Password encryption script 3

[Zoom1234]

Can anyone tell me what the following script does exactly?

use strict;

sub new{
        my($class,@args) = @_;
        my $self = [];
        bless $self,$class;
        return $self;
}

sub decode_pw {
    my ($self,$decoded) = @_;
        my ($offset, $work);

        $decoded = "";
        $work =~ s|\&amp\;|\&|g;

    for ($offset=length($_[1]); $offset>0; $offset--) {
        $work = ord(substr($_[1], $offset-1, 1)) + 13;
        $work = $work - 256 if ($work > 256);
        $decoded = $decoded . chr($work);
    }
    return($decoded);
}


sub encode_pw{
        my ($self,$string) = @_;
        my($loop,$coded,$work);
        for ($loop=length($string); $loop>0; $loop--) {
                $work = ord(substr($string, $loop-1, 1));
                $work = $work + 256 if ($work < 13);
                $work = $work - 13;
                $coded = $coded . chr($work);
        }

        $coded =~ s|\&|\&amp\;|g;
        return $coded;
}

 

[NullTerminator]

Simply put is is applying an offset of 13 to each letter in the original pass word, and wrapping if the result would be less that zero. Then it escapes ampersands to &


decode_pw simply reverses it. Unsecape ampersands and undo the offset.

Rather primitive.

Jeb

 

[Zoom1234]

Hi NullTerminator ,
Thanks for the response. I am implementing this in follwoing way. Do you have any suggestions?

require ("Encryption.pm");

my $test = new Encryption;
my $enpwd = $test->encode_pw("secreatpassword") ; # encrypt password
my originalpwd = $test->decode_pw($enpwd) ;

 

[KevinADC]

If this is used for non critical applications then it's fine. If this is something that really needs commercial strength encryption then you should use something else. There's modules like Crypt::Blowfish which is good enough for lots of non critical things. Crypt::TwoFish I believe uses stronger encryption (128 bit or more). There is always perls built-in crypt() function but there is no decrypt for that, it's one way but it's good for passwords because generally you don't need to decrypt a password. If you search CPAN (encryption) you will find more crypt modules than you will know what to do with.

 

[Zoom1234]

Thanks mate. I will keep that in mind.

 

[NullTerminator]

crypt works very well. it is 56 bit DES encryption. You never really unencrypt, but instead encrypt the supplied password and test it against the stored, encrypted password.

crypt uses a two character 'seed' to insure that not all encryptions use the same calculations. The seed is stored as the first two characters in the resultant string so it can be used later for generating an encrypted password for comparison.

see

http://www.die.net/doc/linux/man/man3/crypt.3.html

\0

 

[Zoom1234]

NullTerminator ,
Thanks for the explanation.
I followed the link given by you.
However the document says

Warning: The key space consists of 2**56 equal 7.2e16 possible values. Exhaustive searches of this key space are possible using massively parallel computers. Software, such as crack(1), is available which will search the portion of this key space that is generally used by humans for passwords. Hence, password selection should, at minimum, avoid common words and names. The use of a passwd(1) program that checks for crackable passwords during the selection process is recommended.

Though being a newbie, i did not understand exactly what it means, but is it safe enough to use for critical password encryption?

 

[KevinADC]

It is safe to use for "critical" passwords. As the article tried to explain, it's the generation the password itself that is the weak link in the system. If some dork decides his password is 'qwerty' (a real common choice) no amount of encryption is going to protect such a poor choice of a password. Here is some intersting reading:

http://www.google.com/search?hl=en&lr=&q=common+passwords&btnG=Search

http://www.google.com/search?hl=en&q=encryption+keys&btnG=Google+Search

Bottom line, if your passwords or data is that critical, 128 bit encryption or higher is best.

 

[Zoom1234]

Ok..

Can u give me an example how it can be used?
If i use the following code,

$salt = "ZZ" ;
$pwd = "WQ#@@" ;
$encpwd = crypt($pwd, $salt); 
print $encpwd;

The encrypted passsword will always have 'ZZ' at the beginning of it.(No matter what actaul password is.)
How can we provide that vaule of $salt more efficiently.

Thanks

 

[KevinADC]

you should randomly generate the salt, something like:

my @salt = ('.' ,  '/' , '0'..'9', 'A'..'Z', 'a'..'z');
my $rand_salt = $salt[rand @salt] . $salt[rand @salt];
my $password = 'thY6W2#j9';
my $crypt = crypt($password,$rand_salt);

 

[Zoom1234]

Thanks for the quality help to both of you.

 

[Zoom1234]

One last question.
How do i compare the encrypted password for authentication

 

[NullTerminator]

Use the first two charcters of the encrypted password to generated the encrypted password that you want to test.

my $passwordStored = lookup('user');
my $passwordFromUser = 'secretpwd';
## crypt will take the first two characters of stored password
##  as salt for encryption of new one passed in
if( crypt($passwordFromUser, $passwordStored) 
    eq $passwordStored ) {
   print "Original Password matches Password given";
}

Jeb
\0

 

[Zoom1234]

Thanks!!

 

[stevexff]

The OP code provides a crude rot13 encryption scheme with an escape for ampersands, presumably so that it can be safely stored as XML. In that case, then it should probably escape and unescape ", ', <, and > too. As NullTerminator points out this is rather primitive, and has been in use since Roman times.

The last post from NullTerminator kind of implies that the $passwordFromUser is being provided as plaintext. If this is being sent over the wire as HTTP rather than HTTPS (on a form, perhaps), then it's not secret at all and you may as well skip the whole crypt/decrypt thing altogether.

Steve

[small]"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object:erlDesignPatterns)[/small]

 

[NullTerminator]

Good point, HTTPS will protect the password while on the wire. When it gets back to the application layer it will be back in plain text. Zoom can encrypt and compare to the stored key.

Jeb

 

[Zoom1234]

You are right stevexff,
The encrypted password is put in XML file.
So like you said, to escape and unescape ", ', <, and >

#encode
$coded =~ s|\"|\&quot\;|g;
$coded =~ s|\'|\&apos\;|g;
$coded =~ s|\<|\&lt\;|g;
$coded =~ s|\>|\&gt\;|g;
#reverse it for decode

Does it seem alright?
I am aware of the fact that this module is not enough, but for the time being i have to continue with this

 

[stevexff]

In the encode, you have to do the & first, otherwise it screws up the others.

#encode
$coded =~ s|\&|\&amp\;|g;
$coded =~ s|\"|\&quot\;|g;
$coded =~ s|\'|\&apos\;|g;
$coded =~ s|\<|\&lt\;|g;
$coded =~ s|\>|\&gt\;|g;

In the reverse direction, it doesn't matter what order you do them in.

Steve

[small]"Every program can be reduced by one instruction, and every program has at least one bug. Therefore, any program can be reduced to one instruction which doesn't work." (Object:erlDesignPatterns)[/small]