Thursday, July 13, 2017

http://iase.disa.mil/pki-pke/Pages/sha-256.aspx

SHA-256 Coordination

*PKI = DoD PKI Certificate Required
DoD PKI SHA-256 CAs have been released. Enrollment pages for these CAs are available at:

https://ee-id-sw-ca-37.csd.disa.mil
https://ee-id-sw-ca-38.csd.disa.mil

To find your RA Operations office or your CC/S/A PKI help desk, please visit our Contact Us page. For further assistance, contact the DOD PKE help desk at dodpke@mail.mil

On October 14, 2010, the DoD CIO released a memo directing all Combatant Command, Service and Agency (CC/S/A) CIOs to begin evaluation of their system portfolios in anticipation of the federal mandate to transition to using the SHA-256 hashing algorithm. This page provides additional information to support CC/S/As' evaluation efforts.

SHA-256 Downloads

DoD CIO Memo on Migration to Stronger Cryptographic Algorithms *PKI
This DoD CIO memo, dated 14 October 2010, directs all Combatant Command, Service and Agency (CC/S/A) CIOs to begin evaluation of their system portfolios in anticipation of the federal mandate to transition to using the SHA-256 hashing algorithm. (PDF Download) Date: 10/14/2010 | Size: 836 KB
DoD SHA-256 Assessment and Test Process *PKI
This document serves as the testing strategy document referenced in the Attachment to the DoD CIO Memo regarding DoD's Migration to Use of Stronger Cryptographic Algorithms, dated October 14 2010. It provides additional detail regarding how the evaluation efforts will be conducted and coordinated. (PDF Download) Date: 11/18/2010 | Size: 213 KB
SHA-256 Assessment Period System Data Aggregation Form *PKI
This is the form referenced in the SHA-256 Assessment and Test Process document which should be used to report SHA-impacted system information to the DoD CIO coordination cell. Details as to what content should be included in each field are contained in Appendix B of the Assessment and Test Process document. (XLS Download) Date: 11/18/2010 | Size: 30 KB
SHA-256 Compatible Products List *PKI
This document lists SHA-256 compatibility information for common products used throughout DoD. This information was consolidated by the DoD CIO SHA-256 coordination cell and will be updated on a periodic basis. (PDF Download) Date: 10/16/2011 | Size: 233 KB
The DoD and SHA-256 *PKI
This slick sheet provides some helpful facts about the DoD and SHA-256. (PDF Download) Date: 01/02/2014 | Size: 329 KB
USCYBERCOM GENADMIN 16-0073 *PKI
This message provides a revised schedule and additional details on the migration. (PDF Download)

I'm not saying it is military grade... but I'm almost certain it's the NSA phones


This plugin allows you to encrypt data with the RSA algorithm in an Ajax request (client side) and decrypt it in PHP (server side).
IMPORTANT: Unfortunately, this plugin does not provide a foolproof method against hacks.
ONLINE DEMONSTRATION


How to use it?

Downloads

Here are the 3 downloads needed to use AJAXRSA with Construct 2:

RSA Keys Generator

Download and unzip the folder.
Run «index.exe».
(size: 18 MB)
Download RSA Keys Generator

Plugin Construct 2

Download, unzip and put the folder called «ajaxrsa» in the Construct 2 Plugins folder.
(size: 10 KB)
Download Plugin Construct 2

PHP Library and Demo

Download and unzip the folder.
You will get 2 folders and 1 example script.
(size: 143 KB)
Download PHP Library & Demo

RSA Keys

First, you will need two keys: a Public Key and a Private Key.
Launch the RSA Keys Generator (look for an executable called «index.exe»).
You get this:

Construct 2 Plugin

Make sure your «ajaxrsa» folder is present in the Construct 2 Plugins folder:
C:/Program Files/Construct 2/exporters/html5/plugins/ajaxrsa/
Launch Construct 2, create a new project and add a new object: AJAX-RSA.
Now, open your Event Sheet to add the following Events/Actions:

PHP Library & Demo

On the server side, make sure your «Crypt» and «Math» folders are in the same folder.
Below is the demo script that processes the data on the server side:

<?php
// Use it for local preview (localhost:50000)
// See : https://www.scirra.com/manual/107/ajax
//header('Access-Control-Allow-Origin: * '); 

ini_set("display_errors", 0);

session_start(); // Need session to store Token

require_once('Crypt/RSA.php'); // The Math folder must be at the same level as the Crypt folder

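// IMPORTANT : Keep the complete syntax and the line breaks for the Private Key
// The key below is the demo key published with this example, so it is not secret:
// generate your own pair with the RSA Keys Generator and replace it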
define("KEY_PRIVATE", "-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMrXPEVu4LxhOUvV2mreOoHIchPlJYgvRdpqkBd6t2sD7SM02DqP
n89eSj+oqG1ZR+l7Yj1SMCZMrav6257UivMCAwEAAQJAHHwerKl7dI46sO72iJdt
+UJ1iAcKlECp5e2dD+Rd1EXYNfIH26AyprDRXNTRoTYidiVaUH1Z8NxifWagf36j
gQIhAOKOTxjSwgDIWQxoMxw2AL8AAGF3g4uWXgRZKp4f9QghAiEA5TPn1H/j7AQW
NTW7WmM6PjV/Xdl0YI4y2OUTdw2E4JMCIQCvYFJCeQPM70pfnFnUQMmbETk6OfYO
nDvzScL/3OUlgQIgZop6RU+SIJ0Tcmq/jwilnf9BJDONJUV46iBSPQkHUZECIAnE
byHHtgYokdOrheh+O1FWUtq5q/xq28TR+tHUFa1i
-----END RSA PRIVATE KEY-----");

// Function to decrypt data
function decrypt($data) {
 $rsa = new Crypt_RSA();
 $rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
 $rsa->loadKey(KEY_PRIVATE, CRYPT_RSA_PRIVATE_FORMAT_PKCS1);
 $s = new Math_BigInteger($data, 16);
 return $rsa->decrypt($s->toBytes());
}

$arr_data = array(); // Array where we will store our data

// Check if the Ajax Request comes from the game folder
// example : http://www.domain.com/folderGame/ or http://www.domain.com/folderGame/index.html
// (the Referer header is set by the client, so this only filters out casual requests)
if(isset($_SERVER['HTTP_REFERER']) 
 && ($_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/" 
 || $_SERVER['HTTP_REFERER']=="http://www.payondev.fr/projet/ajaxrsa/demonstration/index.html"))
{

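 // Encrypted payload sent by the plugin (stays empty if none was sent)
 $data = "";
 // If "Post to URL"
 if(isset($_POST['d']) && is_string($_POST['d'])) $data = $_POST['d'];
 // If "Request URL"
 if(isset($_GET['d']) && is_string($_GET['d'])) $data = $_GET['d'];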

 if(trim($data, " \t\n\r")!="")
 {
  // Decrypt Data
  $decrypted_data = utf8_decode(decrypt($data));
  parse_str($decrypted_data, $arr_data);

  // Check if there is a data called "token"
  if(isset($arr_data['token']) && is_string($arr_data['token']) && trim($arr_data['token'], " \t\n\r")!="")
  {
   // Check if token exists in the session (get its key if it does)
   if( isset($_SESSION['token']) && ($k = array_search($arr_data['token'], $_SESSION['token'], true)) !== FALSE )
   {
    // Remove current token (expired or not)
    unset($_SESSION['token'][$k]);

    $expiration = explode("_", $arr_data['token']); 
    $delayToken = time() - $expiration[1];
    if($delayToken<=2)
    {

     // *******************************************************************
     // ************************ YOUR CODE HERE ***************************
     // *******************************************************************
     
     // EX : www.domain.com/index.php?player=Vincent&score=150&token=123abc...
     // $arr_data["player"]  =  "Vincent";
     // $arr_data["score"]  =  "150";
     // $arr_data["token"]  =  "123abc...";
     foreach($arr_data as $key => $value) echo $key .": ". $value."   ";

    }else{ echo "Error : Token Expired"; }
   }else{ echo "Error : Invalid Token"; }
  }else{ echo "Error : Token missing"; }
 }else{
  // If no data in URL, generate Token and return it
  $token = bin2hex(random_bytes(16)); // 128-bit random token from the CSPRNG (PHP 7+)
  echo $_SESSION['token'][] = $token."_".time();
 }
}else{ echo "Error : It's not a call from the game"; }


Of course, using Tokens (on either the Construct 2 or the PHP side) is not mandatory, but it is recommended for browser games.
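
The token handling in the demo script can also be written so that the expiry time lives only on the server and each token is consumed exactly once. The following is an added example, not code from the AJAXRSA download; the names TOKEN_TTL, MAX_PENDING, issueToken() and consumeToken() are assumptions, and a plain array stands in for $_SESSION['token'].

```php
<?php
// Added example (not part of the AJAXRSA demo): single-use tokens whose
// expiry is stored server-side instead of being read back from the token.
// TOKEN_TTL, MAX_PENDING, issueToken() and consumeToken() are hypothetical names.

const TOKEN_TTL = 2;    // seconds, same window as the demo script
const MAX_PENDING = 20; // assumed cap on outstanding tokens per session

function issueToken(array &$store, int $now): string
{
    // Drop expired entries so the session cannot grow without bound
    $store = array_filter($store, function ($exp) use ($now) { return $exp >= $now; });
    if (count($store) >= MAX_PENDING) {
        array_shift($store); // discard the oldest pending token
    }
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $store[$token] = $now + TOKEN_TTL;  // token => expiry timestamp
    return $token;
}

function consumeToken(array &$store, $token, int $now): string
{
    if (!is_string($token) || $token === '') {
        return 'missing';
    }
    if (!isset($store[$token])) {
        return 'invalid';
    }
    $expires = $store[$token];
    unset($store[$token]); // single use: removed whether expired or not
    return $now <= $expires ? 'ok' : 'expired';
}

// Constructed walk-through with fixed timestamps
$store = [];
$t0 = 1500000000;
$tok = issueToken($store, $t0);
var_dump(consumeToken($store, $tok, $t0 + 1));      // first use inside the window
var_dump(consumeToken($store, $tok, $t0 + 1));      // replay of the same token
$late = issueToken($store, $t0);
var_dump(consumeToken($store, $late, $t0 + 5));     // used after the window closed
var_dump(consumeToken($store, 'not-a-token', $t0)); // never issued
```

In the demo script, pass $_SESSION['token'] (initialised to an empty array) as $store and time() as $now.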

Man in the Rain