From: Valdir M. <val...@ig...> - 2005-04-09 21:41:22
Hi all,

My experience is in Pascal, Clipper and Delphi. I develop projects in Delphi for a living. I also develop in J2SE for University subjects (I just know the basics for developing the logic). In Feb/05 I took a 60h course on C++ to get myself able to study and help the FlameRobin project. I have not been able to compile the project (Dev-C++ 4.9.9.1) so far, but I am still studying the "Dev-Cpp_How_to_build.txt" file. As much as I can, I try to read the devel messages.

This time, I hope I can collaborate with something. The source below was taken from the course I took and it is free for use. It was used for a whole file, but it might be used only for a single string.

Sincerely,
Valdir
Sao Paulo city, Sao Paulo state, Brazil

-------------------------

#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iostream>

/*
 How to encrypt a binary file

 d = 0;
 t = strlen(password);
 read ch from the origin file
 {
   save ch ^ password[d] ^ (password[0] * d) in the destination file
   password[d] += (d < (t-1)) ? password[d+1] : password[0];
   if (!password[d]) password[d]++;
   if (++d >= t) d = 0;
 }

 The key schedule never looks at the data, so the same keystream is produced
 on every run: running the program a second time with the same password
 turns the encrypted file back into the original.
*/

using namespace std;

int crypt(char *From_File, char *To_File, char *password);

int main(int argc, char **argv)
{
  if (argc != 4)
  {
    // "\>" is not a valid escape sequence; the backslash must be doubled
    cout << "\nHow to use: C:\\>Password.exe From_File To_File password";
    cout << "\nArguments received: " << argc << endl;
    exit(1);
  }
  return crypt(argv[1], argv[2], argv[3]);
}

int crypt(char *From_File, char *To_File, char *password)
{
  int d = 0;
  int t = strlen(password);
  char ch;

  if (t == 0)
  {
    cout << "The password must not be empty!" << endl;
    return 1;
  }

  // Open both files in binary mode (no newline translation), then check.
  // The original tested fin.good() before fin.open(), which can never fail.
  ifstream fin(From_File, ios::binary);
  ofstream fout(To_File, ios::binary);
  if (!fin.good() || !fout.good()) // any error bit set means the open failed
  {
    cout << "It was not possible to open the file!" << endl << endl;
    return 1;
  }

  while (fin.get(ch))
  {
    // keystream byte: current key byte mixed with the first key byte times the position
    fout.put(static_cast<char>(ch ^ password[d] ^ (password[0] * d)));
    // advance the key: fold the next key byte (or the first one, at the end) into this one
    password[d] += (d < (t - 1)) ? password[d + 1] : password[0];
    if (!password[d]) password[d]++; // never let a key byte become zero
    if (++d >= t) d = 0;             // wrap around to the start of the key
  }
  return 0;
}

-------------------------

----- Original Message -----
From: "Milan Babuskov" <mi...@km...>
To: <fla...@li...>
Sent: Saturday, April 09, 2005 4:07 PM
Subject: [Flamerobin-devel] Password security

> Hi all,
>
> I have some ideas about passwords. Currently, we store them as plain text.
> It is very easy to read them from config files, which is Bad(tm).
>
> I've been thinking about a simple scheme: encrypt all passwords, and save
> them encrypted into the config file. Have a master password which will be
> used as a key for these encryptions. When the user runs FR, he is asked for
> the master password, which is then remembered and used each time to decrypt
> all the individual passwords. We could make this a database-level option,
> i.e. in each DatabaseRegistration dialog the user would have a checkbox to
> store an encrypted or plain password for it.
>
> I'm not an expert in cryptography, but I believe we can develop some
> algorithm that does this on our own. We could use some of the existing
> libraries, but they have a lot of drawbacks: size, portability, licenses.
>
> I believe writing a simple encryption by XOR-ing the server password
> with a key (the master password) would be enough for standard usage. The
> reason is that we are encrypting another password (which is another string
> that doesn't make sense), so the attacker would have to test each password
> against a real server anyway. Thus all the advanced security concerns are
> moved to the Firebird server itself. In fact, it would be much easier for
> an attacker to launch a brute-force attack on the Firebird server than to
> first run every combination through our algorithm.
>
> The only weakness is that someone could sit at your computer while you're
> logged in to FR, and "register new database". He would know both the
> password (since he'll write it) and the hash (read later from servers.xml),
> and thus get the master password easily.
> To prevent this, we could ask for the master password each time the user:
> - registers a new database (with enc. pass.)
> - changes the password for a database (with enc. pass.)
> - changes the database password storage type (enc->plain and plain->enc).
>
> As for implementation, we could simply make a few functions that do
> enc/decryption, and change Database::getPassword() to return the encrypted
> password where wanted.
>
> I believe I have thought this through very well, so I'm posting it here as
> a reference for the future job of actually doing it. I'd like to see if
> anyone has got something to add to this? Perhaps some good XOR algorithm so
> we don't reinvent the wheel?
>
> --
> Milan Babuskov
> http://fbexport.sourceforge.net
> http://www.flamerobin.org
>
> _______________________________________________
> Flamerobin-devel mailing list
> Fla...@li...
> https://lists.sourceforge.net/lists/listinfo/flamerobin-devel
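Added example for this thread (editor's code, not FlameRobin code and not the program Valdir posted): both XOR schemes discussed above, applied to a single std::string as Valdir suggests, together with the check Milan describes in his "only weakness" paragraph, where someone who knows one stored password and reads its encrypted form from servers.xml gets the master password back. The example goes one step beyond the thread by applying the same known-pair check to Valdir's evolving-key routine: its key schedule never depends on the data, so every string encrypted under one password shares one keystream, and a known pair decrypts any other stored value up to the same length. The function names (xorBytes, xorRepeatingKey, valdirCrypt) and the sample values ("master", "s3cret!!", "hunter2") are constructed for illustration.

```cpp
// Added example, not code from the FlameRobin project or from this thread.
// Function names and sample values are illustrative assumptions.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Byte-wise XOR of two strings, truncated to the shorter one.
std::string xorBytes(const std::string& a, const std::string& b) {
    std::size_t n = std::min(a.size(), b.size());
    std::string out(n, '\0');
    for (std::size_t i = 0; i < n; ++i)
        out[i] = static_cast<char>(a[i] ^ b[i]);
    return out;
}

// Scheme 1: Milan's proposal as stated, XOR the server password with the
// master password, repeating the master password as needed. XOR with a
// data-independent key is its own inverse, so one call encrypts and decrypts.
std::string xorRepeatingKey(const std::string& data, const std::string& key) {
    if (key.empty()) throw std::invalid_argument("empty key");
    std::string out(data.size(), '\0');
    for (std::size_t i = 0; i < data.size(); ++i)
        out[i] = static_cast<char>(data[i] ^ key[i % key.size()]);
    return out;
}

// Scheme 2: Valdir's routine with the same key schedule as the posted
// crypt(), applied to a string instead of a file. The evolving password is a
// local copy (passed by value), so the caller's string stays intact.
std::string valdirCrypt(const std::string& data, std::string password) {
    if (password.empty()) throw std::invalid_argument("empty password");
    std::string out(data.size(), '\0');
    int d = 0;
    int t = static_cast<int>(password.size());
    for (std::size_t i = 0; i < data.size(); ++i) {
        out[i] = static_cast<char>(data[i] ^ password[d] ^ (password[0] * d));
        password[d] += (d < (t - 1)) ? password[d + 1] : password[0];
        if (!password[d]) password[d]++;
        if (++d >= t) d = 0;
    }
    return out;
}

int main() {
    // Constructed sample values, not taken from any real configuration.
    const std::string master = "master";
    const std::string pw1 = "s3cret!!";
    const std::string pw2 = "hunter2";

    // Scheme 1: round trip, then the recovery Milan describes. The stored
    // value XOR the known password is the master password, repeated.
    std::string stored1 = xorRepeatingKey(pw1, master);
    std::cout << "scheme 1 round trip: "
              << (xorRepeatingKey(stored1, master) == pw1 ? "ok" : "FAIL") << "\n";
    std::cout << "recovered master bytes: " << xorBytes(stored1, pw1) << "\n";

    // Scheme 2: round trip, then keystream reuse. ciphertext ^ plaintext of
    // the known pair is the keystream, which also decrypts the other value.
    std::string c1 = valdirCrypt(pw1, master);
    std::string c2 = valdirCrypt(pw2, master);
    std::cout << "scheme 2 round trip: "
              << (valdirCrypt(c1, master) == pw1 ? "ok" : "FAIL") << "\n";
    std::string keystream = xorBytes(c1, pw1);
    std::cout << "second password via reused keystream: "
              << xorBytes(c2, keystream) << "\n";
    return 0;
}
```

Both schemes round-trip with a single function, which is what makes them convenient; the same property is what the known-pair check exploits, since the stored value XOR the known plaintext gives back the key material without touching the Firebird server.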