#StackBounty: #postgresql #query-performance #postgresql-performance #encryption #cpu Postgres SQL CPU and RAM optimisation to improve …

Bounty: 50

I am currently working on an application that requires column-based decryption for a few thousand rows on a regular basis. The queries are decrypted using pgp_sym_decrypt, where several columns are decrypted for each select.

For a few thousand records, the queries are unfortunately quite slow and I found out that the CPU and the RAM were not quite used. top gives 6.6% CPU usage and 14 GB RAM available out of 16 GB. Therefore, a "standard query" takes around 30s to proceed, while an acceptable performance would be rather around 5 seconds.

I tried changing a few parameters in postgres.conf, but I didn’t get any performance improvement. The version of Postgres is 10.6.

Is there a possibility to increase the hardware usage of Postgres to make the decryption faster?




#StackBounty: #java #encryption How do I protect my Java AES encryption key

Bounty: 50

I am implementing a program to encrypt a string using AES encryption and would like to save my “secret key” in a file instead of hardcoding it in the source code.

But this creates a problem for me: how do I protect this secret key from being viewed by others?

If I were to encrypt this “keyFile” again, I would have to deal with the same problem again.

How do I deal with such issues?

String keyFile = ...;
byte[] keyb = Files.readAllBytes(Paths.get(keyFile));
SecretKeySpec skey = new SecretKeySpec(keyb, "AES");



import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;

class Msc61 {
    public static SecretKey generateKey() {
        try {
            KeyGenerator kgen = KeyGenerator.getInstance("AES");
            kgen.init(128);
            return kgen.generateKey();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e.toString());
        }
    }

    public static byte[] encrypt_cbc(SecretKey skey, String plaintext) {
        /* Precond: skey is valid; otherwise IllegalStateException will be thrown. */
        try {
            byte[] ciphertext = null;
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");           
            final int blockSize = cipher.getBlockSize();
            byte[] initVector = new byte[blockSize];
            (new SecureRandom()).nextBytes(initVector);
            IvParameterSpec ivSpec = new IvParameterSpec(initVector);
            cipher.init(Cipher.ENCRYPT_MODE, skey, ivSpec);
            byte[] encoded = plaintext.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            ciphertext = new byte[initVector.length + cipher.getOutputSize(encoded.length)];
            for (int i=0; i < initVector.length; i++) {
                ciphertext[i] = initVector[i];
            }
            // Perform encryption
            cipher.doFinal(encoded, 0, encoded.length, ciphertext, initVector.length);
            return ciphertext;
        } catch (NoSuchPaddingException | InvalidAlgorithmParameterException | ShortBufferException |
            BadPaddingException | IllegalBlockSizeException | InvalidKeyException | NoSuchAlgorithmException e)
        {
            /* None of these exceptions should be possible if precond is met. */
            throw new IllegalStateException(e.toString());
        }
    }

    public static String decrypt_cbc(SecretKey skey, byte[] ciphertext)
        throws BadPaddingException, IllegalBlockSizeException /* these indicate corrupt or malicious ciphertext */
    {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");           
            final int blockSize = cipher.getBlockSize();
            byte[] initVector = Arrays.copyOfRange(ciphertext, 0, blockSize);
            IvParameterSpec ivSpec = new IvParameterSpec(initVector);
            cipher.init(Cipher.DECRYPT_MODE, skey, ivSpec);
            byte[] plaintext = cipher.doFinal(ciphertext, blockSize, ciphertext.length - blockSize);
            return new String(plaintext, java.nio.charset.StandardCharsets.UTF_8);
        } catch (NoSuchPaddingException | InvalidAlgorithmParameterException |
            InvalidKeyException | NoSuchAlgorithmException e)
        {
            /* None of these exceptions should be possible if precond is met. */
            throw new IllegalStateException(e.toString());
        }
    }
}

Ref: https://wiki.sei.cmu.edu/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
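
One way to keep the AES key out of a plain file, as an added example that is not part of the original post: store it in a password-protected PKCS12 keystore whose file is readable only by its owner. The class name `KeyStoreDemo`, the alias `aes-key`, the file name `aes.p12` and the `KEYSTORE_PASSWORD` environment variable are assumptions, as is a POSIX file system.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example: class name, alias, file name and environment variable are hypothetical.
public class KeyStoreDemo {
    private static final String ALIAS = "aes-key";

    static void save(Path file, SecretKey key, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password));
        // Replace any old file and create the new one owner-read/write only
        // before key material is written (throws on non-POSIX file systems).
        Files.deleteIfExists(file);
        Files.createFile(file, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, password); // entries are encrypted, the store is integrity-protected
        }
    }

    static SecretKey load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password); // throws if the password is wrong or the file was altered
        }
        return (SecretKey) ks.getKey(ALIAS, password);
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD");
        if (pw == null) throw new IllegalStateException("KEYSTORE_PASSWORD is not set");
        char[] password = pw.toCharArray();
        Path file = Paths.get("aes.p12");
        KeyGenerator kgen = KeyGenerator.getInstance("AES");
        kgen.init(128);
        SecretKey original = kgen.generateKey();
        save(file, original, password);
        SecretKey restored = load(file, password);
        System.out.println("round trip ok: "
                + Arrays.equals(original.getEncoded(), restored.getEncoded()));
        Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
    }
}
```

The keystore password is now the secret to manage; taking it from the environment or an interactive prompt keeps it out of both the source code and the key file.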



#StackBounty: #encryption #swap #hibernate Failure when recovering from hibernation with encrypted drive on Ubuntu 20.04. Swapfile prio…

Bounty: 50

I used to hibernate on my laptop, whose disk is encrypted, under Ubuntu 20.04, following the instructions given here and here (except that I didn’t manage to make it work before Ubuntu 20.04 because of NVIDIA driver issues…).

But for some time now, it has not worked anymore: when resuming, after I type my encryption password, it hangs forever…

The first problem that I have is that I don’t really know how to "debug" this issue…

Then I wonder if the problem could come from swap priority. When I compare to here, my priorities are in wrong order.

root@is241395:~# swapon 
NAME      TYPE      SIZE USED PRIO
/swapfile file       40G   0B   -3
/dev/dm-2 partition 980M   0B   -2

Can my problem come from this? How do I update these priorities (I am not sure I understand the relation with the fstab)?

Thanks!



#StackBounty: #encryption #protocol-analysis #transport-security #noise Does using Noise asynchronously weaken its security properties?

Bounty: 100

Can Noise be used asynchronously without weakening its security properties?

Specifically, there are two users, A and B, who communicate asynchronously by leaving messages for each other on an untrusted server, but they may never be online at the same time. They know each other’s public static keys in advance, so the KK pattern seems appropriate:

KK:
  -> s
  <- s
  ...
  -> e, es, ss
  <- e, ee, se

It seems to me that this pattern could be used asynchronously without weakening it.

A and B both initially upload a bunch of ephemeral public keys to the server, and top up the supply when they connect at later times.

Now A wants to send a message to B:

  1. Download one of B’s ephemeral keys from the server, and run the first handshake step.
  2. Run the second handshake step, generating an encrypted public ephemeral key (so handshake is done).
  3. Run Noise again with the plain-text as a payload, generating an encrypted transport message.
  4. Upload a concatenation of B’s plain-text ephemeral key, A’s encrypted ephemeral key, and the encrypted message.

When B comes online and downloads the message, they:

  1. Discard the message if the plain-text ephemeral key is not on their list of unused keys.
  2. Run the two steps of the handshake.
  3. Decrypt the encrypted message.

(So in this scenario, B is the initiator and A is the responder.)

I hope this is not off-topic. I thought it was OK because I’m asking more about how to use an existing protocol rather than asking for cryptanalysis of my own design.



#StackBounty: #encryption What is the Digests section in cryptsetup

Bounty: 50

If you run the command cryptsetup luksDump /dev/sda5 (change device to whatever LUKS encrypted device), you will get an output, and at the end there is a section “Digests” which contains something like this:

Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 104492

What does this section represent? Why does it show sha256 here and argon2i in the Keyslots section?

The Keyslots section shows the password hash used as argon2i:

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    Cipher key: 512 bits
    PBKDF:      argon2i



#StackBounty: #windows-10 #security #encryption Why is "Reasons for failed automatic device encryption: Hardware Security Test Int…

Bounty: 100

The full message is:

Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

It is shown under the Device encryption support field in msinfo32.exe.

What does this mean? How can I enable "automatic device encryption"?

Security features in my PC:

  1. Secure Boot: Enabled
  2. Core Isolation: Enabled
  3. Memory Integrity: Enabled
  4. BitLocker: Disabled
  5. TPM is present in my PC



#StackBounty: #boot #20.04 #encryption #fstab #cryptsetup cryptsetup: waiting for encrypted source device /swapfile, fstab empty

Bounty: 50

On the bootscreen I get the message:

cryptsetup: waiting for encrypted source device /swapfile...

which then leaves me hanging for about 2 minutes followed by

Initramfs unpacking failed: Decoding failed.

I then get dropped to Initramfs.

This is on Ubuntu 20.04 with an encrypted home folder. I got the error after switching back to the nouveau driver in order to install cuda-10 (it was complaining about the NVIDIA driver already being in use).

Other suggestions involve doing something with /etc/crypttab, but that file doesn’t exist on my system. cat /etc/fstab also shows an empty file. Some reading suggests that in that case it would be using default settings, but if so, how does it know what disk should be used as swap space? Or is there something I can do with a live USB?

