AES encryption (in Java) of different JSON strings always produces the same encrypted string as a result. Why?

I have a program written in Java which takes a JSON string as an argument, encrypts it using AES, then encodes it using Base64.
The JSON string is like:

{"a": "b"} or {"a": "n"} or {"a": "k"} 

I.e. the related object would have one property, a. The value part is randomly generated.

The program outputs for the above JSON inputs look like:

UBNvKoRoGqk0PTQQL5K4Sw==
bKwlToSND3HkceDExEDXSw==
u/yKJq1FdoifBM+AnadC3A==

i.e. they are unique.

Same goes for {"a":"gn"} — random string with length 2. Same for 3 and so on.

But starting from 7, the program produces the same encoded string for different inputs. I mean the following JSON strings taken as input:

{"a": "pzfovvs"}
{"a": "bqwuvck"}

produce the same string as output:

Dwg0Xjkot8UBfn+vbcCfOS4KluXB6RCFQ932Y9ABtIg=

Same goes for length 8 and 9. Starting from 10, results become unique again.

What is the explanation of this strange phenomenon?

(I can post code if needed.)

Ok, here is the code:

import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public class JWTEncryptor {

    // "AES" with no mode or padding: the SunJCE provider shipped with the JDK
    // resolves this transformation to AES/ECB/PKCS5Padding.
    private static String algorithm = "AES";
    private static Key key;
    private static KeyGenerator keyGenerator;
    private static Cipher cipher;

    public static String encrypt(String jwt) throws Exception {
        if (key == null || cipher == null) {
            setUp();
        }
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(cipher.doFinal(jwt.getBytes("UTF-8")));
    }

    // Creates the shared Cipher and generates a fresh random key.
    private static void setUp() {
        try {
            cipher = Cipher.getInstance(algorithm);
        } catch (Exception e1) {
            e1.printStackTrace();
        }
        if (keyGenerator != null) {
            key = keyGenerator.generateKey();
            return;
        }
        try {
            keyGenerator = KeyGenerator.getInstance(algorithm);
            key = keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }

    public static String decrypt(String encryptedJWT) throws Exception {
        cipher.init(Cipher.DECRYPT_MODE, key);
        // Decode with the same charset that encrypt() used.
        return new String(cipher.doFinal(Base64.getDecoder().decode(encryptedJWT)), "UTF-8");
    }

}

ios – Encrypted iPhone Backup Over iTunes on Windows 10

I backed up my last iPhone a few months ago, before purchasing a new XR so I could move all of the info from my past phone on to the new one. At the Apple Store, I ended up just connecting the two phones together to do the data transfer, so I didn’t end up needing the iTunes backup from my PC after all.

Fast forward to last week, my iPhone stopped working, and since shelter in place is still in full effect in CA, I had to send my phone in and they sent me a new replacement today. Since it stopped working suddenly, I wasn’t able to get my current data back, but I fortunately still have the backup I made in February. Problem is, it is asking for a decryption pass code that I never created (at least not within the last 10 years).

I have called Apple Support, and they told me that they have no way of accessing or resetting this password. Does anyone have any idea what it could have been? Could it have been a password that I entered when I first set up my Apple ID in 2008? Could it have been a password I set on another computer?

This backup contains years of photos of travelling, life events, and moments with those who have passed away. Any help would be graciously appreciated.

encryption – Mount the encrypted home using mount passphrase

Hello Ubuntu lovers 🙂

I need help. I feel like I lost documents I worked on for 2 long years; it’s a huge problem to me even if it looks simple.
Here is my issue:
When I enter my password trying to log in, the screen becomes black for 5 seconds, then comes up again with the login screen … login loop.
So when I tried to access tty1,
I found this message:

Signature not found in user keyring

Perhaps try the interactive ‘ecryptfs-mount-private’

I issued ‘ecryptfs-mount-private’, but it asks for the login passphrase. I don’t remember it; it’s maybe one of my old passwords that I changed so many times, but I still have the passphrase, I mean the “mount passphrase”.
The mount passphrase actually is the encryption key, wrapped (encoded) using the login passphrase.
And I know my password; I can access tty.
I can’t remember the “login passphrase”.
Is there any way to mount the encrypted home directly using the mount passphrase, without the login passphrase? Or disable the encryption so I can access my home? If possible, disable the encryption without deleting any file?

From Zero to Encrypted With nginx and Let’s Encrypt

Let’s Encrypt is a certificate authority that issues free, browser-validated https certificates you can install on your cheap VPS. In this tutorial, we’ll walk through setting up Let’s Encrypt https on an nginx host running on Debian 10.

We’ll be installing nginx from scratch but will not be getting into php-fpm and other extensions in this tutorial. I’ll be starting from a spanking new VPS on Vultr.

This tutorial assumes that you’ve already got your DNS records set up. In other words, if you’re setting up for www.example.com, then www.example.com already has an A record or CNAME that points to your VPS. Note that the certbot installer we’ll be using will query DNS, so this must be working properly.

Installing nginx is straightforward:

apt-get update && apt-get upgrade
apt-get install nginx

I’ll be setting up www.lowend.party and putting its web root in /web/www.lowend.party.

Let’s configure the web root and log directory:

mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party

We want separate logs for each domain we host, and we want to rotate those logs. We can use Debian’s log rotation system to accomplish this. We do this by placing the appropriate rules file in /etc/logrotate.d. Start with nginx’s basic log rotation rule:

cp /etc/logrotate.d/nginx /etc/logrotate.d/nginx_domain_logs

Now edit /etc/logrotate.d/nginx_domain_logs and modify as follows:

# change this: /var/log/nginx/*.log { 
# to this:
/var/log/nginx/*/*.log {

Before setting up https, we’ll set up http. I’ll place a placeholder index.html in /web/www.lowend.party:

<html>
<head>
<title>www.lowend.party test page</title>
</head>
<body>
<h1>www.lowend.party works!</h1>
</body>
</html>

Now take a look at /etc/nginx. /etc/nginx/sites-available should have a file for every single site we might host. Then we symlink into /etc/nginx/sites-enabled to turn on or off specific sites.

Let’s create a basic nginx config by creating /etc/nginx/sites-available/www.lowend.party:

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }
}

Now make it live by:

ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party

Let’s syntax check that file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart nginx:

systemctl restart nginx

Then I visited http://www.lowend.party and successfully saw the HTML I created earlier.

Let’s start by installing certbot, the package that will set up https for us and keep our certificate fresh:

apt-get install certbot python-certbot-nginx

Now for the magic! Run this command:

certbot --authenticator webroot --installer nginx

And then follow along with the interactive install. My input is the text after each prompt:

# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number (1-2) then (enter) (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party

(rest snipped)

Now take a look at /etc/nginx/sites-available/www.lowend.party:

server {
  server_name www.lowend.party;

  access_log /var/log/nginx/www.lowend.party/access.log;
  error_log /var/log/nginx/www.lowend.party/error.log;

  location / {
    root /web/www.lowend.party;
    index index.html;
  }

  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot
}

certbot has done the following:

  • provisioned an SSL certificate for www.lowend.party
  • loaded the SSL configuration in /etc/letsencrypt
  • updated /etc/nginx/sites-available/www.lowend.party and put the proper nginx rules in place to serve HTTPS
  • also added an entry so that if you connect on http, it redirects to https

And going to http://www.lowend.party in my browser confirms everything is working correctly.
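A post-install check for the result described above, as an added example that is not part of the original tutorial. `check_site`, `before_certbot` and `after_certbot` are hypothetical names, the two embedded configs are constructed, shortened copies of the site file shown before and after the certbot run, and the check assumes the certificate lives under /etc/letsencrypt/live/<domain>/ as in the config above.

```shell
# Added example. Usage: check_site DOMAIN < /etc/nginx/sites-available/DOMAIN
check_site() {
  awk -v live="/etc/letsencrypt/live/$1" '
    { sub(/#.*$/, ""); gsub(/;/, "") }     # strip comments and ";" (fields re-split)
    depth == 0 && $1 == "server" { port = "80"; ssl = 0; cert = key = ""; redir = 0 }  # 80: nginx default as root
    $1 == "listen"              { port = $2; ssl = ($3 == "ssl") }
    $1 == "ssl_certificate"     { cert = $2 }
    $1 == "ssl_certificate_key" { key = $2 }
    $1 == "return" && $2 == "301" && $3 ~ /^https:/ { redir = 1 }
    {
      was = depth
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (was > 0 && depth == 0) {           # a server block just closed
        certs_ok = (cert == (live "/fullchain.pem") && key == (live "/privkey.pem"))
        if (port == "443" && ssl && certs_ok) tls = 1
        else if (port == "80" && redir) redirect = 1
        else if (port == "80") plain = 1
      }
    }
    END {
      printf "%s: TLS block uses %s/{fullchain,privkey}.pem\n", (tls ? "ok" : "FAIL"), live
      printf "%s: port 80 block returns 301 to https\n", (redirect ? "ok" : "FAIL")
      printf "%s: no port 80 block serves content directly\n", (plain ? "FAIL" : "ok")
      exit !(tls && redirect && !plain)
    }'
}
# Constructed samples: shortened copies of the site file before and after certbot.
before_certbot() { cat <<'EOF'
server {
  server_name www.lowend.party;
  location / { root /web/www.lowend.party; index index.html; }
}
EOF
}
after_certbot() { cat <<'EOF'
server {
  server_name www.lowend.party;
  location / { root /web/www.lowend.party; index index.html; }
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
}
server {
  if ($host = www.lowend.party) {
    return 301 https://$host$request_uri;
  } # managed by Certbot
  server_name www.lowend.party;
  listen 80;
  return 404; # managed by Certbot
}
EOF
}
after_certbot | check_site www.lowend.party
before_certbot | check_site www.lowend.party || echo "plain-HTTP file fails the audit"
```

The function returns non-zero when any check fails, so it can gate a deployment script or a cron job that watches for a site file being reverted to plain HTTP.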

Here’s a cool part of the certbot system: the chore of renewing the certificate is already taken care of for you.

Take a peek in /etc/systemd/system/certbot.timer and you’ll see a job is set up to run twice a day to check renewal and renew if needed.

magento2 – Save custom encrypted config field, using defined backend model programmatically

I would like to create a custom config field and save it programmatically using a defined backend model.

Context

Field is meant to be encrypted.
Possibly validated via config
Will be set via extended magento api method
Config won’t be accessible from admin panel

I’ve tried to utilize configWriter, but it doesn’t consider backendModel:

<?php
namespace Company\Integration\Model;

use Magento\Framework\App\Config\Storage\WriterInterface;

class Setup {

    const API_KEY = 'paypal/wpp/api_signature';

    /** @var WriterInterface */
    private $configWriter;

    public function __construct(
        WriterInterface $configWriter
    ){
        $this->configWriter = $configWriter;
    }

    /**
     * {@inheritdoc}
     */
    public function setup($apiKey)
    {
        // Writes the value exactly as given to the config writer.
        $this->configWriter->save(self::API_KEY, $apiKey);
    }
}

Result: The value is set in plain text, because it omits the backend model logic.

In the above example, I’m saving a PayPal field, which is defined as encrypted. This is just a test scenario.

I was trying to trace back the way the config is saved via admin panel, but it seems too complex to reproduce.

Is there a proper way to do it, in accordance with the backend model?

partitioning – How to install Ubuntu on an encrypted, error-correcting RAID 1 device with dm-crypt?

I would like to install Ubuntu on a two-disk RAID 1 with dm-integrity and LUKS2-encryption.

Unfortunately, neither Ubiquity nor the text-mode installer offers such a solution.

However, this seems simple enough to execute: Formatting both drives with “physical partitions for encryption” in gparted and then calling cryptsetup luksFormat --type luks2 --integrity sha256 <device> for either drive as a basis to create the RAID device, LVM and filesystem on top of in the manual installer.

Is there anything that needs to be considered with this approach? Does Ubuntu demand certain LUKS-parameters or is something particularly advisable to use for this purpose?

Do the devices need to be “opened” in any particular way before launching the installer and/or do they have to be added manually to a file to be decrypted at boot? Is the --integrity function used automatically?

Is this even the best approach or is there another way to accomplish this? (Excluding the usage of Btrfs/ZFS filesystems)

And, a related side-question, would the Btrfs-filesystem be of any additional value regarding data integrity in this scenario, rather than Ext4, even though its RAID-functions are not used?

ssd – How to access encrypted Linux user from Windows?

I’m trying to access my backup from an SSD with Linux Mint on it, but my user is password-protected and encrypted. I have tried numerous methods to try and input the password, but nothing has worked and neither has booting from a live USB. (I was using encryptfs on the USB.) Fiddling with BIOS settings is quite tedious, and not something I’d want to do.

Any good advice?

macos: can local encrypted Time Machine Backups.backupdb and sparsebundle backups be saved on the same drive?

I would like to keep local Time Machine backups for my Mac mini and network backups for my MacBook on a single-partition USB drive connected to the Mac mini. I know I can do this if the backups are not password protected. Can the local Time Machine backup database and the sparsebundle database be password protected and still be on the same drive?
The drive was not previously encrypted (it was Journaled HFS+), but it is currently being encrypted by the Mac mini since I selected it to secure Backups.backupdb with a password. Will this ruin the sparsebundle for the MacBook that is on the same partition?

encryption – can I find a private key for a known encrypted file?

Let's say I create a 100 KB file that only contains 1234567890, that is, a known value. This file would be in several folders as bait.

Once ransomware reaches the folder and encrypts this file (considering that all other forms of anti-ransomware protection failed), could it generate what is the private key that would decrypt that file and all other files, knowing the contents of the previous file?

Does it also help to have the captured public key in memory?

Does having a large known file help?

I know this goes against asymmetric key theory, but there is generally a difference between crypto theory and practice, as hashes should be unique for each input but in practice there is always the possibility of collisions.

Encryption – What is the threat model for deciding between unencrypted EBS volumes and encrypted volumes?

Let me start by saying that I am not questioning the usefulness of encrypting EBS volumes, nor asking how it works.

I wonder what specifically encrypting EBS volumes is protecting against.

For my personal laptop, the reason for encrypting the hard drive is that if it is ever stolen, while the thief could create a copy of my hard drive, the data is encrypted at rest and cannot be decrypted without logging into my laptop and/or providing the decryption key.

For an unencrypted EBS volume connected to an EC2, I guess the data can only be accessed by the EC2 it is connected to. Or at least, nothing else can access data other than that EC2 without specifically allowing access to it. Is this assumption incorrect?

If this assumption is correct, then encrypting the EBS volume protects against … what? The possibility of the hard drive being stolen from the Amazon data center? Or am I assuming someone could infiltrate your network and digitally copy data from hard drives, which would then be encrypted?

I'm just curious about the threat model.