Re: Crypt function

2001-06-27 Thread Randal L. Schwartz

 James == James Kelty [EMAIL PROTECTED] writes:

James> Can anyone point out a good book that details the functionality
James> of perl and crypt()? I would like to have a cgi page that
James> allows new member to sign up, hold the info in a flat file, but
James> I would like to have the passwords encrypted. Any help would be
James> much appreciated! Thanks a lot!

The basic strategy is:

my $username = "randal";
my $cleartext = "guessme"; # this is the password you want to protect

... adding user to password file

my $encrypted = crypt($cleartext, "zz");
open PASSWORDFILE, ">>passwd" or die;
print PASSWORDFILE "$username:$encrypted\n";
close PASSWORDFILE;

... time passes

my $username = param('username'); # randal
my $guess = param('password'); # testing to see if it's guessme

my $encryptedpassword;
open PASSWORDFILE, "passwd" or die;
while (<PASSWORDFILE>) {
  chomp;
  my ($u, $e) = split /:/;
  next if $u ne $username;
  $encryptedpassword = $e;
  last;
}
die "missing user" unless defined $encryptedpassword;

die "mismatch password"
  unless crypt($guess, $encryptedpassword) eq $encryptedpassword;

.. he's good!

That last line is the big one.  You store the *output* of crypt
into the file.  You then compare the result of running crypt *again*
to what's in the file.

As for that salt parameter, ignore it.  I just use "zz" or something.
In this day and age with fastcrypt implementations, having a varying
salt really doesn't add much to security.

Hope this helps... it took me a few minutes to compose. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Re: Crypt function

2001-06-27 Thread ebgb

On Wed, Jun 27, 2001 at 08:49:55AM -0700, James Kelty wrote:
> Can anyone point out a good book that details the functionality of perl
> and crypt()? I would like to have a cgi page that allows new member to
> sign up, hold the info in a flat file, but I would like to have the
> passwords encrypted. Any help would be much appreciated! Thanks a lot!


I normally use Digest::MD5 for this kind of thing.  The module, like most
others, is available from CPAN.

#!/usr/bin/perl -w

use Digest::MD5 qw(md5_hex);
use strict;

my $secret_password="foobarqux";
my $digest=md5_hex($secret_password);

This is not really encryption as it's a one-way function.  You can't reverse
the procedure to find the password from the digest so to authorise your users
you will need to perform the digest function on the password they've supplied
and compare it with the stored string.

Be wary of passing passwords over http as they can be sniffed, https would be 
preferred.

There are probably better ways of authenticating users.  I would be glad to learn
them from any of the real programmers on the list. :)

Regards.

EbGb.



Re: Crypt function

2001-06-27 Thread Richard J. Barbalace

Randal L. Schwartz [EMAIL PROTECTED] writes:
> my $encrypted = crypt($cleartext, "zz");
> .
> As for that salt parameter, ignore it.  I just use "zz" or something.
> In this day and age with fastcrypt implementations, having a varying
> salt really doesn't add much to security.

Having a better salt (the two characters "zz") helps prevent casual or
accidental browsing (say, by the sysadmin) from revealing that two
users have the same password.  While this only adds minimal security,
it's worth the minimal effort to avoid that problem.  You can use the
first (or last) two characters of the username for a simple salt:
  my $encrypted = crypt($cleartext, substr($username, -2, 2));

The brief documentation for crypt is available (among other places) at:
http://www.perl.com/pub/doc/manual/html/pod/perlfunc/crypt.html

[EMAIL PROTECTED] adds:
> I normally use Digest::MD5 for this kind of thing.  The module, like most
> others, is available from CPAN.
>
> #!/usr/bin/perl -w
>
> use Digest::MD5 qw(md5_hex);
> use strict;
>
> my $secret_password="foobarqux";
> my $digest=md5_hex($secret_password);
>
> This is not really encryption as it's a one-way function.  You can't reverse
> the procedure to find the password from the digest so to authorise your users
> you will need to perform the digest function on the password they've supplied
> and compare it with the stored string.

I'll second this recommendation.  To avoid the same password issue
described above, it's slightly better to append the username when
computing the hash, as in:
  my $digest = md5_hex($secret_password . $username);

You may want to require a minimum password length or check for
obvious passwords.  Also, consider using SSL for the CGI script to
prevent the password from being sniffed during transmission to your
server.  Consult with a security expert if you need more than basic
security on your site.

+ Richard J. Barbalace
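
The salt question discussed in this thread, as an added example that is not code from any of the posts: it builds flat-file entries for constructed accounts with the fixed "zz" salt and with a random two-character salt, then lists which users end up with identical stored hashes. The helper names and sample accounts are assumptions, and it assumes the platform's crypt() still supports the traditional two-character salt.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Two random characters from the traditional crypt(3) salt alphabet.
# A salt is not a secret; it only has to differ between entries
# (two characters give 4096 possible salts).
sub random_salt { join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2 }

# Build one "username:hash" line, as stored in the flat file.
sub make_entry {
    my ($user, $cleartext, $salt) = @_;
    my $hash = crypt($cleartext, $salt);
    die "crypt() does not support this salt here\n"
        unless defined $hash && length($hash) == 13;
    return "$user:$hash";
}

# Check a guess: the stored hash carries its salt in its first two characters.
sub verify {
    my ($entry, $guess) = @_;
    my (undef, $stored) = split /:/, $entry, 2;
    return crypt($guess, $stored) eq $stored;
}

# Report groups of users whose stored hashes are identical.
sub shared_hashes {
    my %users_by_hash;
    for my $entry (@_) {
        my ($user, $hash) = split /:/, $entry, 2;
        push @{ $users_by_hash{$hash} }, $user;
    }
    return map { join ',', sort @$_ } grep { @$_ > 1 } values %users_by_hash;
}

# Constructed sample accounts; alice and carol chose the same password.
my @accounts = ([alice => 'guessme'], [bob => 'hunter22'], [carol => 'guessme']);

my @fixed  = map { make_entry(@$_, 'zz') } @accounts;
my @salted = map { make_entry(@$_, random_salt()) } @accounts;

print "fixed salt:  $_\n" for @fixed;
print "random salt: $_\n" for @salted;
print "identical hashes, fixed salt:  ", join(' ', shared_hashes(@fixed))  || 'none', "\n";
print "identical hashes, random salt: ", join(' ', shared_hashes(@salted)) || 'none', "\n";
print "carol verifies against salted entry: ", (verify($salted[2], 'guessme') ? 'yes' : 'no'), "\n";
```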