|
Re: Password Encryption
by derby (Abbot) on Aug 20, 2002 at 08:17 UTC
|
For storing passwords, you really don't want encryption, you want a one-way hash function such as crypt. This allows you to safely "encrypt" (one-way hash) a word but you can never really decrypt. In order to check if the password is valid, you would run the entered password through the one-way hash function and compare that value with the stored value. The unicode req really throws a wrench into things, I'm not sure if crypt will handle that. There are other one-way hash modules on cpan such as MD5 and SHA that may also be helpful.
-derby | [reply] |
|
|
Although I like the approach of using hashes to protect passwords, this system does have a major drawback in that the passwords are not recoverable. In some cases this is unacceptable since it means options like, "email me my password" are not available. Since the poster specified the ability to "decrypt" the password, either they are unclear on what their requirements truly are, or a one-way function is not a solution in this case.
| [reply] |
Re: Password Encryption
by hotshot (Prior) on Aug 20, 2002 at 07:59 UTC
|
you can use Crypt::PasswdMD5 module
$encryptedPassword = &unix_md5_crypt($password, $salt);
Hotshot | [reply]
[d/l] |
Re: Password Encryption
by grantm (Parson) on Aug 20, 2002 at 10:27 UTC
|
If I understand your requirements correctly, you need to
be able to retrieve the password but you don't want to store it in plaintext. One-way hashing algorithms such
as the crypt function or the MD5 module won't help there
(my favourite quote to illustrate this point is "you can
wind a sausage machine backwards but it won't give you
pigs" - if only I could remember who said it).
Actually, nothing is going to be really secure since
if someone can read your script they will have all the
info they need to decrypt the password.
If you just want to slow someone down, encode it using
MIME::Base64 like this:
perl -MMIME::Base64 -le "print encode_base64('p4assw0rd')"
| [reply]
[d/l] |
|
|
grantm,
Good call on knowing what reqs you have and tieing that
to what type of security you need; however, I need to
nitpick on a few things:
if I understand your requirements correctly, you need to be able to retrieve the password but you don't want to store it in plaintext. One-way hashing algorithms such as the crypt function or the MD5 module won't help there (my favourite quote to illustrate this point is "you can wind a sausage machine backwards but it won't give you pigs" - if only I could remember who said it).
True but that's okay because you never need to compare the plaintext, you compare the output of the one-way hash with the stored value.
Actually, nothing is going to be really secure since if someone can read your script they will have all the info they need to decrypt the password.
Well ... nothing in and of itself is secure. You need several layers of security. When I first read the problem, I didn't think the passwords would be stored in a script or going across the wire (in plaintext). If you need to store the password in a script, well that's where things like ACLs and file permissions come into play. As for going across the wire, then you encrypt the wire via https (web) or SSL -- security is all about layers.
update: And as a bonus, if you use one-way hash, there is nothing in the script that "decrypts" the password. The script would run the user supplied password through the one-way hash and compare the output to the stored value.
If you just want to slow someone down, encode it using MIME::Base64 like this:
Hmmm ... well there's a lot of controversy about security through obscurity and with base64 - that's what you're doing. I think it would fail even quicker than crypt and would be useless all together once someone knew base64 was the algorithm. With one-way hash functions, you can know the algorithm (des, md5) but you never really know that you have cracked the
password until you try to use it. With base64, once you know
base64 is the obfuscation, you don't have to try to use
the password - you know it's the plaintext.
-derby
| [reply] |
Re: Password Encryption
by JaWi (Hermit) on Aug 20, 2002 at 09:18 UTC
|
| [reply] |
Re: Password Encryption
by fsn (Friar) on Aug 20, 2002 at 09:25 UTC
|
> cat cleartextpasswords.txt | tr /a-zA-Z/ /n-za-mN-ZA-M/ > encryptedp
+asswords.txt
> cat encryptedpasswords.txt | tr /a-zA-Z/ /n-za-mN-ZA-M/ > cleartextp
+asswords.txt
Or is that a little TOO insecure...? | [reply]
[d/l] |
|
|
()-()
\"/
`
| [reply] |
|
|
Hmm... I would argue that the tr command probably predates Perl by a decade. So, who is reinventing the wheel? And is the perl version even faster to write than the tr version?
And also, look at the memory footprint issue. tr takes 28k on my RH72, where the Perl binary alone takes 708k, + loading the Crypt module...
Oh, and by the way, :-)
| [reply]
[d/l] |
|
|
Re: Password Encryption
by Anonymous Monk on Aug 21, 2002 at 06:15 UTC
|
Thanks to everyone who contributed
A one-way hash is not going to work in our case as the perl script is supposed to run in a non-interactive mode.
The perl script simply reads the properties file, decrypts the password and then logs into the unix machine.
The basic idea was just to slow someone down. I tried using the some of the well known algorthims (such as DES),
but found the ciphertext contained non-alphabetic/non-numeric characters. Does anyone know how I can restrict the output to just these chars ?
I appreciate doing this is going to make the encryption less secure, but that isn't too important. | [reply] |
|
|
You really want to use pack/unpack to hex-format your ciphertext, so that they are guaranteed to be alphanumeric.
To wit:
use Crypt::CBC;
$cipher = Crypt::CBC->new( {
key => 'SomeSecretKeyHere',
cipher => 'Rijndael',
});
my $source_text = "This data is hush hush";
my $cipher_text = unpack('H*', $cipher->encrypt($source_text));
my $decrypted = $cipher->decrypt(pack('H*', $cipher_text));
Also, please do not use the fragile DES cipher, as weak crypto is worse than no crypto. Rijndael is much more secure, almost as fast, and equally easy to use.
Thanks,
/Autrijus/
| [reply]
[d/l] |