Secure storage of private key [closed] - encryption

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
We want to store our passwords for FTP, websites, databases, etc. You can compare our software to keypass but we wanted to do our own solution.
The passwords will be encrypted and stored in a database. We can't use checksums because we need to show the passwords in plaintext.
The problem is that we couldn't find a good solution to store the private key. If it's written in the code, you can get it quite easily. If it's hidden in a dll, you can't hide it effectively, because the machine has to use it. All users of our software have full access to the source code, the database with the encripted passwords and are admins on their PCs, so they could read the code when it's used.
We thought about storing the private keys in a seperate database which is accessed with another password but the key will be used anyway.
So, we're not getting anywhere. We are aware that there is no 100% save solution for this but there got to be an almost safe one.

First i would advise against writing your own solution, there are so many ways to do it wrong, and you need to invest a lot of time to know about all important points.
You don't need to store a key anywhere, just use the key to encrypt the data then forget the key. For decrypting you use the key as entered, if the key is correct you get back the data, otherwise you get back scrambled content.
Because users do not like to type strong keys and prefere passwords, you should use a key-derivation function like BCrypt or PBKDF2 (Password-Based-Key-Derivation-Function-2), which can translate a password to a key.

Related

using cryptographichash in Qt [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am making a program in Qt5.2.1 and in it I am using a text file to store some data. I would like to encrypt it and decrypt it inside the program and display the text stored in the file in a QPlainTextEdit ( or any other similar widget).
I searched and came across Qcryptographichash but i have no idea how to use it. I read somewhere that it does not provide a very secure encryption but that doesn't matter ( I am not expecting hackers to try and read this file).
So, could anyone guide me in the right direction, maybe even give me some code. :D
QCryptographic hash creates a hash from given data. That is a one-way process, so the it will not do what you want, namely encrypt the data in a form that can be retrieved via decryption.
You can read more about the difference between encryption and hashes here.
You need to research into possible encryption algorithms. To my knowledge, that's not something that is part of Qt.
It's a large area of on-going research; there are so many to choose from, as you can see here.

Given an encrypted file, and a non-encrypted version of the same file, can the encryption key be easily recovered? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
This question is partly theoretical and partly practical. A perfect answer would answer theoretically why, and practically how.
Question
Given an encrypted file, and a non-encrypted version of the same file, can the encryption key be recovered? More specifically how might one achieve this?
Background
I have some backup files from a colleagues old machine. They have been stored in an encrypted 7zip file. The file table has not been encrypted, so it should be possible to isolate individual files. What I don't have is the actual encryption key (due to a storage medium failure). I do however have some unencrypted files which are also in the container. How can I use these to recover the whole archive?
As others have said, this is a "Known Plaintext Attack". All good cyphers are proof against such an attack. Any cypher which cannot withstand such an attack never gets off the starting blocks.
The best suggestion is to find out the specific encryption method used and look for specific weaknesses in that particular method. Alternatively, ask people who knew the key if they can remember even part of the original password. "It began with a D" will reduce the work you need to do to brute force it by a factor of 26 or 52.

Encoding login-password pair [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I have a login and password that I need to store in my database. What is a safer way to encode them (I use AES algorithm): as one string with separator between login/pass, or as a two separate strings?
Encoding has to be reversable, so please don't mention hash.
Safety has not much to do with your choice. If you use AES with mode different than ECB and PKCS7/PKCS5 Padding you can either encrypt logins and passwords alone or logins and passwords seperately. It depends on wheather you will need a login without a password in your implementation. You will probably use the same key to encrypt both login and password. So splitting is by no means an additional security measure. If you woudl use some salted PKDF keys can be different for each record, but attacker still needs only to get the master password and a salt.
That's no any additional security in encrypting them together or separately.
However, you should also choose wisely cipher mode/initial vector - for CBC and CTR (and CFB?) input to encryption is xored with encrypted Initial Vector, so having the same vector for two encrypted passwords, xoring them would allow to get xor of original passwords, which can leak information.

in-place encryption with gpg [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Is it possible to force gpg to do in-place encryption? In other words, to overwrite the source (unencrypted) file with encrypted data?
This is how ccrypt(1) operates by default.
The answer is basically no, not without custom code.
gpg can operate on pipes, so if there were an easy way to destructively send data to a pipe, this might be doable. But there isn't.
Another idea to keep from using up the disk quickly is encrypt chunks at a time (in custom software).
while !eof:
read()
encrypt()
write()
seek()
It appears that ccrypt is able to operate in-place because the encrypted data is the same length as the decrypted data (I know little of crypto, but this might just be a general property of block ciphers). GPG/PGP does stuff like compressing and adding headers, so the output data won't be the same length. If it is shorter, no problem (the above custom code should work). If it is longer, more work would need to be done to place overflow somewhere else.
This custom code adds complexity (and obscurity) to encryption and decryption.
gpg does it by opening a new file using the original filename and appending a .gpg extension, then writing the encrypted data out to the new file. if everything works fine, it deletes the original file.
I don't think you'd want to use actual in-place encryption, where it would read a byte, crypt it, write it back out to the file, etc... what happens if something kills the gpg process half-way through? You've now got a corrupted file, with half of the plaintext dangling in the breeze.

How do you set up an API key system for your website? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Let say that I have a website with some information that could be access externally. Those information need to be only change by the respected client. Example: Google Analytic or WordPress API key. How can I create a system that work like that (no matter the programming language)?
A number of smart people are working on a standard, and it's called OAuth. It already has a number of sample implementations, so it's pretty easy to get started.
Simple:
Generate a key for each user
Deny access for each request without this key
Currently, I use a concatenation of multiple MD5s with a salt. The MD5s are generated off of various concatenations of user data.
A good way of generating a key would be to store a GUID (Globally Unique Identifier) on each user record n the database. GUID is going to be unique and almost impossible to guess.
There are also infrastructure services that manage all this for you like http://www.3scale.net (disclosure I work there), http://www.mashery.com and http://www.apigee.com/.

Resources