How to hide the crypt key

alexre2003

Programmer
Apr 30, 2003
1
FR
Hi all,

Actually we are removing hard coded Oracle password in all our Pro*C programs..
Instead of hard coding the password we wrote some program
ULOGON where decrypting the password:

char *cmd = "/usr/bin/crypt key < /u01/home/sinbz/rajesh/db_access/pass1";

But we don't want to show the crypt password(key) we are using to decrypt the password in the code. We can read it from the file but in this case everybody can find this file
which contains the key.

Any help would be greatly appreciated!

Thank you in advance

Alexander Reichman
 
Who are you protecting against - the casual snoop or the determined hacker?
The former is easy - you just make the executable execute only --x--x--x and nobody can use say 'od' to read it and get the passwords.

Unless you make /u01/home/sinbz/rajesh/db_access/pass1 something like r-------- then you won't stop someone manually typing in the command to recover the password.

If you put anything in the code, you will need to keep the source code under lock and key as well.
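The reply above rests on file permissions: the password file has to be r-------- and owned by the user running the program, or anyone on the box can just run the crypt command themselves. A program that reads such a file should verify that before trusting it, the way ssh refuses a world-readable private key. The following shell function is an added example written for this page, not code from the thread or from any poster; the file path is the one quoted in the question and is only a placeholder for your own layout.

```shell
#!/bin/sh
# Added example (not from the original thread): refuse to read a credential
# file unless it is a regular file, owned by the calling user, with no
# group or other permission bits set (the "r--------" arrangement above).

# check_secret_file FILE
# Returns 0 when FILE is safe to read as a secret, 1 otherwise (reason on
# stderr). Uses `ls -ld` rather than stat(1) because stat's flags differ
# between GNU and BSD userland while the ls -l format is POSIX.
check_secret_file() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "check_secret_file: $file is not a regular file" >&2
        return 1
    fi
    # ls -ld prints: -rw------- 1 owner group size date name
    # Fields 1 and 3 sit before the file name, so word splitting is safe here.
    set -- $(ls -ld "$file")
    perms=$1
    owner=$3
    # Permission string: type, then 3 user bits, 3 group bits, 3 other bits;
    # a trailing + or @ may follow when ACLs or extended attributes exist.
    case "$perms" in
        ????------*) ;;
        *)
            echo "check_secret_file: $file is readable by group/other ($perms); chmod 600 it" >&2
            return 1
            ;;
    esac
    # Owner must be us; ls may print a numeric uid when no passwd entry exists.
    if [ "$owner" != "$(id -un 2>/dev/null)" ] && [ "$owner" != "$(id -u)" ]; then
        echo "check_secret_file: $file is owned by $owner, not by $(id -un 2>/dev/null || id -u)" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: sh check_secret.sh /u01/home/sinbz/rajesh/db_access/pass1
# (path from the question; assumed, substitute your own). With no argument the
# script only defines the function so it can be sourced by ULOGON-style wrappers.
if [ $# -gt 0 ]; then
    if check_secret_file "$1"; then
        echo "$1: permissions acceptable"
    else
        exit 1
    fi
fi
```

Run the check immediately before opening the file; it narrows the window in which a loosened mode goes unnoticed but does not replace keeping the file mode at 600 in the first place, and it does nothing about anyone who already holds root.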
 
If you will add code that encrypts the key that is placed in the file then when your app reads the file it decrypts this encrypted key and nobody will get anything from the file. I'm sure you realize that you can only protect the passwords from the casual user. If a federal agency or an experienced hacker wants your passwords they'll get them.
In light of this I have a simple encryption algorithm that encrypts a text file. I don't assume it is secure but I am sure that it would take some time to decrypt most text generated with it. You're welcome to it if you like. In the meantime you can download the application that I created it for at my web site. Look for "MadEncryption". This is the
algorithm in use, and you may find it useful. Also if your program that does the stuff (ULOGON) is not protected you have more problems.

The password liability function is inversely proportional to the difficulty incurred in the logon procedure multiplied by the degree of difficulty to access the key. (The Madhatter's rule of logon paranoia)

The server and/or information on it is only as secure as the door which is protecting it. Software is no security.
Steel doors are the only secure protection. There is a balance between accessibility and security with software.

tomcruz.net
 
About casual snoopers:
For what it's worth, I know of at least one piece of commercial software purporting to give password protection to users of a piece of laboratory equipment, that stores all its passwords, usernames, and what each user is entitled to do, as a text file (albeit with a funny file extension)! Unencrypted! But it's still good enough to keep the average scientist under control.

Having said that, I'm very angry at this piece of software, because users (who don't like to remember too many passwords) may tend to feed it the same password as they use for the system in general, and thereby throw away all the security built into windows logons.
 
For casual snooper defense just store the byte values in some base other than 10 like hex or whatever.

-pete
I just can't seem to get back my IntelliSense
 