How dangerous is a leaked private key from outside the infrastructure in context of: "Azure Active Directory keyCredential property Disclosure?"

Microsoft published the Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs which describes how to check if an Azure AD is possibly affected by the private key di… Continue reading How dangerous is a leaked private key from outside the infrastructure in context of: "Azure Active Directory keyCredential property Disclosure?"

Encryption Algorithm With Separate One-Way (Hashing) And Two-Way (Decryption) Keys

In cryptography, generally we have two ways of handling sensitive information.
We can use one-way encryption such as hashing. This is useful when we never need to retrieve it again. In this case, we can know if we found the right password,… Continue reading Encryption Algorithm With Separate One-Way (Hashing) And Two-Way (Decryption) Keys

Is it safe to use a Digital Signature created with a PKI certificate’s private key as a password

I’m trying to create application-layer encryption for user data in my database, using password derivation function. But there is a problem, that there must be an admin user, who can access all user’s encryption keys, for password reset functionality and some other things. I don’t like the fact that all encryption system security can be broken with just one admin password. I’ve asked for an advice here How can I improve the application administrator’s encryption keys security inside database

I was advised to compile an admin encryption key not from a password but from another source (admin computer system information, for example), so it can’t be brute-forced, and then pass it to the database server.

It is a good approach, however, this complicates admin mobility and system recovery in an event of key loss, and these requirements are mandatory to accomplish.

So, I come up with this idea:

  1. Give my admin PKI certificate (RSA 2048 bit for example)
  2. Get some static string (“password” for example)
  3. Make a digital sign out of this static string using the certificate’s private key
  4. Send this digital signature to the database server, and use it there as an encryption key.

At first glance, I don’t see any great flaws with this approach, but I couldn’t find that someone has done anything similar before, so I want to ask you to help me to validate my vision.

Continue reading Is it safe to use a Digital Signature created with a PKI certificate’s private key as a password