Re: [Pharo-users] Data Encryption

2017-02-23 Thread Ben Coman
This is speculation without knowing your scope and architecture,
but perhaps part of the puzzle is two factor authentication
via a $20 Yubico FIDO U2F Security Key.
https://www.yubico.com/store/
https://www.yubico.com/about/background/fido/
https://www.yubico.com/2016/02/use-of-fido-u2f-security-keys-focus-of-2-year-google-study/

BSD licensed C library for server-side..
https://developers.yubico.com/libu2f-server/
https://developers.yubico.com/U2F/Libraries/Using_a_library.html

cheers -ben


P.S. It might be cool to link the yubico client-side libraries (LGPL)
into the VM for Iceberg to authenticate via U2F to github.
https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
https://www.yubico.com/why-yubico/for-individuals/github/
https://github.com/Yubico/libu2f-host



On Thu, Feb 23, 2017 at 9:31 PM, sergio ruiz  wrote:

> Now that i think about it.. this will contain a list of passwords for
> servers, etc.. each user will need to access about a dozen company
> passwords.. trying to thing about how to keep this buttoned down..
>
>
> On February 22, 2017 at 9:19:05 AM, Alexandre Bergel (
> alexandre.ber...@me.com) wrote:
>
> If it helps, I’m using NaCl to secure the passwords. You should not store
> the passwords of your users, not even encrypted.
>
> 
> peace,
> sergio
> photographer, journalist, visionary
>
>


Re: [Pharo-users] Data Encryption

2017-02-23 Thread sergio ruiz
Now that i think about it.. this will contain a list of passwords for servers, 
etc.. each user will need to access about a dozen company passwords.. trying to 
think about how to keep this buttoned down..


On February 22, 2017 at 9:19:05 AM, Alexandre Bergel (alexandre.ber...@me.com) 
wrote:

If it helps, I’m using NaCl to secure the passwords. You should not store the 
passwords of your users, not even encrypted.

peace,
sergio
photographer, journalist, visionary

Public Key: http://bit.ly/29z9fG0
#BitMessage BM-NBaswViL21xqgg9STRJjaJaUoyiNe2dV
http://www.Village-Buzz.com
http://www.ThoseOptimizeGuys.com
http://www.coffee-black.com
http://www.painlessfrugality.com
http://www.twitter.com/sergio_101
http://www.facebook.com/sergio101

signature.asc
Description: Message signed with OpenPGP using AMPGpg


Re: [Pharo-users] Data Encryption

2017-02-22 Thread sergio ruiz
Hi, Alejandro..

yes, they are looking to encrypt the entire database.. you’re right, i think 
securing the OS and running over SSL is sufficient..

BUT..

i do appreciate your writeup on NaCl..

I am DEFINITELY using this on my next project..

Thanks!


On February 22, 2017 at 9:19:05 AM, Alexandre Bergel (alexandre.ber...@me.com) 
wrote:

Hi!
If it helps, I’m using NaCl to secure the passwords. You should not store the 
passwords of your users, not even encrypted.


Re: [Pharo-users] Data Encryption

2017-02-22 Thread sergio ruiz
OH! 

Sorry.. they don’t want to do the crypto stuff on our own..

just the CRUD stuff of managing the passwords..

but those were some really good links!


On February 22, 2017 at 9:19:05 AM, Alexandre Bergel (alexandre.ber...@me.com) 
wrote:

are they aware of Schneier's Law...
* https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
* https://www.schneier.com/essays/archives/1999/03/cryptography_the_imp.html



Re: [Pharo-users] Data Encryption

2017-02-22 Thread Alexandre Bergel
This is impressive Alejandro! Thanks for the explanation

Alexandre  

> Le 22 févr. 2017 à 01:17, Alejandro Infante  a 
> écrit :
> 
> Hi!
> If it helps, I’m using NaCl to secure the passwords. You should not store 
> the passwords of your users, not even encrypted.
> 
> For securing the passwords I use Sha-512 over the salted password.
>  
> User>>initialize
>   super initialize.
>   salt := (Nacl randomBytes: 16)
> 
> User>>setPassword: aPassword
>   hashedPassword := Nacl hash: (salt , aPassword asByteArray)
> 
> User>>validatePassword: aPassword
>   ^ hashedPassword asByteArray = (Nacl hash: salt asByteArray , aPassword asByteArray)
> 
> 
> Notice that:
>   1) I have a different salt for each password, if a bad guy wants the 
> passwords he is going to need a different rainbow table for each user.
>   2) I do not store the password. I do not even store the hash of the 
> plain password.
>   3) Still I’m able to validate the password.
>   
>   * Note that I’m using Nacl>>randomBytes: to generate a 
> cryptographically safe random value. Here is not really necessary, BUT you 
> should use it if you are creating Session-IDs or Tokens.
> 
> Encrypting the database is *tricky*. You not only have to encrypt the 
> database, but also secure the key. First you need to know how much security 
> you want:
>   1) Be secure if someone hacks into the user running pharo.
>   3) Be secure if someone steals the server.
>   4) Be secure if someone has physical access to the running server. (All 
> your keys are in RAM)
>   2) Be secure if someone hacks root. (I doubt anything is going to save 
> you here)
> 
> For most projects/businesses (unless working with really sensitive data, such 
> as medical data) securing the OS (users and root) and encrypting the 
> hard-disk should be enough. Also do not forget to encrypt the connections. If 
> everything is on the same server just use https. But you may need more if you 
> use Load Balancers, multiple servers and databases.
> 
> Cheers,
> Alejandro
> 
>> On Feb 21, 2017, at 9:11 AM, Mariano Martinez Peck  
>> wrote:
>> 
>> As for single username/pass encryption (not the whole DB), and assuming you 
>> want two-way encryption (that you want to decrypt), I have used both, Rijndael 
>> and Blowfish, both in combination with SpsSplitPasswordStore.
>> 
>> Cheers,
>> 
>>> On Tue, Feb 21, 2017 at 8:20 AM, Pierce Ng  wrote:
>>> On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
>>> > I have been tasked with throwing together a small web app that will hold
>>> > the passwords to different projects for my company.
>>> 
>>> Here is a collection for reference. If one of these is suitable you can 
>>> skip the
>>> implementation and just deploy.
>>> 
>>>   http://opensourcepasswordmanager.com/
>>> 
>>> > - encrypt the entire database, so that if the machine was compromised
>>> > physically, the data would be useless.
>>> 
>>> The NativeBoost version of my SQLite library supports SQLcipher which adds
>>> transparent full database encryption to SQLite. It is not in the UFFI 
>>> version
>>> yet though.
>>> 
>>>   http://sqlcipher.net
>>> 
>>> > - encrypt the username and password fields to facilitate the above, also.
>>> 
>>> If you are already familiar with using a crypto API like OpenSSL or NaCl then
>>> Pharo's FFI makes it easy to get this done too.
>>> 
>>> Pierce
>>> 
>>> 
>> 
>> 
>> 
>> -- 
>> Mariano
>> http://marianopeck.wordpress.com
> 


Re: [Pharo-users] Data Encryption

2017-02-22 Thread Ben Coman
On Wed, Feb 22, 2017 at 9:21 PM, sergio ruiz  wrote:
>
> for whatever reason, they want something written from scratch.. in house..

are they aware of Schneier's Law...
* https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
* https://www.schneier.com/essays/archives/1999/03/cryptography_the_imp.html

cheers -ben


Re: [Pharo-users] Data Encryption

2017-02-22 Thread Pierce Ng
On Wed, Feb 22, 2017 at 01:17:35AM -0300, Alejandro Infante wrote:
>   salt := (Nacl randomBytes: 16)
>
> User>>setPassword: aPassword
>   hashedPassword := Nacl hash: (salt , aPassword asByteArray)

Hi Alejandro,

Coincidentally, I've just updated my SHA256/512 password hashing library, which
wraps a C library of the same. The salt is variable length between 8 and 16
octets long, and the output is in the informally standard md5crypt format
"$id$salt$passwordhash".

Words:
  http://www.samadhiweb.com/blog/2017.02.18.shacrypt.html
  http://www.samadhiweb.com/blog/2013.11.17.shacrypt.html
  https://www.akkadia.org/drepper/sha-crypt.html

Code:
  https://github.com/PierceNg/PasswordCrypt

Pierce



Re: [Pharo-users] Data Encryption

2017-02-22 Thread sergio ruiz
Right.. we’re looking to encrypt the entire database AFTER doing the business 
as usual password encryption..


On February 21, 2017 at 11:15:55 PM, Alejandro Infante 
(alejandroinfant...@gmail.com) wrote:

Hi!
If it helps, I’m using NaCl to secure the passwords. You should not store the 
passwords of your users, not even encrypted.



Re: [Pharo-users] Data Encryption

2017-02-22 Thread sergio ruiz
We are looking to encrypt the entire database..

On February 21, 2017 at 11:15:55 PM, Alejandro Infante 
(alejandroinfant...@gmail.com) wrote:

As for single username/pass encryption (not the whole DB), and assuming you 
want two-way encryption (that you want to decrypt), I have used both, Rijndael and 
Blowfish, both in combination with SpsSplitPasswordStore.



Re: [Pharo-users] Data Encryption

2017-02-22 Thread sergio ruiz
Gotcha! thanks!

for whatever reason, they want something written from scratch.. in house..

On February 21, 2017 at 11:15:55 PM, Alejandro Infante 
(alejandroinfant...@gmail.com) wrote:


Here is a collection for reference. If one of these is suitable you can skip 
the 
implementation and just deploy. 

http://opensourcepasswordmanager.com/ 



Re: [Pharo-users] Data Encryption

2017-02-21 Thread Alejandro Infante
Hi!
If it helps, I’m using NaCl to secure the passwords. You should not store the 
passwords of your users, not even encrypted.

For securing the passwords I use Sha-512 over the salted password.
 
User>>initialize
  super initialize.
  "one fresh 16-byte salt per user, from NaCl's CSPRNG"
  salt := (Nacl randomBytes: 16)

User>>setPassword: aPassword
  "store only SHA-512 over salt || password, never the password itself"
  hashedPassword := Nacl hash: (salt , aPassword asByteArray)

User>>validatePassword: aPassword
  "recompute with the stored salt and compare against the stored hash"
  ^ hashedPassword asByteArray = (Nacl hash: salt asByteArray , aPassword asByteArray)


Notice that:
1) I have a different salt for each password, if a bad guy wants the 
passwords he is going to need a different rainbow table for each user.
2) I do not store the password. I do not even store the hash of the 
plain password.
3) Still I’m able to validate the password.

* Note that I’m using Nacl>>randomBytes: to generate a 
cryptographically safe random value. Here is not really necessary, BUT you 
should use it if you are creating Session-IDs or Tokens.

Encrypting the database is *tricky*. You not only have to encrypt the database, 
but also secure the key. First you need to know how much security you want:
1) Be secure if someone hacks into the user running pharo.
3) Be secure if someone steals the server.
4) Be secure if someone has physical access to the running server. (All 
your keys are in RAM)
2) Be secure if someone hacks root. (I doubt anything is going to save 
you here)

For most projects/businesses (unless working with really sensitive data, such as 
medical data) securing the OS (users and root) and encrypting the hard-disk 
should be enough. Also do not forget to encrypt the connections. If everything 
is on the same server just use https. But you may need more if you use Load 
Balancers, multiple servers and databases.

Cheers,
Alejandro
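
The scheme above (per-user random salt, SHA-512 over salt || password, verify by
recomputing) as an added example in Python with only the standard library; it is
not code from the thread or from any Pharo/NaCl binding. The stored record uses
the "$id$salt$hash" shape Pierce describes, but the id label "nacl-sha512" and
the sample password are constructed for the example, not a registered crypt(3)
id. One deliberate change: the comparison is constant-time, since a plain
equality check generally stops at the first differing byte.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed label for the stored record. It is NOT a registered crypt(3)
# id; it only marks which scheme produced the hash so records can be
# migrated later.
SCHEME_ID = "nacl-sha512"
SALT_LEN = 16  # Alejandro uses Nacl randomBytes: 16


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a "$id$salt$hash" record for password.

    The salt is 16 fresh bytes from the OS CSPRNG (the role Nacl randomBytes:
    plays in the thread) and the digest is SHA-512 over salt || password,
    the same construction as User>>setPassword:.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return "$".join(["", SCHEME_ID, b64(salt), b64(digest)])


def parse_record(record: str) -> Tuple[bytes, bytes]:
    """Split a record back into (salt, digest); reject anything else."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != SCHEME_ID:
        raise ValueError("unrecognised password record")
    return base64.b64decode(parts[2]), base64.b64decode(parts[3])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    hmac.compare_digest stands in for the plain = in User>>validatePassword:
    so the comparison does not leak how many leading bytes matched.
    """
    salt, stored = parse_record(record)
    candidate = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


def same_password_distinct_records(password: str) -> bool:
    """Point 1 of the thread: two users with the same password still get
    different records, so one precomputed table cannot serve both."""
    return hash_password(password) != hash_password(password)
```
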

> On Feb 21, 2017, at 9:11 AM, Mariano Martinez Peck  
> wrote:
> 
> As for single username/pass encryption (not the whole DB), and assuming you 
> want two-way encryption (that you want to decrypt), I have used both, Rijndael 
> and Blowfish, both in combination with SpsSplitPasswordStore.
> 
> Cheers,
> 
> On Tue, Feb 21, 2017 at 8:20 AM, Pierce Ng wrote:
> On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
> > I have been tasked with throwing together a small web app that will hold
> > the passwords to different projects for my company.
> 
> Here is a collection for reference. If one of these is suitable you can skip 
> the
> implementation and just deploy.
> 
>   http://opensourcepasswordmanager.com/ 
> 
> 
> > - encrypt the entire database, so that if the machine was compromised
> > physically, the data would be useless.
> 
> The NativeBoost version of my SQLite library supports SQLcipher which adds
> transparent full database encryption to SQLite. It is not in the UFFI version
> yet though.
> 
>   http://sqlcipher.net 
> 
> > - encrypt the username and password fields to facilitate the above, also.
> 
> If you are already familiar with using a crypto API like OpenSSL or NaCl then
> Pharo's FFI makes it easy to get this done too.
> 
> Pierce
> 
> 
> 
> 
> 
> -- 
> Mariano
> http://marianopeck.wordpress.com 



Re: [Pharo-users] Data Encryption

2017-02-21 Thread Mariano Martinez Peck
As for single username/pass encryption (not the whole DB), and assuming you
want two-way encryption (that you want to decrypt), I have used both, Rijndael
and Blowfish, both in combination with SpsSplitPasswordStore.

Cheers,

On Tue, Feb 21, 2017 at 8:20 AM, Pierce Ng  wrote:

> On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
> > I have been tasked with throwing together a small web app that will hold
> > the passwords to different projects for my company.
>
> Here is a collection for reference. If one of these is suitable you can
> skip the
> implementation and just deploy.
>
>   http://opensourcepasswordmanager.com/
>
> > - encrypt the entire database, so that if the machine was compromised
> > physically, the data would be useless.
>
> The NativeBoost version of my SQLite library supports SQLcipher which adds
> transparent full database encryption to SQLite. It is not in the UFFI
> version
> yet though.
>
>   http://sqlcipher.net
>
> > - encrypt the username and password fields to facilitate the above, also.
>
> If you are already familiar with using a crypto API like OpenSSL or NaCl then
> Pharo's FFI makes it easy to get this done too.
>
> Pierce
>
>
>


-- 
Mariano
http://marianopeck.wordpress.com


Re: [Pharo-users] Data Encryption

2017-02-21 Thread Pierce Ng
On Mon, Feb 20, 2017 at 05:34:41AM -0800, sergio ruiz wrote:
> I have been tasked with throwing together a small web app that will hold
> the passwords to different projects for my company.

Here is a collection for reference. If one of these is suitable you can skip 
the 
implementation and just deploy.

  http://opensourcepasswordmanager.com/

> - encrypt the entire database, so that if the machine was compromised
> physically, the data would be useless.

The NativeBoost version of my SQLite library supports SQLcipher which adds
transparent full database encryption to SQLite. It is not in the UFFI version
yet though.

  http://sqlcipher.net

> - encrypt the username and password fields to facilitate the above, also.

If you are already familiar with using a crypto API like OpenSSL or NaCl then
Pharo's FFI makes it easy to get this done too.

Pierce




Re: [Pharo-users] Data Encryption

2017-02-20 Thread p...@highoctane.be
Works marvels indeed.

I have made some more Seaside integrations for this one.

But Pharo3. Need to upgrade to latest Seaside and Pharo.

Phil



On Mon, Feb 20, 2017 at 3:06 PM, Hernán Morales Durand <
hernan.mora...@gmail.com> wrote:

> Hi Sergio,
>
> Have a look at the ApplicationSecurity package:
>
> http://80738163270632.blogspot.com/2014/03/application-security-presentation.html
> http://80738163270632.blogspot.com/2014/10/application-security-2-checkpoint.html
> http://80738163270632.blogspot.com/2015/02/application-security-3-setting-your.html
>
> Cheers,
>
> Hernán
>
>
>
> 2017-02-20 10:34 GMT-03:00 sergio ruiz :
>
>>
>> I have been tasked with throwing together a small web app that will hold
>> the passwords to different projects for my company.
>>
>> I would like to use seaside to do this, but the biggest requirement is
>> that we need to be able to either:
>>
>> - encrypt the entire database, so that if the machine was compromised
>> physically, the data would be useless.
>>
>> or..
>>
>> - encrypt the username and password fields to facilitate the above, also.
>>
>> i am thinking that the first option might be easiest to implement.
>>
>> any ideas on how i would pull this off with pharo?
>>
>> Thanks!
>>
>>
>
>


Re: [Pharo-users] Data Encryption

2017-02-20 Thread Hernán Morales Durand
Hi Sergio,

Have a look at the ApplicationSecurity package:

http://80738163270632.blogspot.com/2014/03/application-security-presentation.html
http://80738163270632.blogspot.com/2014/10/application-security-2-checkpoint.html
http://80738163270632.blogspot.com/2015/02/application-security-3-setting-your.html

Cheers,

Hernán



2017-02-20 10:34 GMT-03:00 sergio ruiz :

>
> I have been tasked with throwing together a small web app that will hold
> the passwords to different projects for my company.
>
> I would like to use seaside to do this, but the biggest requirement is
> that we need to be able to either:
>
> - encrypt the entire database, so that if the machine was compromised
> physically, the data would be useless.
>
> or..
>
> - encrypt the username and password fields to facilitate the above, also.
>
> i am thinking that the first option might be easiest to implement.
>
> any ideas on how i would pull this off with pharo?
>
> Thanks!
>
>


[Pharo-users] Data Encryption

2017-02-20 Thread sergio ruiz
I have been tasked with throwing together a small web app that will hold
the passwords to different projects for my company.

I would like to use seaside to do this, but the biggest requirement is that
we need to be able to either:

- encrypt the entire database, so that if the machine was compromised
physically, the data would be useless.

or..

- encrypt the username and password fields to facilitate the above, also.

i am thinking that the first option might be easiest to implement.

any ideas on how i would pull this off with pharo?

Thanks!


