Encrypting/Decrypting Password from a Config File

[Luc The Perverse]

Conclusion: Cracking MD5s isn't as easy as some people make it sound,
sometimes for as pragmatic reasons as the fact that the webservers are
being overloaded with work and cannot respond in time.

The difference using the Java cryptography toolkit is the difference of a
single string!

When using a safer algorithm is trivial, I don't see why you wouldn't.

While I am unfamiliar with any such program, it is at least theoretically
possible that an intelligent hacking program could be enlisted to search all
CLASS files for use of the MD5 checksum algorithm, and then be delivered to
a programmer somewhere to develop exploits (perhaps as part of an ambitious
but unrealistic "hack every java program" venture)

There is a level of responsibility that comes when you give the user the
illusion that some functionality that he or she is using has been secured.

 

[Oliver Wong]

The difference using the Java cryptography toolkit is the difference of a
single string!

When using a safer algorithm is trivial, I don't see why you wouldn't.

If design A is better or equal to design B in all aspects, and is better
than design B in at least one aspect, then you should always take design A.
That's agreed. I never meant to imply "always use MD5 in your Java
applications" or anything like that. The only message in the conclusion you
quoted above is that there exists at least one person in the universe who
claims that cracking MD5 hashes is easier than it actually is. By itself,
that's a rather weak statement, but I supported it with a repeatable
experiment in which I tried cracking a hash of my name on the "MD5 cracking
websites" listed on the Wikipedia article on MD5, and pointing out that the
results I got were that every single site failed to crack the hash.

While I am unfamiliar with any such program, it is at least theoretically
possible that an intelligent hacking program could be enlisted to search
all CLASS files for use of the MD5 checksum algorithm, and then be
delivered to a programmer somewhere to develop exploits (perhaps as part
of an ambitious but unrealistic "hack every java program" venture)

Yes, although I also feel that some people make decompilation of Java
bytecode sound easier than it really is, in principle, you could look for
references to Sun's cryptography API, and the string that references MD5 (is
it "MD5"?) in the constant pool, and you'd be able to assume that the class
file you've got probably uses Sun's implementation of MD5.

There is a level of responsibility that comes when you give the user the
illusion that some functionality that he or she is using has been secured.

True. However, most users out there really don't care about security.
I've never checked the source code for my PGP binaries for example. Many
people tell their significant other their passwords. They also use the same
password for everything. Etc. Those that actually care probably will refuse
to use a program written by someone else unless it's open source, in which
case they can directly see what algorithms you're using.

- Oliver

 

[Luc The Perverse]

True. However, most users out there really don't care about security.
I've never checked the source code for my PGP binaries for example. Many
people tell their significant other their passwords. They also use the
same password for everything. Etc. Those that actually care probably will
refuse to use a program written by someone else unless it's open source,
in which case they can directly see what algorithms you're using.

You're absolutely right!

Most naive users believe the government can crack ANY encryption scheme, and
don't care what anyone says to the contrary (I blame movies). Other than
them, they are not really concerned. Hackers and viruses are slowly gaining
"acceptance" as viable threats, but most people continue on oblivious.

This is of particular interest to me wishing to develop [for profit]
encryption systems. The public sentiment will work against it, but I
believe that through proper marketing it may be possible to penetrate a
not-too-narrow "paranoid" market.

And there are LOTS of people out there who want to keep secrets from their
spouses/children/parents/roommates etc.

The trick is just making the software easy enough to use that people are not
intimidated by it.

I consider this a challenge!

I imagine financially the project will fail, but I hope to learn a lot.
Only having been in this group briefly, which prompted me to start [again]
studying Java - I have been convinced to write my app in Java. (Well,
rewriting my SHA-256 checksum duplicate file finder in Java from C is
probably what really convinced me.)

 

[Roedy Green]

When using a safer algorithm is trivial, I don't see why you wouldn't.

Consider that the Homeland Security, FBI, NSA and CIA etc. are not
exactly going to hand over their code cracking algorithms as open
source. You have to presume those types are orders of magnitude more
advanced and have special purpose hardware.

Personally if I wanted to send messages I did not want that sort of
group snooping on, One Time Pad would the only thing I would consider.

A way to crack AES would be a state secret.

 

[Roedy Green]

Most naive users believe the government can crack ANY encryption scheme, and
don't care what anyone says to the contrary (I blame movies).

Jalal Feghi, author of Digital Certificates, Applied Internet Security
says the military in 1997 could crack a 40 bit keys in milliseconds,
a 56 bit key (e.g. DES) in seconds, a 64 bit key in minutes, an 80 bit
key in centuries, and a 128 bit key in millennia.

 

[Luc The Perverse]

Personally if I wanted to send messages I did not want that sort of
group snooping on, One Time Pad would the only thing I would consider.

I think sources like random.org are likely polled and recorded for all their
output. You would need your own trusted entropy source.

A way to crack AES would be a state secret.

Remember, US code breakers broke a one time pad because they found it wasn't
truely random.

I say, OTP + AES (well as I previously mentioned, I use Serpent instead of
AES, but same idea.)

I actually quite trust secret key algorithms like AES. What I think the
government really can crack virtually immediately are the asymmetrical
ciphers (RSA, Elliptical Curves etc.) ~IF~ there is an agency which can
crack things like AES, it is the NSA not the FBI - and I never do anything
that would endanger national security.

The FBI has its own methods. While I don't think they have exotic code
breaking algorithms/systems - I do think that they have exceptionally
advanced surveillance equipment, which they can easily use to get your
keyrings/passwords etc. And if suddenly you start sending a bunch of
encrypted messages, either they will break it if they can, or suddenly your
secret keys become not so secret.

I will just say, I have no desire to try to defeat the government. If my
president suceeds in overthrowing the current government and establishing a
theocracy, I will flee to a more liberal country. Until then I will just
try to get by.

 

[Roedy Green]

Remember, US code breakers broke a one time pad because they found it wasn't
truely random.

The key to doing One Time Pad is you must implement the algorithm
yourself or at least go over the source with a fine tooth comb and the
compiled version as well, to make sure there is no code there that
does not need to be.

The easiest way to crack one time pad would be to offer free
implementations that snoop.

Similarly for your random source. If you bought a black box, for all
you know inside is a computer generating pseudo random numbers.

You want to be able to take it apart and make sure it is truly what it
claims. See http://mindprod.com/jgloss/truerandom.html

 

[Roedy Green]

I will just say, I have no desire to try to defeat the government. If my
president suceeds in overthrowing the current government and establishing a
theocracy, I will flee to a more liberal country. Until then I will just
try to get by.

I am a Canadian and I deeply distrust the Bush administration. So I
feel quite the opposite. I want those agencies foiled. They are for
the most part up to no good.

Routine surveillance is big brotherish. If someone is a high risk for
terrorism they deserve a court order wiretap and bugging.

 

[Luc The Perverse]

I am a Canadian and I deeply distrust the Bush administration. So I
feel quite the opposite. I want those agencies foiled. They are for
the most part up to no good.

Routine surveillance is big brotherish. If someone is a high risk for
terrorism they deserve a court order wiretap and bugging.

It's not terrorists that I am concerned about - nobody wants them scott
free.

A child was taken away from his parents when he kissed his girlfriend at
school (both in elementary school)

There are certain counties in my state where I cannot buy alchohol ever.
Pharmacists can legally confiscate plan B emergency contraception
prescriptions.

Don't get me started on the abstinence until marriage compaignes.

The best one of all! The president tries to ammend the constitution to
prohibit gays from marrying. This IS a new development right? I've
never heard of 100 years ago propositions for ammendments prohibiting blacks
or jews from marrying. Maybe those just aren't in history books - I don't
know.

There is something SERIOUSLY wrong with this country - when the whole
country is in an uproar because Clinton lied about a blowjob - but don't
care where CIA integrity is undermined, when the president tried to add
discrimination to the constitution, spead his own theological beliefs under
the guise of international anti AIDS campaigne, intervene in the Terri
Schiavo case.

Bush should be impeached for starting a war with Iraq over a vendetta.

This is my opinion. Maybe that is what you meant by "mistrust"

 

[steve]

It's not terrorists that I am concerned about - nobody wants them scott
free.

A child was taken away from his parents when he kissed his girlfriend at
school (both in elementary school)

There are certain counties in my state where I cannot buy alchohol ever.
Pharmacists can legally confiscate plan B emergency contraception
prescriptions.

Don't get me started on the abstinence until marriage compaignes.

The best one of all! The president tries to ammend the constitution to
prohibit gays from marrying. This IS a new development right? I've
never heard of 100 years ago propositions for ammendments prohibiting blacks
or jews from marrying. Maybe those just aren't in history books - I don't
know.

There is something SERIOUSLY wrong with this country - when the whole
country is in an uproar because Clinton lied about a blowjob - but don't
care where CIA integrity is undermined, when the president tried to add
discrimination to the constitution, spead his own theological beliefs under
the guise of international anti AIDS campaigne, intervene in the Terri
Schiavo case.

Bush should be impeached for starting a war with Iraq over a vendetta.

This is my opinion. Maybe that is what you meant by "mistrust"

[/QUOTE]
[/QUOTE]

thats why I live in China.
Because I know exactly where i am , as regards the government.

 

[Oliver Wong]

The key to doing One Time Pad is you must implement the algorithm
yourself or at least go over the source with a fine tooth comb and the
compiled version as well, to make sure there is no code there that
does not need to be.

That assumes you trust the compiler. So you'd have to write your own
compiler. You can't write your own compiler in Java though, 'cause you'd
have to compile that compiler, and you don't trust the compiler. You can't
write it in assembly language though, 'cause you'd have to trust the
assembler/linker. Maybe use a hex editor and write it directly in machine
code. But then you'd have to trust the hex editor.

So your best bet is to build a read-only USB key from scratch, where the
data on the USB key is the executable for your assembler, from which you can
write your one time pad algorithm in assembly.

That of course assumes you trust your CPU. Just because you send it one
set of instructions doesn't mean it might not execute a different set.

And even then, there's lots of devices in between your USB key and the
CPU that could nefariously insert malicious code along the way. The USB host
device, the data/control BUS, the offboard cache, etc.

While building your USB key, you can't buy ready made transistors and
such from radioshack, as they might be under control of the goverment too.

Oh, and you can't trust your senses. You may think you're sitting in
your basement, smelling dampness, and touching screw drivers and electronics
parts, but this might all be an drug induced hallucination as the men in
black peer into your dreams to try to find out your secrets.

At some point, you're going to have to trust something. As I mentioned
elsewhere in this thread, I haven't read the source code for my PGP
binaries, nor have I compiled them from source; I just downloaded the
binaries and use them. I trusted them. Maybe I was naive.

- Oliver

 

[Roedy Green]

That assumes you trust the compiler. So you'd have to write your own
compiler.

No, you don't have to write your own compiler, just check the output.

The runtime is another matter. You can't very well check it out, but
you can check out that your copy of the runtime is the same as
everyone else is getting. This means the bad guys out to get you a
have control of Sun's distribution, and they think you are important
enough to put a hook in it. All you have to do then it use a OLD jvm
written before you wrote your code. It would have a heck of a time
spoofing code it has never seen.

The way the bad guys would most easily foil you is via taking over
your OS and putting in keystroke loggers, screen loggers etc to spy on
the decoded text. To help defeat that your machine must be a virgin
that has never seen the Internet.

Since windows is so insecure, if you were serious you would use the
smallest hardware that could still tackle the job, perhaps an old
Apple ][ where there is little place to hide code.

 

[Oliver Wong]

No, you don't have to write your own compiler, just check the output.

Hmm, good point. But how do you check the input? A hex editor? You'd
have to trust the hex editor then. And you'd have to trust the OS that when
you request the contents of the file, it really does give you the contents
of the file.

Using an open source OS doesn't help that much, because even if you see
the source, you'll still have to compile it, at which point you have to
trust the compiler so you're back at square one.

The runtime is another matter. You can't very well check it out, but
you can check out that your copy of the runtime is the same as
everyone else is getting. This means the bad guys out to get you a
have control of Sun's distribution, and they think you are important
enough to put a hook in it. All you have to do then it use a OLD jvm
written before you wrote your code. It would have a heck of a time
spoofing code it has never seen.

Difficult, but theoretically possible. My post was pretty
toungue-in-cheek, and I was concerned more about the theoretical security
holes than the practical ones.

The way the bad guys would most easily foil you is via taking over
your OS and putting in keystroke loggers, screen loggers etc to spy on
the decoded text. To help defeat that your machine must be a virgin
that has never seen the Internet.

Since windows is so insecure, if you were serious you would use the
smallest hardware that could still tackle the job, perhaps an old
Apple ][ where there is little place to hide code.

You'd still have to trust the hardware though, e.g. make sure any ROM
doesn't have unwanted behaviour hardcoded into it. Or even making sure that
just the way the components were wired together don't introduce some sort of
secret behaviour, even if each of the individual components behave exactly
as expected.

And there's still the issue of trusting your own senses. Or trusting
your own mind.

- Oliver

 

[Roedy Green]

Using an open source OS doesn't help that much, because even if you see
the source, you'll still have to compile it, at which point you have to
trust the compiler so you're back at square one.

Did you ever see Gene Hackman in The Conversation?

 

[Oliver Wong]

Did you ever see Gene Hackman in The Conversation?

No, but scenes from the movie "Memento" came to mind as I wrote my post.

- Oliver

 

[Chris Uppal]

No, but scenes from the movie "Memento" came to mind as I wrote my
post.

Reminded me more of Ken Thompson's classic "Reflections on Trusting Trust".

http://www.acm.org/classics/sep95/

-- chris