Introduction
I came along this scenario while trying to find out a way to build a Decentralized and synchronized database structure which is open to everyone. Since both source code and database are public, I need to find out if there's a way to achieve a secure user authentication system. And if not, I'd like to know why not (it's not so obvious).
My idea is the next:
Suppose that I make it compulsory for users to have a password with numbers, capital letters and symbols (making it random so it does not appear in any dictionary). If I then use a hashing method with the greatest uniqueness, the possibility to crack this password will be very little.
Main problems:
Cracking dictionaries may content also those random-strange passwords.
Even if possibilites of cracking are few, crackers have all the time they want.
There must be an alternative:
Maybe I have to change the traditional user/password method, and make up something different. One solution could be sending each time a temporary access link to the user's mail (for which no one but himself knows password), but this is not a nice/comfortable way to access a website.
Thanks for reading. If you thing that I am trying something stupid, let me know and I'll be pleased (but I'd also appreciate a demonstration of my stupidity). Really, thanks.
Edit: I know I could use a third party service, like OpenId... but this is also a curiosity question for me ;)
"making it random so it does not appear in any dictionary"
You can't assume that. There are dictionaries with passwords made up of symbols and different characters.
Did you try having a look at Kerberos?
I am not sure if I understood your question correctly but I think You need to implement something like Kerberos.
Related
On OSX a user can delete NSUserDefaults either using the defaults utility or deleting the plist. See man defaults. Is there a way this can be monitored, considering the app would like to catch and take appropriate actions if the user or any malicious program does this. Deleting either way does not invoke NSUserDefaultsDidChangeNotification at all and hence cannot be used.
If you need to secure settings, use the keychain. If you want to do so without incurring the pain and suffering of learning the keychain, there are several wrappers available that make string entries look like User Defaults.
There are two different things here: "if the user or any malicious program does this."
Regarding "if the user..." the answer is no. The user can do anything she wants. She can modify your program if she wants. It's her hardware. In order to prevent that, you have to develop effective DRM. You're not going to do that on top of NSUserDefaults. Apple can barely pull that off when they control every piece of the ecosystem. Basically, if you could solve this problem, Apple could use the same solution to prevent jailbreaks of iPhones.
If the idea is that you just want to obfuscate things a bit from the user, and aren't trying to deal with a motivated and skilled attacker, then NSUserDefaults is not the right tool. It has "user" right in the name. It's the user's stuff. Put your secret things in a hidden place. You'll have to come up with your own idea for that, since the only reason it would work at all is because it's a secret only you know. (This will be broken very quickly by a motivated attacker of course, but it will work for most of the users who any other system would work for; keep it simple.)
Regarding "any malicious program," that's a bit different, since you're protecting your user (a tractable problem) rather than trying to protect yourself from your user (an intractable problem). Storage in keychain would probably be a good choice. It has several built-in protections from malicious applications accessing it. You can also store your data on a server rather than on the box, which would protect against most malicious software (particularly assuming you sign your app, so malicious software can't modify it).
If what you're really trying to do is manage trials and licensing, there are several products on the market to help you obfuscate your keys, trial periods, etc. They spend their money developing and refining obfuscation and adapting as attackers break it. It's a full-time job. Unless you have a team to devote to it, I'd use one of the commercial products. It won't really fix your problem (those products are cracked all the time), but at least you can get back to real development.
If it's not sensitive then save it using NSUserDefaults. It it is sensitive the use the keychain. If you want to store information securely using NSUserDefaults (AES-356 bit encryption) then look into SecureNSUserDefaults(I have colleagues that use this but I haven't had a need to myself).
Otherwise, save your data (encrypted by your own means if you wish) using your own preferred data structure (dictionary or the like) to your app's documents folder.
Ultimately, anything that you store client side can be removed by the user. But you can try to stop it being deciphered and/or edited.
I'm creating a windows form app and the underlying code needs to be secure. In the code is database information and many equations which people should not be able to see.
What I'm asking is if I install the app on someone's computer, how easy is it for them to "break" into the application and view this sensitive information? If it's not difficult for them to find the code, are there ways to prevent this from happening? I would appreciate any input.
It's very easy to view code. Tools like ILSpy or .NET Reflector can practically show your code as you have written it in C# or VB.NET.
There are some possibilities, some free or cheap, some will cost you:
Obfuscation: This replaces names and sometimes logic in your excutable with other code that is hardly human readable. This is easy to do and there are tools like Confuser that do a good job, but the code is still there and can be read. It's only slowing attackers down.
Another option that I have evaluated myself is using hardware protection in the form of Dongles. Here the whole application is encrypted with a secret key that is stored on a smartcard. Portions of the code that are needed are decrypted on the fly at runtime and executed. Since the code is encrypted you can't read it easily. Solutions like Codemeter are pretty hard to beat (there are no real cracks for these if implemented correctly, which isn't hard. But this is not for free.
You always need to have the scope of your protection in mind. Who do you want to keep from getting your code?
The average guy who also has used .NET some times and knows how to google and download ILSpy? Obfuscate it mildly and he will be annoyed enough to leave it be.
Some other people who really know what they are doing but still without financial interest? Use some more drastic obfuscation like code restructuring and so on and they will probably not invest weeks of their time to just finding some formulas.
Some other company who is willing to put in the financial ressources and the knowhow of talented people to get your code to make a profit? Obfuscation will not help you. Maybe encryption will, maybe not.
We went with the Dongle solution since we also want to manage licensing in an easy way for the customers (of which most have very restricted online capabilities), while the code protection is a very nice additional feature.
You can use two-way cryptography before storing the information on the database. This question's answer has an explanation of how to do that very simply: Simple insecure two-way "obfuscation" for C#
About the equations, if they're hardcode in your app, and you don't deliver the source code of the app, the only way to retrieve it is using disassembly, wich, even with very simple tools, you have to be "computer savy" to do it.
stackoverflow community.
I am currently a middle school computer science teacher.
I was wondering what was the best tool to demonstrate how easy it is to crack their password. (could be a program that I can install)
I want each students to enter what they think is a "hard" password and the rainbowtable will solve it and display the time/password. (I've done my research and looked at rainbow tables)
Hopefully this community can help me :)
Thank you in advance.
P.s sorry if this question isn't posted in the correct location.
Well...I'm not going to touch password cracking algorithms with a 10 foot pole, even for an academic discussion.
But, you could demonstrate using sleight of hand by putting a packet sniffer such as wireshark (or ethereal) between the hosts and an LDAP server and just capture each of their passwords in clear text on their way down.
You could also install a keystroke logger on each of the machines and just have it simply log their passwords to a file.
Either would be "cheating", but that's another valuable point that you could make. It really doesn't matter how strong your password is if someone can get access to it. The usual way that people get access to other peoples' sensitive data is through sleight of hand and deception, not brute force.
Brute force, such as rainbow tabling a hash can still be used, of course "to break through the front door." But, if someone "leaves the window open", why go through the trouble and take the conspicuous route?
(P.S. I personally think it's unwise to be discussing cryptographic attack methods in a middle school setting. If you are going to do this at all, I think it would be very dangerous to expose the method you used. I wouldn't mention the method to any of your students at all or I guarantee you are going to inspire several of them to go running amok)
I'm looking for an easy to use serial-number registration system for a small Mac App I've created. Frankly, I'm not overly concerned about pirates, but I do want a way to have a screen show up with 'Register/buy' options, and have a serial number that is related to the username/email. So, perhaps some sort of MD5 with salt? I've always heard that lots of programmers use some sort of RPN to do it, but, frankly, I have no idea how to create a serial number that would be related to registration information.
Anyways, I'd really prefer a plugin module (kinda like sparkle :) ) that would handle the registration for me, but, in lieu of that, I'd happily take some nice documentation that will lead the way to creating something like this.
Thanks much!
So my question is simple and probably your answers will tell this is not possible...
Maybe on the first use of the dll file, I should see what is the MAC Address and put a restriction on that base? :)
Interesting question! You could manage a kind of white/black list (of course encrypted) in your DLL and handle the restriction code in DLL_PROCESS_ATTACH and then return TRUE or FALSE according to your needs.
You will need to search for specific technology or language and see what standard approaches do people use for this.
There is a trade off between how difficult it is to set up your product and the defence level. The tougher you make it for the bad guys, the tougher it will become to use your product.
You can use some sort of obfuscation and library encryption, which will work providing your user has a key (or password).