Crypted passwords in PHP-apis? Twitter? - encryption

I'm creating a small service using API libraries, such as Twitter's. Is it possible to pass a user's password to the Twitter API encrypted? I would not like to store people's passwords unencrypted on my server, but writing them every time is annoying.
Does someone know?
Martti Laine

You should consider using OAuth.
Here are some examples.

If you're using PHP you can use the GnuPG extension to easily encrypt any credentials on your side, and decrypt them before making the API calls.
Here's a checklist of things you need:
make sure gpg is installed on your system;
create a gpg key pair and store the files on a safe location;
optionally password protect the generated private key;
use PHP's GnuPG extension to encrypt and decrypt data using those keys.
Here's a small PHP example, taken from the gnupg_encrypt() manual:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
This technique should also be applied even if you're using OAuth or another password-less authentication method. A common mistake is to use OAuth and not encrypt locally saved tokens, as access to those tokens might give anyone the power to act on behalf of the user.

Related

How to change encrypted password in context file without using the studio

I am using a group context to configure the db connection. The password of the db has a password type. When deploying the job, the password is automatically encrypted in the default.properties under the contexts folder.
What if I want to change the password without using the studio (on a client environment)? What can I use to encrypt the new password?
I was able to do it by creating a separate encryption job with a tjava component and the following code:
System.out.println(routines.system.PasswordEncryptUtil.encryptPassword(context.Password));
where context.Password is an input context variable of type String. When running the job, the user is prompted to enter a password and then the encrypted Talend password will be printed. It will have the following format: enc:routine.encryption.key.v1:[encryptedPassword]. The routine encryption key can be modified if needed by following this link: https://help.talend.com/r/en-US/8.0/installation-guide-data-integration-windows/rotating-encryption-keys-in-talend-studio
There are actually a few ways to do this:
    myJob.sh --context_param myPassword=pass123
This unfortunately can be seen by anyone via ps / task manager.
You can also edit the contexts/contextName.properties file and change the context parameters there. This way the context can only be seen if you have access to the file.
Theoretically both should be able to accept the cleartext/encrypted password.
Implicit context load feature can also be used to load contexts: https://help.talend.com/r/en-US/8.0/data-integration-job-examples/creating-job-and-defining-context-variables

Ktor - checking passwords against wordpress database

I'm trying to perform user authentication against a WordPress/MySQL database in Ktor. As far as I know, passwords are stored in the wp_users table after a hashing transformation, performed with the phpass framework.
Starting from a plain text password, my aim is to compare this password with the hash stored in the database, to understand if I have to authenticate the user or not.
Is there any support between Ktor and MySQL/WordPress?
Obviously, Ktor itself knows nothing about WordPress or any other PHP technology.
Actually, it doesn't know about databases either. There is an Exposed ORM framework, which is often used in Ktor projects for that. It supports MySQL databases, so it will be suitable in this case too.
But I believe you will have to write this integration by yourself, because this is a rather exotic combination of technologies (Ktor+WordPress), and it is highly unlikely someone else did it before.
I finally made it!
I found out from the documentation that WordPress uses a password hashing function called bcrypt. Then I searched GitHub for a Java implementation and I got into this repository by Wolf480pl.
By copying the BCrypt.java and PHPass.java files into my project, I just wrote this simple Kotlin function to check the match between the hash stored in the database (I used Exposed to connect to the MySQL db) and the plain text password:
    fun passwordMatch(password: String, storedHash: String): Boolean {
        val checker = PHPass(8)
        return checker.checkPassword(password, storedHash)
    }
Just that, it works!
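
As an added example (not the poster's code and not the PHPass.java class from the repository), this Python sketch shows how a phpass "portable" hash, the $P$/$H$ format, is verified: the cost and salt are read from the stored hash, the digest is recomputed, and the comparison is constant-time. It assumes portable hashes only, so bcrypt-format hashes are rejected rather than verified; the function names are hypothetical and the sample hash is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass base64 variant: little-endian 24-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):  # n input bytes give n + 1 characters
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def phpass_portable(password: str, setting: str) -> Optional[str]:
    """Recompute a portable hash from the cost and salt carried in `setting`."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    log2 = ITOA64.find(setting[3])
    if not 7 <= log2 <= 30:  # same bounds phpass enforces on the cost character
        return None
    pw = password.encode("utf-8")
    digest = hashlib.md5(setting[4:12].encode("utf-8") + pw).digest()
    for _ in range(1 << log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def password_match(password: str, stored_hash: str) -> bool:
    """True only if `stored_hash` is a portable hash of `password`."""
    candidate = phpass_portable(password, stored_hash)
    if candidate is None:  # bcrypt ($2y$...) or malformed: not handled here
        return False
    return hmac.compare_digest(candidate.encode(), stored_hash.encode())


def make_hash(password: str, log2: int = 13) -> str:
    """Constructed sample hash; PHP phpass derives cost 13 from a count of 8."""
    return phpass_portable(password, "$P$" + ITOA64[log2] + encode64(os.urandom(6)))


if __name__ == "__main__":
    sample = make_hash("correct horse")  # constructed sample, not a real user hash
    print(sample, password_match("correct horse", sample), password_match("guess", sample))
```

The portable format is iterated MD5, so a check like this is for reading existing WordPress rows, not a scheme to choose for new password storage.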

How to encrypt an SQLite database with FireDAC?

I created an SQLite database with DB Browser for SQLite (not encrypted) and opened it with FireDAC in Delphi. (I can retrieve data, e.g. Select * from abc.)
How do I encrypt this SQLite database with FireDAC? When I enter the username, password and encryption, I get the message "Cipher DB is not encrypdet"
Note:
When I create an SQLite database from Delphi FireDAC, I can use encryption!
To encrypt a database, use a TFDSQLiteSecurity Component. You'll also need a TFDSQLitePhysSQLiteDriverLink component to go along with it.
If a database is unencrypted, then its password is ''. So use '' as the OldPassword and create the new password in that case. Passwords are formatted as algorithm:PassPhrase. See documentation on the choices, I use aes-256. Also, the database needs to be closed when you do this.
...
//Change password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := NewPassword; // example: 'aes-256:mypassword123'
FDSQLiteSecurity1.ChangePassword;
...
//Remove Password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := '';
FDSQLiteSecurity1.RemovePassword;
...
From the Documentation
SQLite Encrypted Database
Approach
One of the distinctive SQLite features is the high-speed strong database encryption. It allows you to make database file content confidential and enforce integrity control on the database file. The encrypted database format is not compatible with other similar SQLite encryption extensions. This means that you cannot use an encrypted database, encrypted with non-FireDAC libraries. If you need to do this, then you have to decrypt a database with an original tool and encrypt it with FireDAC.
Recent Delphi versions come with an example project for working with encryption on SQLite databases, see this documentation. I have not used this myself, btw.
It includes this section
Encrypt DB
Encrypt: Encrypts the database according to the Encryption mode and the password provided.
The sample uses TFDSQLiteSecurity.SetPassword to encrypt the database with the password provided.
The database password is the combination of <encryption algorithm>:<password>.
I faced several challenges when I first tried to encrypt an SQLite database for use with Embarcadero FireDAC. Even though all the information is published by Embarcadero, the question pops up again and again on different forums. My case was solved with community support, and when time permitted, a simple Delphi application was assembled and made available on SourceForge. I hope it will make encryption/decryption slightly easier, particularly for newbies.
https://sourceforge.net/projects/sqlite-sequrity-for-delphi/

AES-256 best practices implementation

I'm reversing an app, but I'm not much of an expert on the AES algorithm.
The application gives the user the opportunity to make an offline login.
The user is asked to provide his username and password.
This is the function that is used to store the info of the user:
    public void EncryptLoginInfo(string username, byte[] secretShared, byte[] salt)
    {
        byte[] random = calc.GenerateRandomBytes();
        byte[] array = aes.Encrypt(secretShared, random);
        OfflineLogin loginInfo = new OfflineLogin()
        {
            Username = username,
            SecretShared = array,
            Iv = random,
            Salt = salt
        };
        this._userCredentials.StoreOfflineLoginData(username, loginInfo);
    }
And this is the info that is stored inside an internal config file of the app. In the example below, the password passed to the encryptLoginInfo is 123
Username: not_important
SecretShared: 4KVrjy1cQVWYpWF7aolpMS0HzhKyFf+9VXauQrXoXVUbf0bGXIDOLDJuSVhYoFo2
Iv:yil4nn02IoKsOnX5KXVsDg==
Salt: 5kJio2VQEqjomHRdQMqRVJ0zkBsmqi8K3NypC2VWJk4
If the user wants to make an offline login, he is asked to provide his username and his password.
Question: Is this algo safe? If an attacker is able to obtain SecretShared+Iv+Salt, is he able to recover the password of the user (that in this specific example is 123)?
This is the decrypt function:
    public void DencryptLoginInfo(OfflineLogin loginInfo)
    {
        byte[] array = aes.Decrypt(loginInfo.SecretShared, loginInfo.Iv);
        loginInfo.SecretShared = array;
        loginInfo.Iv = (byte[]) null;
    }
Are you able to spot any security issues in this implementation? The algo used should be AES-256. Are you able to implement a POC in python to decrypt the PASSWORD given SecretShared+Iv+Salt?
According to your comment, your goal is to authenticate the user. For that we use password-based key derivation functions on the password. Often people refer to this as "hashing passwords", which is unfortunate terminology because "hashing" can mean anything. But the main point is that we do not encrypt passwords, instead we send them through a one-way function that is designed to be slow. The slow speed deters brute force attacks.
You do not need an IV to do this. Instead, your app should be deriving a salt and using a password-based key derivation function (sometimes referred to as a "password hashing" algorithm: you will have to excuse that the industry has made a mess out of the terminology on this topic). You can find guidance on this all over the web. But I suggest you have a read of point 4 in Top 10 Developer Crypto Mistakes to see common pitfalls in implementing this.
Don't use openssl to convert a password into a key (or password hash)! The algorithm in openssl is weak. Openssl's EVP_BytesToKey() fails to meet the requirements of slow speed, meaning that it is easy to brute force your key from your password.
The proper solution to this problem is to use an algorithm such as bcrypt or pbkdf2 (Java implementations can be found without much effort) to derive a "hash" from the password. You then verify that the user typed in the password correctly by re-doing the same computation with the user entered password and the salt that was stored for this password. If they match, access is granted, otherwise access is denied.
Note that if this app interacts with a server, normally you do password verification on the server side. If your app does not interact with a server, then you may have a good reason to do it on the device. I don't know what your app does, so I cannot tell you what is right or wrong for you.
A great reference for doing this properly is How to Safely Store Your Users' Passwords in 2016.
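
The verification flow described in the answers above, as an added example that is not part of the original posts: a Python sketch that replaces the reversible SecretShared/Iv pair with a salted PBKDF2 verifier, so nothing stored on the device can be decrypted back into the password. The record layout, function names and iteration count are assumptions, not values from the app.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # assumed work factor; tune it to the slowest target device


@dataclass
class OfflineLogin:
    # Hypothetical record: same role as the one on the page, but it holds a
    # one-way verifier instead of an AES ciphertext and IV.
    username: str
    salt: bytes
    iterations: int
    verifier: bytes


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow one-way derivation: PBKDF2-HMAC-SHA256 over the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(username: str, password: str, iterations: int = ITERATIONS) -> OfflineLogin:
    """Create the stored record; a fresh random salt is drawn per enrollment."""
    salt = os.urandom(16)
    return OfflineLogin(username, salt, iterations, derive(password, salt, iterations))


def verify(record: OfflineLogin, password: str) -> bool:
    """Redo the computation with the stored salt and compare in constant time."""
    candidate = derive(password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.verifier)


def needs_upgrade(record: OfflineLogin) -> bool:
    """True when the record was created with a lower work factor than today's."""
    return record.iterations < ITERATIONS


if __name__ == "__main__":
    rec = enroll("not_important", "123")  # constructed sample input
    print(verify(rec, "123"), verify(rec, "124"), needs_upgrade(rec))
```

A slow derivation raises the cost per guess but does not rescue a password as short as 123, so offline login still needs a minimum password policy.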

Multiple property encryption using jasypt encryption

I have relatively little knowledge of encryption. I have done research on encryption in the Spring Boot application.properties file, but I have not found any material on multiple password encryption. If someone could provide some material or some direction as to how I should proceed, that would be helpful.
Basically you have to do 3 things.
1. Encrypt your password using jasypt. This can be done using the command line tool as indicated here or using a simple Java program as indicated here. You need a password along with the string you need to encrypt. The password is something like a secret key (or salt) which is used to encrypt the string you want to encrypt.
2. Add this to your application properties or yml jasypt.encryptor.password=password_used_in_the_previous_step
3. And add the encrypted password you got from step 1 like this ENC(Your_Encrypted_Password)
Add the necessary dependencies.
Here is a good example.
https://github.com/ulisesbocchio/jasypt-spring-boot.
