Extract pre-master keys from memory

I want to get the pre-master key from an OpenSSL application (in order to decrypt traffic).
Details:

  • OpenSSL version: 1.0.2l, statically linked, no debug symbols
  • I’m able to debug the application (hit breakpoint inside SSL_connect(SSL *s) method)

Is there any way to get the pre-master key from there? I’m using x64dbg. Sorry if that sounds like a newbie question.

aes – Question regarding data encryption/decryption and sharing said keys with third parties

At work we have a pretty complex problem (for me at least) and I have no idea what a fitting solution would be. To give a bit of context, the company I work for is a data processor/provider for big corporations that need sensitive user data such as: social security numbers, how much a person earns, all their past addresses where they have lived, if they have ever collected welfare, etc.

The problem we are facing is that we have to encrypt the user data so if we ever get compromised the data of the end-users is safe. How we do this is: the end-user fills their data-vault (this vault contains all the data I gave as an example in the paragraph above), and we encrypt all the data and keep the key to decrypt the data in our system.

We however do not want this; we are looking for a fitting solution where the end-user can fill their data-vault, we encrypt it and create hashes of their data (so our customers can verify if the data is actually valid after decrypting it), and at the end we throw away the key so our system no longer has it. Once our customer wants to access the data-vault of a certain end-user, the end-user has to exchange their key with said customer so in turn our customer can decrypt the data on their own system.

We looked into asymmetric encryption, but the issue is we only want to encrypt the data-vault once so the end-user does not need to constantly re-encrypt their data. To make it a bit clearer, read the examples below where the data-vault is created and shared:

Creation:

End-user Bob wants to share his personal information with Netflix and Facebook, so Bob signs up at the site of my company. He fills his personal data-vault, which we in turn encrypt, and we throw away the key used (Bob still has this key).

Sharing:

Company A and Company B request data out of the data-vault of user Bob (Company A wants his social security number and Company B wants to know if the user ever collected welfare); our system gives them that part of his vault, and we ask Bob to send the keys to Company A and Company B (using a webhook or something). Bob then sends both Company A and Company B his key, so they can decrypt his data.

Does anybody have an idea what I could use to do this? I looked into just using basic encryption and decryption (AES) and just sharing the key used to encrypt the data, but I am not sure how secure/smart this is.

encryption – Is this a good practice for storing private keys?

I’m working on a centralized exchange for cryptocurrencies. The approach that I’m taking, for some reasons, is to create an account (private key) per user. Now my problem is how to safely store private keys on the server. Since I’m using a VPS, it’s not possible to use an HSM or any other hardware solution.
Now the approach I’m taking is this: for each user, when he creates his account, I’m going to generate a private key and encrypt that private key using his password. Now if some user wants to transfer cryptocurrency from his inside-platform account to his external account, in addition to his external account address he also has to provide his password, and I’m going to use his password to decrypt his private key and sign the transaction using it.
Now even if my database is compromised, the attacker can’t use the private keys since they are encrypted, and he can’t use the passwords to decrypt them since the passwords are hashed.
Now I want to know: is there any problem with this approach that I don’t see?
Thanks in advance.

key management – Securing API keys for accessing Google APIs via Front End (UI)

This question is about how to secure API keys. I’m not sure if this is in the same category as key management for cryptography and should follow the same rules. See details below.

We currently have hybrid Mobile Apps. The apps are made using Angular and Ionic. Now, we have some functions where we would need to use some of Google’s APIs in order to implement the functions we want. No problem there.

The issue is how to securely store the API keys that we pass to the Google APIs. It does not seem good practice to hardcode them in the UI code. Can anyone help us here and suggest a way to securely store the API keys? We have already thought of retrieving them from the back end, but they would still be exposed after we retrieve them from the back end and pass them to Google.

encryption – Are there intrinsic weaknesses in accessing the same payload encrypted with different keys?

Assume we use AES256 to encrypt the same payload 100 times, each with a different key.

An attacker gains access to the 100 encrypted payloads, and nothing else.

Is there some way the attacker can gain insight about the payload (or about the keys) based on those 100 encrypted payloads?

What about accessing 1 million encrypted payloads?

multi signature – Sign Multisignature Transaction with only 1 of the needed keys using BitcoinJ?

If I have an unsigned raw transaction whose inputs are from a multisignature wallet, can I sign the transaction with only one of the N needed keys and get the output as a raw transaction again, using BitcoinJ and/or Java native cryptography libraries?

The case I want is the same as this page of Coinb.in: https://coinb.in/#sign So I have as input a raw transaction and a private key, and also the multisignature redeem script if needed, and I want as output the raw transaction with the signatures that were there before (if there were any) + the signature from the private key I provided as input.

key generation – Why are we still required to move the mouse when generating the keys in VeraCrypt?

I think you need to look at the history of the codebase to understand why it’s there in the first place. VeraCrypt descended from TrueCrypt, which was built at a time when the CSPRNG in Windows used an unspecified method of generating data:

Because CryptGenRandom is the de facto standard CSPRNG in Win32 environments, its security is critical for Windows users.

The specifics of CryptGenRandom’s algorithm have not been officially published. As with any unpublished random number generation algorithm, it may be susceptible to theoretical weaknesses including the use of outdated algorithms, and a reliance for entropy gathering on several monotonically-increasing counters that might be estimated or controlled to an extent by an attacker with local access to the system.

As to whether it’s still necessary by today’s standards, well, that is obviously a matter of taste. I managed to find a high-level statement about the CSPRNG in .NET. I’ve been unable to uncover any sort of specification for the CSPRNG built into Windows, after about 10 minutes of searching through the Microsoft documentation.

Here’s a good discussion about CSPRNG for readers that have yet to consider this aspect of information security: Pornin 2010 https://stackoverflow.com/a/3532136

aes – Why are we still a monkey when generating the keys in VeraCrypt?

During the setup of a new encrypted volume, VeraCrypt requires random mouse movement within the window. Someone looking from the outside would see a monkey sitting in front of a computer playing with the mouse.

There are good solutions to generate cryptographically secure keys, like the usual /dev/random on Linux and CryptGenRandom on Windows. During the random key generation in TLS, nobody is asked to be a monkey. In OpenSSL, openssl rand 128 handles key generation very fast.

So, at this age, why do we still need the mouse movement in VeraCrypt? Is there any specific reason that I am missing?

keyboard – Using the fn+F1 and fn+F2 keys changes brightness instead of acting as standard function keys

When I press fn+function key, most keys act as standard function keys. However, F1 and F2 still turn the brightness up and down instead of acting as normal function keys, even with fn being pressed. How can this be fixed? I’d still like my brightness keys to change the brightness, but only when fn is not pressed.