Naveed, posted September 23, 2010 (edited)

I have created a password manager which stores passwords in a text file using an encryption key. However, as part of the requirements, the encryption key needs to be random, not one set by me, and not visible to me either. How would I go about doing this?

I have written the code below, which will generate the random encryption key. However, where do I store this to protect it from me? Because if I know where the encryption key is kept, I can use it to decrypt the values. Is there a way of keeping it within the code so the key is not visible at all but can still be used to decrypt the password values?

```autoit
#include <Security.au3>
#Include <String.au3>

; Sample the mouse position once a second while the user moves the mouse
ProgressOn("Generating Encryption", "Move the mouse around the screen", "0 %")
$pos1 = MouseGetPos()
sleep(1000)
ProgressSet(10,10 & " %")
$pos2 = MouseGetPos()
sleep(1000)
ProgressSet(20,20 & " %")
$pos3 = MouseGetPos()
sleep(1000)
ProgressSet(30,30 & " %")
$pos4 = MouseGetPos()
sleep(1000)
ProgressSet(40,40 & " %")
$pos5 = MouseGetPos()
sleep(1000)
ProgressSet(50,50 & " %")
$pos6 = MouseGetPos()
sleep(1000)
ProgressSet(60,60 & " %")
$pos7 = MouseGetPos()
sleep(1000)
ProgressSet(70,70 & " %")
$pos8 = MouseGetPos()
sleep(1000)
ProgressSet(80,80 & " %")
$pos9 = MouseGetPos()
sleep(1000)
ProgressSet(90,90 & " %")
$pos10 = MouseGetPos()
sleep(1000)
ProgressSet(100,100 & " %")
ProgressOff()

; Append random lower-case, upper-case and digit characters
$text = ""
For $i = 0 to 9-7
    $text &= Chr(Random(97,122,1))
    $text &= Chr(Random(65,90,1))
    $text &= Random(0,9,1)
Next
$randomcharacters = $text

; Build the key from the sampled coordinates, the user name and the random characters
$ENCRYPTIONKEY = $pos1[0]&$pos1[1]&$pos2[0]&$pos2[1]&$pos3[0]&$pos3[1]&$pos4[0]&$pos4[1]&@UserName&$pos5[0]&$pos5[1]&$pos6[0]&$pos6[1]& _
        $pos7[0]&$pos7[1]&$pos8[0]&$pos8[1]&$pos9[0]&$pos9[1]&$pos10[0]&$pos10[1]&$randomcharacters

; Encrypt a sample value with the generated key
$i_Encrypt = 1
$s_EncryptText = "Userspassword"
$s_EncryptPassword = $ENCRYPTIONKEY
$i_EncryptLevel = 1
$FINALENCRYPTEDVALUE = _StringEncrypt($i_Encrypt, $s_EncryptText, $s_EncryptPassword, $i_EncryptLevel)
MsgBox(1,"","Final EncryptionKey: " & $FINALENCRYPTEDVALUE)
```

Any help will be appreciated.

Thanks,
Naveed

Edited September 23, 2010 by Naveed

PsaltyDS, posted September 23, 2010 (edited)

You can add some layers of abstraction, but it will still be fairly easy to crack your executable and get the encryption key. This requirement is interesting because it was obviously written by someone that doesn't work with encryption much. Where did it come from, the PHB?

Edited September 23, 2010 by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Bert, posted September 23, 2010

Naaa.... Maybe Phil put him up to it....

The Vollatran project
My blog: http://www.vollysinterestingshit.com/

PsaltyDS, posted September 23, 2010

Poor PFY doesn't even know who I'm talking about...

4Eyes, posted September 23, 2010

PsaltyDS,

May I ask how would you store the encryption key? This indeed seems to be a major problem with using the encryption functions.

Regards,
4Eyes

Naveed (author), posted September 24, 2010

Not sure what the PHB is, or who Phil is? Have you guys got any suggestions on how to get round this issue? I would normally embed a unique encryption key within the script, but I have a requirement for it to be random, which is where the problem arises.

Thanks

PsaltyDS, posted September 24, 2010

@4Eyes: The problem is that the key is stored at all in the same container (the compiled .exe) with the encrypted data. It's like having a strong padlock on the hasp, but the key is hanging on a string right next to it. So maybe you obfuscate the key somewhat, that's just like hiding the key under the mat. The required key is still right there with the lock and fairly easy to find with a little effort. The answer is NOT to store the key with data. Period. The user should have to bring the key with them, or not get access.

@Naveed: The encryption key should be provided by the user at run time and never be hard-coded into your script. To add a layer of obfuscation, you might apply the user's provided key to produce a secure hash of some randomized phrase stored in the script, then the generated hash is used as the pass phrase for data encryption/decryption. But because the randomized phrase is still stored in the executable, it is still just a layer of obfuscation, not additional encryption. But just to be able to honestly tell the PHB there's a random element in the chain might help you with this specific instance.
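
The scheme PsaltyDS describes above (the user supplies the key at run time, and a stored random value is hashed together with it to produce the working key), as an added example that is not part of the original thread, written in Python rather than AutoIt. The function names, the iteration count and the HMAC-based keystream are assumptions of this example; the keystream stands in for an authenticated cipher such as AES-GCM, which Python's standard library does not provide.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the user's passphrase with the stored random salt into two keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(passphrase: str, plaintext: bytes) -> dict:
    """Encrypt; the record holds salt, nonce, ciphertext and tag, never a key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unseal(passphrase: str, record: dict) -> bytes:
    """Re-derive the keys from the passphrase; a wrong passphrase fails the tag check."""
    enc_key, mac_key = derive_keys(passphrase, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong passphrase or modified data")
    return keystream_xor(enc_key, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    # Constructed sample values: the passphrase would come from a prompt at run time.
    record = seal("constructed master passphrase", b"Userspassword")
    print({name: value.hex() for name, value in record.items()})
    print(unseal("constructed master passphrase", record))
```

The random salt is the "random element in the chain": it can sit in the text file next to the ciphertext because it is useless without the passphrase, which is the one thing never written to disk.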

4Eyes, posted September 25, 2010

PsaltyDS,

Food for thought. Thank you.

4Eyes