal static SigningStatus GetSigningStatus(FileUpload fileupload)
{
string fileName = Path.Combine(
Context.Server.MapPath(WebConfigurationManager.AppSettings["IprTempDir"]),
fileupload.FileName);

try
{
// Save file so it can be uses in constructor for the X509 certificate (constructor does
// not handle streams!)
fileupload.SaveAs(fileName);
13: X509Certificate2 x509msi = new X509Certificate2(fileName);
if (x509msi.GetHashCode() != 0)
{
X509Certificate2 key = new
X509Certificate2(StrToByteArray(WebConfigurationManager.AppSettings["PublicKey"]));

if (string.Compare(
x509msi.PublicKey.EncodedKeyValue.Format(false),
key.PublicKey.EncodedKeyValue.Format(false)) == 0)
{
// Public key web.config equal to public key of uploaded file =&gt; Company signed
return SigningStatus.CompanySigned;
}

// File is signed but not with the Company public key
return SigningStatus.Signed;
}
else
return SigningStatus.NotSigned;
}
catch (CryptographicException)
{
return SigningStatus.NotSigned;
}
finally
{
if (File.Exists(fileName))
{
File.Delete(fileName);
}
}
}
Share