New Program I have written

Discussion in 'Programming & Software Development' started by Jab, Jan 27, 2007.

  1. Ze.

    Ze. Member

    Joined:
    Sep 13, 2003
    Messages:
    7,871
    Location:
    Newcastle, NSW
    Just a note: when I was saying I wouldn't use your software, it wasn't because I thought you had done anything unethical, just that the risks of a bug or mistake in implementation are too much when there is software out there by respected professionals in the security and cryptographic community (e.g. Bruce Schneier).

    I wouldn't pay too much attention to Ravenclaw, he's a bit of a crank imho.
     
  2. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    look Ze

    you shouldn't accuse me of being a crank

    i have saved a lot of hassle here

    this program was badly flawed

    so let's try and separate the ravenclaw that posts in CE and the ravenclaw that posts in graphics and programming

    i know that might be hard for you commie witchhunters to do

    seeing as you stalked me from current events

    anyway, here is a program that will read the password vault

    Code:
    using System.Security.Cryptography;
    using System;
    using System.IO;
    using System.Text;
    using System.Xml;
    
    public class Test 
    {
    	private static readonly String MASTER_SECRET = "pn9#80y&%&";
    	private static readonly String USERDATA_SECRET = "pn9#80y&%&U";
    
    	public static void Main(string[] args) 
    	{
    		Console.WriteLine("Trying to load password vault from current directory");
    
    		XmlDocument document = new XmlDocument();
    		document.Load("PassVlt.exe.config");
    		XmlNode node = document.SelectSingleNode("/configuration/appSettings/add[@key='mpw']/@value");
    		if (emptyIfNull(node).Length == 0) 
    		{
    			Console.WriteLine("missing password");
    		} 
    		else 
    		{
    			string masterPassword = decode(node.InnerText, MASTER_SECRET);
    			Console.WriteLine("master password {0}", masterPassword);
    			
    		}
    
    		readEntries();
    	}
    
    	private static void readEntries() 
    	{
    		XmlDocument document = new XmlDocument();
    		document.Load("userdata.xml");
    		XmlNodeList list = document.SelectNodes("/Keys_Table/location");
    		
    		foreach (XmlNode node in list) 
    		{
    			string encryptedPassword = emptyIfNull(node.SelectSingleNode("Password"));
    			string password;
    			if (encryptedPassword.Length == 0) 
    			{
    				password = "";
    			} 
    			else 
    			{
    				password = decode(encryptedPassword, USERDATA_SECRET);
    			}
    			Console.WriteLine("URL: {0} Loginname: {1} Password: {2}",
    				emptyIfNull(node.SelectSingleNode("Url")),
    				emptyIfNull(node.SelectSingleNode("Loginname")),
    				password);
    			
    		}
    
    	}
    
    	private static string emptyIfNull(XmlNode node) 
    	{
    		if (node == null) 
    		{
    			return "";
    		} 
    		else 
    		{
    			return node.InnerText;
    		}
    	}
    
    	public static string decode(string encoded, string key) 
    	{
    
    		byte[] raw = Convert.FromBase64String(encoded);
    		
    		TripleDESCryptoServiceProvider provider1 = new TripleDESCryptoServiceProvider();
    		provider1.IV = new byte[8];
    		provider1.Key = new PasswordDeriveBytes(key, new byte[0]).CryptDeriveKey("RC2", "MD5", 0x80, new byte[8]);
    		MemoryStream stream1 = new MemoryStream();
    		CryptoStream stream2 = new CryptoStream(stream1, provider1.CreateDecryptor(), CryptoStreamMode.Write);
    
    		stream2.Write(raw, 0, raw.Length);
    		
    		stream2.FlushFinalBlock();
    		byte[] buffer2 = new byte[stream1.Length];
    		stream1.Position = 0;
    		stream1.Read(buffer2, 0, (int) stream1.Length);
    		stream2.Close();
    
    		return Encoding.UTF8.GetString(buffer2);
    	}
    
    
    
    }
    
     
  3. Jaffa_Cree

    Jaffa_Cree Member

    Joined:
    Feb 26, 2002
    Messages:
    1,976
    Ravenclaw,


    I am assuming you decompiled the assembly in something like Reflector and found the secret key(s) hard-coded either as a string or a byte array.

    What would you suggest as an alternative way of storing the private key, whether it be a reusable or random key?
     
  4. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    what is this nonsense about storing a key inside a program

    you can store the key inside someone's head

    or part of it inside someone's head and part of it on a usb key

    you have a totally random key to encrypt the database and another random key to use as input to a HMAC function

    and you store this as part of the database or on a separate storage medium (usb key)

    these keys are encrypted with another key that is derived from a user's passphrase using a key derivation function

    this is how schneier's password safe and keepassx work

    i would just like to say reflector.exe is awesome. more powerful in terms of analyzing program flow than visual studio was last time i used it but less powerful than eclipse. :)
     
    Last edited: Feb 2, 2007
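
Added example, not part of the thread and not any poster's or project's code: a sketch of the layout described in the post above, where the random database and HMAC keys are stored only in wrapped form under a key derived from the user's passphrase, so nothing secret ships in the binary. It assumes .NET 6 or later; the class name, blob layout, iteration count and passphrase are illustrative choices.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
public static class VaultKeys
{
    const int Iterations = 600_000; // assumed PBKDF2 work factor, tune per hardware

    // Stretch the passphrase into 64 bytes: 32 encrypt the key blob, 32 authenticate it.
    static (byte[] enc, byte[] mac) Derive(string passphrase, byte[] salt)
    {
        byte[] okm = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA512, 64);
        return (okm[..32], okm[32..]);
    }
    // Output layout: salt(16) || iv(16) || ciphertext || hmac(32). Only this is stored.
    public static byte[] Wrap(string passphrase, byte[] vaultKeys)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        var (enc, mac) = Derive(passphrase, salt);
        using Aes aes = Aes.Create();
        aes.Key = enc;
        byte[] body = salt.Concat(iv).Concat(aes.EncryptCbc(vaultKeys, iv)).ToArray();
        return body.Concat(HMACSHA256.HashData(mac, body)).ToArray();
    }
    // False when the passphrase is wrong or the stored blob was modified.
    public static bool TryUnwrap(string passphrase, byte[] blob, out byte[] vaultKeys)
    {
        vaultKeys = Array.Empty<byte>();
        if (blob.Length < 16 + 16 + 16 + 32) return false;
        byte[] body = blob[..^32], tag = blob[^32..];
        var (enc, mac) = Derive(passphrase, body[..16]);
        if (!CryptographicOperations.FixedTimeEquals(HMACSHA256.HashData(mac, body), tag))
            return false; // check the HMAC before decrypting anything
        using Aes aes = Aes.Create();
        aes.Key = enc;
        vaultKeys = aes.DecryptCbc(body[32..], body[16..32]);
        return true;
    }

    public static void Main()
    {
        // Random database key (32) plus random HMAC key (32), as the post describes.
        byte[] keys = RandomNumberGenerator.GetBytes(64);
        byte[] stored = Wrap("constructed example passphrase", keys);
        Console.WriteLine(TryUnwrap("constructed example passphrase", stored, out var k) && k.SequenceEqual(keys));
        Console.WriteLine(TryUnwrap("wrong guess", stored, out _));
    }
}
```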
  5. Jaffa_Cree

    Jaffa_Cree Member

    Joined:
    Feb 26, 2002
    Messages:
    1,976
    Let me conjure up a scenario.

    You have developed a database-driven Windows application. This Windows application stores sensitive data into this database. The end users have no need to access this data so the key is not known to them. Only the application consumes this secret key to encrypt/decrypt to get either the cipher or plaintext.

    In this scenario, how would you store the private key?
    I understand embedding the key in source code is a bad idea, so what other alternatives are there?

    Sure we can store the key in the database and even use the database to generate random private keys, IV keys, and salt values, but the application needs to access this database through some sprocs therefore the application needs to know the SQL connection credentials. So how are we going to supply the SQL credentials to the application without jeopardising the keys?
     
    Last edited: Feb 2, 2007
  6. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    client/server
     
  7. Jaffa_Cree

    Jaffa_Cree Member

    Joined:
    Feb 26, 2002
    Messages:
    1,976
    Can you please elaborate :confused:

    In the above scenario, the database and client application will be on the same machine.
    The client windows app is a standalone application. So both app and database are closed off and do not communicate to any other services etc.

    So by storing the keys in the database it keeps the key safe.
    But now we have to store the SQL connection credentials safely somewhere as well in case someone gets a hold of it, so therefore risking the keys in the database.
     
    Last edited: Feb 2, 2007
  8. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    you put the database and the logic to manipulate it on a server

    the client applications authenticate using the users credentials to the server and ask it to perform functions on behalf of the user
     
  9. Jaffa_Cree

    Jaffa_Cree Member

    Joined:
    Feb 26, 2002
    Messages:
    1,976
    I am not trying to be annoying or anything but I am just trying to come up with a scenario to see where keys should be kept.

    Let's say this client application does not authenticate the user. So you have an installer that deploys the Windows app and database to the PC locally.
    So anyone that has access to the PC is granted access to this application.

    Therefore the deployed database will probably have a preconfigured user account to access the data. How will this credential be supplied to the application and it be kept secured?
     
  10. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    if you're going to put keys in executables

    and then give these executables to users

    then your secret key is not very secret

    since it won't cost much in terms of time or money to retrieve it

    look at how software always gets cracked

    if the program can read the secret then someone else can read the secret very easily

    i'm not going to give you hints on how to secure it

    because it is stupid

    on the other hand, you will have more luck doing something like this with hardware. because you can make devices that are very tamper resistant.
     
  11. Ze.

    Ze. Member

    Joined:
    Sep 13, 2003
    Messages:
    7,871
    Location:
    Newcastle, NSW
    I didn't stalk you from Current Events to here, I regularly read and post in this forum myself :)

    Going by your original post without pointing out where the backdoor was, I just presumed you were doing another crank post like Current Events :) but it appears you did some good work pointing out the flaw.
     
  12. Deadly Bulb

    Deadly Bulb Member

    Joined:
    Apr 12, 2002
    Messages:
    199
    Someone is confused about what a "backdoor" is. A backdoor implies the user's passwords are being uploaded to an online database, or something along those lines, so Jab can steal your login info :p

    I doubt RavenClaw could decrypt the password vault data if you used an obfuscator or didn't explain exactly how you encrypted data in the first place.

    There really wasn't any reason to take the program down from your website.
     
  13. Jaffa_Cree

    Jaffa_Cree Member

    Joined:
    Feb 26, 2002
    Messages:
    1,976
    The source code was obfuscated.
     
  14. Ravenclaw

    Ravenclaw Member

    Joined:
    Dec 6, 2004
    Messages:
    2,090
    backdoor
    i don't have to use the normal authentication, knowledge of the secret password, in order to access the password vault. sounds like a backdoor to me.

    he did use an obfuscator and knowledge of an algorithm shouldn't be used to protect secrets. much easier to protect a secret key than it is to protect a secret algorithm.
     
  15. OP
    Jab

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    Well yes there was! The program was significantly flawed! Unfortunately!

    The bit that worries me now that I have moved on from this debacle is other code I have written. Since the obfuscation I applied was worthless I am at a loss as to what to do next. I have PM'd Ravenclaw for some suggestions in this regard, if in fact something can be done. I would not like to think that every bit of C# .NET code available is totally open to the world!

    Open for anybody to suggest what I can do please. Are commercial obfuscation products then worth the money?

    Jim
     
  16. hellcat

    hellcat Member

    Joined:
    Jun 27, 2001
    Messages:
    1,271
    Location:
    Avondale Heights
    Don't worry too much about all this, everybody learns from failed developments. If I listed all the "projects" that worked perfectly before some good testing I'd have a very short list. Some mistakes have even slipped through to production. It can happen to even the most seasoned developers. The important thing is to learn from it, find a better way to do it, and possibly fix your existing program.

    I always try to fix the existing project, unless it's going to take a huge amount of time. Mainly because it helps to reinforce the lessons learnt from the mistake(s).

    Always remember to get knowledgeable people in the particular field you're developing for to test your work before you release it. If there is an exploit you can be sure somebody will find it, especially when it comes to security.

    As for previous code you've written, if you feel it may be open to the same problems then you really should check it.

    Cheers,
    Hellcat
     
  17. OP
    Jab

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    hellcat

    The other programs don't have a security component per se but they may have a need to 'hide' some data. One is my own CD/DVD writing program, the other is my photo workflow/editing software.

    Well one is never too old to learn from one's mistakes. I have been programming nearly 30 years in a multitude of languages. And still phuck it up! O' Well :)

    As for the other software I will use it internally but now probably not release it.

    I am keen to find out how to properly obfuscate the code though.

    Thanks
    Jim
     
  18. yoink

    yoink Member

    Joined:
    Feb 19, 2002
    Messages:
    3,483
    Hey Jab,

    It would be a shame to not release your other software, just because someone can unobfuscate it - just be sure to find the "best" way to obfuscate it, I'm pretty sure there will always be *someone* who can unobfuscate it.
    Anyway, as far as encoding goes, if you hash the passwords using the program password as key, (as I think Ravenclaw suggested?), you probably can't go too wrong :)
     
  19. Ze.

    Ze. Member

    Joined:
    Sep 13, 2003
    Messages:
    7,871
    Location:
    Newcastle, NSW
    It's always going to be readable to someone who puts in enough effort. If the security of your code relies on code obfuscation then it isn't secure.
     
  20. OP
    Jab

    Jab Member

    Joined:
    Jun 26, 2001
    Messages:
    828
    Location:
    Brisbane, QLD
    Then what's the answer then?
     
