RSA cryptography with NOPAD

Can anyone provide me with pseudo code/algorithm, that will give the steps to encrypt and decrypt a message using the RSA/NOPAD combination. I will implement using cryptix 3.2.
If any documentation is available regarding RSA/NOPAD, please provide the link(s) or mail it to my id.
I also need verified test data to test the implementation. I looked in rsalabs but was unable to find any.
Thanks to all.
Regards.
Arnab.

sabre150 >Of course there are! The mathematics says that if your planetext converted to number is bigger than the modulus then you will loose information.
Arnab> Missed this point before. Thank you.
sabre150 >Also, if your planetext converted to a number is small such that m^e is less than the modulus ............... published by Wiley.
Arnab> Thanks again.
sabre150 >I don't understand what you are trying to do? If you are doing it all yourself (as you imply) then YOU will have to split the planetext into blocks and YOU will have to provide any padding.
Arnab>I am splitting the plain text to proper block, based on the key length. For PKCS#1 implementation I am providing a 11 byte header and padding if necessary.
For NoPad, I guess I can leave the byte and header out, and just split the message into blocks of size equal to modulus.
If by "doing it all yourself ", you mean that "am I writing the code to do the splitting and padding" then yes.
sabre150 >Your search does not seem to have been very thorough because the fifth entry that Google came up with is.......
Arnab> Thank you for the link. However the test vectors contain data for RSAES-OAEP and RSA-PSS algorithms.
Cipher text generated using RSAES-PKCS1 or NOPAD obviously will not validate against the test data which are meant for RSAES-OAEP.
Did I miss anything here?
Thank you again for your patience and time. Please let me know if you see that I am wrong somewhere.
Regards.
Arnab.

Similar Messages

Rsa securid with remote access dial-in service problem

Hello,
I tried to setting rsa secured with remote access dial-in service on cisco 2600 box. Everything works well except when token in new pin or next token mode. The dial-up client can not enter second passcode, do not have second pop-up window, so all authentications was fail. My dial-up client is windows 2000 or xp.
Please suggest me too.
Thanks,
Nitass

While I agree with you that the terminal window solution is more complex and less user friendly than the standard Windows DialUp window/authentication, the terminal window does provide a solution to the new pin or next token issue which the standard Windows does not.
I work with a customer who uses RSA token to authenticate dial in users. We have found the solution to the issue you are dealing with to be either the terminal window where the user can deal with their problem or to have someone take administrative action on the RSA server to reset/resync the users token.
So as I see it you have a choice to make: either present terminal window as an alternative setup on the user PC or when they can not login on dial up have them call the Help Desk and have someone deal with it for them. One solution is somewhat less user friendly but does allow the user to deal with their own problem, and the other solution is more user firendly and puts more load on the Network Support staff.
I would also wonder why you have so many users in new pin and next token mode? Perhaps if you can figure how to minimize the frequency of these modes you can minimize the problem of difficulty authenticating for your users.
HTH
Rick

RSA authentication with LDAP group mapping

Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?

@Tarik
I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a Radius profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott

Using Google Play Developer License RSA code with Air for Android App?

What is the procedure for using Google Play Developer's provided license code (Base64-encoded RSA public key to include in your binary) for an Air for Android app in Flash?
I see the need to load a p12 file and have gone through the process of creating one for Air for iOS with OpenSSL but the Google provided key is in a different format. To start with it is delivered by copy/paste off a webpage.
I am using Flash CS5.5. I could switch to CS6 if neccesary.
Thanks

Follow this link, see post number 12.
http://forums.adobe.com/thread/1115438

Cryptography with SAPCRYPTOLIB

Hi Folks,
Anyone have experience with SAPCRYPTOLIB?
The point is, my client have a XI that receives messages via HTTPS from a Web Service. The XML payload has some elements encrypted and I want unencrypted!!!
Anyone knows how to work with this library?
Thanks in advance,
Ricardo.

Hi James,
Forget the XI, the idea is: My client receive messages in XML format, some of the fields are encrypted with algorithm Triple-DES. This information is stored into a Z table of a SAP ERP 2005. The idea is develop an ABAP report that reads this table and decrypt the encrypted fields.
I know that algorithm Triple-DES is a symmetric algorithm and the same key is used to encrypt and decrypt. All information that I read in SAP help about SSF programming is about public key technology I think that I dont need to implement the Public Key Infrastructure, but only a simple private key infrastructure.
I would like to use SSF programming to develop this report and I just read the SSF programming guide. I dont know if I need to use all the functions that it has because the encryption process is already done (the infrastructure is also defined) and all I need to do is the inverse process (decrypt).
I have some questions:
In which place is safe to save the private key? On a table, file, into WAS?
Which extra configurations I need to do to start my ABAP report?
Which functions of a SSFG function group I need to use? Like I said before I think that I only need to decrypt the encrypted data, so it means only a SSF_DEVELOPE function is necessary?
Thanks a lot for your help.
Regards,
Ricardo.

Cryptography with J2ME / J2EE

cheers to you all,
i have to develop an application in which there is encrypted message exchange between a client (Mobile phone) and a server.
i wil use AES , RSA, HMAC-SHA (for digest) and i don't know where can i find the convenient sources / API since i will use J2ME for the client and J2EE for the server
help me please
thanks

Hi!
I have to connect an J2ME client to the J2EE server
and I want to know if is it possible using JNDI/LDAP.
but I want to realize the connection using JNDI/LDAP.Sounds like you've misunderstood what JNDI/LDAP is.
You should read up what these two technologies are (and what they are for).
For what particular reason did you 'want to realize the connection using JNDI/LDAP'?

RSA token with Pix

I have a Pix 525 running 7.02 OS using the 5.0 VPN client. I'm trying to configure this to use RSA tokens to authenticate. I added the following lines to my Pix config:
aaa-server <group name> protocol sdi
reactivation-mode timed
aaa-server <group name> host 172.16.180.X
retry-interval 3
timeout 13
aaa-server <group name> protocol sdi
reactivation-mode timed
aaa-server <group name> host 172.16.180.105
retry-interval 3
timeout 13
Where do I put in the shared secret that the RSA server uses? I know we put one in there, it's actually a version of RADIUS but I don't know where to put it for the Pix.
Thanks

If you're doing it via SDI the two devices will negotiate the shared secret. Only if you're doing Radius do you need to create one manually, based on RSA documents.

Using Java to encrypt files with RSA

Hi
I thinking of creating a javaprogram that encrypts my
files with RSA Cryptography.
Does anyone have some hints on what methods that
can come in handy?
I saw in the API that there are som methods relating this
like the interface RSAPublicKey, RSAPrivateKey from
the superinterface RSAKeyBut I could not find anything about some method to encrypt with
the keys...
help me please :(

Is your Google broken? Just a few seconds of searching revealed...
Java's Cryptography Forum
Encryption by Example: Simple Java Programs
Java 2 Cryptography Extension
Fundamentals of Java Security
Reference: Java Cryptography

RSA SecurID and Cisco ACS integration for user(s) with enable mode

I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
I use tacacs+ authentication for logging into the Cisco router
such as telnet and ssh. In the ACS I use "external user databases"
for authentication which proxy the request from the ACS over
to the RSA SecurID Server. I installed RSA Agents with
sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
to be "RSA_SecurID" group. In the "External user databases" and
"database configurations" I assign SecurID to this "RSA_SecurID"
group.
Everything is working fine. In the "User Setup" I can see dynamic
user test1, test2,...testn listed in there as "dynamic users". In
other words, I can telnet into the router with my two-factor
SecurID.
The problem is that if test1 wants to go into "enable" mode with
SecurID login, I have to go into "test1" user setting and select
"TACACS+Enable Password" and choose "Use external database password".
After that, test1 can go into enable mode with his/her SecurID
credential.
Well, this works fine if I have a few users. The problem is that
I have about 100 users that I need to do this. The solution is
clearly not scalable. Is there a setting from group level that
I can do this?
Any ACS "experts" want to help me out here? Thanks.

That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks.

PEAP with RSA question

I am getting ready to install a wireless network with WLC4404, ACSSE and about 100 AP's. The current network is a Novel network and every user has an RSA token. We want to be able to have the users use their RSA token with connecting to the wireless.
I have found all the documents from here on how to configure ACS including getting the certificate and adding in the RSA server. I also know how to add the information to the RSA server for the ACS.
What I am not sure about is the setup of the windows XP SP2 machine for RSA security.
From what I have read, it seems that I just need to select WPA2, AES, then select PEAP, and under PEAP options choose Smart Card. Is this all?
When I looked at the RSA sites documents, their screen shots show the ability to choose a hardware or software token.
Seth

I have been doing some research into this.
If I have this correct, I cannot use the RSA token directly with Window's without using a supplicant like Funk Odyssey or Cisco.
Is this correct?
Seth

IPsec Site-to-Site with RSA sign stuck on MM_KEY_EXCH

I am currently studying for CCNA Security, and i would like to be able to configure a Site-to-Site VPN with RSA sig with a windows server 2012 acting as AD and CA. I already have enable scep on windows server 2012 and disable the enrollement challenge password.
Since two days, i am completly stuck on MM_KEY_EXCH error.
Here is my lab:
http://i59.tinypic.com/2502h76.png
I have 3 router 3600 ios 12.4(16) - C3640-JK9S-M.
On the left is my Active Directory/CA with a static nat from 192.168.2.254 to 1.1.1.3, so it can be joined from outside by R2.
On the right, just an outside client.
I am trying to authenticate R1 and R2 with RSA sign from my AD/CA.
I have already tried NAT-T...
The clock on both routers is matching the clock of AD/CA
Some configuration:
R1 (1.1.1.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
fqdn R1.cisco.ca
subject-name cn=R1.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set SET
set pfs group2
match address VPN
R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R1.cisco.ca
cn=R1.cisco.ca
hostname=R1.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:15:11 UTC Oct 26 2014
end date: 21:15:11 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
R2 (2.2.2.2)
ip domain name cisco.ca
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
fqdn R2.cisco.ca
subject-name cn=R2.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set SET
set pfs group2
match address VPN
R2(config)#end
R2#sh c
Oct 26 19:27:28.007: %SYS-5-CONFIG_I: Configured from console by consoler
R2#sh cryp
R2#sh crypto pk
R2#sh crypto pki cer
R2#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R2.cisco.ca
cn=R2.cisco.ca
hostname=R2.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:18:03 UTC Oct 26 2014
end date: 21:18:03 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
Here are some error that i get:
Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid   Validity period starts on 21:18:03 UTC Oct 26 2014
Output of show crypto isakmp sa:
R1#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.1.1.2         2.2.2.2         MM_KEY_EXCH         42    0 ACTIVE
1.1.1.2         2.2.2.2         MM_KEY_EXCH         41    0 ACTIVE
1.1.1.2         2.2.2.2         MM_NO_STATE         40    0 ACTIVE (deleted)
1.1.1.2         2.2.2.2         MM_NO_STATE         39    0 ACTIVE (deleted)
I would appreciate if someone can help me on this.
Thanks

Sorry, Config attached here.

ACS 4.2 with multiple RSA secure ID token servers

Hi all,
I have a question which I couldn't find an answer to so far. Below is a very brief explaination of what I have and what I need to do.
What I have:
1- An ACS 4.2 server installed on win 2003 with RSA agent installed.
2- A RSA Secure ID Token Authentication manger 7.1
The problem:
Due to lost RSA master password I am unable to back the DB up and upgrade RSA AM 7.1 to 7.1 SP4.
So far all the solution I have found and been told to do by RSA support have not enabled me to recover the lost password.
What I want to do:
I want to install a fresh copy of RSA AM 7.1 SP4 on Win 2008 R2
Since I can't make a DB backup from the running RSA, once I install the fresh copy I will migrate users one by one
My question:
This is a very busy production environment and users can't tolorate down time at all.
I need to keep everything running, I need to know if it is possible to have 2 RSA data sotres setup within ACS 4.2 or not?
And if so, will migrated users to the new RSA installation be still able to authenticate or not?
Can ACS send multiple authentication request simultaneously or not? And what happenes if a user is present in both instances of RSA, old and new?
Thanks,
Khash

I have this setup and working. Set up an external database connection on the ACS for a RADIUS server (not RSA) and setup your RSA server with the RADIUS shared secret. Check IP connectivity between both,and make sure that the RSA server is the first database to be queried. Here you are just using Radius to pass through the auth from the ACS to the RSA server.

ADCS certificate enrollment error with RPC

I'm attempting to enroll in a computer certificate that works for a windows clients (W7), but not for the Apple (OS 10.9.4) clients. I've been using the following document, with no success (http://support.apple.com/kb/HT5357). The enrollment is being attempted from a mobileconfig generated from an OS X server. The payload is limited to only ADCertificatePayload to limit how much to troubleshoot. We are also limiting the enrollment to a single Issuing CA to limit where to look for communication. I greatly appreciate any assistance you can provide.
This is the ManagedClient.log from /Library/Logs:
+||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
    computerID = AppleWorkID;
    domainName = "FQDN.com";
    name = domainname;
    subject = "/CN=AppleWorkID.FQDN.com";
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep 3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name: host/IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
Sep 3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
Sep 3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
Sep 3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
The template, 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
General: Both display name and template name = "AppleWorkstation"
Compatability-> CA: Windows Server 2008 R2
Compatability->Certificate recipient: Windows 7 / Server 2008r2
Request Handling->Purpose:Signature and Encryption
Cryptography->Algorthim name:RSA
Cryptography->Minimum key size:2048
Cryptography->Request hash:SHA256
Security: Both the windows and mac domain computer objects have (read,enroll, autoenroll).
Subject Name->Build from this Active Directory information: Subject name format: common name
Subject Name: Only UPN is checked
The schema version of the template is 3 and the version of the template is 100.43
Both computers are joined to the Active Directory 2008 r2 domain. Certificate services exist within the site on their own dedicated servers. The CA's are as follows: 1x 2012r2 for offline root and 2 x Issuing CA's.

Hi Alexander,
But by group should work by desing or did I get something wrong
I am not sure that I understand this query correctly, I’ll just put it this way, feel free to correct me if I misunderstood:
Access control assignment on a group will grant corresponding permissions to all members within it, it’s called inherited permissions.
If there is a direct access control entry which assigns permissions to
single security principle belonging to the group, then the direct permissions take precedence, it’s called explicit permissions.
Well, if a security principle belongs to two/multiple groups, and each group gets conflicting permissions, then the more
restricted (deny or not allow) ones take precedence. This rule goes the same with explicit permissions, more restricted ones have higher precedence.
In addition, here are some scripting forums below for you if there are any scripting requirements:
The Official Scripting Guys Forum
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
Windows PowerShell Forum
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell&filter=alltypes&sort=lastpostdesc
MSDN Forums
https://social.msdn.microsoft.com/Forums/en-US/home
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]

How to sign the data with DHPrivateKey

I am testing DH key exchange protocol. When I run the following code, it works.
import java.io.*;
import java.math.BigInteger;
public class DH2 {
    private DH2() {}
    public static void main(String argv[]) {
        try {
            String mode = "USE_SKIP_DH_PARAMS";
            DH2 keyAgree = new DH2();
            if (argv.length > 1) {
                keyAgree.usage();
                throw new Exception("Wrong number of command options");
            } else if (argv.length == 1) {
                if (!(argv[0].equals("-gen"))) {
                    keyAgree.usage();
                    throw new Exception("Unrecognized flag: " + argv[0]);
                mode = "GENERATE_DH_PARAMS";
            keyAgree.run(mode);
        } catch (Exception e) {
            System.err.println("Error: " + e);
            System.exit(1);
    private void run(String mode) throws Exception {
        DHParameterSpec dhSkipParamSpec;
        if (mode.equals("GENERATE_DH_PARAMS")) {
            // Some central authority creates new DH parameters
            System.out.println
                ("Creating Diffie-Hellman parameters (takes VERY long) ...");
            AlgorithmParameterGenerator paramGen
                = AlgorithmParameterGenerator.getInstance("DH");
            paramGen.init(512);
            AlgorithmParameters params = paramGen.generateParameters();
            dhSkipParamSpec = (DHParameterSpec)params.getParameterSpec
                (DHParameterSpec.class);
        } else {
            // use some pre-generated, default DH parameters
            System.out.println("Using SKIP Diffie-Hellman parameters");
            dhSkipParamSpec = new DHParameterSpec(skip1024Modulus,
                                                  skip1024Base);
        System.out.println("ALICE: Generate DH keypair ...");
        KeyPairGenerator aliceKpairGen = KeyPairGenerator.getInstance("DH");
        aliceKpairGen.initialize(dhSkipParamSpec);
        KeyPair aliceKpair = aliceKpairGen.generateKeyPair();
        System.out.println("ALICE: Initialization ...");
        KeyAgreement aliceKeyAgree = KeyAgreement.getInstance("DH");
        aliceKeyAgree.init(aliceKpair.getPrivate());
        byte[] alicePubKeyEnc = aliceKpair.getPublic().getEncoded();
        KeyFactory bobKeyFac = KeyFactory.getInstance("DH");
        X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec
            (alicePubKeyEnc);
        PublicKey alicePubKey = bobKeyFac.generatePublic(x509KeySpec);
        DHParameterSpec dhParamSpec = ((DHPublicKey)alicePubKey).getParams();
        System.out.println("BOB: Generate DH keypair ...");
        KeyPairGenerator bobKpairGen = KeyPairGenerator.getInstance("DH");
        bobKpairGen.initialize(dhParamSpec);
        KeyPair bobKpair = bobKpairGen.generateKeyPair();
        System.out.println("BOB: Initialization ...");
        KeyAgreement bobKeyAgree = KeyAgreement.getInstance("DH");
        bobKeyAgree.init(bobKpair.getPrivate());
        byte[] bobPubKeyEnc = bobKpair.getPublic().getEncoded();
        KeyFactory aliceKeyFac = KeyFactory.getInstance("DH");
        x509KeySpec = new X509EncodedKeySpec(bobPubKeyEnc);
        PublicKey bobPubKey = aliceKeyFac.generatePublic(x509KeySpec);
        System.out.println("ALICE: Execute PHASE1 ...");
        aliceKeyAgree.doPhase(bobPubKey, true);
        System.out.println("BOB: Execute PHASE1 ...");
        bobKeyAgree.doPhase(alicePubKey, true);
        byte[] aliceSharedSecret = aliceKeyAgree.generateSecret();
        int aliceLen = aliceSharedSecret.length;
        byte[] bobSharedSecret = new byte[aliceLen];
        int bobLen;
        try {
            bobLen = bobKeyAgree.generateSecret(bobSharedSecret, 1);
        } catch (ShortBufferException e) {
            System.out.println(e.getMessage());
        bobLen = bobKeyAgree.generateSecret(bobSharedSecret, 0);
        System.out.println("Alice secret: " +
          toHexString(aliceSharedSecret));
        System.out.println("Bob secret: " +
          toHexString(bobSharedSecret));
        if (!java.util.Arrays.equals(aliceSharedSecret, bobSharedSecret))
            throw new Exception("Shared secrets differ");
        System.out.println("Shared secrets are the same");
        System.out.println("Return shared secret as SecretKey object ...");
        bobKeyAgree.doPhase(alicePubKey, true);
        SecretKey bobDesKey = bobKeyAgree.generateSecret("DES");
        aliceKeyAgree.doPhase(bobPubKey, true);
        SecretKey aliceDesKey = aliceKeyAgree.generateSecret("DES");
        Cipher bobCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        bobCipher.init(Cipher.ENCRYPT_MODE, bobDesKey);
        byte[] cleartext = "This is just an example".getBytes();
//        Signature signature = Signature.getInstance("SHA1withDSA");
//        signature.initSign(bobKpair.getPrivate());
//        signature.update(cleartext);
//        byte[] data = signature.sign();
        byte[] ciphertext = bobCipher.doFinal(cleartext);
        Cipher aliceCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        aliceCipher.init(Cipher.DECRYPT_MODE, aliceDesKey);
        byte[] recovered = aliceCipher.doFinal(ciphertext);
        if (!java.util.Arrays.equals(cleartext, recovered))
            throw new Exception("DES in CBC mode recovered text is " +
              "different from cleartext");
        System.out.println("DES in ECB mode recovered text is " +
            "same as cleartext");
        bobCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
        bobCipher.init(Cipher.ENCRYPT_MODE, bobDesKey);
        cleartext = "This is just an example".getBytes();
        ciphertext = bobCipher.doFinal(cleartext);
        byte[] encodedParams = bobCipher.getParameters().getEncoded();
        AlgorithmParameters params = AlgorithmParameters.getInstance("DES");
        params.init(encodedParams);
        aliceCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
        aliceCipher.init(Cipher.DECRYPT_MODE, aliceDesKey, params);
        recovered = aliceCipher.doFinal(ciphertext);
        if (!java.util.Arrays.equals(cleartext, recovered))
            throw new Exception("DES in CBC mode recovered text is " +
              "different from cleartext");
        System.out.println("DES in CBC mode recovered text is " +
            "same as cleartext");
}I want to sign the data with Signature,So i add the following code to the sample.
        byte[] cleartext = "This is just an example".getBytes();
     Signature signature = Signature.getInstance("SHA1withDSA");
        signature.initSign(bobKpair.getPrivate());
        signature.update(cleartext);
        byte[] data = signature.sign();
        byte[] ciphertext = bobCipher.doFinal(cleartext);Run the code again, the output is
Error: java.security.InvalidKeyException: No installed provider supports this key: com.sun.crypto.provider.DHPrivateKey
What's wrong with the code, It seems that the bob's private key is not instance of DSAPrivateKey but DHPrivateKey.
what's your comment? thanks a lot.

slamdunkming wrote:
thank sabre150 for your reply. But the key pair is generated when I use DH to exchange the secret key. Yes! It is a DH key pair and cannot be used for signing. The DH key pair can only be used for secret sharing.
If I can not use this private key to sign the data, what can i do?Do I have to generate another key pair for signature? In that way, I will have two key pair. Yep. You can generate a DSA or an RSA key pair to be used for signing.
Because I use http protocol to exchange the key to get the shared secret key, Yep.
If I generate another key pair, how can i send the public key to server? Since public keys are 'public' then you can send them in the open to anyone you like. In fact, if you don't publish your public keys then they are pretty much a waste of time. The biggest problem one has with public key is proving 'ownership' - if someone sends me a public key how do I know that the sender is actually who they say they are?.
I am confused.Some reading might help. A pretty good starting point is "Beginning Cryptography with Java" by David Hook published by Wrox.

Problem with Configuring Tomcat for running jsp web applications..Plz HELP

I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
to connect to the database. I have placed my project folder called
tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
a collection of html pages,jsp pages and images of my project. Also I created a
WEB-INF folderand in that I have lib folder which contains catalina-root.jar
, classes12.jar and nls_charset.jar files. And also in the WEB-INF folder I have the web.xml
file which looks like this
<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app>
<resource-ref>
<description>Oracle Datasource example</description>
<res-ref-name>jdbc/gdn</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
My Server.xml file in Tomcat\conf folder is as follows



<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<GlobalNamingResources>

<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
<Resource name="jdbc/gdn" auth="Container"
type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
url="jdbc:odbc:gdn"
username="system" password="tiger" maxActive="20" maxIdle="10"
maxWait="-1"/>
</GlobalNamingResources>


<Service name="Catalina">


<Connector
port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />

     



<Connector port="8009"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />






<Engine name="Catalina" defaultHost="localhost">




<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>







<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">









<Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
</Host>
</Engine>
</Service>
</Server>
I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
in a browser. Here I accept a username and password from the user and then do the validation in
a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
accordingly. However when I enter the username and password and click Go in the homepage, nothing is
displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
IS IT POSSIBLE?WHY WILL THIS HAPPEN?
I set the JAVA_HOME and CATALINA_HOME environment to the jdk and tomcat folders resp.
Is there any other thing that I need to set in classpath? Should I have my project as a
WAR file in the webapps of TOMCAT or just a folder i.e. directory structure will fine?

I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
to connect to the database. I have placed my project folder called
tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
a collection of html pages,jsp pages and images of my project. Also I created a
WEB-INF folderand in that I have lib folder which contains catalina-root.jar
, classes12.jar and nls_charset.jar files. And also in the WEB-INF folder I have the web.xml
file which looks like this
<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app>
<resource-ref>
<description>Oracle Datasource example</description>
<res-ref-name>jdbc/gdn</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
My Server.xml file in Tomcat\conf folder is as follows



<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<GlobalNamingResources>

<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
<Resource name="jdbc/gdn" auth="Container"
type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
url="jdbc:odbc:gdn"
username="system" password="tiger" maxActive="20" maxIdle="10"
maxWait="-1"/>
</GlobalNamingResources>


<Service name="Catalina">


<Connector
port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />

     



<Connector port="8009"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />






<Engine name="Catalina" defaultHost="localhost">




<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>







<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">









<Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
</Host>
</Engine>
</Service>
</Server>
I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
in a browser. Here I accept a username and password from the user and then do the validation in
a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
accordingly. However when I enter the username and password and click Go in the homepage, nothing is
displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
IS IT POSSIBLE?WHY WILL THIS HAPPEN?
I set the JAVA_HOME and CATALINA_HOME environment to the jdk and tomcat folders resp.
Is there any other thing that I need to set in classpath? Should I have my project as a
WAR file in the webapps of TOMCAT or just a folder i.e. directory structure will fine?

RSA cryptography with NOPAD

Similar Messages

Maybe you are looking for