Common Encryption types with keys stored in Base64

I am a noob 🙂

I am attempting to recover a password from a piece of software. The software has a XML file contains three fields that appear important to this process: Password Value, EncryptionKey Value, and PasswordEncoding Value. PasswordEncoding Value is set to 12000 (in case that helps).

The other two fields appear to be base64 strings that, when decoded, seem to be nonprintable characters.

I want to use Python to try to find the type of enc used in hopes of decrypting the Password Value field. What are common types of Encryption that would store data in base64 in a xml file? This is from a Windows app.

Thank you

recompiled kernel with luks full-disk encryption?

I need to remove xhci_hcd from my kernel. It should be a module so that I can blacklist it.

I cloned git://kernel.ubuntu.com/ubuntu/ubuntu-disco.git, and I was able to successfully run fakeroot debian/rules binary. I then installed the resulting .deb files. My grub menus were updated, the local1 suffix was correctly added to all files and menu items, everything looks good.

I needed to modify the xhci and ehci entries in the ‘annotations’ file, which seems like a guardrail to be sure that no unexpected changes were made – this was reassuring.

I have full-disk encryption configured by the installer, and if I boot with my new kernel, entering my key does not unlock my disk. Standard english keyboard layout.

I have searched google, and grepped my disk and the docs. I am certain that it’s a one-liner that I’m just missing? Some grub or initramfs configuration that is so obvious nobody talks about it.

Any clues, any clues at all, will almost certainly help me.

Migrate SharePoint Column Encryption / Decryption using RSA Machine-Level Crypto

I’m actively trying to find the best way to migrate machine-level encryption to a new server that will be running SharePoint 2019.

We use the RSACryptoService.cs to encrypt data being stored in a SharePoint column.

https://gist.github.com/malinxiao/07c922ec29263b136045d36cd84f80df

We haven’t made any changes to the web.config in relation to this. I’m also not able to find the key container using aspnet_regiis, so I’m assuming the crypto service creates it dynamically.

The only solution I can think that will work at the moment is to decrypt all of the data, move it to the new server, and then encrypt it on the new server.

Are there any other better options?

Looking for a specific quote about keys and transparent encryption implementation

I’m struggling to find a quote advising that we should be comfortable in sharing details of encryption methods and implementation with would-be attackers and the system still remain secure. The idea is that the keys are what we should be protecting as opposed to some obscurity in our code and approach.

Does anybody have the quote I’m talking about?

Zero server knowledge encryption for media server

I’m making a little media server, just for fun, but I want to know if what I’m thinking makes sense.

The idea is that the files will be stored on the server, encrypted. The file encryption key (henceforth FEK) will also be stored on the server, but it too will be encrypted using a 2nd key, derived from the user’s password (henceforth PDK).

It will work like this:

  1. There will be a 2-stage login. First, the user enters their username.
  2. If the user exists, the server will send back two fixed, per-user salts and a # of iterations.
  3. The client will use the first salt to hash their password with 1 iteration of sha256. They will send this to the server.
  4. The server takes this hashed password and rehashes with a 3rd salt and many iterations (PBKDF2) and uses this to authenticate the user.
  5. Meanwhile, the client uses the 2nd salt and # of iterations that the server previously sent, also with PBKDF2, to create the PDK.
  6. If the user is successfully authenticated, the server sends back the encrypted key (FEK).
  7. The client uses the PDK to decrypt the FEK.
  8. The decrypted FEK is used to encrypt and decrypt all files client-side.

Rationale: The password will be sent over HTTPS, but supposing my server is completely compromised (attacker has SSH access), then they could just wait for someone to login and get the plain-text password. One iteration of sha256 doesn’t provide a lot of protection, but this is a sort of worst-case scenario, and I don’t want to double the amount of time we’re waiting for PBKDF2 (once on client, again on server).

It still has to be rehashed on the server in case the attacker manages to download the database, but maybe doesn’t have full/persistent access. This would prevent them from cracking passwords too quickly.

I sent the 2nd salt and # of iterations to the client before they authenticate so that we can do (4) and (5) in parallel. Salt and # iterations don’t really need to be secret, do they?

Since the server never sees the plain-text password, it can never decrypt the FEK, which is the most important.

We use different salts to basically get 2 different keys out of 1 password. One is the hashed password for authentication, and the other is the PDK.

I also want to do file-deduplication using hashes. I realize this also exposes some information, so I plan on using the FEK for the file hashes too. Then I can only do per-user file deduplication, but that’s good enough.

If the user changes their password, I simply re-encrypt the FEK and send it back to the server for safe-keeping. No need to re-encrypt the files.

Does this all make sense? Any problems in my plan?

Oh, also I’m thinking aes-256-cbc with per-file IVs for the encryption, HMAC-SHA256 for the file hashes, PBKDF2 w/ sha256 and half a second worth of iterations for both the password hash and the PDK.