Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation

Opening an Encrypted DB_File database

by crabbdean (Pilgrim)
on Jul 14, 2004 at 15:47 UTC ( #374327=perlquestion: print w/replies, xml ) Need Help??
crabbdean has asked for the wisdom of the Perl Monks concerning the following question:

I'm creating a password encryption program to store passwords. I store the values into a DB_File database which I then encrypt. The problem comes in then opening and decrypting that database. Normally to tie the database you use:
tie (%cryptohash, 'DB_File', undef, O_RDWR|O_CREAT, 0644, $DB_BTREE) or die "Database error: $!";
and then refer to %cryptohash like any normal hash and save it back to file when done. Problem is once the file is encrypted you can't do the tie UNTIL you've decrypted it first (because DB_File doesn't recognise the file format and the tie fails). So you have to decrypt first and then tie.

Now I could just decrypt the master file to a temporary file and then tie to that temporary file (in DB_FILE format) but if during execution the program dies you then have a decrypted copy just lying around. SO ... I'm trying to find a way to decrypt the file into memory and then tie to that piece of memory, instead of to a file. Of course the memory has to be a hash because that is what DB_File utilises and ties to.

But how do you read a file into a hash in memory and then tie to it? OR, if I read the file into an @array how do I then translate that into a valid DB_File format again which can be tied? Its this one little step that I'm stuck at.

Now in my testing I found out you can tie a %hash to a undef'ined file value, which is literally stored in memory which you can then save to file (see below code). This helps solve part of the puzzle(and is an interesting trick), but still not all of the puzzle. Keep in mind I DON'T want to be creating an decrypted verion of the data to file due to security issues.

Any ideas how to bridge this gap?
#!perl use DB_File; use Fcntl; # For the constants O_RDWR and O_CREAT use strict; use warnings; ## master file name my $cryptofile = "crypt.qap"; ## create Berkeley DB my %cryptohash; my %testhash; tie (%testhash, 'DB_File', undef, O_RDWR|O_CREAT, 0644, $DB_BTREE) or die "Database error: $!"; $testhash{'this'} = "hello"; print $testhash{'hello'}; tie (%cryptohash, 'DB_File', $cryptofile, O_RDWR|O_CREAT, 0644, $DB_BT +REE) or die "Database error: $!"; %cryptohash = %testhash; untie %cryptohash; untie %testhash;

The Funkster of Mirth
Programming these days takes more than a lone avenger with a compiler. - sam
RFC1149: A Standard for the Transmission of IP Datagrams on Avian Carriers

Replies are listed 'Best First'.
Re: Opening an Encrypted DB_File database
by iburrell (Chaplain) on Jul 14, 2004 at 16:11 UTC
    The solution: don't encrypt the whole DB_File. The Berkley DB library wants to deal with the database file on disk. The best solution is not encrypt the whole file, but the individual keys and values that you want to protect.

    One trick you could use is to decrypt to a temporary file, tie with DB_File, and unlink the file. Unix systems will keep the file around until the filehandle is closed. DB_File supports anonymous maps that work this way. The problem is relying on Berkeley DB not opening new filehandles or closing its existing filehandles. Also, it makes getting the modified file difficult.

    Another trick is put the unencrypted database file on a RAM disk that is only readable by the user running the script.

      Hi iburrell, I've already encrypted each key/value pair in the DB_File database using a 256 bit cipher. But I was discussing with my flatmate who works for the government doing cryptography and she said it would be wise to also encrypt the file. I'm trusting her judgement on that.

      I attempted to unlink the file as suggested. Doesn't work as DB_File puts a lock on it. The temp file opens the vulnerability of leaving a decrypted version lying around which I would really like to avoid.

      I'm unsure how to go about putting it onto a ramdisk. Can you suggest further on how to go about this?

      Thanks for your help.

      The Funkster of Mirth
      Programming these days takes more than a lone avenger with a compiler. - sam
      RFC1149: A Standard for the Transmission of IP Datagrams on Avian Carriers

        If you encrypt a file with a known format (like a DB file), wouldn't an attacker have information to assist in decrypting the entire file? I thought it was recommended not to encrypt data that was predectible or known, because it gave a target to shoot for.

        Just my $0.02 USD.


Re: Opening an Encrypted DB_File database
by PodMaster (Abbot) on Jul 14, 2004 at 19:43 UTC
    See "DBM Filters" in the DB_File documentation or simply use BerkeleyDB instead.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://374327]
Approved by Paladin
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (9)
As of 2018-03-21 21:16 GMT
Find Nodes?
    Voting Booth?
    When I think of a mole I think of:

    Results (270 votes). Check out past polls.