Search Results

Search found 460 results on 19 pages for 'sha1'.

Page 12/19 | < Previous Page | 8 9 10 11 12 13 14 15 16 17 18 19 | Next Page >

call a class method from inside an instance method from a module mixin (rails)

- by sean

Curious how one would go about calling a class method from inside an instance method of a module which is included by an active record class. For example I want both user and client models to share the nuts and bolts of password encryption. # app/models class User < ActiveRecord::Base include Encrypt end class Client < ActiveRecord::Base include Encrypt end # app/models/shared/encrypt.rb module Encrypt def authenticate # I want to call the ClassMethods#encrypt_password method when @user.authenticate is run self.password_crypted == self.encrypt_password(self.password) end def self.included(base) base.extend ClassMethods end module ClassMethods def encrypt_password(password) Digest::SHA1.hexdigest(password) end end end However, this fails. Says that the class method cannot be found when the instance method calls it. I can call User.encrypt_password('password') but User.new.encrypt_password fails Any thoughts?

Read the article
How to digitally sign a message with M2Crypto using the keys within a DER format certificate

- by Pablo Santos

Hi everyone. I am working on a project to implement digital signatures of outgoing messages and decided to use M2Crypto for that. I have a certificate (in DER format) from which I extract the keys to sign the message. For some reason I keep getting an ugly segmentation fault error when I call the "sign_update" method. Given the previous examples I have read here, I am clearly missing something. Here is the example I am working on: from M2Crypto.X509 import * cert = load_cert( 'certificate.cer', format=0 ) Pub_key = cert.get_pubkey() Pub_key.reset_context(md='sha1') Pub_key.sign_init() Pub_key.sign_update( "This should be good." ) print Pub_key.sign_final() Thanks in advance for the help, Pablo

Read the article
How to use the md5 hash?

- by Ken

Okay, so I'm learning php, html, and mysql to learn website development (for fun). One thing I still don't get is how to use md5 of sha1 hashes. I know how to hash the plain text, but say I want to make a login page. Since the password is hashed and can't be reversed, how would mysql know that the user-inserted password matches the hashed password in the database? Here is what I mean: $password = md5($_POST['password']); $query = ("INSERT INTO `users`.`data` (`password`) VALUES ('$password')"); I know that this snippet of script hashes the password, but how would I use this piece of code and make a login page? Any working examples would be great.

Read the article
Email Verification plugin for rails?

- by Larry K

Hi, I'd like to verify a user's email address by sending them a verify-email-message. Do you know of a good Rails plugin that they've used or seen? Since I didn't see anything good via Google, at this point, my thought is: Add a verified boolean field to the user model. Default false. After user is added (unverified), combine email with a salt (a secret), and create the sha1 hash of the email/salt combo. The result is the verification. Send a welcoming / verification email to the user. Email includes a url that has the email address and verification as GET args to a verify action on my server. The verify action recomputes the verification using the supplied email and checks that the new verification matches the one in the url. If it does, then the User rec for the email is marked 'verified' Also will provide action to re-send the verification email. Any comments on the above? Thanks, Larry

Read the article
Why my VPN doesn't work anymore?

- by xx77aBs

I have openvpn server running on debian lenny. There is only one client - and it is running Windows 7 64-bit. This has worked for few months without any problems. And now, let's say for the last 7 days, it doesn't work at all. I connect successfully from client to the server, but I can't access anything through VPN. I have set it up so that all internet traffic is routed through VPN, and now when I connect with the client, the client can't do anything on the net (open any webpage, ping google, anything ...). Can you help me to figure out what's wrong ? I don't know where to start. I've also tried to connect to another openvpn server (I've installed and configured openvpn on another server, and when I try to connect to it result is the same). So I think there's something wrong with client ... Here is my connection log: Wed Apr 04 21:35:59 2012 OpenVPN 2.3-alpha1 Win32-MSVC++ [SSL (OpenSSL)] [LZO2] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 21 2012 Enter Management Password: Wed Apr 04 21:35:59 2012 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.10:25340 Wed Apr 04 21:35:59 2012 Need hold release from management interface, waiting... Wed Apr 04 21:36:00 2012 MANAGEMENT: Client connected from [AF_INET]127.0.0.10:25340 Wed Apr 04 21:36:00 2012 MANAGEMENT: CMD 'state on' Wed Apr 04 21:36:00 2012 MANAGEMENT: CMD 'log all on' Wed Apr 04 21:36:00 2012 MANAGEMENT: CMD 'hold off' Wed Apr 04 21:36:00 2012 MANAGEMENT: CMD 'hold release' Wed Apr 04 21:36:00 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Wed Apr 04 21:36:00 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Wed Apr 04 21:36:00 2012 Socket Buffers: R=[8192->8192] S=[8192->8192] Wed Apr 04 21:36:00 2012 MANAGEMENT: >STATE:1333568160,RESOLVE,,, Wed Apr 04 21:36:00 2012 UDPv4 link local: [undef] Wed Apr 04 21:36:00 2012 UDPv4 link remote: [AF_INET]11.22.33.44:1234 Wed Apr 04 21:36:00 2012 MANAGEMENT: >STATE:1333568160,WAIT,,, Wed Apr 04 21:36:00 2012 MANAGEMENT: >STATE:1333568160,AUTH,,, Wed Apr 04 21:36:00 2012 TLS: Initial packet from [AF_INET]11.22.33.44:1234, sid=ee329574 f15e9e04 Wed Apr 04 21:36:00 2012 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, [email protected] Wed Apr 04 21:36:00 2012 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server_key, [email protected] Wed Apr 04 21:36:01 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Wed Apr 04 21:36:01 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 04 21:36:01 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Wed Apr 04 21:36:01 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 04 21:36:01 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA Wed Apr 04 21:36:01 2012 [server_key] Peer Connection Initiated with [AF_INET]11.22.33.44:1234 Wed Apr 04 21:36:02 2012 MANAGEMENT: >STATE:1333568162,GET_CONFIG,,, Wed Apr 04 21:36:03 2012 SENT CONTROL [server_key]: 'PUSH_REQUEST' (status=1) Wed Apr 04 21:36:03 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 172.16.100.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.100.6 172.16.100.5' Wed Apr 04 21:36:03 2012 OPTIONS IMPORT: timers and/or timeouts modified Wed Apr 04 21:36:03 2012 OPTIONS IMPORT: --ifconfig/up options modified Wed Apr 04 21:36:03 2012 OPTIONS IMPORT: route options modified Wed Apr 04 21:36:03 2012 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=15 HWADDR=00:1f:1f:3f:61:55 Wed Apr 04 21:36:03 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Wed Apr 04 21:36:03 2012 MANAGEMENT: >STATE:1333568163,ASSIGN_IP,,172.16.100.6, Wed Apr 04 21:36:03 2012 open_tun, tt->ipv6=0 Wed Apr 04 21:36:03 2012 TAP-WIN32 device [VPN] opened: \\.\Global\{E28FD52B-F6C3-4094-A36A-30CB02FAC7E8}.tap Wed Apr 04 21:36:03 2012 TAP-Win32 Driver Version 9.9 Wed Apr 04 21:36:03 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.100.6/255.255.255.252 on interface {E28FD52B-F6C3-4094-A36A-30CB02FAC7E8} [DHCP-serv: 172.16.100.5, lease-time: 31536000] Wed Apr 04 21:36:03 2012 Successful ARP Flush on interface [31] {E28FD52B-F6C3-4094-A36A-30CB02FAC7E8} Wed Apr 04 21:36:08 2012 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up Wed Apr 04 21:36:08 2012 C:\Windows\system32\route.exe ADD 11.22.33.44 MASK 255.255.255.255 192.168.1.1 Wed Apr 04 21:36:08 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4 Wed Apr 04 21:36:08 2012 Route addition via IPAPI succeeded [adaptive] Wed Apr 04 21:36:08 2012 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.16.100.5 Wed Apr 04 21:36:08 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4 Wed Apr 04 21:36:08 2012 Route addition via IPAPI succeeded [adaptive] Wed Apr 04 21:36:08 2012 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.16.100.5 Wed Apr 04 21:36:08 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4 Wed Apr 04 21:36:08 2012 Route addition via IPAPI succeeded [adaptive] Wed Apr 04 21:36:08 2012 MANAGEMENT: >STATE:1333568168,ADD_ROUTES,,, Wed Apr 04 21:36:08 2012 C:\Windows\system32\route.exe ADD 172.16.100.1 MASK 255.255.255.255 172.16.100.5 Wed Apr 04 21:36:08 2012 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4 Wed Apr 04 21:36:08 2012 Route addition via IPAPI succeeded [adaptive] Wed Apr 04 21:36:08 2012 Initialization Sequence Completed Wed Apr 04 21:36:08 2012 MANAGEMENT: >STATE:1333568168,CONNECTED,SUCCESS,172.16.100.6,11.22.33.44 Client's route table after connection with OpenVPN: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.41 281 0.0.0.0 128.0.0.0 172.16.100.1 172.16.100.6 31 94.23.53.45 255.255.255.255 192.168.1.1 192.168.1.41 25 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 128.0.0.0 128.0.0.0 172.16.100.1 172.16.100.6 31 172.16.100.4 255.255.255.252 On-link 172.16.100.6 286 172.16.100.6 255.255.255.255 On-link 172.16.100.6 286 172.16.100.7 255.255.255.255 On-link 172.16.100.6 286 192.168.1.0 255.255.255.0 On-link 192.168.1.41 281 192.168.1.41 255.255.255.255 On-link 192.168.1.41 281 192.168.1.255 255.255.255.255 On-link 192.168.1.41 281 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.1.41 281 224.0.0.0 240.0.0.0 On-link 172.16.100.6 286 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.1.41 281 255.255.255.255 255.255.255.255 On-link 172.16.100.6 286 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 192.168.1.1 Default =========================================================================== IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 13 58 ::/0 On-link 1 306 ::1/128 On-link 13 58 2001::/32 On-link 13 306 2001:0:5ef5:79fd:3cc3:6b9:ac7c:14db/128 On-link 15 281 fe80::/64 On-link 31 286 fe80::/64 On-link 13 306 fe80::/64 On-link 13 306 fe80::3cc3:6b9:ac7c:14db/128 On-link 31 286 fe80::7d72:9515:7213:35e3/128 On-link 15 281 fe80::9cec:ce3f:89de:a123/128 On-link 1 306 ff00::/8 On-link 13 306 ff00::/8 On-link 15 281 ff00::/8 On-link 31 286 ff00::/8 On-link =========================================================================== Persistent Routes: None

Read the article
Tracking unique versions of files with hashes

- by rwmnau

I'm going to be tracking different versions of potentially millions of different files, and my intent is to hash them to determine I've already seen that particular version of the file. Currently, I'm only using MD5 (the product is still in development, so it's never dealt with millions of files yet), which is clearly not long enough to avoid collisions. However, here's my question - Am I more likely to avoid collisions if I hash the file using two different methods and store both hashes (say, SHA1 and MD5), or if I pick a single, longer hash (like SHA256) and rely on that alone? I know option 1 has 288 hash bits and option 2 has only 256, but assume my two choices are the same total hash length. Since I'm dealing with potentially millions of files (and multiple versions of those files over time), I'd like to do what I can to avoid collisions. However, CPU time isn't (completely) free, so I'm interested in how the community feels about the tradeoff - is adding more bits to my hash proportionally more expensive to compute, and are there any advantages to multiple different hashes as opposed to a single, longer hash, given an equal number of bits in both solutions?

Read the article
Server removes all custom HTTP header fields

- by MartinMoizard

Hello, I've been trying to receive HTTP requests with custom fields in the headers but it seems like my server removes them... I printed the headers of the request when I arrive on my page.php. I see that : body uri http://url.com/oauth.php/request_token parameters headers Array ....*/* ....gzip, deflate ....en-us ....keep-alive ....s320650601.onlinehome.fr ....DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0 method POST when I should be seeing that (it is working on a local version) body uri http://localhost:8888/oauth.php/request_token parameters headers Array ....*/* ....gzip, deflate ....en-us ....OAuth realm="", oauth_consumer_key="582d95bd45d455fa2e5819f88fc0c5a104d2c7ff3", oauth_signature_method="HMAC-SHA1", oauth_signature="7mKKzEw0Clv237nBHFzcTcA3SCE%3D", oauth_timestamp="1295267612", oauth_nonce="C546644E-8918-4FA3-A2A0-DAADCF7D1E5A", oauth_version="1.0" ....keep-alive ....0 ....localhost:8888 ....DearStranger/1.0 CFNetwork/485.12.7 Darwin/10.6.0 method POST I am using php 5.2.17 on the server. Do you have any idea to help my fix that issue? Thanks!

Read the article
Create signed urls for CloudFront with Ruby

- by wiseleyb

History: I created a key and pem file on Amazon. I created a private bucket I created a public distribution and used origin id to connect to the private bucket: works I created a private distribution and connected it the same as #3 - now I get access denied: expected I'm having a really hard time generating a url that will work. I've been trying to follow the directions described here: http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/index.html?PrivateContent.html This is what I've got so far... doesn't work though - still getting access denied: def url_safe(s) s.gsub('+','-').gsub('=','_').gsub('/','~').gsub(/\n/,'').gsub(' ','') end def policy_for_resource(resource, expires = Time.now + 1.hour) %({"Statement":[{"Resource":"#{resource}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires.to_i}}}}]}) end def signature_for_resource(resource, key_id, private_key_file_name, expires = Time.now + 1.hour) policy = url_safe(policy_for_resource(resource, expires)) key = OpenSSL::PKey::RSA.new(File.readlines(private_key_file_name).join("")) url_safe(Base64.encode64(key.sign(OpenSSL::Digest::SHA1.new, (policy)))) end def expiring_url_for_private_resource(resource, key_id, private_key_file_name, expires = Time.now + 1.hour) sig = signature_for_resource(resource, key_id, private_key_file_name, expires) "#{resource}?Expires=#{expires.to_i}&Signature=#{sig}&Key-Pair-Id=#{key_id}" end resource = "http://d27ss180g8tp83.cloudfront.net/iwantu.jpeg" key_id = "APKAIS6OBYQ253QOURZA" pk_file = "doc/pk-APKAIS6OBYQ253QOURZA.pem" puts expiring_url_for_private_resource(resource, key_id, pk_file) Can anyone tell me what I'm doing wrong here?

Read the article
How do I exclude the sources jar in mvn deploy?

- by Richard

When I run "mvn deploy:deploy", maven deploys 4 jar files to my internal remote repository. They are: [module-name]-1.jar [module-name]-1.pom [module-name]-1-sources.jar [module-name]-1-tests.jar There are actually more files, such as md5 and sha1 files, being deployed. But for simplicity, I just skip these files here. Is there any way to exclude [module-name]-1-sources.jar from the deployment process? One way I can think of is to use "mvn deploy:deploy-file", which allows me to pinpoint which jar to deploy. But since I have a few dozen modules to deploy, it'll be nice if I can configure the deployment file exclusion in pom.xml. Otherwise, I'll have to write a script to deploy. Thanks, Richard

Read the article
oAuth provider with Django-piston

- by Martin Eve

Hi, I'm working with django-piston to attempt to create an API that supports oAuth. I started out using the tutorial at: http://blog.carduner.net/2010/01/26/django-piston-and-oauth/ I added a consumer to piston's admin interface with key and secret both set to "abcd" for test purposes. The urls are successfully wired-up and the oAuth provider is called. However, running my get request token tests with tripit (python get_request_token.py "http://127.0.0.1:8000/api" abcd abcd), I receive the following error: Invalid signature. Expected signature base string: GET&http%3A%2F%2F127.0.0.1%3A8000%2Fapi%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dabcd%26oauth_nonce%3D0c0bdded5b1afb8eddf94f7ccc672658%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275135410%26oauth_version%3D1.0 The problem seems to lie inside the _check_signature method of Piston's oauth.py, where valid_sig = signature_method.check_signature(oauth_request, consumer, token, signature) is returning false. I can't, however, work out how to get the signature validated. Any ideas?

Read the article
good __eq__, __lt__, ..., __hash__ methods for image class?

- by Marten Bauer

I create the following class: class Image(object): def __init__(self, extension, data, urls=None, user_data=None): self._extension = extension self._data = data self._urls = urls self._user_data = user_data self._hex_digest = hashlib.sha1(self._data).hexDigest() Images should be equal when all values are equal. Therefore I wrote: def __eq__(self, other): if isinstance(other, Image) and self.__dict__ == other.__dict__: return True return False def __ne__(self, other): return not self.__eq__(other) def __lt__(self, other): return self.__dict__ < other.__dict__ ... But how should the __hash__ method look like? Equal Images should return equal hashes... def __hash__(self): # won't work !?! return hash(self.__dict__) Is the way I try to use __eq__, __ne__, __lt__, __hash__, ... recommend?

Read the article
CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC fai

- by Chris Marisic

Monitoring my global exception logs this error seems to be impossible to remove no matter what I do, I thought I finally got rid of it but it's back again. You can see a strack trace of the error on a similar post here. Notes about the environment: IIS 6.0, .NET 3.5 SP1 single server ASP.NET application Steps already taken: <system.web> <machineKey validationKey="big encryption key" decryptionKey="big decryption key" validation="SHA1" decryption="AES" /> In my Page Base for all of my pages protected override void OnInit(EventArgs e) { const string viewStateKey = "big key value"; Page.ViewStateUserKey = viewStateKey; } Also in the source of the page I can see that all of the ASP.NET generated hidden fields are correctly at the top of the page.

Read the article
net/http.rb:560:in `initialize': getaddrinfo: Name or service not known (SocketError)

- by Sid

` @@timestamp = nil def generate_oauth_url @@timestamp = timestamp url = CONNECT_URL + REQUEST_TOKEN_PATH + "&oauth_callback=#{OAUTH_CALLBACK}&oauth_consumer_key=#{OAUTH_CONSUMER_KEY}&oauth_nonce=#{NONCE} &oauth_signature_method=#{OAUTH_SIGNATURE_METHOD}&oauth_timestamp=#{@@timestamp}&oauth_version=#{OAUTH_VERSION}" puts url url end def sign(url) Base64.encode64(HMAC::SHA1.digest((NONCE + url), OAUTH_CONSUMER_SECRET)).strip end def get_request_token url = generate_oauth_url signed_url = sign(url) request = Net::HTTP.new((CONNECT_URL + REQUEST_TOKEN_PATH),80) puts request.inspect headers = { "Authorization" => "Authorization: OAuth oauth_nonce = #{NONCE}, oauth_callback = #{OAUTH_CALLBACK}, oauth_signature_meth od = #{OAUTH_SIGNATURE_METHOD}, oauth_timestamp=#{@@timestamp}, oauth_consumer_key = #{OAUTH_CONSUMER_KEY}, oauth_signature = #{signed_url}, oauth_versio n = #{OAUTH_VERSION}" } request.post(url, nil,headers) end def timestamp Time.now.to_i end ` I am trying to do what oauth does in an attempt to understand how to use the Authorization headers. I am also getting the following error. I am trying to connect to the linkedin API. /usr/lib/ruby/1.8/net/http.rb:560:in 'initialize': getaddrinfo: Name or service not known (SocketError) I would really appreciate it if someone could nudge me in the right direction.

Read the article
Users being forced to re-login randomly, before session and auth ticket timeout values are reached

- by Don

I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly. After looking at the Web server the error that shows up in the application event log is: Event code: 4005 Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired. Everything that I read starts out with people asking about web gardens or load balancing. We are not using either of those. We're a single Windows 2003 (32-bit OS, 64-bit hardware) Server with IIS6. This is the only website on this server too. This behavior does not generate any application exceptions or visible issues to the user. They just get booted back to the login screen and are forced to login. As you can imagine this is extremely annoying and counter-productive for our users. Here's what I have set in my web.config for the application in the root: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="false" /> </authentication> I have also read that if you have some locations setup that no longer exist or are bogus you could have issues. My path attributes are all valid directories so that shouldn't be the problem: <location path="js"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="images"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="anon"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="App_Themes"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> <location path="NonSSL"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location> The only thing I'm not clear on is if my timeout value in the forms property for the auth ticket has to be the same as my session timeout value (defined in the app's configuration in IIS). I've read some things that say you should have the authentication timeout shorter (40) than the session timeout (45) to avoid possible complications. Either way we have users that get kicked to the login screen a minute or two after their last action. So the session definitely should not be expiring. Update 2/23/09: I've since set the session timeout and authentication ticket timeout values to both be 45 and the problem still seems to be happening. The only other web.config in the application is in 1 virtual directory that hosts Community Server. That web.config's authentication settings are as follows: <authentication mode="Forms"> <forms name=".TcaNet" protection="All" timeout="40" loginUrl="~/Login.aspx" defaultUrl="~/MyHome.aspx" path="/" slidingExpiration="true" requireSSL="true" /> </authentication> And while I don't believe it applies unless you're in a web garden, I have both of the machine key values set in both web.config files to be the same (removed for convenience): <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1" /> <machineKey validationKey="<MYVALIDATIONKEYHERE>" decryptionKey="<MYDECRYPTIONKEYHERE>" validation="SHA1"/> Any help with this would be greatly appreciated. This seems to be one of those problems that yields a ton of Google results, none of which seem to be fitting into my situation so far.

Read the article
Loading and storing encryption keys from a config source

- by Hassan Syed

I am writing an application which has an authenticity mechanism, using HMAC-sha1, plus a CBC-blowfish pass over the data for good measure. This requires 2 keys and one ivec. I have looked at Crypto++ but the documentation is very poor (for example the HMAC documentation). So I am going oldschool and use Openssl. Whats the best way to generate and load these keys using library functions and tools ? I don't require a secure-socket therefore a x.509 certificate probably does not make sense, unless, of-course, I am missing something. So, do I need to write my own config file, or is there any infrastructure in openssl for this ? If so, could you direct me to some documentation or examples for this.

Read the article
checking crc32 of a file

- by agent154

This is not really a "how to" question. Is there a "standard" file structure that applications use to store the checksums of files in a folder? I'm developing a tool to check various things like crc32, md5, sha1, sha256, etc... I'd like to have my program store the various hashes in files in the folder of what I'm checking. I know that there is a file commonly used called 'md5sums' or 'sha1sums'. But what about CRC? I haven't noticed any around. And if there is, what's the structure of it? Thanks.

Read the article
Why does Git display certain new folders when checking out old revisions?

- by ConnorG

Hey all - I'm still learning the ropes of Git (love it!) but the other day I noticed some behavior I just do not understand. We have, in essence, three folders that got moved into the repository at different times (one immediately after we created the repo, one a little while later, and one just recently). Recently, I had to get some code out of an old revision. I used git checkout <old SHA1 hash> to pull up one of our first checkins, when I noticed Git showed the old folder (as it should), as well as the newest folder (which got added to the repo long after the checked out commit was made). But it did not show the second folder. What would cause Git to display the newest folder with the old revision?

Read the article
"Invalid signature": oAuth provider with Django-piston

- by Martin Eve

Hi, I'm working with django-piston to attempt to create an API that supports oAuth. I started out using the tutorial at: http://blog.carduner.net/2010/01/26/django-piston-and-oauth/ I added a consumer to piston's admin interface with key and secret both set to "abcd" for test purposes. The urls are successfully wired-up and the oAuth provider is called. However, running my get request token tests with tripit (python get_request_token.py "http://127.0.0.1:8000/api" abcd abcd), I receive the following error: Invalid signature. Expected signature base string: GET&http%3A%2F%2F127.0.0.1%3A8000%2Fapi%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dabcd%26oauth_nonce%3D0c0bdded5b1afb8eddf94f7ccc672658%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275135410%26oauth_version%3D1.0 The problem seems to lie inside the _check_signature method of Piston's oauth.py, where valid_sig = signature_method.check_signature(oauth_request, consumer, token, signature) is returning false. I can't, however, work out how to get the signature validated. Any ideas? -----Update----- If I remove the test consumer from piston's backend, the response returned is correctly set to "Invalid consumer", so this lookup appears to be working.

Read the article
Prevent query string manipulation by adding a hash?

- by saille

To protect a web application from query string manipulation, I was considering adding a query string parameter to every url which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request. Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this? I am not particularly concerned about the 'ugly' urls for this private web application. Url's will still be 'bookmarkable' as the hash will always be the same for the same query string arguments. This is an ASP.NET application.

Read the article
Generating short license keys with OpenSSL

- by Marc Charbonneau

I'm working on a new licensing scheme for my software, based on OpenSSL public / private key encryption. My past approach, based on this article, was to use a large private key size and encrypt an SHA1 hashed string, which I sent to the customer as a license file (the base64 encoded hash is about a paragraph in length). I know someone could still easily crack my application, but it prevented someone from making a key generator, which I think would hurt more in the long run. For various reasons I want to move away from license files and simply email a 16 character base32 string the customer can type into the application. Even using small private keys (which I understand are trivial to crack), it's hard to get the encrypted hash this small. Would there be any benefit to using the same strategy to generated an encrypted hash, but simply using the first 16 characters as a license key? If not, is there a better alternative that will create keys in the format I want?

Read the article
How to verify a signature using M2Crypto 0.16

- by Daniel Mccain

After some goggling I found some usual answers for this question, like: http://stackoverflow.com/questions/595114/how-to-load-an-rsa-key-from-a-pem-file-and-use-it-in-python-crypto some code: x509 = X509.load_cert_string(certificate) pubkey = x509.get_pubkey() pubkey.reset_context(md=sha1) pubkey.verify_init() pubkey.verify_update(content) decoded_signature = signature.decode('base64') if pubkey.verify_final(decoded_signature)==0: print 'error' sys.exit(1) and the code presented above works fine in M2Crypto 0.20. But I need to do exactly the same think using the M2Crypto 0.16 (the official package in RHEL5), and I have problems using the pubkey.verify_final method because in this particular version the signature parameter doesn't exist. So how can I do it? using the M2Crypto 0.16 Thanks.

Read the article
[Sql-Server]what data type to use for password salt and hash values and what length?

- by Pandiya Chendur

I am generating salt and hash values from my passwords by using, string salt = CreateSalt(TxtPassword.Text.Length); string hash = CreatePasswordHash(TxtPassword.Text, salt); private static string CreateSalt(int size) { //Generate a cryptographic random number. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buff = new byte[size]; rng.GetBytes(buff); // Return a Base64 string representation of the random number. return Convert.ToBase64String(buff); } private static string CreatePasswordHash(string pwd, string salt) { string saltAndPwd = String.Concat(pwd, salt); string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile( saltAndPwd, "sha1"); return hashedPwd; } What datatype you would suggest for storing these values in sql server? Any suggestion... Salt:9GsPWpFD Hash:E778AF0DC5F2953A00B35B35D80F6262CDBB8567

Read the article
Is it okay to truncate a SHA256 hash to 128 bits?

- by Sunny Hirai

MD5 and SHA-1 hashes have weaknesses against collision attacks. SHA256 does not but it outputs 256 bits. Can I safely take the first or last 128 bits and use that as the hash? I know it will be weaker (because it has less bits) but otherwise will it work? Basically I want to use this to uniquely identify files in a file system that might one day contain a trillion files. I'm aware of the birthday problem and a 128 bit hash should yield about a 1 in a trillion chance on a trillion files that there would be two different files with the same hash. I can live with those odds. What I can't live with is if somebody could easily, deliberately, insert a new file with the same hash and the same beginning characters of the file. I believe in MD5 and SHA1 this is possible.

Read the article
Killing the mysqld process

- by Josh K

I have a table with ~800k rows. I ran an update users set hash = SHA1(CONCAT({about eight fields})) where 1; Now I have a hung Sequel Pro process and I'm not sure about the mysqld process. This is two questions: What harm can possibly come from killing these programs? I'm working on a separate database, so no damage should come to other databases on the system, right? Assume you had to update a table like this. What would be a quicker / more reliable method of updating without writing a separate script. I just checked with phpMyAdmin and it appears as though the query is complete. I still have Sequel Pro using 100% of both my cores though...

Read the article
hash password in SQL Server (asp.net)

- by ile

Is this how hashed password stored in SQL Server should look like? This is function I use to hash password (I found it in some tutorial) public string EncryptPassword(string password) { //we use codepage 1252 because that is what sql server uses byte[] pwdBytes = Encoding.GetEncoding(1252).GetBytes(password); byte[] hashBytes = System.Security.Cryptography.MD5.Create().ComputeHash(pwdBytes); return Encoding.GetEncoding(1252).GetString(hashBytes); } EDIT I tried to use sha-1 and now strings seem to look like as they are suppose to: public string EncryptPassword(string password) { return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "sha1"); } // example output: 39A43BDB7827112409EFED3473F804E9E01DB4A8 Result from the image above looks like broken string, but this sha-1 looks normal.... Will this be secure enough?

Read the article

< Previous Page | 8 9 10 11 12 13 14 15 16 17 18 19 | Next Page >