Re: Encrypting a password within an executable
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: Wed, 7 Feb 2007 02:12:04 +0100 (CET)
Ertugrul Soeylemez <usenet@xxxxxxxxxxxxxx> writes:

> "Ian Toltz" <itoltz@xxxxxxxxx> (07-02-05 12:44:44):

>> Hey all, I was hoping you could give me some advice. I'm working on an
>> application which will most likely (we're still not done ironing out
>> the details) have to use an important password for our organization.
>> One thing we're worried about is that if we just assigned a variable
>> (i.e. password="foo") someone could just open the executable in a hex
>> editor and it may well show up as plain text.

Uh, not clear what you mean. Do you mean that you at present have a
password used for critical things, and you want this executable to use that
password to perform one of them? That is almost always a bad idea. There
will be a password equivalent stored in the program.
What you want is that a human have to enter the secret before running the
program.

> Store the password as a hash value.

>> Unfortunately, my google-fu is lacking in this subject... All I can
>> find, depending on how I word my searches, are applications which
>> encrypt files on your computer, or tutorials on encrypting passwords
>> that are put into databases for web stuff.

> Maybe that's the correct solution. Don't just ask for a password and
> quit if wrong. Encrypt the executable and use the password hash as the
> decryption key. Simple.

>> It doesn't have to be anything unbreakable, just something to prevent
>> casual snooping. We're considering maybe making some simple algorithm

If it is a critical password, assume that your most voracious competitor is
after that password, a competitor who is determined to drive you out of
business. Could your business survive him discovering that password? If
not, what you are asking for is irresponsible.

>> (similar in sophistication to rot-13, but a tiny bit more complicated)
>> in the actual code that decrypts the password at run time or something
>> along those lines...

> A lot of effort for a totally-insecure-anyway system.

>> Anyways, I'm just wondering... It seems like this should be a fairly
>> common concern, so is there a "usual" way to do it? Is there some
>> obvious and simple attack I'm missing in our plan? I'm not an expert
>> on cryptography by any means.

> The implementation cannot be good, if the concept is bad. Try a
> completely new idea. I've given you one above. Otherwise you're going
> to stick with hardware (e.g. dongles).
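
The approach suggested in the thread (a human enters the secret, and a key derived from it decrypts the protected data, so nothing password-equivalent ships in the program) sketched as an added example; it is not code from any poster. It seals a small payload rather than a whole executable, all names and sample values are constructed, and an HMAC-SHA256 counter-mode keystream stands in for a real AEAD such as AES-GCM so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed sample values; nothing here comes from the thread.
PAYLOAD = b"connect(db, credential='constructed-sample-secret')"
PASSPHRASE = "correct horse battery staple"

def derive_keys(passphrase, salt):
    # Slow, salted KDF. Only the salt is stored; there is no passphrase,
    # hash of it, or "decoding routine" in the shipped artifact to recover.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def keystream(key, nonce, length):
    # Assumption: stand-in for AES-GCM / ChaCha20-Poly1305 (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(passphrase, plaintext):
    # Run once at build time; only the returned blob is distributed.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(passphrase, blob):
    # Run at start-up with the passphrase the operator types in.
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong passphrase or modified blob: nothing is decrypted
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

if __name__ == "__main__":
    blob = seal(PASSPHRASE, PAYLOAD)
    print(unseal(PASSPHRASE, blob))   # original payload
    print(unseal("foo", blob))        # None
```
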