[SOLVED] Is this method secure enough to Encrypt a password?

[incendio]

Hi guys,

I am new to encrypting/decrypting password.

I found these code

Code: Pascal  [Select][+][-]

1. unit uCrypto;
2.  
3. {$mode objfpc}{$H+}
4.  
5. interface
6.  
7. uses
8.   Classes, SysUtils, BlowFish, Base64;
9.  
10.   function Encrypt(const AKey, AText: String): String;
11.   function Decrypt(const AKey, AText: String): String;
12.  
13. implementation
14.  
15. function Encrypt(const AKey, AText: String): String;
16. var
17.   SS: TStringStream;
18.   BES: TBlowFishEncryptStream;
19. begin
20.   Result := '';
21.   if Trim(AText) = '' then
22.     Exit;
23.   SS := TStringStream.Create('');
24.   try
25.     BES := TBlowFishEncryptStream.Create(AKey, SS);
26.     try
27.       BES.Write(Pointer(AText)^, Length(AText));
28.     finally
29.       BES.Free;
30.     end;
31.     Result := EncodeStringBase64(SS.DataString);
32.   finally
33.     SS.Free;
34.   end;
35. end;
36.  
37. function Decrypt(const AKey, AText: String): String;
38. var
39.   SS: TStringStream;
40.   BDS: TBlowFishDeCryptStream;
41.   Str, Txt: String;
42. begin
43.   Result := '';
44.   if Trim(AText) = '' then
45.     Exit;
46.   Str := '';
47.   Txt := DecodeStringBase64(AText);
48.   SS := TStringStream.Create(Txt);
49.   try
50.     BDS := TBlowFishDeCryptStream.Create(AKey, SS);
51.     try
52.       SetLength(Str, SS.Size);
53.       BDS.Read(Pointer(Str)^, SS.Size);
54.       Result := Str;
55.     finally
56.       BDS.Free;
57.     end;
58.   finally
59.     SS.Free;
60.   end;
61. end;
62.  
63. end.
64.  

From this link (post #21 - thanks to GetMem)
https://forum.lazarus.freepascal.org/index.php/topic,56489.15.html

Those codes is enough for me, but the problem is the key that stored in the executable file. When the file disassembled, it is easy enough to find this key.

So I tried to hide that key in the executable file with these method

• Generate Ascii code from Ascii 32 to 126
• Build my key by selecting characters from that generated Ascii codes

Here are the codes

Code: Pascal  [Select][+][-]

1. var
2.   Form1: TForm1;
3.   s,MyKey : String;
4.  
5. procedure TForm1.FormCreate(Sender: TObject);
6. var
7.    i : integer;
8.  
9. begin
10.   s:='';
11.   setLength(s,95);
12.   for i := 1 to 95 do s[i] := chr(i+31);
13.  
14.   MyKey := s[15]+s[36]+s[70]+s[22];
15.   Encrypt(MyKey,'Some text');
16. end;
17.  

With a program, like Hex Editor, I found the generated Ascii codes, but couldn't find the key.

What do you guys thinks, is that method secure enough?

[SymbolicFrank]

You can store and compare the checksum of a password instead. That's totally safe. No embedded keys needed.

[incendio]

You can store and compare the checksum of a password instead. That's totally safe. No embedded keys needed.

How to do that?

[MarkMLl]

With a program, like Hex Editor, I found the generated Ascii codes, but couldn't find the key.

What do you guys thinks, is that method secure enough?

The problem is that there are programs in the wild which are unreasonably good at finding random data where there /should/ be some sort of pattern, and the longer an encryption key or obfuscated password is the easier the target.

Do what @SymbolicFrank is suggesting: store the cryptographically hashed passphrase, get the user to enter a passphrase and compare its hash against what you've got stored (being careful to overwrite any strings before they go out of scope).

If you have a decent hash function it's difficult to work out matching input text. However NOTHING is proof against a user with the skill (or friends or resources) to find the single comparison instruction which decides whether the program can proceed.

MarkMLl

[incendio]

The problem is that there are programs in the wild which are unreasonably good at finding random data where there /should/ be some sort of pattern, and the longer an encryption key or obfuscated password is the easier the target.

Do what @SymbolicFrank is suggesting: store the cryptographically hashed passphrase, get the user to enter a passphrase and compare its hash against what you've got stored (being careful to overwrite any strings before they go out of scope).

If you have a decent hash function it's difficult to work out matching input text. However NOTHING is proof against a user with the skill (or friends or resources) to find the single comparison instruction which decides whether the program can proceed.

MarkMLl

I am totally agree with you and @SymbolicFrank, but I am really newbie in this area.

Could you tell me how to store the cryptographically hashed passphrase / point me to the link where I can learn it.

Btw, the key to the password, it is embedded in the app but is not stored in some sort of pattern or obfuscated, it is just a plain text hidden in the plain sight.

Perhaps if the app is reverse engineering, the key will be found.

[balazsszekely]

@incendio

Your method is safe from the Average Joe. Somebody with a disassembler can easily find your key and a hashed passphrase won't help either. If you wish to store user passwords my suggestion is: just don't do it. If you need the encryption to hide plain text from regular user then your method is good enough.

[incendio]

@incendio

Your method is safe from the Average Joe. Somebody with a disassembler can easily find your key and a hashed passphrase won't help either. If you wish to store user passwords my suggestion is: just don't do it. If you need the encryption to hide plain text from regular user then your method is good enough.

Thanks for your suggestion.

For now, I will use this method till I have enough skill to build the better one.