Re: Encryption routine

[Jim Idle]

Tony G wrote: Your notes are either incorrect or invalid on a few counts... From: Jim Idle Tony G wrote: Rather than using ENCRYPT(), or social engineering to discourage people from using passwords at all, it's very easy to do this with a .NET program called from BASIC: CLASS = "NebulaRnD.Security.TripleDES" INFO = "I am a password" KEY = "34M5945hjW4hvde87tsDcgkuy" And there is the classic problem I referred to earlier. You have secured it with tripledes alright, but all I need do is run the strings command on your program and you just gave me the key. Personally, when working with secure code I always assemble and calculate key data at run-time, specifically so that open strings can't be read as you describe. Yes, it's a problem with implementation but not with the solution in general. All implementations of any solution can have problems no matter how stable the foundation is. That's where experience usually helps to add value. No - once you assemble it in memory in any way, I can write a program to harvest it. This is all in the standard literature, it isn't me making it up ;-). That's why a lot of places the need really good security buy black box hardware that handles the encryption and so on. It is the closest you can get. I could also write a very simple program to whip through system memory and find the key when it is in memory (might need fairly high privileges, but the program is probably running as the same user group as me...). Yeah, and a truck driving through the wall of your computer room could compromise security too. C'mon Jim, are you just being contrarian? No mate. This is all knowledge that is available in spades on lots of security oriented web sites. It is way more complicated than is thought. You scorn the idea of someone writing a memory scanner without  weighing the risk:reward ratio. If this is the local library, then who cares if someone checks a book out in my name. But if I can access the banking records of 1 million customers, then I am sure lots of people in the world would pay very handsomely for the info. Hence my advice here is mostly aimed at the banking community, where the security is important. This stuff has happened in the past and it will happen again if people are not diligent. If the data is not worth someone trying to discover, then why are you encrypting it. The balance is always that you need ot consider how badly someone wants the data you are trying to hide. A system that has a vulnerability that allows rogue software to scan through memory has a lot more issues than securing individual data values. That would be every computer system on the planet if it isn't properly secured. Suffice to say, nothing is safe in an environment compromised as you describe. Again, this is an implementation issue, not a fault with the solution. No, I am sorry but you are wrong here - again, don't take my word for it, just read any papers on security. I can also replace your .Net assembly with one of my own that calls yours and emails me the keys as CALLdotNET (I want to shoot the person that made the 'dot' lower case), does not have a way to verify the assembly is the one you think you are calling. Heck man, if you want to go down that route then why not replace executables in /bin and /lib too? That's what I am talking about. Well, we agree with that lower case thing anyway. However, assemblies can be signed by authors with strong keys (which I do whether I need it or not) and keys can be registered on a system through Code Access Security which should stop unauthorized assemblies from executing at all. This is complicated by another implementation issue where CALLdotNET expects assemblies to be in a specific directory rather than in the Global Access Cache (GAC). Yes - .Net has the right mechanisms in place, but jBASE doesn't. Anyway... if someone has such a lack of security in their environment where assemblies can be substituted at the whim of some bad guy then there is no such thing at all as trustworthy code and implementation of encryption falls to the bottom of the list of things to do to ensure security. This stuff is way way more intricate to get correct than most people give credence to. Calling external programs in almost any way means you might as well not bother encrypting it, unless you just want to hide it from random prying eyes. Jim Great, you've told us: 1) ENCRYPT is worthless. Unless done properly, then it is actaully worse than useless. People say "It is all encrypted - no worries" and stop thinking about how people might steal their data. 2) Using outside methods is inherently insecure. Yep. 3) You can write code to scan memory for secure data and replace object code. As well as putting people in awe of your skills, Oh ha ha. You should leave sarcasm to the English I think ;-) The use of the term 'I' wasn't intended to inspire pejoratives, it is the 'I' as in 'I the experienced hacker'. It's no use you saying that what I said isn't true, when it clearly is and is well documented on the web and formal papers. Just because it seems like it is unlikely doesn't mean it doesn't happen. In fact it quite often means it will happen :-) all of this might leave people believing the platform is inherently insecure. In particular, I'm sure a lot of Temenos sites have a new appreciation for their software. In fact the reason I started this was because I am pretty sure that there are a lot of programmers that are writing pretty insecure systems and a lot of companies thinking that their data at rest encryption is the bee's knees. It isn't that there cannot be good solutions, but they take more than 20 minutes and the back of an envelope to think through. The only really secure system is one that is unplugged from the network, has no users and it is better that it is turned off and that the hard drives are destroyed - in fact it might be better to just not turn it on in the first place. In other words, find a solution that is as reasonably secure as is practical given the importance of the data you are securing. It drives me nuts when I have to sign up to a web site so I can download something and they want a secure password that is >8 characters, has two numbers and punctuation  and I need 4 security questions. But I don't mind it at my bank's web site. Jim --~--~---------~--~----~------------~-------~--~----~ Please read the posting guidelines at: http://groups.google.com/group/jBASE/web/Posting%20Guidelines IMPORTANT: Type T24: at the start of the subject line for questions specific to Globus/T24 To post, send email to jBASE@googlegroups.com To unsubscribe, send email to jbase-unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/jBASE?hl=en -~----------~----~----~----~------~----~------~--~---