Solved

Suggest Encrypt Algorithm

Posted on 2006-07-20
9
625 Views
Last Modified: 2010-04-11
Hi Experts,

We have a little situation here where some security is required and I dont know much about it.
Actually we are developing a product which integrates with another product.
To log into the another product we are given a username and password
Currently in our beta release we store without encryption in a text file. Before we release the product we need to encrypt the password for security.
This password is made available to us during the installation (installshield)

Now we want to encrypt, store this password in a file and decrypt it while logging to the other product. (this we do through c++ application)
I know that since we require to decrypt it again, the security will not be tight, but its ok since we have to stick to the architecture.

Can you experts suggest me how do I do this? Which algorithm to use? And whether any third party (open source) tools are available.
I want to do some hard thinking before I finialise, so If you could provide me with some links to increase my knowledge in this area, that will be great.

Thanks and Regards,
KP
0
Comment
Question by:kingpukky
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 8

Expert Comment

by:jako
ID: 17146243
Give the user of your product a password he/she has to remember and use that to encrypt the password your product uses to log into another using a fairly strong symmetric algorithms.

Or better yet, give the user a password protected certificate with a key pair and use the users cert and a master cert of your helpdesk people to encrypt the data needing to be protected with an asymmetric algorithm. That way you'll be able to recover whatever data was lost due to the user error.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17150198
I'm no programmer, but this site, and this book will be more helpful to a programmer.
http://www.woodmann.com/crackz/
http://www.oreilly.com/catalog/1886411794/
http://www.woodmann.com/crackz/Tutorials/Protect.htm#pavolcerven

If the password is stored in the machine code, it would be viewable with a simple disassembler or debugger, IDA Pro, SoftIce etc... Perhaps the book and links will give you some better ideas on how to store the data.
-rich
0
 
LVL 3

Author Comment

by:kingpukky
ID: 17153944
jakopriit : I am not quite clear of your solution. We have c++ applications which pick up the password from the file and decrypt it and login, how do we handle that?

richrumble: I am going thru the sites for info....
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Accepted Solution

by:
jako earned 300 total points
ID: 17155056
I should have been more verbose, I know. My first option implies that before your application stores the login/password pair to a file, it asks the user for the password of his/her own (and a confirmation to rule out the typos), it then uses this password to encrypt symmetrically the login/password pair of another product and stores it somewhere, be it a file, a database field, anything. Then, when it is time to do the logging in procedure to the other/integrated product, you might ask for the password again or trust the session isn't compromised and use that newly asked or remembered password to decrypt the file, the database field and use that decrypted data. Symmetric-key algorithms include: Blowfish, Twofish, AES (a.k.a. Rijndael), RC4, TripleDES, IDEA.

the second option is just a bit more complicated but it won't leave the login/password pair uncoverable if the user of your product decides to change the password and forget. it is the beauty of asymmetric encryption that you can later decrypt the data using several different private keys one of which may be in the possession of your own helpdesk people. Most often used asymmetric-key algorithms are: Diffie-Hellmann, RSA, El-Gamal and some elliptic curve techniques.

C++ as a programming language doesn't necessarily play a role here - you could accomplish it in almost any language. What it does mean that using a popular language as C++, makes you probably able to purchase and use ready made objects for actual encryption routines (I know Delphi components are wildly popular merchandise).

You're probably not gonna get by just by slapping something together there. It's gonna be lots and lots of reading for you guys ;)
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 17166076
I would certainly suggest going with a 3rd party encryption method/module. Designing your own, especially when your not completely comfortable with the subject, has a very strong chance of ending up in an insecure implementation. Even commercial products from respected vendors have vulnerabilities, if you don't know exactly what you're doing it's much safer to use a tried and tested product. Just make sure that the implementation you're going for uses a well-known and tested algorithm, if they use a proprietary algorithm and its secureness is based on it being secret (security by obscurity), stay away. jakopriit provided a good list of well known algorithms,  they all have their pros and cons.
0
 
LVL 3

Author Comment

by:kingpukky
ID: 17167740
jakopriit : Thnx for the in brief explaination.
I understood ur options. Have got some queries in it.
1. When you say that you ask the user his own password and use it for symmetric encryption, do u mean that i should use his password as a encryption key or just for authentication for the process.
2. Also the thing is that we get the password of the intergrated product and store it in the file. And after this there is no user interaction, our c++ application read the username/password to login to the product. So your statement "you might ask for the password again" cannot be used.
Also, once the password is stored in the file, our product can be stopped / started anytime, so "trust the session isn't compromised" is not valid too. So does it means that my key has to be hard-coded in my program?

CoccoBill: You are right, this is not going to be so easy. I have started reading basics of cryptology and will especifically concentrate on the algos specified by jakopriit.
0
 
LVL 8

Expert Comment

by:jako
ID: 17168420
1. good point. not the password itself. I should have mentioned that too. It would be better to use something _computed_ from the password, as a key. Maybe a one way hash with enough possible values to make rainbow tables unpractical -- you can preach users whatever you want to but they still reuse passwords. Without user interaction that is of little consequence anyway - on to the second point.

2. oh. the lack of interactiveness complicates matters greatly. on the other hand it makes it easier -- depending on what you'll have to prevent. hard-coding encryption keys is a bad habit, anyhow ;) What I would do to prevent hardcoding these, is to rely somewhat on filesystem ACL and have a SUID encryption handling component that has proper file access to the private key, it's access password and the encrypted file. That would leave you the option of replacing them, when necessary.

Please remember that the security of your app ought to be proportional to the one that is being guarded. For example, if you're gonna use a XML web service over the plain HTTP, as the other application, it would be overkill to guard the login/passwd as well as we (experts) would like.
0
 
LVL 3

Author Comment

by:kingpukky
ID: 17182840
Yeah, well looks the security on filesystem is going to be a key point here...
I got ur point on the "computed from password"
can u please explain or redirect me to some link about "one way hash and rainbow tables"??
Thanks a lot for ur comments...
i think now its upto our research here....
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17183795
Heres the article on rainbow tables, basically, you precompute every possible password hash and it's plain-text counter part
https://www.isc2.org/cgi-bin/content.cgi?page=738
pass1234 = MD5            B4AF804009CB036A4CCDC33431EF9AC9
pass1235= MD5            B7E3715214F9EE9B589197D1E6912469
pass1236= MD5            7826842F8E10191865318AA3468C8375
pass1237= MD5            11E3ABF4FDA721E9C26B616159D738C7

etc... the storage is much more compressed than the examples above. For instance, the LM passwords for windows using Rainbow Crack's tables are around 64gig's, for 99.9% accuracy of all possible character combinations. OphCrack has a better storage/table search so it's smaller, however the passwords take just as long to find, so no overall benefit.

-rich
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question