New Program I have written

Discussion in 'Programming & Software Development' started by Jab, Jan 27, 2007.

  1. Jab

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    Being one of the older guys here I keep forgetting passwords etc. to websites. So I decided to write a password manager program. Now I know there are many out there, but mine offers a few features over some of the others.

    • Customisable column headings, tailor the program for other uses
    • Semi portable, run it from your USB key or even in some cases mobile phone (Needs the .NET 2 Framework on any host computer it runs on)

    Now before I go any further on about it I would appreciate NO posts
    "sif use .NET" or similar OR "Program xyz has all these features, people should use it"

    Full details are here - http://www.realtime-systems.com/passvault.html

    Some of the uses my testers suggested apart from password storage are

    • Store software registration keys
    • Point the URL column at a thumbnail pic of a household item and record the serial number of it

    Anyway have a look at it if you think it might be useful and any intelligent suggestions welcome.

    Jim :)

     
    Last edited: Jan 28, 2007
  2. foxmulder881

    foxmulder881 Member

    Joined:
    Nov 17, 2004
    Messages:
    5,884
    Location:
    Gold Coast, QLD; OS: Linux
    What sort of encryption does it use to protect that data and how strong is it? If you lose your USB stick, you would want it well encrypted. Otherwise, I doubt it would be hard to crack.
     
  3. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    foxmulder881

    Please feel free to give it a go and crack it :)

    It uses the .NET TripleDESCryptoServiceProvider with an MD5 hash name.

    Jim
     
  4. foxmulder881

    foxmulder881 Member

    Joined:
    Nov 17, 2004
    Messages:
    5,884
    Location:
    Gold Coast, QLD; OS: Linux
    That's okay mate. Just curious that's all. Seems secure enough though.
     
  5. wwwww

    wwwww Member

    Joined:
    Aug 22, 2005
    Messages:
    6,270
    Location:
    Bangkok
  6. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    wwwww

    Thanks ! Will look at it and see why it did that.
     
  7. f3n1x

    f3n1x Member

    Joined:
    Mar 20, 2003
    Messages:
    1,704
    Location:
    Armadale, Melbourne
  8. wwwww

    wwwww Member

    Joined:
    Aug 22, 2005
    Messages:
    6,270
    Location:
    Bangkok
  9. Nitrov8

    Nitrov8 Member

    Joined:
    Dec 24, 2001
    Messages:
    876
    Location:
    Perth
    I'm making exactly the same sort of program atm as well, except the tools I'm using are quite different. I'm using Flash 8, Zinc and MySQL.
    It's just a small personal side project while I learn Zinc.

    One feature I built into mine, which you may or may not have already, is one-click copy to the clipboard. Easy enough to do: you left-click on the password field and the password gets put on the clipboard ready for pasting :thumbup:
     
  10. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    wwwww
    For the moment I have not packaged the program up into an installer so it assumes you do have the .NET 2 framework installed. I also think this is the problem.

    Nitrov8
    I have added to the main post the help screen. One of the "right-click" options is in fact copying the cell data to the clipboard :)
    In lieu of a database I store the data encrypted in an XML file. That way it can easily be "re-constructed" from a printout.

    f3n1x
    I purchased a commercial set of icons for a number of developments, thanks.
     
  11. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    Post your encryption algorithm, then people can give you some feedback about its security.

    Here are my criticisms:

    It uses the same IV each time it encrypts the file. This leaks information.

    It derives the password using the same salt, which makes it more vulnerable to offline attacks.
     
    Last edited: Jan 29, 2007
  12. BAC :S

    BAC :S Member

    Joined:
    Dec 26, 2001
    Messages:
    1,385
    Location:
    Melbourne
    I thought he already did?
     
  13. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    Ravenclaw
    So you're saying it would be better to have, say, half a dozen keys and randomly choose one to encrypt the data with. The only thing I would have to do then is also embed into the encrypted data an indicator as to which key was used.

    Jim

     
  14. rockuman_ex

    rockuman_ex Member

    Joined:
    Apr 3, 2002
    Messages:
    3,873
    Location:
    Brisbane
  15. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    You are using a block cipher in CBC mode.

    One of the reasons for using CBC is so two identical plaintexts will never be encrypted to the same ciphertext.

    If two identical plaintexts are encrypted to the same ciphertext then you leak information.

    If you are encrypting multiple streams with CBC and the same key then you need to use a unique IV (initialization vector) for each one.

    However, it should be good enough to use a random one. It is very unlikely that you will ever choose two 128-bit values that are the same. You would have to encode 2^64 messages before you had a 50% chance of that happening.

    You seem to be using all zeros as the initialization vector.

    You should also use a random salt as part of the key derivation function.

    The reason for using a random salt is to stop brute force dictionary attacks from being cheaper.

    At this point I will assume you are using a key derivation function that uses multiple iterations to try and stop brute force dictionary attacks.

    Say I wanted to break into 1000 password databases, then I could simply perform the key derivation function on my dictionary, store the results and then use the keys to try and break into the databases. This increases my speed by around 1000x.

    EDIT: ignore the bit below. This doesn't apply.

    Your implementation also has a more serious flaw because you are using a constant IV and no salt, and I'm guessing the first 16 characters in the XML file are always going to be the same (<?xml version="1 ).

    I can simply get my dictionary and calculate the first encrypted block for each password in the dictionary and store these blocks in a giant hashtable.

    I can then break a password database in one lookup operation, assuming the password is in my dictionary. This attack is somewhat similar to this one for Windows passwords.

    The encryption in Microsoft Office was broken because it used the same IV every time. So these attacks are very real. But the Office vulnerability is orders of magnitude worse.


    OK guys. I totally missed the biggest problem with this password vault on my first analysis. I just decompiled one function and assumed the vault would be written similar to how I would write it but making novice mistakes. This is not the case. The password vault is backdoored (probably not deliberately). Do not use it. If you want proof, send me a file and I will decrypt it.
     
    Last edited: Jan 29, 2007
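    Ravenclaw's IV and salt points, as an added Go example that is not code from the thread or from PassVault: it assumes the weak scheme derives its 3DES key from an unsalted MD5 of the password and uses an all-zero IV (an assumption modelled on the descriptions above), and puts the corrected form beside it, with a fresh random salt, PBKDF2 and a fresh random IV per file. The XML prefix and passwords used with it are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// cbc3DES PKCS#7-pads to the 8-byte DES block and encrypts with 3DES-CBC.
func cbc3DES(key, iv, plaintext []byte) []byte {
	block, err := des.NewTripleDESCipher(key) // key must be 24 bytes
	if err != nil { panic(err) }
	n := 8 - len(plaintext)%8
	out := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, out)
	return out
}

// WeakEncrypt models the scheme criticised in the thread (assumption: key is an unsalted
// MD5 of the password, IV all zeros): same password and same XML prefix repeat the first block.
func WeakEncrypt(password string, plaintext []byte) []byte {
	h := md5.Sum([]byte(password))
	key := append(h[:], h[:8]...) // 16-byte MD5 widened to a 24-byte 3DES key
	return cbc3DES(key, make([]byte, 8), plaintext)
}

// pbkdf2 returns one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 2898).
func pbkdf2(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// StrongEncrypt: fresh random salt and IV per file, stored in the clear ahead of the
// ciphertext (layout salt(16)|iv(8)|ct) so that decryption can recover them.
func StrongEncrypt(password string, plaintext []byte) []byte {
	hdr := make([]byte, 24)
	if _, err := rand.Read(hdr); err != nil { panic(err) }
	key := pbkdf2([]byte(password), hdr[:16], 100000)[:24]
	return append(hdr, cbc3DES(key, hdr[16:], plaintext)...)
}
```

    With the weak scheme, two vaults protected by the same password share their first ciphertext block whenever their files start with the same XML prefix; with the strong scheme the salt, IV and every ciphertext block differ between runs.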
  16. Ze.

    Ze. Member

    Joined:
    Sep 13, 2003
    Messages:
    7,871
    Location:
    Newcastle, NSW
    Jab: Whilst it's great you've written the program, I wouldn't expect other people to use it when it's very easy for someone an insecure program. Personally, if I was going to use one I'd use the one written by Bruce Schneier.
     
  17. FearTec

    FearTec Member

    Joined:
    Jul 22, 2003
    Messages:
    2,401
    Location:
    NSW
    I use http://www.truecrypt.org/docs/ on all of my USB drives and also create a partition on my main drive.

    All of my partitions/*.tc files have a hidden partition after an empty static parent with mixed encryption at all levels.

    Very secure.

    Jab, Check out the encryption podcasts on GRC.com here: http://www.grc.com/securitynow/

    :)
     
  18. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    Phew. Boy, one really does learn from one's mistakes.

    I have removed the download of PassVault from my website, never to reappear.

    The webpage will go in a few days.

    Jim.

    PS Ravenclaw, email me please what you found re backdoored. It was CERTAINLY not my intent.
     
  19. Jab (OP)

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    After thinking about it for a little while I would like to re-iterate in the strongest manner I WOULD NEVER INTENTIONALLY BUILD IN A BACKDOOR TO ANY SOFTWARE I HAVE WRITTEN.

    Even any suggestion of that could ruin my reputation of some 25+ years in the industry. I would like to think that possibly in the future I may post some other software (but doubtful now) I have on the go, but this will effectively kill anybody's desire to look at anything I write.

    Also my business, Realtime Systems', reputation hangs on this as well. From my early days as the first distributor in Australia of Corsair memory through my extensive work in government with database work and application system design, I have tried to maintain an ethical business, totally.

    I hope this is clear to all.

    Jim.
     
  20. Nitrov8

    Nitrov8 Member

    Joined:
    Dec 24, 2001
    Messages:
    876
    Location:
    Perth
    I believe you Jab :thumbup:

    But it does beg the question about security testing before releasing any type of software. Surely there must be somewhere out there where you can say "here is my program, see if it has any holes".
     