Trying to Understand Encrypting INI data

[Webs]

So to use the _StringEncrypt function I have to have the value I'm encrypting in the function. Then once I want to decrypt I have to have that value in the function too? That is what I do not understand. For example I used the following code to add two encrypted values to an INI file:

#include <String.au3>
#include <file.au3>
#include <INet.au3>

$iniFile = "dir"
$s_EncryptText1 = "username"
$s_EncryptText2 = "password"
$s_EncryptPassword = "random characters"

IniWrite ( $iniFile, "Settings", 6, _StringEncrypt ( 1, $s_EncryptText1, $s_EncryptPassword, 1 ) )
IniWrite ( $iniFile, "Settings", 7, _StringEncrypt ( 1, $s_EncryptText2, $s_EncryptPassword, 1 ) )

So those two variables, $s_EncryptText1 and 2, would they be necessary to be able to decrypt the values in the INI files? That to me doesn't make much sense and would seem to defeat the purpose of encrypting in the first place. Or am I missing something? If not, is there a way I could safely encrypt the strings without having to type the username and password in the script in clear text.

BTW, this is part of an automated script so it would not help me to have a popup box or something that asks for input.

[jchd]

It doesn't work the way you think, hopefully.

Here is how it really works:

Local $plaintext = "Assume that you can read this sentence."
Local $password = "s0Me 95% SékiuRe p@ß_wörd"

;; encryption
Local $cyphertext = _StringEncrypt(1, $plaintext, $password)

;; check readability (should fail)
ConsoleWrite($cyphertext & @LF)

; .../...

;; in some other part of code or another program
Local $recoveredPlaintext = _StringEncrypt(0, $cyphertext, $password)

;; check readability (should succeed)
ConsoleWrite($recoveredPlaintext & @LF)

[PsaltyDS]

It's called "symmetrical encryption" because the same password is used both ways. That's why it's not secure, and why _StringEncrypt() has never been recommended to secure critical data inside a script.

[Webs]

But here is what I'm trying to do.

I have a username and password in the INI file that I want to load into a script to use for creating a remote connection to a server. But I don't want that username and password in clear text in the script. So I have it in the INI file. But now its in clear text in the INI. Can I encrypt that?

It doesn't have to be anything super fancy because if someone gets root access to our servers an unencrypted INI file will be the least of our worries as the account that is in the INI file cannot do much. But I think to be compliant with our security measures at work, it just cannot be listed in clear text in INI.

I'm not sure how to do this because it looks like the way _StringEncrypt works is that it wants a cleartext value to encrypt as "$s_EncryptText".

I guess what I'm trying to explain is that I'm okay with having a clear text password for encryption in the script. But I just do not understand what the value "$s_EncryptText" is used for? Would this be my username, and then I would need a whole new line for the password with a second value?

Edited April 6, 2010 by Webs

[wraithdu]

This should make sense to you I hope. You're waaaay overcomplicating this:

#NoTrayIcon
#include <String.au3>

#cs
Ini File:

[Settings]
user=50980AD72A6D1F0F997015124C4B3583
pass=509D0DD52B6B1F0E980015674D443582

Generate those values:

ConsoleWrite(_StringEncrypt(1, "username", $sEncPass) & @CRLF)
ConsoleWrite(_StringEncrypt(1, "password", $sEncPass) & @CRLF)

#ce

$iniFile = "C:\some\path\to\inifile.ini"
$sEncPass = "secret"

$sUser = _StringEncrypt(0, IniRead($iniFile, "Settings", "user", ""), $sEncPass)
$sPass = _StringEncrypt(0, IniRead($iniFile, "Settings", "pass", ""), $sEncPass)

ConsoleWrite($sUser & "  :  " & $sPass & @CRLF)

[PhilHibbs]

Put simply: the same function call that encrypted your plain text can also be used to decrypt the encrypted version. So you pass the plain text and password in the first time, then you call the same functon but this time you pass in the encrypted text and the password, and you get back the unencrypted text.

The simplest form of symmetric encryption is "ROT13", which means "Rotate 13 characters". If you write down the 26-character alphabet on the outside of a circle, and rotate by 13 characters on the circle for each character of your input, a user name of "phibbs" would become "cuvoof". If you then take "cuvoof" and pass it through the same encryption process, you get "phibbs" back again. _StringEncrypt() is like that, but uses a password to make it a bit less obvious than ROT13.

Edited April 6, 2010 by PhilHibbs

[Webs]

Thanks wraithdu, I wasn't think about it correctly. Having the INIRead function inside the stringencrypt is what I was missing. For someone my brain didn't latch onto that concept.

Thanks for the explanation of the encryption Phil, that makes sense. I think it should be secure enough for what I'm doing.