Password security

From: "Tuvas" <tuvas21@xxxxxxxxx>
Date: 8 Mar 2006 06:01:55 -0800

I am working on a way to transmit passwords securely. The method I am
choosing relies on AES ecryption, where the password is converted to a
key, and the key is used to encrypt a text, which is compared to see if
the password was correct.

The method I have to convert the password to a key is as follows:

def cpassword(username,password):
ret=0
for x in range(1,1+min(len(username),18-min(18,len(password))):
ret=ret +(2**(128-7*x))*ord(username[x-1])
for x in range(min(len(password),18)):
ret=ret+((2**(7*x)))*ord(password[x])
return ret

Note that I only am working with 128 bit encryption. To simplify this,
what happens is the following:

1. The password is written on the least signifigant bit size of the
system, written in 7-bit ASCII (The reason for chopping a bit is to
allow for more characters, and to make it harder if anyone's probing
around in memory to identify the text as a word.)
2. The user name is written in the section of the most signifigant bits
of the 128 bit key. However, it will allow the password to be given
priority over itself.

There is 2 bits of security that are inheirently lost in this method,
however, depending on the size of the username and password, these 2
bits could be in several different spots. Also, if the username or
password is short, then there will be a larger null zone.

What do you think of this system? Thanks!

.

Follow-Ups:
- Re: Password security
  - From: Kristian Gjøsteen
- Re: Password security
  - From: Unruh
- Re: Password security
  - From: Tuvas
- Re: Password security
  - From: Paul Rubin
- Re: Password security
  - From: Joseph Ashwood
- Re: Password security
  - From: Unruh
- Re: Password security
  - From: Joseph Ashwood
- Re: Password security
  - From: Paul Rubin
- Re: Password security
  - From: Joseph Ashwood
- Re: Password security
  - From: Unruh
- Re: Password security
  - From: Kristian Gjøsteen

Prev by Date: Re: RSA question
Next by Date: VHDL code for aes using subpipelining
Previous by thread: About DES, mode ECB
Next by thread: Re: Password security
Index(es):
- Date
- Thread

Relevant Pages

Re: WSE 3.0 + UserNameToken without X.509 Cert/Kerberos + Signing + Encryption How?
... message security and thefore it does not encrypt the message. ... You need to combine this assertion with a secure transport like SSL if you ... between client and server using a UserNameToken that passes the UserName ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: WSE 2.0 SP2: UsernameTokens must be encrypted to request SCT?
... William Stacey, MVP ... > The SecurityTokenServiceClient class will now automatically encrypt any ... > Username tokens included in a request. ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: Encrypt a UsernameToken Authenticated WSE Response
... username and passwort und the data is symmetric encrypted, ... >> Decrypt) a SOAP Message by Using a Username and Password". ... But when I start my Client Application and call my ... >>> so that is used to generate a key to encrypt with. ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: WSE 3.0 cert question
... Since you are using SSL, the username token will be encrypted ... encrypt this UsernameToken so using an X509 cert sounds like the logical ... boxes (click-once install only) so making the client install a cert into ...
(microsoft.public.dotnet.framework.webservices.enhancements)
Re: Re:simple text encrypt / decrypt
... i wrote a script which will contain an username and password of an FTP ... i want to encrypt these username and password using DPAPIs so that no ... executed the exe decrypts itself "on the fly" ... distributing confidential VBS sourcecode ...
(microsoft.public.scripting.vbscript)