Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsVB SyntaxEnterprise DevelopmentDatabase AccessControlsCOMWin APICrystal ReportDeploymentGeneralGeneral 2
Related Topics
VB.NET / ASP.NETMS SQL ServerMS AccessOther Database ProductsMore Topics ...

VB Forum / General / September 2004


Tip: Looking for answers? Try searching our database.

Encrypting variables

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
David Hodgkins - 30 Sep 2004 16:19 GMT
Hello all,
    I have a program that has to use a hard coded UserID and password to
access an encrypted file. For example:

**********************************************************
Dim strX as string 'UserID
Dim strYas string 'password
Dim strPath as string 'path to the file
Dim secFile as New SecureFile 'class to open encrypted file

strX = "JoeSmith"
strY = "jkdlsw23gh3"
strPath = "C:\Program Files\MyDirectory\MyFile.sec"

secFile.open strPath,strX, strY
**********************************************************

The problem with this is taht if someone were to open the exe with a text
editor, the username and password are visible. My proposed solution is that
instead or typing a literal string is to concatinate together the individual
characters  using the Chr() function.

Is this a valid method or is there a better method?
Reply to this Message
Tim Baur - 30 Sep 2004 16:26 GMT
"=?Utf-8?B?RGF2aWQgSG9kZ2tpbnM=?="
<DavidHodgkins@discussions.microsoft.com> wrote in news:935F55C8-DC65-4C19-
A701-5F97C6B9B467@microsoft.com:

> Is this a valid method or is there a better method?

That's what I do, and that's how I've seen it done.  I'm guessing a
determined hacker could still get at it though.  It's not inconceivable the
Chr() function has an identifiable fingerprint in a compiled exe.  The
value is literal, so that could be examined as well.

It's really all about level of risk.  If you need to keep this password out
of the hands of terrorists, then yeah, you should do more.  You could mask
your values with a few math operations and function calls.  Perhaps use
split to parse them.  There's really no end to the number of ways you could
obfuscate it.

If you're simply trying to keep honest people honest, then you're probably
good how you are.
Reply to this Message
Ralph - 30 Sep 2004 16:37 GMT
> Hello all,
>      I have a program that has to use a hard coded UserID and password to
[quoted text clipped - 19 lines]
>
> Is this a valid method or is there a better method?

You didn't mention the Windows plaform you need to support, so the actual
library or call will vary, but don't bother creating your own encryption
routines - they are often buggy and never as safe as the authors think they
are. Use the routines provided by your OS. Or open Google and start
searching for one of the many freebies out there.

On Win2k checkout the "CryptAPI".

hth
-ralph
Reply to this Message
Tim Baur - 30 Sep 2004 16:49 GMT
"Ralph" <msnews.20.nt_consulting32@spamgourmet.com> wrote in news:#iW
$vOwpEHA.1960@TK2MSFTNGP10.phx.gbl:

> Use the routines provided by your OS. Or open Google and start
> searching for one of the many freebies out there.

Ralph,

No matter what encryption routine he uses, he'll still have to store the
key to the encrypted key, won't he?  Unless I misunderstand the scheme,
couldn't the encryption key be hacked as easily as anything else?
Reply to this Message
Bob O`Bob - 30 Sep 2004 17:18 GMT
> "Ralph" <msnews.20.nt_consulting32@spamgourmet.com> wrote in news:#iW
> $vOwpEHA.1960@TK2MSFTNGP10.phx.gbl:
[quoted text clipped - 7 lines]
> key to the encrypted key, won't he?  Unless I misunderstand the scheme,
> couldn't the encryption key be hacked as easily as anything else?

Often that's just not the case.  What's stored is a hash of the key, and
many a hashing algorithm can be designed so that working it backwards is
just impractical.

    Bob
Reply to this Message
Tim Baur - 30 Sep 2004 17:42 GMT
Bob O`Bob <filterbob@yahoogroups.com> wrote in news:u#M2skwpEHA.2900
@TK2MSFTNGP12.phx.gbl:

> What's stored is a hash of the key, and
> many a hashing algorithm can be designed so that working it backwards is
> just impractical.

I don't have a lot of experience with encryption, so bear with me here.

My understanding is that the encryption engine takes a seed - a key - that
only you and no one else knows.  Once you seed it with the key, you can
encrypt and decrypt as much data as you want.  Other people who have that
key can decipher the encrypted values.

When I write a program that encrypts, my program must know what that key
is.  If I hard code it, then it has to store it somewhere in its code.  
It's up to me, not the encryption engine, to store it in a way that it
can't be decompiled out of the code later on.

This, in effect, is what David originally wanted.  Only instead of a key,
he wanted to store a password (same thing, really).  In this case, it seems
like the encryption is only adding a new layer of indirection, but not
necessarily a new layer of security.
Reply to this Message
Bob O`Bob - 30 Sep 2004 20:26 GMT
> This, in effect, is what David originally wanted.  Only instead of a key,
> he wanted to store a password (same thing, really).  In this case, it seems
> like the encryption is only adding a new layer of indirection, but not
> necessarily a new layer of security.

could be.

I have my at-work newsreader configured to filter out postings from
"@discussions.microsoft.com" because too many of them (for my taste)
were a complete waste of time.  So I can't easily go back to check the
original post, even it it was one of the exceptions.

    Bob
Reply to this Message
David Hodgkins - 30 Sep 2004 17:37 GMT
> > Hello all,
> >      I have a program that has to use a hard coded UserID and password to
[quoted text clipped - 32 lines]
> hth
> -ralph

It is a shrink-wrapped program designed to run on anything from Win98 on up.
The encryption routine is not my own, but that is just an example. I am not
worried about the encrypted file. What I am worried about is someone using
something like TextPad to open the exe and seeing "J.o.e.S.m.i.t.h." and the
password in the same way.
Reply to this Message
Bonj - 30 Sep 2004 17:03 GMT
It is a better method, and is probably as far as you need to go but without
going too far. There'll always be somebody that breaks it, but you've got to
weigh up the ratio of your effort to designing encryption algorithm to your
effort at designing the rest of the program, aswell as the cracker's effort
in breaking it against the cracker's potential gain by breaking it.

I always think that making it so you need to have at least *some* reasonable
knowledge of disassembly / assembly language / machine code to crack it is
always a good benchmark.

FWIW, one of the major problems with designing a licensing algorithm is that
no matter how sophisticated it is, any person cracking it by attempting to
unravel the machine code may not need to know *how it works*, they may only
need to know *where it is*, and just find out what it is supposed to return
and just intercept it before the end.

(Still fwiw)
To this end, I have designed an algorithm to fox people who may be able to
try their hand at this. I haven't implemented it yet, as the component which
it is designed to protect isn't finished yet, but in principle, what it does
is this: the application (my application, that is allowed to use the
component) instantiates it. It then calls a method, passing it an IDispatch*
(object). The component then gets some data from its resource, and calls a
method on this IDispatch which gets the same amount of data from the client
application's resource. It then XORs these two pieces of data together, to
get a string, (n * m * r) long. n is the number of 'security' functions the
component must call off the IDispatch* that it has been passed, m is the
length of the name of each one, r is the 'red-herring' padding factor of the
functions (completely cryptographically random function names). Hidden to
about three or four levels or indirection in the XORed data is the actual
number of functions to call (i.e. only part of the big string represents
valid names of functions at all), and some algorithm runs on the return
values of the functions (also cryptographically random strings), this
algorithm will be probaby just another 3 or 4 levels of indirection, to tell
it which is the correct return value. Hidden in the return value of the
correct function, is some data which is actually relevant to the program.
Hence, if it uses the wrong data - it won't 'refuse' instantiation in any
way, it will just crash spectacularly.
Deliberately designed to make the licensing code 'peppered' all over the
place. Just think of how it will look in machine code -that's all you have to
do... not necessarily understand it!

> Hello all,
>      I have a program that has to use a hard coded UserID and password to
[quoted text clipped - 19 lines]
>
> Is this a valid method or is there a better method?
Reply to this Message
Larry Serflaten - 30 Sep 2004 19:14 GMT
"David Hodgkins" <DavidHodgkins@discussions.microsoft.com> wrote
> Hello all,
>      I have a program that has to use a hard coded UserID and password to
> access an encrypted file. For example:
...
> The problem with this is taht if someone were to open the exe with a text
> editor, the username and password are visible. My proposed solution is that
> instead or typing a literal string is to concatinate together the individual
> characters  using the Chr() function.
>
> Is this a valid method or is there a better method?

Depending on who you want to stop, you may just use an encoded string
in some other base (like base 57, or some odd figure).  But for my money,
the trick is to force that hacker to have to look all over your code for the
needed parts to figure out the name/password.

To do that you can simply put the various parts at distant places in your
code, including secondary modules, and so forth.  Calling routines out of
the VB runtine will also force him to look there to know what your code is
doing.

For an example, imagine if the following routines were tucked in amonst all
your other event code, and so forth:

HTH
LFS

Option Explicit

Private HiddenValue As Double

Private Sub Form_Load()
Dim Name As String
Dim dummy As String
Dim idx

   ' Placed in your init code
   HiddenValue = 2.62845

  ' Build Name part
  dummy = runaround()
  For idx = 1 To 14 Step 2
    Name = Name & Puzzle(Val(Mid$(dummy, idx, 2)))
  Next
 
  MsgBox Name

End Sub

Private Function runaround() As String
' Tucked in between two large events, etc...
 runaround = Fakeout1 & Fakeout2
End Function

Public Function Fakeout1() As Variant
' In some .BAS module
Dim data As String
 data = Format(3 / 7.219, ".0000000000000")
 Fakeout1 = Mid$(data, 2)
End Function

Private Function Fakeout2() As Variant
' Tucked in between two large routines, etc...
Dim data As String
 data = HiddenValue * 0.214 * CDec(0.19119787)
 Fakeout2 = Mid$(data, 3)
End Function

Private Function Puzzle(ByVal Index As Long) As String
'  This same routine could be used to build other strings
'  Debug.Print Index
 
 Select Case Index
 Case 1: Puzzle = ""
 Case 2: Puzzle = "mi"
 Case 35: Puzzle = "t"
 Case 38: Puzzle = "ch"
 Case 41: Puzzle = "Jo"
 Case 45: Puzzle = "Pa  "
 Case 49: Puzzle = "h"
 Case 55: Puzzle = "e "
 Case 70: Puzzle = "S"
 ' ...
 End Select
 
End Function

 
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.