Encrypt/Decrypt a String and Store/Retrieve credential


  • Encrypt/Decrypt a String and Store/Retrieve credential

    Discussion for routines to encrypt/decrypt a string and to store, retrieve, or delete user credentials i.e. passwords.

    Source code is here.
    LarryC
    Website
    Sometimes life's a dream, sometimes it's a scream

  • #2
    I have been informed CNG should be used and this is not secure



    How secure is CALG_RC4?
    Could this be modified to use most secure method?

    Works perfectly with everything I have thrown at it.

    Code:
    REM %ENCRYPTION_CONSOLE_OUTPUT = 1
    REM https://forum.powerbasic.com/forum/user-to-user-discussions/source-code/60774-encrypt-string
    #INCLUDE "EncryptDecryptString.inc"  'by Larry Charlton
    FUNCTION PBMAIN () AS LONG
      'Uses:  %ENCRYPT_ALGORITHM = %CALG_RC4
      LOCAL sOriginal,sEncrypted,sDecrypted,sPassword AS STRING
    
      sOriginal = "Hello, world!"
      sPassword = "Password"
    
      EncryptValue sOriginal,sEncrypted,sPassword   'encrypt sOriginal   ---> sEncrypted
      DecryptValue sEncrypted ,sDecrypted,sPassword 'decrypt sEncrypted  ---> sDecrypted
    
      IF sOriginal = sDecrypted THEN ? "Success" ELSE ? "Failed"
    END FUNCTION
    https://forum.powerbasic.com/forum/u...encrypt-string
    Last edited by Mike Doty; 9 Oct 2016, 12:43 AM.
    https://www.tesla.com/roadster



    • #3
      OK, as this seems to be kinda general discussion about cryptography, and the thread's title specifically states "store/retrieve credentials" let us get the basics right first:

      -- You do NOT store passwords. Ever. --

      Storing passwords is like storing your home's key beneath your doormat: it's "hidden", but easy to retrieve with a bit of effort. Once you've found it, it unlocks everything. And as humans are bad at remembering strong passwords and/or lazy, they tend to reuse a password for multiple purposes.

      What you do to store a PW is to create a unique hash adding your own salt. Each time the user logs in, you create the hash from the PW he typed and compare it to that hash.

      Make also sure to pick a good (=strong and slow) hashing algorithm. The current "favorite" is Bcrypt *). With the sheer power of modern hardware, brute forcing through weak algorithms is a cakewalk. What once required the computing power of super computers, these days your office machine is capable of doing during lunch break.

      For a very insightful explanation why it's so important to pick the right hashing algorithm, read this very well written Ars Technica article: Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331"

      *) I'd really like to see a PB implementation of this one. On a more general note: if there ever will be another PB version, the one feature I'd like to see added is a BASIC-like (="easy") implementation of Windows's CryptoAPI. With everything moving "to the cloud", cryptography is one of the major foundations of future programming.



      • #4
        Is there any finished project for Symmetric encryption on this BBS that uses current suggested methods?
        Is there any finished project for Public key encryption on this BBS using RSA?

        Bottom line appears this code is not current enough.

        'CNG Code in C++
        'https://msdn.microsoft.com/en-us/library/windows/desktop/bb204779(v=vs.85).aspx

        '1) Create hash with CNG
        'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376217(v=vs.85).aspx

        '2) Signing data with CNG
        ' https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx

        '3) Encrypting data with CNG
        'https://msdn.microsoft.com/en-us/library/windows/desktop/aa376234(v=vs.85).aspx
        https://www.tesla.com/roadster



        • #5
          I second Knuth's suggestion for either a compiler-provided 'easy' implementation, or even a BASIC-friendly wrapper to MS CryptoAPI (or other library like LibTomCrypt or LibgCrypt). Something friendly AND complete ... just like Jose's includes.

          Originally posted by Knuth Konrad
          *) I'd really like to see a PB implementation of this one. On a more general note: if there ever will be another PB version, the one feature I'd like to see added is a BASIC-like (="easy") implementation of Windows's CryptoAPI. With everything moving "to the cloud", cryptography is one of the major foundations of future programming.
