Key Generation – How do I program a function to generate a secure encryption key for block ciphers?

I am currently studying the most popular encryption algorithms and methods. For practical reasons, I am currently pursuing a project in which I simply implement everything from ECB to RSA as a kind of C crypto library.
I wanted to ask how I would generate a more or less secure key in a C program (I know that writing a crypto library alone is not at all secure, but I just want to learn the basic principles from key generation to key exchange encryption mechanisms).
How could I approach the problem of implementing a secure key generation algorithm? Which main problems need to be considered in order to achieve at least mediocre key security?

Does knowledge of the data structure interfere with AES encryption?

I am considering encrypting a number of TAR archives with AES. I am concerned that the TAR format is quite predictable in terms of field content and block size:

Each file object contains any file data and a 512-byte prefix
Header. The file data is written unchanged, with the exception that it is
The length is rounded up to a multiple of 512 bytes. The original tar
The implementation did not care about the contents of the filler bytes.
and left the buffer data unchanged but most advanced tar
Implementations fill the extra space with zeroes.

Should an attacker have a large archive of hundreds of files, is AES encryption compromised?

amazon web services – AWS Lambda to verify Dynamodb kms encryption

I want to write a lambda function to catch a table in DynamoDb that does not use KMS encryption. I plan the following:
1. Create an SNS topic
2. Write a lambda function
3. Trigger the Lambda function from the Cloudwatch event: CreateTable

My question is: If KMS is not used in the JSON document, the following lines are not included in the event details

"sSEDescription": {
"sSEType": "KMS",
"kMSMasterKeyArn": "",
"status": "ACTIVATED"

So I should check my Python code sSEDescription is zero or is there a better way?

Appreciate every input to make my code better.

Thank you very much

Encryption – Is it possible to encrypt portions of a file for upload, so you do not have to encrypt the entire file first?

Yes. Your main problem would be that you need a client that allows you to receive the file from a stream instead of a single file.

For example, if you were to copy the file using ssh, you would normally do something like that

scp myfile.txt remotehost:

This assumes, however, that the previous file exists. However, this happens to be equivalent to:

Cat myfile.txt | ssh remotehost> cat> myfile.txt & # 39;

In this form, you can now easily insert an encryption filter

Cat myfile.txt | gpg -e -r AA00BB00CC00DD | ssh remotehost -> cat> myfile.txt.gpg & # 39;

In case you do not want to get any further

Another alternative would be to use a virtual file system that displays the files as encrypted but performs encryption on access. This would make the encryption layer transparent to the programs that are performing the upload.

An example of this is the utility encfs, which uses a FUSE file system. The man page itself shows an example of how to use it --reverse flag to create an encrypted view for copying the files.

In case you do not want to get any further

Finally, one last method, to avoid the duplicate storage space, would be to encrypt the file over plain text. So use a program that encrypts the first 10 MB of the file and replaced the first 10 MB of the original file with the encrypted. Then the second part of 10 MB and so on.

However, there is a risk that you will receive a half-encrypted file if the process fails halfway (for example, due to a power outage). And if you want to decrypt the file, you'll need to do a second inline pass after uploading to decrypt the file. I would only recommend it if you want to keep the local file encrypted but have no space to handle it differently. It still solves your problem

In case you do not want to get any further

I would use the most common CLI commands as & # 39; consider scp. sftp and rsync, everyone presents the same topic.

² For normal files, metadata is not taken into account

³ Or any other block size

Encryption – Storage of SSL private key in Load Balancer VS HSM

I have a setup that stops the SSL certificates on the load balancer (ie Load Balancer to the web server is in plain text). To perform the SSL termination, the private key is stored in the load balancer itself. I have an HSM in a data center.

Security people told me that the best course of action is to store the private key in an HSM.

I read Should SSL be terminated on a load balancer? and I understand that there's nothing wrong with stopping the SSL encryption on the Load Balancer.

However, must the private keys be self-paced (for security reasons)? Are there any technical issues with saving private SSL keys in a centralized HSM?

E-mail Encryption Recommendations (Egress, O365 and Forcepoint)

Could anyone give some advantages / disadvantages of e-mail encryption approaches for the three mentioned platforms? I have researched this in detail, but am aware that many of the reports I read have some bias in their results (eg, most of the information appears to come from one of these companies). I am very interested in hearing the opinions of users on this site.

C ++ – Is this method safe? Botan encryption

I have to build something that is not very complicated, but efficient. I do not have much time to debug.

I do not know if this method is strong enough to encrypt data that should be displayed in a Qr code.

It is compiled in Qt.


    using namespace std;
    using namespace Botan;

    // .....

    bool BotanWrapper::EncryptFile(QString Source, QString Destination)
    //Setup the key derive functions
    PKCS5_PBKDF2 pbkdf2(new HMAC(new SHA_160));
    const u32bit PBKDF2_ITERATIONS = 8192;

    //Create the KEY and IV
    KDF* kdf = get_kdf("KDF2(SHA-1)");

    //Create the master key
    SecureVector mMaster = pbkdf2.derive_key(48, mPassword.toStdString(), &mSalt(0), mSalt.size(),PBKDF2_ITERATIONS).bits_of();
    SymmetricKey mKey = kdf->derive_key(32, mMaster, "salt1");
    InitializationVector mIV = kdf->derive_key(16, mMaster, "salt2");

    string inFilename = Source.toStdString();
    string outFilename = Destination.toStdString();
    std::ifstream in(inFilename.c_str(),std::ios::binary);
    std::ofstream out(outFilename.c_str(),std::ios::binary);

    Pipe pipe(get_cipher("AES-256/CBC/PKCS7", mKey, mIV,ENCRYPTION),new DataSink_Stream(out));
    in >> pipe;


    return true;
    return false;

Key Management – When gpg encrypt is invoked from the command line, how is a key selected for encryption?

Using a tip from (found by looking for "GPG duplicate key"), you can specify keys by ID wherever You specify them at all (like gpg -sear 104763A0that signs the recipient, encrypts and encodes base64, whose public key ID matches 104763A0). I tested that on my machine and it worked well.

I do not know what happens when you try to specify an ambiguous key. Probable options are the first key in the keyring (which is what the person said at the link above), the key farthest from the expiration, the key that you trust the most, or some other type (which in turn first key "could affect in the key chain" thing).