PerlMonks  

Password Encryption

by Anonymous Monk
on Aug 20, 2002 at 07:43 UTC (#191404=perlquestion)
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

All,
I am looking for a simple way to encrypt/decrypt passwords which are stored in a properties file.

For example, root passwords to unix machines.

I have tried looking at the Crypt packages, but the ciphertext contains unicode characters which
give problems when reading back from a file.

Heavyweight encryption is not really needed.
Thanks.

Re: Password Encryption
by hotshot (Prior) on Aug 20, 2002 at 07:59 UTC
    you can use the Crypt::PasswdMD5 module
    use Crypt::PasswdMD5;
    my $encryptedPassword = unix_md5_crypt($password, $salt);


    Hotshot
Re: Password Encryption
by derby (Abbot) on Aug 20, 2002 at 08:17 UTC
    For storing passwords, you really don't want encryption, you want a one-way hash function such as crypt. This allows you to safely "encrypt" (one-way hash) a word but you can never really decrypt. In order to check if the password is valid, you would run the entered password through the one-way hash function and compare that value with the stored value. The unicode req really throws a wrench into things, I'm not sure if crypt will handle that. There are other one-way hash modules on cpan such as MD5 and SHA that may also be helpful.

    -derby

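Derby's store-a-hash-and-compare scheme written out, as an added example that is not from the thread; it uses the Crypt::PasswdMD5 module hotshot mentioned (CPAN), and the hash_password/verify_password names are mine:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: store a one-way hash, then verify
# a candidate by re-hashing it with the stored salt and comparing.
# Requires Crypt::PasswdMD5 from CPAN.
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Characters permitted in a crypt(3)-style salt.
my @salt_chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Return a "$1$salt$hash" string suitable for the properties file.
sub hash_password {
    my ($plain) = @_;
    my $salt = join '', map { $salt_chars[int rand @salt_chars] } 1 .. 8;
    return unix_md5_crypt($plain, $salt);
}

# Re-hash the candidate with the salt embedded in the stored value.
# unix_md5_crypt() strips the "$1$" prefix and the hash part from its
# salt argument itself, so the full stored string can be passed in.
sub verify_password {
    my ($candidate, $stored) = @_;
    my $rehashed = unix_md5_crypt($candidate, $stored);
    return 0 if length($rehashed) != length($stored);
    # Fold the XOR of every byte so the comparison does not stop at the
    # first mismatch.
    my $diff = 0;
    $diff |= ord(substr $rehashed, $_, 1) ^ ord(substr $stored, $_, 1)
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Constructed sample values.
my $stored = hash_password('correct horse');
print "stored:   $stored\n";
print "right pw: ", (verify_password('correct horse', $stored) ? 'accepted' : 'rejected'), "\n";
print "wrong pw: ", (verify_password('wrong', $stored) ? 'accepted' : 'rejected'), "\n";
```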
      Although I like the approach of using hashes to protect passwords, this system does have a major drawback in that the passwords are not recoverable. In some cases this is unacceptable since it means options like, "email me my password" are not available. Since the poster specified the ability to "decrypt" the password, either they are unclear on what their requirements truly are, or a one-way function is not a solution in this case.

Re: Password Encryption
by JaWi (Hermit) on Aug 20, 2002 at 09:18 UTC
    Assuming you're writing some sort of `KeyRing' program thingie that stores all your important user/password combos. In that case you probably want to look at modules like Des or TripleDes or similar.

    Success!

    -- JaWi

    "A chicken is an egg's way of producing more eggs."

Re: Password Encryption
by fsn (Friar) on Aug 20, 2002 at 09:25 UTC
    Why not rot13 encode it:
    > cat cleartextpasswords.txt | tr /a-zA-Z/ /n-za-mN-ZA-M/ > encryptedpasswords.txt
    > cat encryptedpasswords.txt | tr /a-zA-Z/ /n-za-mN-ZA-M/ > cleartextpasswords.txt
    Or is that a little TOO insecure...?
        Hmm... I would argue that the tr command probably predates Perl by a decade. So, who is reinventing the wheel? And is the perl version even faster to write than the tr version?

        And also, look at the memory footprint issue. tr takes 28k on my RH72, where the Perl binary alone takes 708k, + loading the Crypt module...

        Oh, and by the way, :-)

Re: Password Encryption
by grantm (Parson) on Aug 20, 2002 at 10:27 UTC

    If I understand your requirements correctly, you need to be able to retrieve the password but you don't want to store it in plaintext. One-way hashing algorithms such as the crypt function or the MD5 module won't help there (my favourite quote to illustrate this point is "you can wind a sausage machine backwards but it won't give you pigs" - if only I could remember who said it).

    Actually, nothing is going to be really secure since if someone can read your script they will have all the info they need to decrypt the password.

    If you just want to slow someone down, encode it using MIME::Base64 like this:

    perl -MMIME::Base64 -le "print encode_base64('p4assw0rd')"
      grantm,

      Good call on knowing what reqs you have and tying that to what type of security you need; however, I need to nitpick on a few things:

      if I understand your requirements correctly, you need to be able to retrieve the password but you don't want to store it in plaintext. One-way hashing algorithms such as the crypt function or the MD5 module won't help there (my favourite quote to illustrate this point is "you can wind a sausage machine backwards but it won't give you pigs" - if only I could remember who said it).

      True but that's okay because you never need to compare the plaintext, you compare the output of the one-way hash with the stored value.

      Actually, nothing is going to be really secure since if someone can read your script they will have all the info they need to decrypt the password.

      Well ... nothing in and of itself is secure. You need several layers of security. When I first read the problem, I didn't think the passwords would be stored in a script or going across the wire (in plaintext). If you need to store the password in a script, well that's where things like ACLs and file permissions come into play. As for going across the wire, then you encrypt the wire via https (web) or SSL -- security is all about layers.

      update: And as a bonus, if you use one-way hash, there is nothing in the script that "decrypts" the password. The script would run the user supplied password through the one-way hash and compare the output to the stored value.

      If you just want to slow someone down, encode it using MIME::Base64 like this:

      Hmmm ... well there's a lot of controversy about security through obscurity and with base64 - that's what you're doing. I think it would fail even quicker than crypt and would be useless altogether once someone knew base64 was the algorithm. With one-way hash functions, you can know the algorithm (des, md5) but you never really know that you have cracked the password until you try to use it. With base64, once you know base64 is the obfuscation, you don't have to try to use the password - you know it's the plaintext.

      -derby

Re: Password Encryption
by Anonymous Monk on Aug 21, 2002 at 06:15 UTC
    Thanks to everyone who contributed.

    A one-way hash is not going to work in our case as the perl script is supposed to run in a non-interactive mode.

    The perl script simply reads the properties file, decrypts the password and then logs into the unix machine.

    The basic idea was just to slow someone down. I tried using some of the well known algorithms (such as DES), but found the ciphertext contained non-alphabetic/non-numeric characters. Does anyone know how I can restrict the output to just these chars?

    I appreciate doing this is going to make the encryption less secure, but that isn't too important.
      You really want to use pack/unpack to hex-format your ciphertext, so that they are guaranteed to be alphanumeric.

      To wit:

      use Crypt::CBC;
      my $cipher = Crypt::CBC->new( {
          key    => 'SomeSecretKeyHere',
          cipher => 'Rijndael',
      } );
      my $source_text = "This data is hush hush";
      my $cipher_text = unpack('H*', $cipher->encrypt($source_text));
      my $decrypted   = $cipher->decrypt(pack('H*', $cipher_text));
      Also, please do not use the fragile DES cipher, as weak crypto is worse than no crypto. Rijndael is much more secure, almost as fast, and equally easy to use.

      Thanks,
      /Autrijus/
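Autrijus's hex round trip taken through a properties file, as an added example that is not part of the thread; it needs Crypt::CBC and Crypt::Rijndael from CPAN, and the function names, file name and sample values are constructed:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: encrypt values with Crypt::CBC,
# store them as hex via unpack('H*') so the file is purely [0-9a-f], and
# read them back. The key is still readable by anyone who can read the
# script, so file permissions (derby's point) do the real protecting.
use strict;
use warnings;
use Crypt::CBC;

my $cipher = Crypt::CBC->new(
    -key    => 'SomeSecretKeyHere',   # placeholder key taken from the thread
    -cipher => 'Rijndael',
);

# Encrypt a value and return it as lowercase hex.
sub encrypt_to_hex {
    my ($plain) = @_;
    return unpack 'H*', $cipher->encrypt($plain);
}

# Refuse anything that is not an even-length hex string, then decrypt.
sub decrypt_from_hex {
    my ($hex) = @_;
    die "ciphertext is not hex\n" unless $hex =~ /^(?:[0-9a-fA-F]{2})+$/;
    return $cipher->decrypt(pack 'H*', $hex);
}

# Write each property as name=<hex ciphertext>.
sub write_properties {
    my ($path, %props) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} "$_=", encrypt_to_hex($props{$_}), "\n" for sort keys %props;
    close $fh;
}

# Read the file back, decrypting each value.
sub read_properties {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot read $path: $!";
    my %props;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;       # skip comments and blank lines
        my ($name, $hex) = split /=/, $line, 2;
        $props{$name} = decrypt_from_hex($hex);
    }
    close $fh;
    return %props;
}

# Constructed sample data; writes passwords.properties in the current directory.
write_properties('passwords.properties', 'host1.root' => 'Tr0ub4dor&3', 'host2.root' => 'hunter2');
my %back = read_properties('passwords.properties');
print "$_ => $back{$_}\n" for sort keys %back;
```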
