Naveed

Security Issue with Encryption Key

8 posts in this topic

#1 ·  Posted (edited)

I have created a password manager which stores passwords in a text file using an encryption key.

However, as part of the requirements, the encryption key needs to be random, not one set by me, and not visible to me either. How would I go about doing this?

I have written the code below, which will generate the random encryption key. However, where do I store this to protect it from me? If I know where the encryption key is kept, I can use it to decrypt the values.

Is there a way of keeping it within the code so the key is not visible at all but can still be used to decrypt the password values?

#include <Security.au3>
#include <String.au3>

; Sample the mouse position once a second for ten seconds while the user
; moves it around; the coordinates feed into the key material below.
ProgressOn("Generating Encryption", "Move the mouse around the screen", "0 %")
$pos1 = MouseGetPos()
Sleep(1000)
ProgressSet(10, 10 & " %")
$pos2 = MouseGetPos()
Sleep(1000)
ProgressSet(20, 20 & " %")
$pos3 = MouseGetPos()
Sleep(1000)
ProgressSet(30, 30 & " %")
$pos4 = MouseGetPos()
Sleep(1000)
ProgressSet(40, 40 & " %")
$pos5 = MouseGetPos()
Sleep(1000)
ProgressSet(50, 50 & " %")
$pos6 = MouseGetPos()
Sleep(1000)
ProgressSet(60, 60 & " %")
$pos7 = MouseGetPos()
Sleep(1000)
ProgressSet(70, 70 & " %")
$pos8 = MouseGetPos()
Sleep(1000)
ProgressSet(80, 80 & " %")
$pos9 = MouseGetPos()
Sleep(1000)
ProgressSet(90, 90 & " %")
$pos10 = MouseGetPos()
Sleep(1000)
ProgressSet(100, 100 & " %")
ProgressOff()

; Three rounds of one lowercase letter, one uppercase letter and one digit
$text = ""
For $i = 0 To 2
    $text &= Chr(Random(97, 122, 1)) ; a-z
    $text &= Chr(Random(65, 90, 1))  ; A-Z
    $text &= Random(0, 9, 1)         ; 0-9
Next
$randomcharacters = $text

; Concatenate the sampled coordinates, the user name and the random characters into the key
$ENCRYPTIONKEY = $pos1[0] & $pos1[1] & $pos2[0] & $pos2[1] & $pos3[0] & $pos3[1] & $pos4[0] & $pos4[1] & @UserName & $pos5[0] & $pos5[1] & $pos6[0] & $pos6[1] & _
        $pos7[0] & $pos7[1] & $pos8[0] & $pos8[1] & $pos9[0] & $pos9[1] & $pos10[0] & $pos10[1] & $randomcharacters

; Encrypt the stored password with the generated key
$i_Encrypt = 1                  ; 1 = encrypt, 0 = decrypt
$s_EncryptText = "Userspassword"
$s_EncryptPassword = $ENCRYPTIONKEY
$i_EncryptLevel = 1
$FINALENCRYPTEDVALUE = _StringEncrypt($i_Encrypt, $s_EncryptText, $s_EncryptPassword, $i_EncryptLevel)

MsgBox(1, "", "Final encrypted value: " & $FINALENCRYPTEDVALUE)

Any help will be appreciated

Thanks

Naveed

Edited by Naveed

#2 ·  Posted (edited)

You can add some layers of abstraction, but it will still be fairly easy to crack your executable and get the encryption key.

This requirement is interesting because it was obviously written by someone that doesn't work with encryption much. Where did it come from, the PHB?

;)

Edited by PsaltyDS

PsaltyDS,

May I ask how would you store the encryption key? This indeed seems to be a major problem with using the encryption functions.

Regards,

4Eyes

Not sure what the PHB is, or who Phil is? ;)

Have you guys got any suggestions on how to get round this issue?

I would normally embed a unique encryption key within the script, but I have a requirement for it to be random, which is where the problem arises.

Thanks

@4Eyes: The problem is that the key is stored at all in the same container (the compiled .exe) with the encrypted data. It's like having a strong padlock on the hasp, but the key is hanging on a string right next to it. So maybe you obfuscate the key somewhat; that's just like hiding the key under the mat. The required key is still right there with the lock and fairly easy to find with a little effort.

The answer is NOT to store the key with the data. Period. The user should have to bring the key with them, or not get access.

@Naveed: The encryption key should be provided by the user at run time and never be hard-coded into your script. To add a layer of obfuscation, you might apply the user's provided key to produce a secure hash of some randomized phrase stored in the script, then the generated hash is used as the pass phrase for data encryption/decryption. But because the randomized phrase is still stored in the executable, it is still just a layer of obfuscation, not additional encryption. But just to be able to honestly tell the PHB there's a random element in the chain might help you with this specific instance.

;)

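The scheme PsaltyDS describes above (a key the user brings at run time, combined with a randomized phrase stored beside the data, hashed into the actual encryption key), as an added example that is not code from the thread or from the AutoIt UDFs. It uses only Python's standard library; the password-based KDF (PBKDF2-HMAC-SHA256) plays the role of the "secure hash", the iteration count and the sample passphrase are assumptions, and encrypting the password file itself with the derived key is left to an authenticated cipher from a proper crypto library.

```python
import hashlib
import hmac
import os

# The "randomized phrase" from the thread: a random salt stored next to the
# encrypted data. On its own it is useless to whoever holds the file; the
# secret half of the key material (the passphrase) never touches the disk.
SALT_BYTES = 16
KEY_BYTES = 32
ITERATIONS = 200_000  # assumed work factor; tune for the target machine


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the user's run-time passphrase plus the stored salt into a key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_BYTES)


def create_vault_header(passphrase: str) -> dict:
    """What gets written beside the ciphertext: the salt plus a verifier.

    The verifier is an HMAC over a fixed label under the derived key, so a
    wrong passphrase is rejected cleanly instead of decrypting to garbage.
    Neither field reveals the key to someone who only has the file.
    """
    salt = os.urandom(SALT_BYTES)
    key = derive_key(passphrase, salt)
    verifier = hmac.new(key, b"vault-check", "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, passphrase: str):
    """Re-derive the key from the stored salt; return it only if it checks out."""
    key = derive_key(passphrase, header["salt"])
    expected = hmac.new(key, b"vault-check", "sha256").digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None  # wrong passphrase: no key, so nothing can be decrypted
    return key


def key_is_absent(header: dict, passphrase: str) -> bool:
    """Sanity check: the derived key must not appear in anything stored."""
    key = derive_key(passphrase, header["salt"])
    return key not in header["salt"] + header["verifier"]


if __name__ == "__main__":
    # Constructed sample passphrase; a real program would prompt for it.
    hdr = create_vault_header("correct horse battery staple")
    print("stored beside the data:", {k: v.hex() for k, v in hdr.items()})
    print("unlock with wrong passphrase:", unlock(hdr, "wrong guess"))
```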
PsaltyDS,

Food for thought. Thank you.

4Eyes