Password encryption 

I tried to post this earlier this week, but somehow it did not work, so
I will try it from a different pc...

I have a file that is used by an Expect script; this file contains the
password for each system we use. Even though this file is saved with
read/write permission for the user only I don't think that is security
enough. I would like to be able to encrypt the file in such a way that
the Expect script will be able to decrypt the file when needed, get the
password information it needs and keep going. I wonder if Expect, Tcl or
Ksh have a module for that.

Thanks,

Fernando



Fri, 30 Jul 2004 05:47:41 GMT  
 Password encryption
What I've done in the past when I was real paranoid was to have the script
prompt the user at startup for the passphrase or password that was used to
decrypt credit card orders that were encrypted through a pipe to PGP. I only
kept the passphrase in memory and never on disk. I figured if somebody was
smart enough and determined enough to retrieve the information directly from
memory they could probably defeat most of my approaches anyway.
(The script I wrote was actually an expect/kermit daemon process that
uploaded the processed credit card orders to a bulletin board every morning
with a modem. That was 7 years ago BTW.)

Of course if somebody broke into the system as root, they could always
modify the script to store the passphrase in some secret location the next
time the unsuspecting user started up the script (the trojan horse
approach.)

Quote:

> I tried to post this earlier this week, but somehow it did not work, so
> I will try it from a different pc...

> I have a file that is used by an Expect script; this file contains the
> password for each system we use. Even though this file is saved with
> read/write permission for the user only I don't think that is security
> enough. I would like to be able to encrypt the file in such a way that
> the Expect script will be able to decrypt the file when needed, get the
> password information it needs and keep going. I wonder if Expect, Tcl or
> Ksh have a module for that.

> Thanks,

> Fernando



Fri, 30 Jul 2004 06:08:06 GMT  
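
The approach described in the post above (prompt once at startup, keep the passphrase only in memory, decrypt through a pipe), as an added Tcl example that is not the poster's code. It swaps GnuPG in for PGP and assumes `gpg` 2.1 or later on PATH, a hypothetical symmetrically encrypted file `passwords.gpg` whose plaintext holds one `host password` pair per line, and the hypothetical proc names `readSecret` and `loadPasswords`.

```tcl
# Added example, not code from the thread. Assumed setup (hypothetical names):
#   gpg --symmetric --output passwords.gpg passwords.txt
# where passwords.txt has one "host password" pair per line.

# Read one line from the terminal with echo off; echo is restored on error too.
proc readSecret {prompt} {
    puts -nonewline stderr $prompt
    flush stderr
    exec stty -echo
    set failed [catch {gets stdin line} err]
    exec stty echo
    puts stderr ""
    if {$failed} { error $err }
    return $line
}

# Decrypt into an array in the caller's scope. The passphrase travels over a
# pipe to gpg's stdin (gpg reads only its first line); a pipe is used instead
# of exec's "<<", which stages its input in a temporary file. The plaintext
# comes back on gpg's stdout and is never written to disk by this script.
proc loadPasswords {file passphrase arrName} {
    upvar 1 $arrName pw
    set ch [open |[list gpg --batch --quiet --pinentry-mode loopback \
                       --passphrase-fd 0 --decrypt $file 2>@stderr] r+]
    puts $ch $passphrase
    flush $ch
    set plain [read $ch]
    close $ch                      ;# raises an error if gpg exits non-zero
    foreach line [split $plain \n] {
        if {[string match "#*" $line]} continue
        if {[regexp {^(\S+)\s+(.+)$} $line -> host secret]} {
            set pw($host) $secret
        }
    }
    return [array size pw]
}

set passphrase [readSecret "Passphrase for passwords.gpg: "]
set count [loadPasswords passwords.gpg $passphrase pw]
unset passphrase
puts stderr "loaded $count entries"
# Later, inside the Expect dialogue:  send -- "$pw($host)\r"
```

The decrypted passwords still live in the process's memory for the life of the script, which is the residual exposure the post itself acknowledges.
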
 Password encryption
After some quick googling I found these crypt extensions:

http://www.muc.de/~jensj/tcl/tclcrypt.html
http://home.snafu.de/jn/tcl/crypt-example.html

Here's some pgp links:

http://www.pgp.com/
http://www.pgpi.org/

I thought this was especially interesting:

PGP ATTACKS
http://axion.physics.ubc.ca/pgp-attack.html

Quote:

> I tried to post this earlier this week, but somehow it did not work, so
> I will try it from a different pc...

> I have a file that is used by an Expect script; this file contains the
> password for each system we use. Even though this file is saved with
> read/write permission for the user only I don't think that is security
> enough. I would like to be able to encrypt the file in such a way that
> the Expect script will be able to decrypt the file when needed, get the
> password information it needs and keep going. I wonder if Expect, Tcl or
> Ksh have a module for that.

> Thanks,

> Fernando



Fri, 30 Jul 2004 06:39:18 GMT  
 Password encryption
Quote:

> I tried to post this earlier this week, but somehow it did not work, so
> I will try it from a different pc...

> I have a file that is used by an Expect script; this file contains the
> password for each system we use. Even though this file is saved with
> read/write permission for the user only I don't think that is security
> enough. I would like to be able to encrypt the file in such a way that
> the Expect script will be able to decrypt the file when needed, get the
> password information it needs and keep going. I wonder if Expect, Tcl or
> Ksh have a module for that.

TRF + TRFcrypt ?
http://www.oche.de/~akupries/tcltk.html

Michael Schlenker



Fri, 30 Jul 2004 09:40:08 GMT  
 Password encryption

Quote:

> I tried to post this earlier this week, but somehow it did not work, so
> I will try it from a different pc...

> I have a file that is used by an Expect script; this file contains the
> password for each system we use. Even though this file is saved with
> read/write permission for the user only I don't think that is security
> enough. I would like to be able to encrypt the file in such a way that
> the Expect script will be able to decrypt the file when needed, get the
> password information it needs and keep going. I wonder if Expect, Tcl or
> Ksh have a module for that.

> Thanks,

> Fernando

You could roll your own trivial cipher for the problem.
I've done this before using character index in string and
a simple constant value applied to the char and then transition
the character to hex. Really basic rot13 type thing.
So it looks like

for {set i 0} {$i < [string length $my]} {incr i} {
    if {[regexp "\[aeiou\]" $my]} {
        # record each vowel and a hex value derived from its position
        switch -exact -- [string range $my $i $i] {
            a { set place($i)     [string index $my $i]
                set place($i,hex) [format "%x" [expr {$i + 1}]]
            } e { set place($i)     [string index $my $i]
                set place($i,hex) [format "%x" [expr {$i + 2}]]
            } i { set place($i)     [string index $my $i]
                set place($i,hex) [format "%x" [expr {$i + 3}]]
            } o { set place($i)     [string index $my $i]
                set place($i,hex) [format "%x" [expr {$i + 4}]]
            } u { set place($i)     [string index $my $i]
                set place($i,hex) [format "%x" [expr {$i + 5}]]
            }
        }
        # etc..
    }
}

I find that allowing every possible character with variable length
passwords using this method breaks it, so you may want to have something
a little more sophisticated.
Good luck



Fri, 30 Jul 2004 11:11:28 GMT  
 Password encryption

Quote:

> I tried to post this earlier this week, but somehow it did not work, so
> I will try it from a different pc...

> I have a file that is used by an Expect script; this file contains the
> password for each system we use. Even though this file is saved with
> read/write permission for the user only I don't think that is security
> enough. I would like to be able to encrypt the file in such a way that
> the Expect script will be able to decrypt the file when needed, get the
> password information it needs and keep going. I wonder if Expect, Tcl or
> Ksh have a module for that.

> Thanks,

see <http://mini.net/tcl/2889!> for some various
encryption methods of varying levels of security.

Bruce



Fri, 30 Jul 2004 19:31:08 GMT  
 Password encryption

Quote:


> > I tried to post this earlier this week, but somehow it did not work, so
> > I will try it from a different pc...

> > I have a file that is used by an Expect script; this file contains the
> > password for each system we use. Even though this file is saved with
> > read/write permission for the user only I don't think that is security
> > enough. I would like to be able to encrypt the file in such a way that
> > the Expect script will be able to decrypt the file when needed, get the
> > password information it needs and keep going. I wonder if Expect, Tcl or
> > Ksh have a module for that.

> > Thanks,

> > Fernando

> You could roll your own trivial cipher for the problem.
> I've done this before using character index in string and
> a simple constant value applied to the char and then transition
> the character to hex. Really basic rot13 type thing.
> So it looks like

> for {set i 0} {$i < [string length $my]} {incr i} {
>            if {[regexp "\[aeiou\]"  $my]} {
>                switch -exact -- [string range $my $i $i] \
>                 a {  set place($i)      [string index $my $i]
>                      set place($i,hex)    [format "%x" [expr $i + 1]]
>               } e {  set place($i)      [string index $my $i]
>                       set place($i,hex)   [format "%x" [expr $i + 2]]
>               } i {  set place($i)      [string index $my $i]
>                      set place($i,hex)    [format "%x" [expr $i + 3]]
>               } o {  set place($i)      [string index $my $i]
>                      set place($i,hex)    [format "%x" [expr $i + 4]]
>               } u {  set place($i)      [string index $my $i]
>                      set place($i,hex)     [format "%x" [expr $i + 5]]
>               etc..

> I find that allowing every possible character with variable length
> passwords using this method breaks it, so you may want to have something
> a little more sophisticated.
> Good luck

This is one step better than simply embedding plaintext passwords and
relying on UNIX-level file permissions. Here's a similar function I
have used for a few years in low-security perl scripts:

#  Phrase Mangle
sub pmangle {
    $_ = shift;                        # note: assigns to the global $_
    tr/A-Za-z0-9/N-ZA-Mn-za-m5-90-4/;  # rot13 on letters, rot5 on digits
    $_;                                # return the mangled string
}

Sorry about the Perl in a Tcl group (is there a similarly-short way of
representing this in Tcl?), but this too is similar to the rot13 idea.
So, an id and password, say "admin / secret", would appear in the
script as "nqzva / frperg". Better than nothing: layfolk will not be
able to simply glance at the code and spot the key phrases. You
definitely want to enforce file-level permissions as well.

The best way to go about this is to never store sensitive data on a
shared machine or a machine that is vulnerable to compromise. Expect
is definitely your friend (the Expect.pm perl version is nice too).
Store your key data (passwords, certificates, etc) on a protected host
with limited user access, preferably behind a firewall. Have an
automated Expect script SSH-connect to the host where the script is
hosted, execute it, and supply the password information to its stdin
(mentioned in an earlier message in this thread, I believe). There are
other ways. In general, it's a tricky issue.



Sun, 08 Aug 2004 04:06:30 GMT  
 Password encryption


: Here's a similar function I
:have used for a few years in low-security perl scripts:
:
:#  Phrase Mangle
:sub pmangle {
:    $_ = shift;
:    tr/A-Za-z0-9/N-ZA-Mn-za-m5-90-4/;
:    $_;
:}
:
:Sorry about the Perl in a Tcl group (is there a similarly-short way of
:representing this in Tcl?),

Hmm does this get you started?

proc caesar {s {n 13}} {
    set from {A B C D E F G H I J K L M N O P Q R S T U V W X Y Z}
    set n [expr {$n % [llength $from]}]
    # rotate the alphabet by n places
    set to [concat [lrange $from $n end] [lrange $from 0 [expr {$n-1}]]]
    set map {}
    foreach i $from j $to {
        lappend map $i $j [string tolower $i] [string tolower $j]
    }
    string map $map $s
}

proc tmangle args {
    # join the words so a multi-word phrase is not brace-quoted as a list
    return [caesar [join $args]]
}

--
"I know of vanishingly few people ... who choose to use ksh." "I'm a minority!"

Even if explicitly stated to the contrary, nothing in this posting
should be construed as representing my employer's opinions.


Mon, 09 Aug 2004 02:27:08 GMT  
 Password encryption

                        .
                        .
                        .
Quote:
>#  Phrase Mangle
>sub pmangle {
>    $_ = shift;
>    tr/A-Za-z0-9/N-ZA-Mn-za-m5-90-4/;
>    $_;
>}

>Sorry about the Perl in a Tcl group (is there a similarly-short way of
>representing this in Tcl?), but this too is similar to the rot13 idea.

                        .
                        .
                        .
No and yes.

Perl's welcome here; 'least, *I* find this an effective way
of presenting your point, enough so that I'm willing to bet
others will, too.

No, Tcl doesn't have a direct equivalent of tr//, but Tcl
*does* make it easy to "shell out":
  set {$_} [exec tr A-Za-z0-9 N-ZA-Mn-za-m5-90-4 << $zeroth_argument]

A pure-Tcl tr is only a few lines more ... oooo; who wants to
be the first to put it in <URL: http://mini.net/tcl/460.html >?
--


Business:  http://www.Phaseit.net
Personal:  http://starbase.neosoft.com/~claird/home.html



Mon, 09 Aug 2004 03:22:31 GMT  
 Password encryption
        ...

Quote:
> No, Tcl doesn't have a direct equivalent of tr//, but Tcl
> *does* make it easy to "shell out":

TclX has tr.  I thought about adding this with the extra string
functions in 8.1.1, but instead made string map, which I think
is more useful.

--
  Jeff Hobbs                     The Tcl Guy
  Senior Developer               http://www.ActiveState.com/
        Tcl Support and Productivity Solutions
     http://www.ActiveState.com/Products/ASPN_Tcl/



Mon, 09 Aug 2004 04:41:23 GMT  
 Password encryption

Quote:

> A pure-Tcl tr is only a few lines more ... oooo; who wants to
> be the first to put it in <URL: http://mini.net/tcl/460.html >?

Meeeeee!  (It's now there.)

--
73 de ke9tv/2, Kevin KENNY      GE Corporate R&D, Niskayuna, New York, USA



Mon, 09 Aug 2004 06:26:56 GMT  
 Password encryption


:TclX has tr.  I thought about adding this with the extra string
:functions in 8.1.1, but instead made string map, which I think
:is more useful.
:

I find string map wonderful for quick translations of a few characters.
I find the unix tr command wonderful for doing bulk translations of entire
ranges of characters.

When I looked into this problem, I was disappointed that I couldn't give
string map a range of characters to map to another range... if it only
had that ability, it would handle most of my data mapping needs (the only
thing remaining would be my regular need to map strings into other strings -
I can do this with a series of regsub's, but that's not as efficient as
being able to specify a series of translations and having it done during
one pass through, say, a 30 megabyte string...  And yes, something would
have to be done to codify/document overlapping changes - shrug.)

--
"I know of vanishingly few people ... who choose to use ksh." "I'm a minority!"

Even if explicitly stated to the contrary, nothing in this posting
should be construed as representing my employer's opinions.



Tue, 10 Aug 2004 20:46:02 GMT  
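
A pure-Tcl `tr` built on `string map`, with the range expansion the post above found missing, added here as an example that is not code from the thread or from the wiki pages it links. `expandRange`, `tr` and this Tcl `pmangle` are hypothetical names; the last lines show that the mangle is its own inverse, so it hides a password from a glance but not from anyone who can read the file.

```tcl
# Added example, not code from the thread; proc names are hypothetical.

# Expand a tr-style set such as "A-Za-z0-9" into a list of single characters.
proc expandRange {spec} {
    set out {}
    set n [string length $spec]
    for {set i 0} {$i < $n} {incr i} {
        set c [string index $spec $i]
        # "x-y": a dash with a character on each side denotes a range
        if {$i + 2 < $n && [string index $spec [expr {$i + 1}]] eq "-"} {
            scan $c %c lo
            scan [string index $spec [expr {$i + 2}]] %c hi
            if {$hi < $lo} { error "reversed range in \"$spec\"" }
            for {set k $lo} {$k <= $hi} {incr k} {
                lappend out [format %c $k]
            }
            incr i 2
        } else {
            lappend out $c
        }
    }
    return $out
}

# Translate characters of s: the n-th character of "from" becomes the n-th
# character of "to". string map makes one pass and never rescans its output.
proc tr {from to s} {
    set f [expandRange $from]
    set t [expandRange $to]
    if {[llength $f] != [llength $t]} {
        error "character sets differ in length"
    }
    set map {}
    foreach a $f b $t { lappend map $a $b }
    return [string map $map $s]
}

# Tcl counterpart of the Perl pmangle quoted earlier in the thread.
proc pmangle {s} { tr A-Za-z0-9 N-ZA-Mn-za-m5-90-4 $s }

set stored [pmangle "admin / secret"]
puts $stored
puts [pmangle $stored]   ;# the same call undoes the mangle
```
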
 Password encryption
                        .
                        .
                        .
Quote:
>I find string map wonderful for quick translations of a few characters.
>I find the unix tr command wonderful for doing bulk translations of entire
>ranges of characters.

>When I looked into this problem, I was disappointed that I couldn't give
>string map a range of characters to map to another range... if it only
>had that ability, it would handle most of my data mapping needs (the only
>thing remaining would be my regular need to map strings into other strings -
>I can do this with a series of regsub's, but that's not as efficient as
>being able to specify a series of translations and having it done during
>one pass through, say, a 30 megabyte string...  And yes, something would
>have to be done to codify/document overlapping changes - shrug.)

                        .
                        .
                        .
<URL: http://mini.net/tcl/ExampleScripts > now includes
everything known about tr for Tcl.
--


Business:  http://www.Phaseit.net
Personal:  http://starbase.neosoft.com/~claird/home.html



Tue, 10 Aug 2004 23:18:51 GMT  
 Password encryption

Quote:

>I find string map wonderful for quick translations of a few characters.
> [...]
>(the only
>thing remaining would be my regular need to map strings into other strings -
>I can do this with a series of regsub's, but that's not as efficient as
>being able to specify a series of translations and having it done during
>one pass [...]

Do you mean something like this:

        string map {
            "&lt;"        "<"
            "&gt;"        ">"
            "&le;"        "<="
            "&ge;"        ">="
        } $whatever

or something else?

--Joe English




Wed, 11 Aug 2004 08:17:24 GMT  
 