Recent

Author Topic: [SOLVED] Is this method secure enough to Encrypt a password?  (Read 3729 times)

incendio

  • Full Member
  • ***
  • Posts: 157
[SOLVED] Is this method secure enough to Encrypt a password?
« on: November 22, 2021, 05:46:51 am »
Hi guys,

I am new to encrypting/decrypting password.

I found these code
Code: Pascal  [Select][+][-]
  1. unit uCrypto;
  2.  
  3. {$mode objfpc}{$H+}
  4.  
  5. interface
  6.  
  7. uses
  8.   Classes, SysUtils, BlowFish, Base64;
  9.  
  10.   function Encrypt(const AKey, AText: String): String;
  11.   function Decrypt(const AKey, AText: String): String;
  12.  
  13. implementation
  14.  
  15. function Encrypt(const AKey, AText: String): String;
  16. var
  17.   SS: TStringStream;
  18.   BES: TBlowFishEncryptStream;
  19. begin
  20.   Result := '';
  21.   if Trim(AText) = '' then
  22.     Exit;
  23.   SS := TStringStream.Create('');
  24.   try
  25.     BES := TBlowFishEncryptStream.Create(AKey, SS);
  26.     try
  27.       BES.Write(Pointer(AText)^, Length(AText));
  28.     finally
  29.       BES.Free;
  30.     end;
  31.     Result := EncodeStringBase64(SS.DataString);
  32.   finally
  33.     SS.Free;
  34.   end;
  35. end;
  36.  
  37. function Decrypt(const AKey, AText: String): String;
  38. var
  39.   SS: TStringStream;
  40.   BDS: TBlowFishDeCryptStream;
  41.   Str, Txt: String;
  42. begin
  43.   Result := '';
  44.   if Trim(AText) = '' then
  45.     Exit;
  46.   Str := '';
  47.   Txt := DecodeStringBase64(AText);
  48.   SS := TStringStream.Create(Txt);
  49.   try
  50.     BDS := TBlowFishDeCryptStream.Create(AKey, SS);
  51.     try
  52.       SetLength(Str, SS.Size);
  53.       BDS.Read(Pointer(Str)^, SS.Size);
  54.       Result := Str;
  55.     finally
  56.       BDS.Free;
  57.     end;
  58.   finally
  59.     SS.Free;
  60.   end;
  61. end;
  62.  
  63. end.
  64.  

From this link (post #21 - thanks to GetMem)
https://forum.lazarus.freepascal.org/index.php/topic,56489.15.html

Those codes is enough for me, but the problem is the key that stored in the executable file. When the file disassembled, it is easy enough to find this key.

So I tried to hide that key in the executable file with these method
  • Generate Ascii code from Ascii 32 to 126
  • Build my key by selecting characters from that generated Ascii codes

Here are the codes
Code: Pascal  [Select][+][-]
  1. var
  2.   Form1: TForm1;
  3.   s,MyKey : String;
  4.  
  5. procedure TForm1.FormCreate(Sender: TObject);
  6. var
  7.    i : integer;
  8.  
  9. begin
  10.   s:='';
  11.   setLength(s,95);
  12.   for i := 1 to 95 do s[i] := chr(i+31);
  13.  
  14.   MyKey := s[15]+s[36]+s[70]+s[22];
  15.   Encrypt(MyKey,'Some text');
  16. end;
  17.  

With a program, like Hex Editor, I found the generated Ascii codes, but couldn't find the key.

What do you guys thinks, is that method secure enough?
« Last Edit: November 23, 2021, 07:03:59 am by incendio »

SymbolicFrank

  • Hero Member
  • *****
  • Posts: 935
Re: Is this method secure enough to Encrypt a password?
« Reply #1 on: November 22, 2021, 09:03:42 am »
You can store and compare the checksum of a password instead. That's totally safe. No embedded keys needed.

incendio

  • Full Member
  • ***
  • Posts: 157
Re: Is this method secure enough to Encrypt a password?
« Reply #2 on: November 22, 2021, 09:15:33 am »
You can store and compare the checksum of a password instead. That's totally safe. No embedded keys needed.

How to do that?

MarkMLl

  • Hero Member
  • *****
  • Posts: 4212
Re: Is this method secure enough to Encrypt a password?
« Reply #3 on: November 22, 2021, 09:24:32 am »
With a program, like Hex Editor, I found the generated Ascii codes, but couldn't find the key.

What do you guys thinks, is that method secure enough?

The problem is that there are programs in the wild which are unreasonably good at finding random data where there /should/ be some sort of pattern, and the longer an encryption key or obfuscated password is the easier the target.

Do what @SymbolicFrank is suggesting: store the cryptographically hashed passphrase, get the user to enter a passphrase and compare its hash against what you've got stored (being careful to overwrite any strings before they go out of scope).

If you have a decent hash function it's difficult to work out matching input text. However NOTHING is proof against a user with the skill (or friends or resources) to find the single comparison instruction which decides whether the program can proceed.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

incendio

  • Full Member
  • ***
  • Posts: 157
Re: Is this method secure enough to Encrypt a password?
« Reply #4 on: November 23, 2021, 03:48:07 am »
The problem is that there are programs in the wild which are unreasonably good at finding random data where there /should/ be some sort of pattern, and the longer an encryption key or obfuscated password is the easier the target.

Do what @SymbolicFrank is suggesting: store the cryptographically hashed passphrase, get the user to enter a passphrase and compare its hash against what you've got stored (being careful to overwrite any strings before they go out of scope).

If you have a decent hash function it's difficult to work out matching input text. However NOTHING is proof against a user with the skill (or friends or resources) to find the single comparison instruction which decides whether the program can proceed.

MarkMLl

I am totally agree with you and @SymbolicFrank, but I am really newbie in this area.

Could you tell me how to store the cryptographically hashed passphrase / point me to the link where I can learn it.

Btw, the key to the password, it is embedded in the app but is not stored in some sort of pattern or obfuscated, it is just a plain text hidden in the plain sight.

Perhaps if the app is reverse engineering, the key will be found.

GetMem

  • Hero Member
  • *****
  • Posts: 3745
Re: Is this method secure enough to Encrypt a password?
« Reply #5 on: November 23, 2021, 06:49:47 am »
@incendio

Your method is safe from the Average Joe. Somebody with a disassembler can easily find your key and a hashed passphrase won't help either. If you wish to store user passwords my suggestion is: just don't do it. If you need the encryption to hide plain text from regular user then your method is good enough.

incendio

  • Full Member
  • ***
  • Posts: 157
Re: Is this method secure enough to Encrypt a password?
« Reply #6 on: November 23, 2021, 07:03:22 am »
@incendio

Your method is safe from the Average Joe. Somebody with a disassembler can easily find your key and a hashed passphrase won't help either. If you wish to store user passwords my suggestion is: just don't do it. If you need the encryption to hide plain text from regular user then your method is good enough.
Thanks for your suggestion.

For now, I will use this method till I have enough skill to build the better one.

 

TinyPortal © 2005-2018