pfx file encryption algorithm

This seems like it should easily documented but I am unable to find.

My c# code does this to create a pfx file.

X509Certificate2 cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false);                     File.WriteAllBytes("certFile.pfx", **cert.Export(X509ContentType.Pfx, password)**); 

The class X509Certificate2 is from System.Security.Cryptography.X509Certificates which appears to be a built-in .NET library.

I would like to know what encryption algorithm is being used to protect the pfx file. I want to confirm whether it is AES256 or not, but I can’t seem to find this information anywhere.

I tried running this OpenSSL command on my "certFile.pfx" file. I had trouble with password so I used "no password" command line. Does this mean that the pfx file is encrypted using TripleDES?!

enter image description here

StartTLS encryption – which TLS versions are supported?

I am looking to set a third party application to authenticate with our domain. The application supports LDAPv3 and we have opted to use the start StartTLS extension to encrypt the credentials from the source host application towards the domain server.

Having said this, I am at a loss as to what TLS version is used in StartTLS. Given the older versions are less acceptable, we would like to opt to allow only the later version (1.2, 1.3) of TLS be accepted.

My question therefore is;

What TLS version is used/supported for StartTLS?

Solving subset-sum encryption (Princeton Creative Assignment)

The question: https://www.cs.princeton.edu/courses/archive/spring03/cs226/assignments/password.html

Input files: ftp://ftp.cs.princeton.edu/pub/cs226/password/

The question asks to use a symbol table for faster decryption. The implementation of symbol table can be either using hash table or BST. I am pretty sure we have to use a hash table as each element in the table can contain linked lists for sums that can be obtained using every subset. There are 5c possible subsets (given in the txt file) and 2^(5c) possible ways of adding these subsets.

I am not sure if this is efficient enough. The linked lists will be extremely toward the top of table and get exponentially smaller (by power of 2) toward the bottom. Lookup time will definetely not be constant.

This question is part of the creative assignments released by Princeton from their COS226 course. The links are given above.

What encryption did Encrochat use, and how was it broken?

On 2nd July, the UK’s national news outlets broke the story of an "unprecedented" 4-year-long, Europe-wide investigation that, in the UK, resulted in the arrest of 746 criminals, including many high-profile "kingpins" of the criminal underworld as well as corrupt police officers. According to The Mirror:

NCA Director of Investigations Nikki Holland, said: “This is the broadest and deepest ever UK operation into serious organised crime. Together we’ve protected the public by arresting middle-tier criminals and the kingpins, the so-called iconic untouchables who have evaded law enforcement for years, and now we have the evidence to prosecute them.”

If these phones were employing a form of encryption, then it stands to reason that the French police and the UK’s National Crime Agency must have been able to break it in some way. Is there any further information on what encryption EncroChat phones were using, and how exactly it was broken?

Is there any encryption mechanism where i can ensure that the decryption can only happen within my data center?

I have a requirement where i need to store confidential data in an encrypted format in the url, i understand POST with body is better approach but it is not an option for me. I am thinking of using a pass phrase based AES 128 bit encryption for encrypting the query string parameter. The concern i have is that the url could get cached in different parts of the internet and if the pass phrase is exposed somehow then it could be used to decrypt these values.

Drawback of Multi Level Encryption

I am backing up my files to a RAID mirrored HDD, that has full disk encryption (FDE) in place with LUKS. Until now I did this with rsync, but I recently switched to a new backup program that does file level encryption as well.

So my question is: Is there any drawback of having multi levels of encryption, or is it actually an advantage? A drawback I can maybe think of would be managing two keys and forgetting one of them would potentially make my backup completely useless.

Encryption (not hashing) of credentials in a Python connection string

I would like to know how to encrypt a database connection string in Python – ideally Python 3 – and store it in a secure wallet. I am happy to use something from pip. Since the connection string needs to be passed to the database connection code verbatim, no hashing is possible. This is motivated by:

  • a desire to avoid hard-coding the database connection credentials in a Python source file (bad for security and configurability);
  • avoid leaving them plain-text in a configuration file (not much better due to security concerns).

In a different universe, I have seen an equivalent procedure done in .NET using built-in machineKey / EncryptedData set up by aspnet_regiis -pe, but that is not portable.

Though this problem arises from an example where an OP is connecting via pymysql to a MySQL database,

  • the current question is specific neither to pymysql nor MySql, and
  • the content from that example is not applicable as a minimum reproducible example here.

The minimum reproducible example is literally

#!/usr/bin/env python3  PASSWORD='foo' 

Searching for this on the internet is difficult because the results I get are about storing user passwords in a database, not storing connection passwords to a database in a separate wallet.

I would like to do better than a filesystem approach that relies on the user account of the service being the only user authorized to view what is otherwise a plain-text configuration file.

Related questions

  • Securing connection credentials on a web server – but that requires manual intervention on every service start, which I want to avoid
  • Security while connecting to a MySQL database using PDO – which is PHP-specific and does not discuss encryption