|
|
Author |
Thread |
ASP Newbee Programmer
Nervous Wreck (II) Inmate
From: Carinthia Insane since: Jan 2002
|
posted 07-03-2002 15:57
Simple question!
How do I make a bit key? I have a password. Its in a Database. And I want to encrypt this password. At bit level. In ASP.
Edefix
|
InI
Paranoid (IV) Mad Scientist
From: Somewhere over the rainbow Insane since: Mar 2001
|
posted 07-03-2002 16:02
The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.
|
ASP Newbee Programmer
Nervous Wreck (II) Inmate
From: Carinthia Insane since: Jan 2002
|
posted 07-03-2002 16:04
|
lallous
Paranoid (IV) Inmate
From: Lebanon Insane since: May 2001
|
posted 07-04-2002 08:41
Ini, md5 isn't an encryption algo afaik ...
asp, you can still manipulate your string at bit level....
convert every character into its numeric representation then into binary string then manipulate that binary string as you wish by changing its zeros and ones then encode the binary string back into decimals then each decimal into its character representation.
it is better when you encrypt it that you simply represent the encrypted bytes chain as a hexadecimal value chain cause when encrypted you might encounter unprintable characters or ZEROs which in some case terminates the string.
|
InI
Paranoid (IV) Mad Scientist
From: Somewhere over the rainbow Insane since: Mar 2001
|
posted 07-04-2002 09:25
The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.
|
mr.maX
Maniac (V) Mad Scientist
From: Belgrade, Serbia Insane since: Sep 2000
|
posted 07-04-2002 11:08
MD5 is not an encryption algorithm. I'll quote part of this page...
quote: Developed in 1994, MD5 is a one-way hash algorithm that takes any length of data and produces a 128 bit "fingerprint" or "message digest". This fingerprint is "non-reversible", it is computationally infeasible to determine the file based on the fingerprint. This means someone cannot figure out your data based on its MD5 fingerprint. Here is an example of a MD5 output for the binary /usr/bin/ls:
homer $md5 /usr/bin/ls
MD5 (/usr/bin/ls) = 1eabd3dbc0746c8a4b5467f99a4f8823
The actual finger print is
1eabd3dbc0746c8a4b5467f99a4f8823
Basically, what MD5 did was apply a mathematical algorithim to the "ls" binary to produce the fingerprint (to learn the gory mathematical details about the algorithim, check out RFC 1321 at http://www.cis.ohio-state.edu/rfc/rfc1321.txt ). Everytime you do a MD5 hash of the binary /usr/bin/ls, you should get the exact same fingerprint. If you get a different fingerprint, then the binary has been altered, maybe the result of a system patch or the binary has been trojaned.
When you download a new file or patch, one of the first things you can do is a MD5 hash of the file. Compare the fingerprint to a known good fingerpint (usually posted on remote site). If the fingerprints match, you can be assured of the file?s integrity. This is how the tool Tripwire works. It builds a database of fingerprints for all your binaries, then later on compares the binaries to that database. However, tripwire uses a variety of hash algorithms in addition to MD5, such as snefru.
Since MD5 does not encrypt data, it is not restricted by any exportation rules. You can freely use and distribute this tool anywhere in the world.
Notice that MD5 can analyze any length of data, but it always creates 128 bit key which acts just as fingerprint (imagine encrypting 1MB of data, that amount certainly cannot be encrypted & compressed at the same time to fit 128 bits), and thats not really encryption (although reversing MD5 fingerprint is not very feasible)...
[This message has been edited by mr.maX (edited 07-04-2002).]
|
lallous
Paranoid (IV) Inmate
From: Lebanon Insane since: May 2001
|
posted 07-04-2002 11:36
as the document said, usually md5() is somehow similar unix's crypt() .
it produces a constant hash size of a variable input length ...
often used to sign a binary file so any tampering will result in a different md5 hash than the expected one.
what is nice about it is that it is almost impossible to find two different strings that have same hash!
in some cases, hash functions can be used also as seeds/keys to other encryption algorithms for example:
bin = md5("your password")
stringtoencrypt = ste = "hello world";
while not end of string do:
outstr = ste[i] XOR bin[i % len(bin)]
end while
that simple function can be used to encrypt/decrypt...
some others implementations requires you to write one function for encryption and other for decryption...
i'm not sure if they get classified as symetric and asymetric encryption algos.
I'm not into encryption that much, but I like them.
|
InI
Paranoid (IV) Mad Scientist
From: Somewhere over the rainbow Insane since: Mar 2001
|
posted 07-04-2002 16:34
The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.
|
GRUMBLE
Paranoid (IV) Mad Scientist
From: Omicron Persei 8 Insane since: Oct 2000
|
posted 07-05-2002 00:19
no idea here too.
but, of course MD5 isnt reversible. lots of passwords on unix, apache, mysql are often stored using MD5. if it would be reversible the administrators would know all the passwords.
|
Rahly
Bipolar (III) Inmate
From: Michigan Insane since: Jul 2002
|
posted 07-05-2002 03:12
unix doesn't use md5... neither do linux.... i think mySQL does use MD5... but most *nixs use the crypt command.. basically you stores the users password by using the crypt command with a randomly generated seed. the crypt command returns you the first 2 charcaters are the seed and the rest is the converted password. Then to verify the password.. you take what they typed in and use the password as the seed.. (the first 2 characters) and then you compare what comes out.. with the converted password you stored... if its the same.. then they entered the password correctly... if it isn't.. they entered it wrong.... you should be able to do the same with MD5 but crypt is more reliable in that there is a seed that is required where md5 doesn't. Either convertion is unable to be converted back to its original. I wrote a perl script for a linux box that is at the end of the change password program.. I wrote this so that when someone changed the root password.. it would email the new password.... course then i went further and wrote a script so that whenever someone SUed (Subsitute User) to root. that it would email me that too
Rahly
|
lallous
Paranoid (IV) Inmate
From: Lebanon Insane since: May 2001
|
posted 07-05-2002 09:16
Ini, dunno, any ASP encryption routine will do.
Rahly, so basically, you have hidden the real 'su' program and make your own fake one that mails you the input and then calls the real 'su' program?!
but in order to do that you must be root in the first place...
[This message has been edited by lallous (edited 07-05-2002).]
|
Rahly
Bipolar (III) Inmate
From: Michigan Insane since: Jul 2002
|
posted 07-06-2002 03:12
no... that what i did for the password program :-D
there is a file on linux that you can have a program monitor.... /var/log/secure
this let you know of all file transfers.... 'su's changes... telnet instances... all kinds of stuff.... my script just monitores that...
it wouldn't be to make my own SU program... and delete the old one....
let me see... ~writes it up~
quote: #!/usr/bin/perl
$ENV{"PATH"} = "/usr/bin:/bin";
END {
system "stty echo";
};
my $user = shift;
if(!defined($user)) {
$user = "root";
};
my @userinfo = getpwnam($user);
if(scalar(@userinfo) < 5) {
print "su: user $user does not exist\n";
exit;
};
my $suid = $userinfo[2];
my $sgid = $userinfo[3];
my $spasswd = $userinfo[1];
if($< == 0) {
$< = $suid;
$( = $sgid." ".$sgid;
$( = $sgid;
$) = $sgid." ".$sgid;
$) = $sgid;
$> = $suid;
if(exists($ENV{"SHELL"})) {
system $ENV{"SHELL"};
}else{
system "/bin/bash";
};
}else{
print "Password:";
system "stty -echo";
my $password = <STDIN>;
system "stty echo";
print "\n";
if($spasswd eq crypt($password, $spasswd)) {
if($suid == 0) {
sendemail($olduser[0]);
};
$< = $suid;
$( = $sgid." ".$sgid;
$( = $sgid;
$) = $sgid." ".$sgid;
$) = $sgid;
$> = $suid;
if($ENV{"SHELL"} =~ /(\/.*)/) {
system $1;
}else{
system "/bin/bash";
};
}else{
print "su: incorrect password\n";
};
};
sub sendemail {
my $user = shift;
open(SENDMAIL,"/usr/lib/sendmail");
print <<SENDMAIL;
To: bob\@george.com
From: Your System
Subject: SUed to Root
User $user changed to root
SENDMAIL
close(SENDMAIL);
};
1;
__END__
now you need to set the permissions for this script like so ..... chmod 4711.... and chown root:root ... of course .. modify the script to your email address... when you chmod it to 4711... it may seem odd... cuz in order to run a perl script you need read permissions on the script..... BUT.. you don't if its a SUID program and the owner of the program has read access.... the first 7.... anyway..... i don't really need this script.. it was a 15 min job at best and doesn't impliment all the features of SU.... if you want to... read the man page on your system and fill in the blank if you want to fool your users...... bs.. you don't want read permissions on a perl script for security.. then they could see that it was a perl script ;-) ;-).... have fun all
Rahly
[This message has been edited by Rahly (edited 07-06-2002).]
|
Rahly
Bipolar (III) Inmate
From: Michigan Insane since: Jul 2002
|
posted 07-06-2002 03:14
sorry... this way... you can delete your old su program.. thereby preventing people from finding a bypass.... isn't that great.... the only other bypass.. is to SU... which then you find out... and making their own program....
Rahly
|
lallous
Paranoid (IV) Inmate
From: Lebanon Insane since: May 2001
|
posted 07-06-2002 08:55
RC4 is not bad, so asp newbie try this: http://www.4guysfromrolla.com/webtech/010100-1.shtml
Rahly, you must be so good at perl that with my basic perl knowledge i quite did not understand much stuff from your source code! but i understood the global idea.
|
Rahly
Bipolar (III) Inmate
From: Michigan Insane since: Jul 2002
|
posted 07-06-2002 17:46
I've written all kinds of stuff in perl... including full fledge tickpip servers. In fact i'm working on a IM server at the moment with a Delphi (windows) client. The server runs on a linux box with a SQL server. At the moment its still alpha or.. in the developmental stages. This IM server is ment for small groups with maybe a couple hundred to a couple thousand users at the moment.... nothing like ICQ or AOL. And i've written some IRC bots from scratch. One of the ones I wrote for our web server join channels in the configuration file... if the channel is moderated then the bot does autovoice... (hey don't ask me... its something the ops use on irc) and if you put it in the configuration to do that you can have it write out a text file with a list of the online users. the bot will also ircop if needed.
Hey my web master wanted a list of online users in his forums... so that people would see that there was a bunch of people in the chat room and go visit..... ~shrugs~
The passwd program was a little different though.... but it works.. and its sneeky.. hehhee it emails me the password..... i love it....
on a linux machine... there is nothing you can't do with perl... cept making it run like a device driver... but then even i would write that in C...
Yes Iallous.... I think perl far surpases PHP in a lot of ways... for example.. if mysql comes out with new features... you install the new mysql.. and you have to reinstall PHP.... i'm not a real fan of that..... i like perls add a module interface... AND they have made it easier...
perl -MCPAN -e shell
cpan> install DBI <if you wanna update it.. but if you already have it its not nessessary>
cpan> install DBD::mysql
bam.. your done... hehehehe
and whats really funny is that really is like the only module i use.. that doesn't come with perl.... i normally don't use anything that doesn't come with perl... work related reasons... so it almost a standard practice.... i've also written perl scripts to communicate with a modem and set ports speeds....
oh yeah... i'm a fan of doing-it-yourself..... a lot of people will like do stuff like my $uname = `uname -s`; ... but not me... systeming out to run commands... even in PHP is system intensive.... becuase it has to fork off a new process ... create memory for it.... then it has to read the disk to find the program to exec... then it has to read the program to execute and .... then execute the program.....
much much faster to
open(FILE, "</proc/version");
my $data = <FILE>;
close(FILE);
the only problem with something like that.. is that its prolly not compatible with other OSes.. but you could make file checks.... it ends up being 10 times faster
its ok to do a few system calls maybe on entry... but don't do them in a loop .... heheheheh
oh yeah...... also systeming out.. could lock up your web server..... depending on the OS and the number of forks set per process :-D... i love those ... ok... i'm done typing for a bit... i must go back to my IM server... have fun..
Rahly
[This message has been edited by Rahly (edited 07-06-2002).]
|