Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Password Encryption and Decryption

by slayedbylucifer (Scribe)
on Mar 23, 2012 at 19:10 UTC ( #961290=perlquestion: print w/ replies, xml ) Need Help??
slayedbylucifer has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I have simple question for you. I am newbie at Perl. I want to have apassword encryption and decryption mechanism in my perl script. Write now hte password that I use in my script is a clear text passwordand my scripts works fine wiht it. so, I want to get rid of the clear text password.

So far after doing a lot of googling, I came accorss following 3 modules whihc could be useful for my use case

Crypt::CBC Crypt::Twofish_PP MIME::Base64

I am just not able to get it right with either of them. Eeither I am too naive to understand these modules OR I am running after the wrong stuff.

So, this is what i want to:

1) encrypt the password in a dedicated perl script 2) Use this encrypted password in my perl script (where right now I have clear text password), tun a subrouting to decrypt this password and then retunr the necessary password to the caller so that my Perl script continue to execute.

Could you give me guidance on how to proceed. Thanks.

Comment on Password Encryption and Decryption
Download Code
Re: Password Encryption and Decryption
by JavaFan (Canon) on Mar 23, 2012 at 19:13 UTC
    Are you sure you want to use an encryption method that allows for decryption? That is not what most people consider to be a secure way of dealing with passwords. And it's hardly more secure than storing them in plain text.

      I am not sure whether I really want what you have asked. But I have to pass the REAL password to my application because it will never recognize a crypted password. BTW, I am logging to my application with my Active Directory Account and hence I am providing the my AD password in clear text format in my script. So I wanted not to write it in clear text and rather have it in the encrypted form and then decrypt it on the fly every time the script runs. THis is the reason I need a decryption mechanism.

      Please do let me know if am thinking in wrong direction.

        What makes this more secure than storing passwords in plain text? If a program can automatically decrypt the passwords, an attacker can as well - he'd just run the program. Of course, you could protect the "encrypted" password with a password, but than you're back to the beginning, aren't you?

        If you need to authenticate your users against a LDAP (like Active Directory), you have not to store user's passwords at all. You need not to store them.

        You need to use LDAP authentication for your appliation, when the user insert the login/password pair, you forward these info to Active Directory and if it confirms you know that the user is authenticated in that system.

      use a password file and cat that file to get the password when you need it. i agree with everyone here encrypting and decrypting is futile since an attacker can just run your decrypter and get the file.

        i agree with everyone here encrypting and decrypting is futile

        Fair enough, 'everyone' is saying don't encrypt/decrypt passwords. That might lead someone to the (incorrect) conclusion that 'everyone' thinks passwords should just be stored in plain text.

        What 'everyone' was failing to say is that the correct approach is to stored hashed passwords rather than encrypted passwords.

Re: Password Encryption and Decryption
by zentara (Archbishop) on Mar 23, 2012 at 23:13 UTC
    Could you give me guidance on how to proceed.

    Your main problem with keeping an encrypted string in your program, is that most encrypted output is binary, and not printable. So.... you will need a technique to base64encode the encrypted output, THEN base64decode the string back to binary, before decryption. Pack and unpack could also be used.

    You could also hide your key in plain site, but hidden in your script, like seek to line 42, and grab the 3rd word. :-) Few novices would follow the code to the the key, but its poor security.

    Here are the basic techniques. You will find that anyone who knows even a bit of Perl, will be able to hack this. You cannot decrypt a password in a script, without the password being in the script somewhere. You can use RSA keys, to decrypt a key, because the RSA key is in another file, but that depends on home directories, user groups, and permissions setup correctly. Your easiest bet is to use a technique like pack() or MIME_BASE64 to just obscure your key.

    #!/usr/bin/perl use warnings; use strict; use Crypt::CBC; use MIME::Base64; my $KEY = 'secret_foo'; my $string = 'yadda yadda yadda yadda'; print "input: $string\n"; my $enc = encryptString( $string ); print "encrypted binary: $enc\n"; my $mime = encode_base64($enc); print "MIME: $mime\n"; my $mime_decode = decode_base64($mime); print "MIME_decode: $mime_decode\n"; my $dec = decryptString( $enc ); print "decrypted: $dec\n"; my $mime_dec = decryptString( decode_base64($mime) ); print "decrypted_mime: $mime_dec\n"; ############################################################ sub encryptString { my $string = shift; my $cipher = Crypt::CBC->new( -key => $KEY, -cipher => 'Blowfish', -padding => 'space', -add_header => 1 ); my $enc = $cipher->encrypt( $string ); return $enc; } ################################################################### sub decryptString { my $string = shift; my $cipher = Crypt::CBC->new( -key => $KEY, -cipher => 'Blowfish', -padding => 'space', -add_header => 1 ); my $dec = $cipher->decrypt( $string ); return $dec; } #############################################################3
    And here is a way of obscuring your key with pack(). You could also use encode_base64 to obscure your key.
    #!/usr/bin/perl use warnings; use strict; #by fokat of perlmonks my $string = 'justanotherperlhacker'; print "$string\n"; my $obscure = pack("u",$string); print "$obscure\n"; my $unobscure = unpack(chr(ord("a") + 19 + print ""),$obscure); print "$unobscure\n";

    I'm not really a human, but I play one on earth.
    Old Perl Programmer Haiku ................... flash japh
      Thanks Zentara. I did come across the CryptCBC and MIMEBase64 Modules and knew that this would somehow work, but I could not get what i wanted. your examples will definitely help me. this is what i wanted. thank you very much.
Re: Password Encryption and Decryption
by grantm (Parson) on Mar 24, 2012 at 08:42 UTC

    The thing about passwords is that you don't need to encrypt/decrypt them. Instead, all you need to do is store a cryptographic hash (also known as a "message digest") of the password. A hash cannot be 'decrypted' back to the original plain text but when you want to validate a login attempt, you just hash the supplied password and compare the result to the hash you have stored.

    So for example if you want to accept the password "SmokeScreen" you might use the SHA1 hashing algorithm like this:

    use Digest::SHA1 qw(sha1_hex); print sha1_hex("SmokeScreen"), "\n"; # Prints "95cb0bfd2977c761298d9624e4b4d4c72a39974a"

    You could then store this 40 character string.

    Later when someone attempts to log in they'll provide a plaintext password which you'll feed through the same sha1_hex function and if the result is the same 40 character string then they obviously supplied the right password.

    A flaw with this plan is that if two people have the same password then they'll have the same 40 character hash (even on another server that uses the same hashing algorithm) - this could be useful information to an attacker.

    A slightly more complex approach is to generate a few bytes of random "salt" when you initially hash the password. You'll add the salt bytes on the start of the plaintext before hashing and also on the start of the hash that you store. Then to validate a password you take the salt value from the stored hash and add it on the start of what the user provides. Because the salt bytes are random at the time the password is initially set, then two people with the same password will have different hash values.

      thanks grantm. What you have suggested can get me my head spinning towards a whole new approach. I will play around in my spare time. That's a really good suggestion. thanks.
        You can check out Crypt::SaltedHash which implements this - http://search.cpan.org/~esskar/Crypt-SaltedHash-0.06/lib/Crypt/SaltedHash.pm
Reaped: Re: Password Encryption and Decryption
by NodeReaper (Curate) on Oct 19, 2013 at 20:58 UTC
Reaped: Re: Password Encryption and Decryption
by NodeReaper (Curate) on Oct 19, 2013 at 20:59 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://961290]
Approved by Corion
Front-paged by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (6)
As of 2014-10-02 06:26 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    What is your favourite meta-syntactic variable name?














    Results (49 votes), past polls