How can changing the master key or other keys provide security? How is the session key used to keep the further communication between DESFire and reader?

Question:

Tag: security,session,authentication,nfc,smartcard

I am working on electronic ticketing in which the tickets are DESFire cards.

I want communications to be safe. I am now trying to change the PICC key. Before changing the DESFire master key, authenticating with the master key is necessary.

In the DESFire data sheet, the Authenticate procedure is described on page 31:

"This procedure not only confirms that both entities can trust each other but also generates a session key which can be used to keep the further communication path secure. As the name “session key” implicitly indicates, each time a new authentication procedure is successfully completed a new key for further cryptographic operations is obtained."

I want to know how changing the master key or other keys can provide security. I mean, is changing keys needed or not? And how is the session key used to keep the further communication between DESFire and reader?


Answer:

I'm not sure whether the points below answer your question, which I consider not very clear and further blurred by your added comments.
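A simplified model of the exchange that the quoted data sheet passage describes, added here as an example; it is not taken from the original post, the answer or the data sheet. The cipher and MAC are HMAC-based stand-ins for the card's real DES/AES operations, and the challenge size, message order and session-key byte layout are assumptions used for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # challenge size assumed here (AES-sized); not stated on the page


def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the card cipher: XOR with an HMAC-SHA256 pad.
    Not DES/AES and not secure; encrypt and decrypt are the same call."""
    pad = b""
    while len(pad) < len(data):
        pad += hmac.new(key, label + bytes([len(pad) // 32]), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def rotl8(b: bytes) -> bytes:
    """Rotate left by one byte; shows the peer really decrypted the challenge."""
    return b[1:] + b[:1]


def session_key(rnd_a: bytes, rnd_b: bytes) -> bytes:
    # Assumed layout: both sides contribute randomness, so neither controls the key.
    return rnd_a[:4] + rnd_b[:4] + rnd_a[12:] + rnd_b[12:]


def mac(session: bytes, payload: bytes) -> bytes:
    """Stand-in for the MAC appended to commands after authentication."""
    return hmac.new(session, payload, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, key: bytes):
        self.key, self.session = key, None

    def start(self) -> bytes:
        self.session = None  # every new authentication drops the old session
        self.rnd_b = secrets.token_bytes(BLOCK)
        return toy_cipher(self.key, b"1", self.rnd_b)

    def finish(self, msg: bytes):
        plain = toy_cipher(self.key, b"2", msg)
        rnd_a, echoed = plain[:BLOCK], plain[BLOCK:]
        if not hmac.compare_digest(echoed, rotl8(self.rnd_b)):
            return None  # reader does not hold the card key
        self.session = session_key(rnd_a, self.rnd_b)
        return toy_cipher(self.key, b"3", rotl8(rnd_a))

    def command(self, payload: bytes, tag: bytes) -> bool:
        """Accept a command only if its MAC was made with this session's key."""
        return self.session is not None and hmac.compare_digest(tag, mac(self.session, payload))


def reader_authenticate(card: Card, key: bytes):
    rnd_b = toy_cipher(key, b"1", card.start())
    rnd_a = secrets.token_bytes(BLOCK)
    reply = card.finish(toy_cipher(key, b"2", rnd_a + rotl8(rnd_b)))
    if reply is None or not hmac.compare_digest(toy_cipher(key, b"3", reply), rotl8(rnd_a)):
        return None  # card (or reader) failed the challenge
    return session_key(rnd_a, rnd_b)
```

Because each run mixes fresh random values from both sides, a MAC captured in one session is useless in the next, and a reader holding a replaced card key can no longer complete the exchange.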

