
Thread: Security, encryption & hacking questions

  1. #1

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819

    Security, encryption & hacking questions

    1) How secure is the blowfish encryption?

    2) In the secure scheme I have for some of my apps, the app reads the security file and as soon as the username/password is validated, the password is set to an empty string to remove it from memory. But, the user's security privilege is not because I have to reference it frequently in the program to determine what the user has access to. I'm assuming it wouldn't be difficult for someone to hack the memory and upgrade the user's privileges if they wanted to. So what I'm looking for is a way to either prevent memory hacks or maybe a better scheme to keep track of what privileges the user has without leaving it in memory.

  2. #2
    jim mcnamara
    Guest
    blowfish & twofish are reasonably secure. But a dedicated hacker could, in theory, break 'em.

    You have to look at security this way - how much time would a weirdo spend to crack your program? It depends on the rewards(answer ).

    I don't mean monetary. A STUPID ISP (RT66.com) in New Mexico dared hackers to break in. It was a ploy to show off how secure the system was. Hackers nuked 'em repeatedly. For about a year the ISP was on again- off again.

    The api comes with DES encryption support (called Crypto). Basically, this takes full-time supercomputer access for years to crack. Since supercomputing costs $1000/ hour and up, most back-basement hackers are not gonna get far with DES.

    Download the www.allapi.net apiguide and their apiviewer. All free - and it comes with pretty good samples for using Crypto.

  3. #3

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Thanks for the info Jim. Personally, I don't dare people to break my stuff, because, like you said, someone will find a way.

    I look at encryption as really being second-rate security no matter how good it is. The best security is keep people away from your stuff in the first place. Easier said than done, I know. But if your network is secure, then you've limited the possible hackers to those who you've ALLOWED onto your network.

    If they simply want the info your files hold, then they need to break the encryption. If they just want to cause havoc, then they can corrupt or delete files.

    So all I need is something that keeps the average user out without making it such a pain that they hate using the program. I'll look into the crypto stuff.

    The reason I asked about blowfish was I found some really complex looking source code for it. I've never been able to hack into anything, so obviously, everything is secure from me. But that doesn't mean a 6th grader next door won't laugh as he spends ten seconds breaking into my stuff.

  4. #4
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    Originally posted by cafeenman
    I look at encryption as really being second-rate security no matter how good it is. The best security is keep people away from your stuff in the first place.
    I can't find the emoticon for "I disagree strongly" but I've gotta tell you cafeenman - it's MUCH easier for someone to kick your front door down and beat you until you give them your secrets than to break something like blowfish - a publicly tested and analysed 128-bit code designed by a top rank cryptographer.

    I think it's the cryptographer Ross Anderson who coins the phrase 'forced key' for this rubber hose technique.
    Looking for a friendly intelligent chat forum? Visit the white-hart.net

  5. #5

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by Kzin


    I can't find the emoticon for "I disagree strongly" but I've gotta tell you cafeenman - it's MUCH easier for someone to kick your front door down and beat you until you give them your secrets than to break something like blowfish - a publicly tested and analysed 128-bit code designed by a top rank cryptographer.

    I think it's the cryptographer Ross Anderson who coins the phrase 'forced key' for this rubber hose technique.
    I see what you mean, and I don't disagree with that in a real world sense. But if my computer isn't hooked up to anything, then nobody is going to break into my Microsoft Money file unless I let them use my computer. I do believe that good encryption is stronger than network security, so I was really speaking hypothetically.

    Anyway, I never did get an answer about the memory thing. Is this something I should be worried about and take into account?

  6. #6

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    I'm currently trying to decipher all this blowfish code I've got. Basically, it has a ton of options for the demo program - most of which I'll never use. So I'm stepping through it and trying to figure out what I need to keep, what I can discard, and what all the hard-coded values mean. I'm not sure if they are actual numbers that need to be the values they are so the program will work or just magic numbers for generating keys. In the latter case, I probably need to change them to something else so they aren't the same as the other 100,000 people's who downloaded the same thing.

  7. #7
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    Originally posted by jim mcnamara
    blowfish & twofish are reasonably secure. But a dedicated hacker could, in theory, break 'em.


    DES . . . takes full-time supercomputer access for years to crack. Since supercomputing costs $1000/ hour and up, most back-basement hackers are not gonna get far with DES.

    Download the www.allapi.net apiguide and their apiviewer. All free - and it comes with pretty good samples for using Crypto.

    Have you got a reference for this? - there have been several cases of grad students cracking DES by using their college computer networks over the summer vac.

    Twofish was a runner up in the US federal AES competition to replace DES. This is what the US National Institute of Standards and Technology says about AES -

    A code-breaking scheme that takes only 1 second to defeat today's DES would need 149 trillion years to crack a 128-bit implementation of the AES standard
    Looking for a friendly intelligent chat forum? Visit the white-hart.net

  8. #8
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    Caffenman,
    Blowfish is quite secure. Attached is a library that exposes its functions. Pretty easy to use.

    As Jim commented, the cost-benefit analysis should weigh in favour of your Application, in most cases.

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia

  9. #9
    Fanatic Member Kzin's Avatar
    Join Date
    Dec 2000
    Posts
    611
    Originally posted by cafeenman
    I'm currently trying to decipher all this blowfish code I've got. Basically, it has a ton of options for the demo program - most of which I'll never use. So I'm stepping through it and trying to figure out what I need to keep, what I can discard, and what all the hard-coded values mean. I'm not sure if they are actual numbers that need to be the values they are so the program will work or just magic numbers for generating keys. In the latter case, I probably need to change them to something else so they aren't the same as the other 100,000 people's who downloaded the same thing.
    If it is a proper implementation of Blowfish (go to the Blowfish inventor's home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.

    If you implement everything properly then this is the real weakness - getting a unique key
    Looking for a friendly intelligent chat forum? Visit the white-hart.net

  10. #10

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by KayJay
    Caffenman,
    Blowfish is quite secure. Attached is a library that exposes its functions. Pretty easy to use.

    As Jim commented, the cost-benefit analysis should weigh in favour of your Application, in most cases.
    Thanks, I'll look at it. I really don't like including 3rd party dll's in my apps though. I fundamentally don't trust them.

  11. #11

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by Kzin


    If it is a proper implementation of Blowfish (go to the Blowfish inventors home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.

    If you implement everything properly then this is the real weakness - getting a unique key
    One algorithm I used (keeping in mind I don't know anything about this stuff) uses the user password for the key. Then it generates a random number and goes through the ascii table for each character and finds a replacement. Then it uses that value as a seed for the next random number and so on and so forth.

    It works because if you always use the same seed with VB's random number generator, you'll always get the same set of numbers. After all that's done, I generate a checksum based on certain values of each user record. Then I generate another checksum for the entire file. Then I encrypt the entire file and save it.

    When it comes right down to it, someone who knows what they're doing could probably crack it pretty quickly, but even though I know how it works, I can't crack it without the password.

    The next problem is that the master key has to be stored somewhere, and that information can probably be extracted from the exe fairly easily. I encrypted the key so it wouldn't be obvious if someone were to hex edit the exe. The problem is that it doesn't work on some computers. I think that has to do with the unicode thing which I still don't understand. Everyone keeps talking to me about byte arrays, but I don't get why or how I'm supposed to convert text to a byte array.

    Anyway... I still want to know about the memory thing.

  12. #12

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by Kzin


    If it is a proper implementation of Blowfish (go to the Blowfish inventors home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.

    If you implement everything properly then this is the real weakness - getting a unique key
    That's the code I downloaded. I'm not sure what the implications are of using it in my app, but I don't need most of the code and he has copyrights all over it. All I want to do is encrypt and decrypt strings using one of the algorithms. He's got a bunch of different options for encryption as well as file encryption. It's all good, but way more than I need. But legally, I don't know if I'm allowed to strip it down to what I do need.

  13. #13
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    , but I don't get why or how I'm supposed to convert text to a byte array.
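    VB Code:
    ' Module-level byte array that receives the converted text
    Dim bArr() As Byte

    Private Sub Command1_Click()
        ' vbFromUnicode converts the string to one byte per character
        ' using the system's ANSI code page
        bArr = StrConv("This is the Text", vbFromUnicode)
    End Sub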
    Anyway... I still want to know about the memory thing
    To avoid in-memory hacking is difficult. One really convoluted method that comes to my mind is to have your privilege variable as a Class Module and Raise an On_Change event, where you could check whether the change occurred as a result of a login method or just a sudden change mid-way.

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia

  14. #14

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by KayJay
    One really convoluted method that comes to my mind is to have your privilege variable as a Class Module and Raise an On_Change event, where you could check whether the change occurred as a result of a login method or just a sudden change mid-way.
    OK, you guys seemed to have picked everything I don't know squat about. I still haven't got a clue how to raise events in my classes.

    Here's a problem that actually came up with one of my apps. Someone downloaded it overseas (I forget which country). The connection string was something like this:

    VB Code:
    Private Function StartDatabase()
        Dim sPassword As String

        ' Recover the database password from the obfuscated literal in the exe
        sPassword = Decrypt("xyz123abc987")

        ' Open the Access database with the recovered password
        Set DB = wks.OpenDatabase(SF.DbFilename, Exclusive, False, "MS Access;pwd=" & sPassword)

    End Function
    It had worked flawlessly until he used it and for some reason the password wasn't being sent properly. I had to hardcode the real password into the connection string and it worked fine. Don't nitpick the code above, because it may not be exactly right. The point is this software is installed and working on versions of windows from 95 through XP and it always worked fine.

    I'm pretty sure it's a unicode thing, but not being there to play with it I never could be sure.

  15. #15
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    what was the Encryption algorithm U used there?

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia

  16. #16

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by KayJay
    what was the Encryption algorithm U used there?
    The one I was talking about in an earlier post. It has functioned flawlessly on every computer I've ever installed my app on. It's just that one guy in some other country whose computer it failed on. I think it was Turkey.

  17. #17
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    One algorithm I used (keeping in mind I don't know anything about this stuff) uses the user password for the key. Then it generates a random number and goes through the ascii table for each character and finds a replacement. Then it uses that value as a seed for the next random number and so on and so forth
    That one? Then it sure is the Unicode prob. try this
    VB Code:
    Dim bArr() As Byte, UniCodestr As String

    Private Sub Command1_Click()
        Dim i As Long

        UniCodestr = StrConv("xyzabc123987", vbUnicode)
        Debug.Print UniCodestr
        ' One byte per character, in the system's ANSI code page
        bArr = StrConv("xyzabc123987", vbFromUnicode)
        For i = LBound(bArr) To UBound(bArr)
            Debug.Print Chr(bArr(i))
        Next
    End Sub
    ' You could now either use UniCodestr or the bArr() array depending on the algorithm you use

    And if it ain't overkill. Check out this collection of Modules for Coder/Decoders.

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia

  18. #18

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    I don't remember exactly what I did and I changed the code to just send the password after that. Besides, we all know how easy it is to defeat an access password anyway, so encrypting the password within the exe is a lame security attempt at best.

    Anyway, I think I sent the password through this and used the result as the string in the exe. Then I passed it through the decrypt version before putting it in the connection string. This algorithm doesn't use a key and I know it's not very secure. I just didn't want the password in plain sight within the exe.

    VB Code:
    ' Keyless obfuscation: reverses the string and replaces each character
    ' with (270 + position - character code) And 255.
    Public Function EncryptText(sString As String) As String
        Dim i As Long
        Dim iLen As Long
        Dim sDest As String

        On Error GoTo errHandler

        sDest = sString
        iLen = Len(sDest) + 1

        For i = 1 To Len(sDest)
            ' Asc and Chr$ convert through the system's ANSI code page
            Mid$(sDest, i, 1) = Chr$((270 + i - Asc(Mid$(sString, iLen - i, 1))) And 255)
        Next i

        EncryptText = sDest

        Exit Function

    errHandler:
        LogError Error, Err, vbNullString, "bFunctions.EncryptText"
        EncryptText = vbNullString

    End Function

  19. #19
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    Since you have coded using the ANSI character set, the prob. may be the Turkish comp. is using a different language setting as default.

    A quote from http://www.hclrss.demon.co.uk/demos/ansi.html
    If you use a version of Windows that is designed for a non-Latin alphabet such as Arabic, Cyrillic, Greek, Hebrew or Thai to view a document that has been typed using the ANSI character set, then characters from these languages may replace some of those in the 128–255 range; this problem will be resolved when Unicode becomes more widely used, because it provides a unique numeric identifier for each character. There are similar problems when transferring ANSI documents to DOS or Macintosh computers, because DOS and MacRoman arrange characters differently in the 128–255 range.
    { Emphasis Mine }

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia
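
The code-page dependence described in post #19, as an added example that is not code from the thread: it ports the arithmetic of `EncryptText` from post #18 to Python and decodes the same stored literal under a Western European (cp1252) and a Turkish (cp1254) ANSI code page. `vb_asc` and `vb_chr` are a simplified model of VB's `Asc`/`Chr$` (characters the code page lacks are modelled as `?`), the inverse transform is derived here because the thread shows only the forward step, and the password is a constructed sample.

```python
# Added example, not code from the thread. vb_asc/vb_chr are a simplified
# model of VB6 Asc()/Chr$(), which convert through the system ANSI code page.

def obfuscate(data: bytes) -> bytes:
    """The EncryptText arithmetic from post #18, applied to raw bytes."""
    n = len(data)
    return bytes((270 + i - data[n - i]) & 255 for i in range(1, n + 1))


def deobfuscate(blob: bytes) -> bytes:
    """Inverse of obfuscate(); derived for this example."""
    n = len(blob)
    return bytes((270 + (n + 1 - j) - blob[n - j]) & 255 for j in range(1, n + 1))


def vb_chr(code: int, codepage: str) -> str:
    """Model of Chr$(code): byte value to character via the ANSI code page."""
    try:
        return bytes([code]).decode(codepage)
    except UnicodeDecodeError:
        return chr(code)  # unassigned byte: modelled as the same-numbered control


def vb_asc(ch: str, codepage: str) -> int:
    """Model of Asc(ch): character to byte value via the ANSI code page."""
    try:
        return ch.encode(codepage)[0]
    except UnicodeEncodeError:
        # C1 controls round-trip; any other missing character becomes "?"
        return ord(ch) if 0x80 <= ord(ch) <= 0x9F else ord("?")


def vb_encrypt(text: str, codepage: str) -> str:
    """String-based path, as in the VB function."""
    blob = obfuscate(bytes(vb_asc(c, codepage) for c in text))
    return "".join(vb_chr(b, codepage) for b in blob)


def vb_decrypt(stored: str, codepage: str) -> str:
    blob = bytes(vb_asc(c, codepage) for c in stored)
    return "".join(vb_chr(b, codepage) for b in deobfuscate(blob))


PASSWORD = "db-pass-2002"                 # constructed sample value
STORED = vb_encrypt(PASSWORD, "cp1252")   # the literal as built on a cp1252 machine


def demo() -> dict:
    blob = obfuscate(PASSWORD.encode("ascii"))
    return {
        "stored_literal": STORED,
        "decrypt_cp1252": vb_decrypt(STORED, "cp1252"),
        "decrypt_cp1254": vb_decrypt(STORED, "cp1254"),
        # Byte-array path: no code page involved, so it is the same everywhere
        "bytes_hex": blob.hex(),
        "bytes_roundtrip": deobfuscate(blob).decode("ascii"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value!r}")
```

Only the first stored character (byte 0xDD) differs between the two code pages, which is enough to corrupt the recovered password; the byte-array path, stored as hex, gives the same result on any locale.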

  20. #20

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by KayJay
    Since you have coded using the ANSI character set, the prob. may be the Turkish comp. is using a different language setting as default.
    OK, I guess it's time to start doing conversion so I can do multi-cultural applications

    Thanks for your help.

  21. #21
    PowerPoster Beacon's Avatar
    Join Date
    Jan 2001
    Location
    Pub Floor
    Posts
    3,188
    Hi cf!

    Umm I didn't read it all but saw you were opening an access database.
    I gather your access database is password protected with the same password right?
    Most hackers won't go through your app to get to a database they'll just go straight to the .mdb file and hack that password.
    I know you just wanna hide your password from spy ware though.
    But seriously access passwords are quite easy to crack anyways. I'd say that should be your biggest concern.
    I can get most passwords from access 2k and 97 (haven't tried xp etc.)

  22. #22

    Thread Starter
    PowerPoster cafeenman's Avatar
    Join Date
    Mar 2002
    Location
    Florida
    Posts
    2,819
    Originally posted by Beacon
    Hi cf!

    Umm I didn't read it all but saw you were opening an access database.
    I gather your access database is password protected with the same password right?
    Most hackers won't go through your app to get to a database they'll just go straight to the .mdb file and hack that password.
    I know you just wanna hide your password from spy ware though.
    But seriously access passwords are quite easy to crack anyways. I'd say that should be your biggest concern.
    I can get most passwords from access 2k and 97 (haven't tried xp etc.)
    I did mention that in an earlier post. When I wrote the code several years ago I didn't know how easy it was to hack the password. Now I'm asking about it just because of the error that was raised when sending the password to the database.

    The ultimate problem is that if I say my application is secure, I want to be telling the truth. I know nothing is 100%, but I want to be able to say to what extent it is secure so those who use my programs know what the risks are. I don't like withholding that kind of information. First, I don't think it's cool. Second, I could be setting myself up for lawsuits if I say it's secure and an 8 y/o breaks into it with his nintendo key generator.

  23. #23
    Frenzied Member KayJay's Avatar
    Join Date
    Jul 2001
    Location
    Chennai
    Posts
    1,849
    So what I'm looking for is a way to either prevent memory hacks or maybe a better scheme keep track of what privileges the user has without leaving it in memory.
    I do not know how to make a "Trainer" yet. But would this work?
    VB Code:
    'In a module
    Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Const GWL_WNDPROC = -4
    Private Const WM_SETTEXT = &HC
    Private lpPrevWndProc As Long
    Private lngHWnd As Long

    ' Subclass the window: route its messages through WindowProc below
    Public Sub Hook(hWnd As Long)
        lngHWnd = hWnd
        lpPrevWndProc = SetWindowLong(lngHWnd, GWL_WNDPROC, AddressOf WindowProc)
    End Sub

    ' Restore the original window procedure
    Public Sub UnHook()
        Dim lngReturnValue As Long
        lngReturnValue = SetWindowLong(lngHWnd, GWL_WNDPROC, lpPrevWndProc)
    End Sub

    Public Function WindowProc(ByVal hw As Long, ByVal uMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
        Select Case uMsg
            Case WM_SETTEXT
                ' Swallow any attempt to change the text once the hook is in place
                MsgBox "Not Possible!"
            Case Else
                WindowProc = CallWindowProc(lpPrevWndProc, hw, uMsg, wParam, lParam)
        End Select
    End Function


    'In a form
    Private Sub Command1_Click()
        ' Try to change the privilege after the hook is installed
        Text1.Text = "UltraSuperUser"
        MsgBox Text1.Text
    End Sub

    Private Sub Form_Load()
        Dim priv As String
        Text1.Visible = False
        priv = "SuperUser"
        ' Store the privilege in the hidden text box, then hook it
        Text1.Text = priv
        priv = ""
        Call Hook(Text1.hWnd)
    End Sub

    Private Sub Form_Unload(Cancel As Integer)
        Call UnHook
    End Sub
    ' and use Text1.Text whenever you want to access the privilege variable.
    Last edited by KayJay; Jun 11th, 2002 at 05:12 AM.

    "Brothers, you asked for it."
    ...Francisco Domingo Carlos Andres Sebastian D'Anconia
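
The idea from posts #13 and #23 (only the login path may set the privilege, and any other change to it is noticed when it is next read), as an added example that is not code from the thread. It is written in Python rather than VB; `PrivilegeGuard`, `TamperedPrivilege` and the level names other than `SuperUser` are hypothetical. The HMAC key lives in the same process as the value it protects, so this detects a blind change to the variable and fails closed; it does not stop someone who can read and write all of the process's memory.

```python
# Added example, not code from the thread. Class and level names are hypothetical.
import hashlib
import hmac
import secrets


class TamperedPrivilege(Exception):
    """The stored privilege no longer matches what login() recorded."""


class PrivilegeGuard:
    RANK = {"Guest": 0, "User": 1, "SuperUser": 2}

    def __init__(self):
        self._key = secrets.token_bytes(32)  # per-process, never written to disk
        self._user = self._level = self._tag = None

    def _mac(self, user, level):
        msg = f"{user}\x00{level}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def login(self, user, level):
        """The only path that sets a privilege; call it after the password check."""
        if level not in self.RANK:
            raise ValueError(f"unknown privilege level: {level!r}")
        self._user, self._level = user, level
        self._tag = self._mac(user, level)

    def level(self):
        """Return the privilege, verifying it against the tag on every read."""
        if self._tag is None:
            raise PermissionError("no authenticated session")
        expected = self._mac(self._user, self._level)
        if not hmac.compare_digest(self._tag, expected):
            self._user = self._level = self._tag = None  # fail closed
            raise TamperedPrivilege("privilege changed outside login()")
        return self._level

    def allows(self, required):
        return self.RANK[self.level()] >= self.RANK[required]


def demo():
    guard = PrivilegeGuard()
    guard.login("alice", "User")            # constructed sample user
    allowed_before = guard.allows("SuperUser")

    guard._level = "SuperUser"              # stands in for an out-of-band change
    try:
        guard.allows("SuperUser")
        detected = False
    except TamperedPrivilege:
        detected = True

    try:
        guard.level()
        session_alive = True
    except PermissionError:
        session_alive = False               # the session was dropped on detection
    return allowed_before, detected, session_alive


if __name__ == "__main__":
    print(demo())
```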

  24. #24
    Registered User
    Join Date
    Jan 2003
    Posts
    218
    Does anyone know the answer to this problem I have: http://www.vbforums.com/showthread.p...88#post1450188

    Many thanks.
