RSA | RSA data encryption communication from front-end to back-end | iOS library

The way you're encrypting data makes no sense. Asymmetric encryption can only encrypt a small, fixed amount of data. Never use asymmetric encryption such as RSA-OAEP for anything other than a symmetric key, and use that symmetric key to encrypt the actual data. For the symmetric encryption, use a proper AEAD mode such as AES-GCM or ChaCha20-Poly1305. This is called hybrid encryption.

Other things that are wrong with your code:

• A 1024-bit RSA key is not enough for security: 2048-bit is a minimum, and you should prepare to move away from RSA because its key sizes don't scale well. (Feel free to use 1024-bit keys for testing and learning, just don't use anything less than 2048-bit for RSA in production.)
• The encryption is a binary format, but you join up lines as if they were text. Text or binary: pick one. Preferably use a well-known format such as ASN.1 (complex but well-supported) for binary data or JSON for text. If you need to encode binary data in a text format, use Base64.

If this is for real-world use, scrap this and use NaCl or libsodium. In Python, use a Python wrapper such as libnacl, PyNaCl, pysodium or csodium. Use a public-key box. The Python APIs are slightly different for each Python wrapper, but all include a way to export the keys.

If this is a learning exercise, read up on hybrid encryption. Look inside libsodium to see how to do it correctly. Key import and export is done with the methods import_key and export_key. Symmetric encryption starts with Crypto.Cipher.AES.new(key, Crypto.Cipher.AES.MODE_GCM) or Crypto.Cipher.ChaCha20_Poly1305.new(key) (Crypto.Cipher.AES.new(key, Crypto.Cipher.AES.MODE_GCM, nonce=nonce) or Crypto.Cipher.ChaCha20_Poly1305.new(key, nonce=nonce) for decryption).

First, make sure that https://github.com/mycomp/repo-pr does exist (meaning the case, uper or lower, of the URL is correct)

Second, check that you are correctly authenticated by GitHub through SSH:

You need the library https://phpseclib.com/ to get the following code to run (I'm using version 3).

Kindly note that there is no exception handling on the code.

This is an output:

You need to add scala-compiler configuration to your pom.xml. The problem is without that there is nothing to compile your SparkTrans.scala file into java classes.

Add:

To be able to connect with ssh, I had to add the following lines in the GITLAB_OMNIBUS_CONFIG environment variable :

I believe the optimal way for small to medium sized application is just to make jwt verification work as a middleware. Something like:

Could the reason be the signature at the end of the SSH key?

No, that part is ignored.
Do copy, to be sure, the public key as well as the private one.

Or, ideally, generate a new one dedicated to the second machine (since copying private keys is not the best practice)

• If a ssh -Tv git@github.com does show you the right private key is considered, check for a difference in environment variable (type set in a CMD). In particular, make sure you don't have GIT_SSH set to Windows 10 openSSH.
  Type where ssh to make sure Git is using the same openSSH on both machines.

• If a ssh -Tv git@github.com does show you the right private key is not considered, check if on your first machine you have a %USERPROFILE%\.ssh\config, which should then be replicated on the second one.

Even though the VCS root was created in the specific project, it somehow belongs to . Once I added the SSH key in the root project, it was available for selection in the dropdown above and connection test to bitbucket has passed.

1. JSON Web Key Set (JWKS aka JWK Set) is a list of JSON Web Keys (JWKs). Since JWK Set is simply a container, it contains no metadata such as an expiration date/time.

2. It does not expose this for at least two reasons:

• RFC 7517 is the specification that governs the behavior of JWKs and JWK Set. It does not mention or require the provider to publish an expiration date/time. Perhaps this is so due to reason #2:
• The provider should be able to remove keys for any reason at any time. Possible reason: key has been compromised. (For a private/public keypair, this would mean the private key has been compromised and the corresponding public key published via JWKS should be removed from circulation). This example is an outlier but it does happen and the provider would have to act immediately to fix it.

Emergencies notwithstanding, providers do rotate keys on a regular basis as a matter of good security hygiene. To handle key rotation (be it planned or emergency), your application should adhere to a simple algorithm. It should periodically fetch the keys from JWKS endpoint, build a local replica of all keys and add/remove keys from this replica based on the last fetch. Only keys found in the local replica should be used by your application to perform a cryptographic operation such as verifying a signature on a JWT.

Each JWK has a kid (key id) parameter and this parameter is used to match a specific key. RFC 7517 recommends using kid to choose among a set of keys within a JWK Set during key rollover. When your application does a fetch of keys from JWKS, you'll be comparing the set of keys coming from JWKs to the set of keys in your local replica. The comparison is based on kid. If a key with some kid is present in JWKS but not present in your local replica, you should add this key to your replica. Vice versa, if a key with some kid is present in your local replica but not present in JWKS, you should remove this key from your local replica.

How frequently should your application fetch the keys from JWKS? This is up to you, it depends on the risk tolerance of your app and/or your organization. Some apps fetch every minute, others do it hourly or daily.

Let's say your app never does this fetch, the key is hardcoded in your app. This will work until the key is removed by the provider. (We're assuming that we're talking about a public key here. A JWK could represent a private key...and that you will not want to embed into your app). Some providers don't rotate keys or do so once in a very long while. If you're dealing with a well-known (to you) provider and they guarantee to you that they won't rotate keys, your risk of embedding a key into your app is low.

In general, embedding a public key into the app is not a good idea. If you're going to be using a JWKS endpoint, implement a simple fetch + update solution as outlined above.