mellin has asked for the wisdom of the Perl Monks concerning the following question:

What do you think about a script that has two options; encrypt and view encrypted file? I created the script below to view my password file (normal text file) encrypted with Crypt::RC4 while on the road. I simply go to the terminal and type "./passwords.pl view <passwordfile> <password>" to see my passwords, in case I forgot them while away from home.

I know some operating systems store command history effectively caching my password as well, but I will change that in the future so that the script itself asks the password to use.

#!/usr/bin/perl -w
use strict;
use Crypt::RC4;

print "usage: $0 [ crypt | view ] <filename> <password>\n" and exit
    unless validateInput(@ARGV);

my ($option, $file, $password) = @ARGV;
my ($plaintext, $crypted, $decrypted);

$plaintext = openFile($file);

if ($option eq 'view') {
    # RC4 is symmetric, so the same call decrypts
    $decrypted = RC4($password, $plaintext);
    print "$decrypted\n";
}
elsif ($option eq 'crypt') {
    my $outputname = "$file" . '.enc';
    $crypted = RC4($password, $plaintext);
    # three-argument open: the file name is never parsed as a mode or pipe
    open FH, '>', $outputname or print "error: $!\n" and exit;
    binmode FH;    # ciphertext is binary data
    print FH "$crypted";
    close FH;
    print "$file encrypted with the given password\nnew filename $outputname\n";
}

# Read the whole file into a scalar
sub openFile {
    my $filename = shift;
    my $data;
    open FH, '<', $filename or print "error: $!\n" and exit;
    binmode FH;
    while (<FH>) {
        $data .= $_;
    }
    close FH;
    return $data;
}

# Require exactly three arguments, a known option and an existing file
sub validateInput {
    return undef unless @_ == 3;
    return undef unless ($_[0] =~ /^(?:view|crypt)$/);
    return undef unless (-e $_[1]);
    1;
}

Replies are listed 'Best First'.
Re: Small encryption script
by planetscape (Chancellor) on Apr 04, 2007 at 17:00 UTC
Re: Small encryption script
by ikegami (Patriarch) on Apr 04, 2007 at 17:27 UTC

    Security is hard. I spotted two *major* weaknesses in a cursory glance.

    • No salting is employed. If the same password is used twice, your security could be weakened.

    • A low entropy password will likely be supplied. Often, the human-readable password protects the high-entropy randomly-generated password that will actually be used.

      (3) ...not to mention that the ps command could show your password.

      Update: Somehow, I managed to not pay attention to the second paragraph of the OP, as indicated by the venerable ikegami. 8^) /Update

      ...roboticus

        The OP said he would address that.
Re: Small encryption script
by quester (Vicar) on Apr 05, 2007 at 05:48 UTC
    Probably the best way to do this would be to use OpenSSL, which comes with most Linux distributions and Cygwin,
    openssl enc -aes-256-cbc -a -in plaintextfile -out cypherfile
    
    and
    openssl enc -d -aes-256-cbc -a -in cypherfile -out plaintextfile
    
    will do everything for you including the "salting" operation and (with -a) making the cyphertext into base64 printable characters. If you want a Perl interface, openssl has plenty.

    You will be a lot safer using a heavily-tested common utility than rolling your own, IMHO.

    Unless you really know what you are doing, never use RC4! To quote from Wikipedia's article on RC4, "While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems (including WEP). It is not recommended for use in new systems.".

    If you really want to/need to do it yourself, AES would be a safer choice, preferably AES-256. (AES doesn't slow down too much as the number of key bits increases; AES-256 is actually faster than the old standard triple-DES on every PC platform I've tried.) You might try Crypt::GCrypt, or Crypt::Rijndael_PP if you prefer pure Perl (slow, but that shouldn't matter much for a password container.)

    Also, it is good practice to take a digest of your passphrase (Digest::SHA256 for instance) so that you can use long passphrases that have high entropy. OpenSSL will take care of that for you, using its own hashing algorithm.
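
The openssl commands above, wrapped as an added example that is not part of quester's reply: the passphrase is fed on stdin instead of the command line (the `ps` and history concern raised earlier in the thread), and `salt_demo` checks that salting makes two encryptions of the same file differ. The function names, the constructed sample data and the `-pbkdf2` and `-pass stdin` options (OpenSSL 1.1.1 or later assumed) are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. -pbkdf2 assumes OpenSSL 1.1.1 or later.

# Encrypt $1 into $2. The passphrase is read from stdin, so it never shows
# up in argv (ps output) or in shell history.
encrypt_file() {
    openssl enc -aes-256-cbc -a -salt -pbkdf2 -pass stdin -in "$1" -out "$2"
}

# Decrypt $1 into $2; same passphrase handling.
decrypt_file() {
    openssl enc -d -aes-256-cbc -a -pbkdf2 -pass stdin -in "$1" -out "$2"
}

# Interactive wrapper: prompt with echo off, then pipe the passphrase in.
# Usage: with_prompt encrypt_file passwords.txt passwords.txt.enc
with_prompt() {
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    printf '%s\n' "$pw" | "$@"; rc=$?
    unset pw
    return $rc
}

# Returns 0 when two encryptions of the same constructed file under the
# same passphrase differ (random salt) yet both decrypt to the original.
salt_demo() {
    d=$(mktemp -d) || return 1
    printf 'mail: constructed-sample-1\nbank: constructed-sample-2\n' > "$d/plain"
    pass='constructed demo passphrase'
    printf '%s\n' "$pass" | encrypt_file "$d/plain" "$d/a.enc" &&
    printf '%s\n' "$pass" | encrypt_file "$d/plain" "$d/b.enc" &&
    printf '%s\n' "$pass" | decrypt_file "$d/a.enc" "$d/a.out" &&
    printf '%s\n' "$pass" | decrypt_file "$d/b.enc" "$d/b.out" ||
        { rm -rf "$d"; return 1; }
    rc=0
    cmp -s "$d/a.enc" "$d/b.enc" && rc=1      # identical output: no salt used
    # base64 of the "Salted__" header that precedes the random salt
    [ "$(head -n 1 "$d/a.enc" | cut -c1-10)" = "U2FsdGVkX1" ] || rc=1
    cmp -s "$d/plain" "$d/a.out" || rc=1
    cmp -s "$d/plain" "$d/b.out" || rc=1
    rm -rf "$d"
    return $rc
}

# "sh thisfile demo" runs the check.
if [ "${1:-}" = demo ]; then
    salt_demo && echo "salt OK: same input, different ciphertexts"
fi
```

`openssl enc` does not authenticate the ciphertext, so a wrong passphrase or a modified file is usually, but not always, caught by the padding check.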

Re: Small encryption script
by diotalevi (Canon) on Apr 04, 2007 at 17:13 UTC

    What about gpg?

    ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

Re: Small encryption script
by zentara (Cardinal) on Apr 05, 2007 at 11:11 UTC
    <spy-vs-spy>

    In addition to RC4 being broken already, consider the following before you think you are "secure".

    Cameras are everywhere, and can pick up your password as you enter it.

    The keyboard broadcasts your keys as you press them, and there are electronics available to read them at a distance. If you are in a big corporate headquarters or in some government building, they may be routinely capturing all keypresses.

    There are a couple of strategies to combat this. One is to change your password daily. The other is to use a program like xkeyboard, to create a virtual keyboard on your screen, and enter keys with mouse presses (this avoids the keyboard).

    </spy-vs-spy>

    Of course, you probably don't have to worry about this level of intrusion, but remember there is an absolutely HUGE secret budget for spying on US citizens, and many non-disclosure agreements are signed by its workers.

    So just remember, it's very difficult to make a computer secure. Just google for "Tempest surveillance" and remember, the really secret stuff is 20 years ahead of what google will show you.


    I'm not really a human, but I play one on earth. Cogito ergo sum a bum