2) In the secure scheme I have for some of my apps, the app reads the security file and as soon as the username/password is validated, the password is set to an empty string to remove it from memory. But, the user's security privilege is not because I have to reference it frequently in the program to determine what the user has access to. I'm assuming it wouldn't be difficult for someone to hack the memory and upgrade the user's privileges if they wanted to. So what I'm looking for is a way to either prevent memory hacks or maybe a better scheme keep track of what privileges the user has without leaving it in memory.
blowfish & twofish are reasonably secure. But a dedicated hacker could, in theory, break 'em.
You have to look at security this way - how much time would a weirdo spend to crack your program? It depends on the rewards(answer ).
I don't mean monetary. A STUPID ISP (RT66.com) in New Mexico dared hackers to break in. It was a ploy to show off how secure the system was. Hackers nuked 'em repeatedly. For about a year the ISP was on again- off again.
The api comes with DES encryption support (called Crypto). Basically, this takes full-time supercomputer access for years to crack. Since supercomputing costs $1000/ hour and up, most back-basement hackers are not gonna get far with DES.
Download the www.allapi.net apiguide and their apiviewer. All free - and it comes with pretty good samples for using Crypto.
Thanks for the info Jim. Personally, I don't dare people to break my stuff, because, like you said, someone will find away.
I look at encryption as really being second-rate security no matter how good it is. The best security is keep people away from your stuff in the first place. Easier said than done, I know. But it your network is secure, then you've limited the possible hackers to those who you've ALLOWED onto your network.
If they simply want the info your files hold, then they need to break the encryption. If they just want to cause havoc, then they can corrupt or delete files.
So all I need is something that keeps the average user out without making it such a pain that they hate using the program. I'll look into the crypto stuff.
The reason I asked about blowfish was I found some really complex looking source code for it. I've never been able to hack into anything, so obviously, everything is secure from me. But that doesn't mean a 6th grader next door won't laugh as he spends ten seconds breaking into my stuff.
Originally posted by cafeenman I look at encryption as really being second-rate security no matter how good it is. The best security is keep people away from your stuff in the first place.
I can't find the emoticon for "I disagree strongly" but I've gotta tell you cafeenman - its MUCH easier for someone to kick your front door down and beat you until you give them your secrets than to break something like blowfish - a publically tested and analysed 128-bit code designed by a top rank cryptographer.
I think its the cryptographer Ross Anderson who coins the phrase 'forced key' for this rubber hose technique.
Looking for a friendly intelligent chat forum? Visit the white-hart.net
I can't find the emoticon for "I disagree strongly" but I've gotta tell you cafeenman - its MUCH easier for someone to kick your front door down and beat you until you give them your secrets than to break something like blowfish - a publically tested and analysed 128-bit code designed by a top rank cryptographer.
I think its the cryptographer Ross Anderson who coins the phrase 'forced key' for this rubber hose technique.
I see what you mean, and I don't disagree with that in a real world sense. But if my computer isn't hooked up to anything, then nobody is going to break into my Microsoft Money file unless I let them use my computer. I do believe that good encryption is stronger than network security, so I was really speaking hypothetically.
Anyway, I never did get an answer about the memory thing. Is this something I should be worried about and take into account?
I'm currently trying to decipher all this blowfish code I've got. Basically, it has a ton of options for the demo program - most of which I'll never use. So I'm stepping through it and trying to figure out what I need to keep, what I can discard, and what all the hard-coded values mean. I'm not sure if they are actual numbers that need to be the values they are so the program will work or just magic number for generating keys. In the latter case, I probably need to change them to something else so they aren't the same as the other 100,000 people's who downloaded the same thing.
Originally posted by jim mcnamara blowfish & twofish are reasonably secure. But a dedicated hacker could, in theory, break 'em.
DES . . . takes full-time supercomputer access for years to crack. Since supercomputing costs $1000/ hour and up, most back-basement hackers are not gonna get far with DES.
Download the www.allapi.net apiguide and their apiviewer. All free - and it comes with pretty good samples for using Crypto.
Have you got a reference for this? - there have been several cases of grad students cracking DES by using their college computer networks over the summer vac.
Twofish was a runner up in the US federal AES competion to replace DES. This is what the US National Institute of Standards and Technology says about AES -
A code-breaking scheme that takes only 1 second to defeat today's DES would need 149 trillion years to crack a 128-bit implementation of the AES standard
Looking for a friendly intelligent chat forum? Visit the white-hart.net
Originally posted by cafeenman I'm currently trying to decipher all this blowfish code I've got. Basically, it has a ton of options for the demo program - most of which I'll never use. So I'm stepping through it and trying to figure out what I need to keep, what I can discard, and what all the hard-coded values mean. I'm not sure if they are actual numbers that need to be the values they are so the program will work or just magic number for generating keys. In the latter case, I probably need to change them to something else so they aren't the same as the other 100,000 people's who downloaded the same thing.
If it is a proper implementation of Blowfish (go to the Blowfish inventors home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.
If you implement everything properly then this is the real weakness - getting a unique key
Looking for a friendly intelligent chat forum? Visit the white-hart.net
If it is a proper implementation of Blowfish (go to the Blowfish inventors home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.
If you implement everything properly then this is the real weakness - getting a unique key
On algorithm I used (keeping in mind I don't know anything about this stuff) uses the user password for the key. Then it generates a random number and goes through the ascii table for each character and finds a replacement. Then it uses that value as a seed for the next random number and so on and so forth.
It works because if you always use the same seed with VB's random number generator, you'll always get the same set of numbers. After all that's done, I generate a checksum based on certain values of each user record. Then I generate another checksum for the entire file. Then I encrypt the entire file and save it.
When it comes right down to it, someone who knows what they're doing could probably crack it pretty quickly, but even though I know how it works, I can't crack it without the password.
The next problem is that the master key has to be stored somewhere, and that information can probably be extracted from the exe fairly easily. I encrypted the key so it wouldn't be obvious if someone were to hex edit the exe. The problem is that it doesn't work on some computers. I think that has to do with the unicode thing which I still don't understand. Everyone keeps talking to me about byte arrays, but I don't get why or how I'm supposed to convert text to a byte array.
Anyway... I still want to know about the memory thing.
If it is a proper implementation of Blowfish (go to the Blowfish inventors home page at http://www.counterpane.com/blowfish.html to get a good one) the only thing you need to change is the key used to lock up the data.
If you implement everything properly then this is the real weakness - getting a unique key
That's the code I downloaded. I'm not sure what the implications are of using it in my app, but I don't need most of the code and he has copyrights all over it. All I want to do is encrypt and decrypt strings using one of the algorithms. He's got a bunch of different options for encryption as well as file encryption. It's all good, but way more than I need. But legally, I don't know if I'm allowed to strip it down to what I do need.
, but I don't get why or how I'm supposed to convert text to a byte array.
VB Code:
Dim bArr() As Byte
Private Sub Command1_Click()
bArr = StrConv("This is the Text", vbFromUnicode)
End Sub
Anyway... I still want to know about the memory thing
To avoid in-memory hacking is difficult. One really convoluted method that come to my mind is to have your privilege variable as a Class Module and Raise an On_Change event, where you could check whether the change occured as a result of a login method or just a sudden change mid-way.
"Brothers, you asked for it."
...Francisco Domingo Carlos Andres Sebastian D'Anconia
Originally posted by KayJay One really convoluted method that come to my mind is to have your privilege variable as a Class Module and Raise an On_Change event, where you could check whether the change occured as a result of a login method or just a sudden change mid-way.
OK, you guys seemed to have picked everything I don't know squat about. I still haven't got a clue how to raise events in my classes.
Here's a problem that actually came up with one of my apps. Someone downloaded it overseas (I forget which country). The connection string was something like this:
VB Code:
Private Function StartDatabase
dim sPassword As String
sPassword = Decrypt("xyz123abc987")
Set DB = wks.OpenDatabase(SF.DbFilename, Exclusive, False, "MS Access;pwd=" & sPassword & ")"
End Function
It had worked flawlessly until he used it and for some reason the password wasn't being sent properly. I had to hardcode the real password into the connection string and it worked fine. Don't nitpick the code above, because it may not be exactly right. The point is this software is installed and working on versions of windows from 95 through XP and it always worked fine.
I'm pretty sure it's a unicode thing, but not being there to play with it I never could be sure.
Originally posted by KayJay what was the Encryption algorithm U used there?
The one I was talking about in an earlier post. It has functioned flawlessly on every computer I've ever installed my app on. It's just that one guy in some other country who's computer it failed on. I think it was Turkey.
On algorithm I used (keeping in mind I don't know anything about this stuff) uses the user password for the key. Then it generates a random number and goes through the ascii table for each character and finds a replacement. Then it uses that value as a seed for the next random number and so on and so forth
That one? Then it sure is the Unicode prob. try this
VB Code:
Dim bArr() As Byte, UniCodestr As String
Private Sub Command1_Click()
UniCodestr = StrConv("xyzabc123987", vbUnicode)
Debug.Print UniCodestr
bArr = StrConv("xyzabc123987", vbFromUnicode)
For i = LBound(bArr) To UBound(bArr)
Debug.Print Chr(bArr(i))
Next
End Sub
' You could now either use UniCodestr or the bArr() array depending on the alogrith u use
And if it ain't overkill. Check out this collection of Modules for Coder/Decoders.
"Brothers, you asked for it."
...Francisco Domingo Carlos Andres Sebastian D'Anconia
I don't remember exactly what I did and I changed the code to just send the password after that. Besides, we all know how easy it is to defeat an access password anyway, so encrypting the password within the exe is a lame security attempt at best.
Anway, I think I sent the password through this and used the result as the string in the exe. Then I passed it through the decrypt version before putting it in the connection string. This algorithm doesn't use a key and I know it's not very secure. I just didn't want the password in plain sight within the exe.
VB Code:
Public Function EncryptText(sString As String) As String
Dim i As Long
Dim iLen As Long
Dim sDest As String
On Error GoTo errHandler
sDest = sString
iLen = Len(sDest) + 1
For i = 1 To Len(sDest)
Mid$(sDest, i, 1) = Chr$((270 + i - Asc(Mid$(sString, iLen - i, 1))) And 255)
If you use a version of Windows that is designed for a non-Latin alphabet such as Arabic, Cyrillic, Greek, Hebrew or Thai to view a document that has been typed using the ANSI character set, then characters from these languages may replace some of those in the 128–255 range; this problem will be resolved when Unicode becomes more widely used, because it provides a unique numeric identifier for each character. There are similar problems when transferring ANSI documents to DOS or Macintosh computers, because DOS and MacRoman arrange characters differently in the 128–255 range.
{ Emphasis Mine }
"Brothers, you asked for it."
...Francisco Domingo Carlos Andres Sebastian D'Anconia
Originally posted by KayJay Since you have coded using the ANSI character set, the prob. may be the Turkish comp. is using a different langauge setting as default.
OK, I guess it's time to start doing conversion so I can do multi-cultural applications
Umm i didnt read it all but saw you where opening an access database.
I gather your access database is password protected with the same password right?
Most hackers wont go through your app to get to a database they'll just go straight to the .mdb file and hack that password.
I know you just wanna hide your password from spy ware though.
But seriously access passwords are quite easy to crack anyways. I'd say that should be your biggest concern.
I can get most passwords from access 2k and 97(havent trid xp etc.)
Umm i didnt read it all but saw you where opening an access database.
I gather your access database is password protected with the same password right?
Most hackers wont go through your app to get to a database they'll just go straight to the .mdb file and hack that password.
I know you just wanna hide your password from spy ware though.
But seriously access passwords are quite easy to crack anyways. I'd say that should be your biggest concern.
I can get most passwords from access 2k and 97(havent trid xp etc.)
I did mention that in an earlier post. When I wrote the code several years ago I didn't know how easy it was to hack the password. Now I'm asking about it just because of the error that was raised when sending the password to the database.
The ultimate problem is that if I say my application is secure, I want to be telling the truth. I know nothing is 100%, but I want to be able to say to what extent it is secure so those who use my programs know what the risks are. I don't like withholding that kind of information. First, I don't think it's cool. Second, I could be setting myself up for lawsuits if I say it's secure and an 8 y/o breaks into it with his nintendo key generator.
So what I'm looking for is a way to either prevent memory hacks or maybe a better scheme keep track of what privileges the user has without leaving it in memory.
I do not know how to make a "Trainer" yet. But would this work?
VB Code:
'In a module
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long