Velocity Reviews

Thread: How can I serialize sensitive info (eg password) on a user's computer? (C++ forum)
http://www.velocityreviews.com/forums/t741798-how-can-i-serialize-sensitive-info-eg-password-on-a-users-computer.html

Alexander 01-10-2011 06:35 PM

How can I serialize sensitive info (eg password) on a user's computer?
 
I need to store a user's password on the computer in some way so that
it can't be copied on another computer and reused with the same
program.

I'm interested in deploying on Windows and Linux; if the answer is
platform-dependent, please reply for the platform you're informed
about.

Robert Hairgrove 01-10-2011 06:50 PM

[OT] How can I serialize sensitive info (eg password) on a user's computer?
 
On 01/10/2011 07:35 PM, Alexander wrote:
> I need to store a user's password on the computer in some way so that
> it can't be copied on another computer and reused with the same
> program.
>
> I'm interested in deploying on Windows and Linux; if the answer is
> platform-dependent, please reply for the platform you're informed
> about.


And your question about C++ was...?

You could fetch the MAC address of the network card (if there is one) or
some other piece of data which is unique to that computer and hash it
with the password.

Öö Tiib 01-10-2011 11:36 PM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On Jan 10, 11:54 pm, Andy Champ <no....@nospam.invalid> wrote:
> On 10/01/2011 18:35, Alexander wrote:
>
> > I need to store a user's password on the computer in some way so that
> > it can't be copied on another computer and reused with the same
> > program.
> >
> > I'm interested in deploying on Windows and Linux; if the answer is
> > platform-dependent, please reply for the platform you're informed
> > about.
>
> You can't. Seriously, this problem is theoretically impossible. If the
> password can be decoded using some information on that computer to be
> used by the program, then it can be decoded by a cracker and misused.
>
> The only thing you can do is to make the decode operation hard enough
> and obscure enough that it isn't worth somebody's time to do it. Now if
> what you are doing is trying to stop MI5 from reading something on your
> computer - forget it.


Why so impossible? They somehow do it. Usually they take a password
from the user, concatenate some information unique to the particular PC to it,
calculate something like a SHA-256 hash from the result, then store the
hash. The original password is rather hard even for your MI5 to reverse
engineer from it.

Joshua Maurice 01-11-2011 12:21 AM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On Jan 10, 10:35 am, Alexander <alva...@gmail.com> wrote:
> I need to store a user's password on the computer in some way so that
> it can't be copied on another computer and reused with the same
> program.
>
> I'm interested in deploying on Windows and Linux; if the answer is
> platform-dependent, please reply for the platform you're informed
> about.


I need more information. Specifically the use case. Also, as others
have said, security is hard. You cannot protect against every kind of
attack. If the kinds of attacks are sufficiently constrained, then it's
possible to have a rather foolproof system. An example is protecting
communication against only man in the middle attacks. On the flip
side, if you're trying to prevent copying information off a DVD, but
you allow the user to have full access to the DVD and the DVD player,
then it's an almost hopeless cause.

Who knows the cleartext password? What does the password control, aka
is this some sort of software licensing protection?

Joshua Maurice 01-11-2011 03:28 AM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On Jan 10, 3:36 pm, Öö Tiib <oot...@hot.ee> wrote:
> On Jan 10, 11:54 pm, Andy Champ <no....@nospam.invalid> wrote:
> > On 10/01/2011 18:35, Alexander wrote:
> >
> > > I need to store a user's password on the computer in some way so that
> > > it can't be copied on another computer and reused with the same
> > > program.
> > >
> > > I'm interested in deploying on Windows and Linux; if the answer is
> > > platform-dependent, please reply for the platform you're informed
> > > about.
> >
> > You can't. Seriously, this problem is theoretically impossible. If the
> > password can be decoded using some information on that computer to be
> > used by the program, then it can be decoded by a cracker and misused.
> >
> > The only thing you can do is to make the decode operation hard enough
> > and obscure enough that it isn't worth somebody's time to do it. Now if
> > what you are doing is trying to stop MI5 from reading something on your
> > computer - forget it.
>
> Why so impossible? They somehow do it. Usually they take a password
> from the user, concatenate some information unique to the particular PC to it,
> calculate something like a SHA-256 hash from the result, then store the
> hash. The original password is rather hard even for your MI5 to reverse
> engineer from it.


For SHA-256, aka one of the SHA-2 hash functions, it is currently
somewhat hard for MI5 to find a weakness. However, IIRC it's not a
provably secure cryptographic hash, just like its predecessor SHA-1,
and there are known weaknesses to SHA-1. It's not entirely out of the
question for someone to find a weakness for one of the SHA-2 hash
functions. When doing a one-way hash of a password, I'd rather use a
provably secure cryptographic hash function. Speed isn't of the
essence, so one can take the speed hit in exchange for the knowledge
that breaking your hash is at least as hard as some NP-complete
problem.

Also, why only 256 bits? There's SHA-512, one of the SHA-2 hash
functions. It's not like you're encoding and decoding messages over
the internet in real time. If it's for a password, go the distance and
get the best you can.

However, I doubt this will help in any significant way for the OP's
problem (it would help if he more thoroughly defines it), so I mention
this only as commentary.

SG 01-11-2011 09:51 AM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On 10 Jan., 19:35, Alexander wrote:
> I need to store a user's password on the computer in some way so that
> it can't be copied on another computer and reused with the same
> program.


This is not a C++ question. Also, if you repost this in sci.crypt (or
some similar group), you might want to put a little more effort into
describing what exactly it is that you are trying to do.

Vaclav Haisman 01-11-2011 10:02 AM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
Alexander wrote, On 10.1.2011 19:35:
> I need to store a user's password on the computer in some way so that
> it can't be copied on another computer and reused with the same
> program.

I don't think that is possible unless you want to salt the password with only
locally available data.

>
> I'm interested in deploying on Windows and Linux; if the answer is
> platform-dependent, please reply for the platform you're informed
> about.

For Windows, take a look at CryptProtectData() function[1]. On Linux, it is
more complicated as there is at least one for each major GUI provider. I know
of GNOME Keyring[2] and KDE Wallet (KWallet)[3].


[1] <http://msdn.microsoft.com/en-us/library/aa380261%28v=vs.85%29.aspx>
[2] <http://live.gnome.org/GnomeKeyring>
[3] <http://docs.kde.org/development/en/kdeutils/kwallet/index.html>

--
VH
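
Added example, not code from Vaclav's post or from any Microsoft sample: the Windows half of the pointer above, calling CryptProtectData and CryptUnprotectData from crypt32.dll through ctypes in Python. The flag values are the ones from wincrypt.h. The optional entropy is an application-supplied secret that the caller still has to keep somewhere, so it raises the bar without removing the problem Andy Champ described. With the default per-user scope the blob decrypts only under the same Windows user account (or by whoever holds that user's DPAPI master key); with CRYPTPROTECT_LOCAL_MACHINE it decrypts for any process on the same machine. In either case a copy of the blob carried to a different machine is useless without those keys, which is about as close to the original request as a stock OS facility gets. The secret and entropy bytes in roundtrip() are constructed, and the code raises on non-Windows hosts rather than pretending to work.

```python
import ctypes
import sys
from typing import Optional

IS_WINDOWS = sys.platform == "win32"

# Flag values from wincrypt.h
CRYPTPROTECT_UI_FORBIDDEN = 0x01    # never show a prompt (services, no desktop)
CRYPTPROTECT_LOCAL_MACHINE = 0x04   # key tied to the machine, not the logged-on user


class DATA_BLOB(ctypes.Structure):
    """The CRYPT_INTEGER_BLOB / DATA_BLOB struct DPAPI uses for in/out buffers."""
    _fields_ = [("cbData", ctypes.c_uint32),
                ("pbData", ctypes.POINTER(ctypes.c_char))]


def _dpapi_call(protect: bool, data: bytes, entropy: Optional[bytes], flags: int) -> bytes:
    """Shared wrapper around CryptProtectData / CryptUnprotectData."""
    if not IS_WINDOWS:
        raise RuntimeError("DPAPI (crypt32.dll) is only available on Windows")
    crypt32 = ctypes.WinDLL("crypt32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

    # Input buffers must outlive the call, so they stay in locals until we return.
    in_buf = ctypes.create_string_buffer(data, len(data))
    in_blob = DATA_BLOB(len(data), ctypes.cast(in_buf, ctypes.POINTER(ctypes.c_char)))
    ent_ref = None
    if entropy:
        ent_buf = ctypes.create_string_buffer(entropy, len(entropy))
        ent_blob = DATA_BLOB(len(entropy), ctypes.cast(ent_buf, ctypes.POINTER(ctypes.c_char)))
        ent_ref = ctypes.byref(ent_blob)
    out_blob = DATA_BLOB()

    # Signature: (pDataIn, szDataDescr, pOptionalEntropy, pvReserved, pPromptStruct, dwFlags, pDataOut)
    if protect:
        ok = crypt32.CryptProtectData(ctypes.byref(in_blob), None, ent_ref, None, None,
                                      flags, ctypes.byref(out_blob))
    else:
        ok = crypt32.CryptUnprotectData(ctypes.byref(in_blob), None, ent_ref, None, None,
                                        flags, ctypes.byref(out_blob))
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        return ctypes.string_at(out_blob.pbData, out_blob.cbData)
    finally:
        # DPAPI allocates the output with LocalAlloc; the caller must LocalFree it.
        kernel32.LocalFree(ctypes.cast(out_blob.pbData, ctypes.c_void_p))


def protect(secret: bytes, entropy: Optional[bytes] = None, machine_scope: bool = False) -> bytes:
    """Encrypt `secret` under the caller's DPAPI key (per-user unless machine_scope)."""
    flags = CRYPTPROTECT_UI_FORBIDDEN | (CRYPTPROTECT_LOCAL_MACHINE if machine_scope else 0)
    return _dpapi_call(True, secret, entropy, flags)


def unprotect(blob: bytes, entropy: Optional[bytes] = None) -> bytes:
    """Decrypt a blob from protect(); the scope it was made with is recorded inside the blob."""
    return _dpapi_call(False, blob, entropy, CRYPTPROTECT_UI_FORBIDDEN)


def roundtrip(secret: bytes = b"hunter2", entropy: bytes = b"app-specific-entropy") -> bool:
    """Constructed check: protect then unprotect under the same user and entropy."""
    return unprotect(protect(secret, entropy), entropy) == secret


if __name__ == "__main__":
    print("DPAPI round trip ok:", roundtrip())
```

The blob returned by protect() is what gets written to disk; the secret itself never is. Decrypting on another machine, or under another account for a per-user blob, fails with an OS error from CryptUnprotectData rather than returning wrong bytes.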

Jorgen Grahn 01-11-2011 08:48 PM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On Mon, 2011-01-10, Alexander wrote:
> I need to store a user's password on the computer in some way so that
> it can't be copied on another computer and reused with the same
> program.


You never, ever, store a user's password to disk! You let the user
enter it, then immediately use it, and then immediately forget it.

Read about how Unix handles passwords -- it's far from trivial.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Robert Hairgrove 01-11-2011 09:28 PM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On 01/11/2011 09:48 PM, Jorgen Grahn wrote:
> On Mon, 2011-01-10, Alexander wrote:
>> I need to store a user's password on the computer in some way so that
>> it can't be copied on another computer and reused with the same
>> program.
>
> You never, ever, store a user's password to disk! You let the user
> enter it, then immediately use it, and then immediately forget it.
>
> Read about how Unix handles passwords -- it's far from trivial.
>
> /Jorgen

I think you meant to say that you never store the password in plain text
anywhere. Obviously, you will have to authenticate the next login
somehow ... how are you going to do that if there is no information
about the password stored somewhere on the computer?

In most cases, the password is stored after being hashed, encrypted or
otherwise obfuscated according to some clever algorithm, and the
hashed/encrypted version of the next login is compared to that.
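
Added example, not code from any post in this thread: the construction Robert Hairgrove and Öö Tiib describe above (hash the password together with something unique to the PC, store the result, compare at the next login), done the way a practitioner would do it today, in Python. The stored record is a PBKDF2-HMAC-SHA256 verifier rather than a plain SHA-256 of the concatenation: a fresh random salt is prefixed to a caller-supplied host identifier, and the check at the next login recomputes the verifier with the current host's identifier and compares in constant time. The host identifier is a parameter (the MAC-address-looking values in demo() are constructed) because reading it from the real machine is platform-specific. Andy Champ's caveat still holds: anyone who can read the record and the host identifier can guess passwords offline against the verifier, and copying the identifier along with the file defeats the binding. The iteration count only slows guessing down, and DEFAULT_ITERATIONS is an assumed value to be tuned on the target hardware.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed tuning knob: raise until one derivation costs ~100 ms on the slowest target host.
DEFAULT_ITERATIONS = 200_000


def make_verifier(password: str, machine_id: bytes,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> dict:
    """Build the record that is written to disk instead of the password.

    machine_id is whatever stable per-host value the caller picks (MAC address,
    board serial, ...). It is a parameter so the example runs offline.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per record
    # PBKDF2 stretches the password; the random salt is prefixed to the host id
    # so two records for the same password on the same host still differ.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt + machine_id, iterations)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "verifier": base64.b64encode(key).decode("ascii"),
    }


def check_password(record: dict, password: str, machine_id: bytes) -> bool:
    """Recompute the verifier with the *current* host id and compare in constant time."""
    if record.get("kdf") != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["verifier"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt + machine_id, record["iterations"])
    return hmac.compare_digest(candidate, expected)


def demo() -> tuple:
    """Constructed scenario: record made on host A, checked on A and after copying to host B."""
    host_a = b"00:11:22:33:44:55"      # constructed host identifiers
    host_b = b"66:77:88:99:aa:bb"
    record = make_verifier("correct horse battery staple", host_a, iterations=50_000)
    on_disk = json.dumps(record)       # this is what gets serialized, never the password
    loaded = json.loads(on_disk)
    return (
        check_password(loaded, "correct horse battery staple", host_a),  # same host, right password
        check_password(loaded, "wrong password", host_a),                 # same host, wrong password
        check_password(loaded, "correct horse battery staple", host_b),  # file copied to another host
    )


if __name__ == "__main__":
    print(demo())
```

The record answers a "does the user know the password" question only; it cannot be turned back into the password, which is exactly why it is safe to leave where the program can read it, and why it does not help if the program needs the cleartext back (to hand to a server, say). That latter case is what the platform keyrings and DPAPI mentioned earlier are for.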

Jorgen Grahn 01-12-2011 03:58 PM

Re: How can I serialize sensitive info (eg password) on a user's computer?
 
On Tue, 2011-01-11, Robert Hairgrove wrote:
> On 01/11/2011 09:48 PM, Jorgen Grahn wrote:
>> On Mon, 2011-01-10, Alexander wrote:
>>> I need to store a user's password on the computer in some way so that
>>> it can't be copied on another computer and reused with the same
>>> program.
>>
>> You never, ever, store a user's password to disk! You let the user
>> enter it, then immediately use it, and then immediately forget it.
>>
>> Read about how Unix handles passwords -- it's far from trivial.
>>
>> /Jorgen
>
> I think you meant to say that you never store the password in plain text
> anywhere. Obviously, you will have to authenticate the next login
> somehow ... how are you going to do that if there is no information
> about the password stored somewhere on the computer?

Well, I never said store *no* information, did I?

But this is a side issue -- my main point is that Alexander should not
write code to deal with passwords before he knows computer security!
We have seen too many fiascos already.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

