Irreversible encrypted password in HPE LoadRunner - testing

I have been running some performance tests on one of my websites and I have been trying to encrypt my password for safety reasons. Every method I have tried is easily reversible if someone has access to my scripts. Does anyone know how to do this properly? LoadRunner documentation is quite poor. I have tried
Using parameters: (actual password can be seen in parameters)
"Name=Username", "Value={Username}", ENDITEM,
"Name=Password", "Value={Password}", ENDITEM,
Using masked strings, which can also be reversed.
"Name=Username", lr_unmask("5c5c433589e471556dd55bdac0336170f7c36ea3b32869fec2ee1ffa15"), ENDITEM,
Any help would be greatly appreciated, thanks

Use a public encryption algorithm. Supply the decryption key for the data as part of a run time parameter (see run time settings for parameters). Encrypt your parameter data with the key in question. This way you can store your data encrypted, using a key which is only known by you before execution.

WebHttp protocol doesn't have an encryption feature. For encryption you can use the TruWeb protocol (https://admhelp.microfocus.com/truweb/en/latest/help/Content/TruWeb/TW-masking.htm) or implement your own way to use an encryption algorithm.
EDIT: Alternatively you can store values in VTS -
https://admhelp.microfocus.com/lr/en/12.60-12.61/help/WebHelp/Content/VTS/c_getting-started.htm

Related

Method to prove authenticity of download files in hindsight

I'm looking for a tool or method to prove the authenticity of resources downloaded from the web and stored locally. To be clear: I don't mean the SHA or MD5 checksums to verify a downloaded file. What I need is a way to download and store a web resource in such a way that I can later prove that said resource indeed originated from that web server.
In particular for the following scenario: A website published an article about a client. He would like to sue for defamation of character. I need a way to store the article without them having the possibility of simply removing it and denying they ever published it. So preferably this would be a tool that is backed by publications making it credible in court.
I have thought about storing the TLS certificate, keys and the encrypted data. That would rely on the root CA, but I think that would in itself not be a problem. I could do this using a custom program and a library like OpenSSL, but I think this is such a common problem, there probably is a relatively standard tool for it. Also, I am not entirely sure to what extent this would constitute reliable evidence. And can someone point to publications that would back this method?
Maybe I am using the wrong search terms, but everything I find is about aforementioned SHA or MD5 checksums. Any help is much appreciated.
If I understand correctly, you need something like a signature with a timestamp. Yes?
You need not only a checksum of the document (article, text value, whatever) but also proof that this article really existed at that time.
When using a digital signature you can store such a timestamp with certified 3rd-party providers. You sign the document and send the checksum to the 3rd-party provider. Later you can ask the provider to verify that this exact document is valid and was indeed created at the given time.
https://en.wikipedia.org/wiki/Trusted_timestamping
As this can cost money (a fee for the provider to store the timestamps), you can create checksums of many documents (for example, take all documents from one hour), store all of them in a single file, create a checksum of that file and sign it with a timestamp. This way you create one timestamp for a batch of documents, not one for each document.
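The batching step described in the answer above, sketched in Python as an added example (not part of the original post): one manifest of per-document SHA-256 digests is built, and only the manifest's digest would be submitted to the timestamping provider. The document names and contents are constructed, and the provider's signed timestamp token is outside this sketch.

```python
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(documents):
    """Return manifest bytes: one '<sha256>  <name>' line per document, sorted by name."""
    lines = []
    for name in sorted(documents):
        if "\n" in name or "\r" in name:
            raise ValueError("document name must not contain line breaks")
        lines.append(f"{sha256_hex(documents[name])}  {name}")
    return ("\n".join(lines) + "\n").encode("utf-8")


def batch_digest(manifest):
    """Digest of the whole manifest: the single value submitted for timestamping."""
    return sha256_hex(manifest)


def verify_document(name, body, manifest, timestamped_digest):
    """Check that body is the document recorded under name in the timestamped batch."""
    # 1. The stored manifest must be the one whose digest was timestamped.
    if not hmac.compare_digest(batch_digest(manifest), timestamped_digest):
        return False
    # 2. The document's digest must appear in that manifest under the same name.
    entry = f"{sha256_hex(body)}  {name}"
    return entry in manifest.decode("utf-8").split("\n")


# Constructed sample batch (hypothetical file names and contents).
SAMPLE_DOCS = {
    "article-2024-01-15.html": b"<html><body>Article text as downloaded</body></html>",
    "headers-2024-01-15.txt": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_DOCS)
SAMPLE_DIGEST = batch_digest(SAMPLE_MANIFEST)
```

The manifest has to be kept alongside the documents, because verification later needs both the manifest and the digest that was timestamped.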

Make login information secure in Visual Studio

In my program, I have a simple login prompt so that only certain users may enter a program, as well as make the program function differently depending on the user. What I would like to do is have the user login information (username, password, etc.) securely stored without going through an online database. I know that using a text file to store this information is a very bad idea, and I'm sure there is an easier way to do this than to make an array of this login information internally inside my program. Could you all give me some suggestions of a way to do this?
Hashes are what you need. Paste a hash-making function into your code, MD5 functions are available online for all major platforms. Then store your pairs of hashes in your config file. Devise a clever way to combine a password with your admittance options into another hash so that the file is edit-proof. This way, you can distribute the account configuration and if you don't make a trivial cryptographic mistake, it will work just as you want.
Example of the config file line (hashes truncated to 6 chars for clarity):
1a2b3c print;search;evaluate 4d5e6f
Here, 1a2b3c is obtained as MD5(username.Text+verysecret), the verbs are the account's rights and 4d5e6f is obtained as MD5(line[1]+verysecret+password.Text) where line[1] is the split result of the config line where the verbs are stored and the rest is the user's password.
Note how the password gets automatically salted by the verbs and how the verbs are protected against editing because that would invalidate the password hash. The verysecret constant is something hidden in your executable code that will prevent anybody from computing the hashes and unlocking the program.
Hashing is not an asymmetric cipher or key pair; a motivated attacker can crack your program to bypass protection altogether anyway, so going to further lengths is useless.
If you are cheap to find an asymmetric scheme, but cunning enough, you can change a few initialization constants in that MD5 function. This will make the cracking of your code harder, especially against the making of a counterfeit account file.
EDIT: When authenticating, don't just if(hashfromconfig == computedhash)... Script kiddies know how to hook into the string comparison function. Write if(MD5(hashfromconfig) == MD5(computedhash))... instead... Then the string comparison will work just as before, only it will not see your precious key hash that goes into a wannabe-counterfeit file. Ideally, have several versions of the MD5 function scattered across your code and named differently. Use if(foo(hashfromconfig) == bar(computedhash))... for a nice effect.
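The config-line layout from the answer above (rights bound to the password check, so that editing them invalidates the line), as an added Python example that is not the poster's code: the MD5 calls are swapped for PBKDF2-HMAC-SHA256 with a per-user random salt plus an HMAC keyed with the application secret, and the comparison is constant-time. The names `APP_SECRET`, `make_line` and `check_login`, the iteration count and the cleartext username field are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows
APP_SECRET = b"constructed-demo-secret"  # stands in for the answer's 'verysecret'


def _tag(username, rights_field, password, salt, secret):
    # Slow, salted derivation so guessing passwords against a copied file is costly.
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Bind user name and rights to the password-derived key under the app secret.
    msg = b"\x00".join([username.encode("utf-8"), rights_field.encode("utf-8"), pw_key])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def make_line(username, rights, password, secret=APP_SECRET):
    """Build one 'username rights salt tag' config line."""
    rights_field = ";".join(rights)
    for field in (username, rights_field):
        if not field or any(c in field for c in " \x00\n"):
            raise ValueError("fields must be non-empty without spaces, NULs or newlines")
    salt = os.urandom(16)
    tag = _tag(username, rights_field, password, salt, secret)
    return " ".join([username, rights_field, salt.hex(), tag.hex()])


def check_login(line, username, password, secret=APP_SECRET):
    """Return the list of rights if the line verifies for this login, else None."""
    parts = line.split(" ")
    if len(parts) != 4 or parts[0] != username:
        return None
    _, rights_field, salt_hex, tag_hex = parts
    try:
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None
    expected = _tag(username, rights_field, password, salt, secret)
    # Constant-time comparison; fails if password, rights or user name differ.
    if not hmac.compare_digest(expected, stored):
        return None
    return rights_field.split(";")
```

As the answer itself notes, a secret shipped inside the executable can be extracted, so this raises the cost of guessing and tampering rather than preventing it.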
"without going through an online database." - do you mean on the client side?
"securely stored" and "client side" are pretty much mutually exclusive terms in this scenario.
There is absolutely no way to securely store data without touching online (server-side) source of some kind. If you are touching server-side source, it might as well be a DB.

In-built key Generation Algorithm using SHA256

I am working on an application in C# .NET where data needs to be encrypted, and since data privacy is my ultimate motive, I am doing it using AES encryption and I use PasswordDeriveBytes for determining the secret key. Now, since it uses SHA1, which is broken, I would like to know whether there is an in-built function which uses SHA256 for obtaining my secret key. I also know that RFC2898 can be used, but then it also uses SHA1... So, is there an in-built function which uses the SHA256 algorithm? Thank you in advance for your valuable answers!
There is a SHA256Managed class that will hash the input. It will not encrypt it...

Password Encryption 3 approaches

On one side I have:
http://forums.enterprisedb.com/posts/list/2481.page
Here we declare field as BYTEA and we can decrypt it and encryption is on db level.
On the other side:
https://www.owasp.org/index.php/Hashing_Java
Here as varchar and we only compare hashes to authorize.
Finally Spring gives http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/password/StandardPasswordEncoder.html + char secret value applied is the same for every password?
Which is the best approach? (I lean towards Spring since as I understand it encapsulates similar logic as OWASP in few lines of code?)
PostgreSQL encoding:
Your application probably will depend on PostgreSQL and maybe you have to rewrite this part if you want to use it with another DBMS.
If the PostgreSQL is on another machine you should consider using some form of secure communication between the application and the DBMS because the passwords are transferred between them as plain text.
OWASP vs Spring:
They are very similar.
Both use salt.
Spring uses a secret (Owasp does not).
Of course you could modify Owasp to use a secret if you need that or you can use the StandardPasswordEncoder without secret.
Spring's encode() returns only one string which contains the salt too (as usual in unix/linux) while Owasp requires an additional database attribute for the salt value.
Spring is simpler and maybe it's better maintained than the Owasp web article from 2008.
Owasp mixes functionalities: it encodes/checks the passwords and contains a lot of JDBC code too.
Spring just encodes/checks the passwords and your responsibility is the password storage. But maybe your framework does that for you or you could write it for yourself.
I'd use StandardPasswordEncoder. It's simpler and does the same as Owasp.

HashBytes conversion

select HASHBYTES('sha','what is it')
Result --0x2327A09C2FDAD132E436B5CC12E9D5D283B5BA69
Is it possible to convert the hashbytes back to a string? With '0x2327A09C2FDAD132E436B5CC12E9D5D283B5BA69' as input,
I want to get 'what is it' as output.
Absolutely not. A hash is, by definition, one way.
What you're looking for is encryption, which you can do using the EncryptByCert and DecryptByCert functions, explained in detail here.
No. That's the whole point of a hash.
You use them for something like a password, such that every time someone tries to log in you compute the hash of the password they tried to log in with (plus a salt) and compare that with your stored value. This way even if someone (like a disgruntled employee) finds a backup tape for the database where your passwords are stored and an encryption key, they still wouldn't be able to log into your system and act on live data.
A hash function is defined as "one way", meaning that you convert text into a digest (the result you see above). If you are using this for password encryption, the accepted usage would be to run a user's input (from their password form) through the hash function and verify that it matches the stored digest.
If you wish to have decryption of a provided text input you will want to look into other cryptographic solutions such as Symmetric-key or Asymmetric-key algorithms.
Of course if you are doing any of this you are going to want to sanitize your input.
Hashing as the previous posters mentioned, is definitely a one way operation. It takes a (potentially large) input, and processes the input quickly in such a way that the output is a small but very unique (based upon input) output. Both by design and by nature of having a small sized output, a hash cannot be undone as the original input has been lost in the conversion. Common hashing algorithms include the Message Digest family (usually MD5) and the SHA family you mentioned in your question.
Again, as the previous poster mentioned, if you're looking for a 2-way operation, encryption is what you are looking for. Furthermore, if you want the same user to both encrypt and decrypt a string, stick with symmetric encryption. Some common algorithms used in practice today are AES, DES, and Blowfish.
If you have a minimal perfect hash then at the very least you should be able to brute force the original input. But presumably this is not what you're asking about, if that is right then see all of the other answers :)