Thread: Encryption best practice?

  1. #1
    Registered User
    Join Date
    Jun 2006
    Posts
    22

    Encryption best practice?

    Hi,

    I'm looking to store user account details for email accounts in a client side file. What I need to know is what is best practice to encrypt that information so that it's not human readable? Then unencrypt at a later stage.

    Also, if you can suggest any libraries that could help me out with this (OpenSSL)?

    Thanks
    Shiver

  2. #2
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,613
    Well I can tell you that encryption is the last thing in a long list of security measures. There is at least one person around who can crack whatever encryption you use.

  3. #3
    Registered User
    Join Date
    Jun 2006
    Posts
    22
    That I already know.
    I don't expect the password to be safe from everyone, I just don't want it to be human readable to anyone that just happens to open the file with notepad.

  4. #4
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
    Use some library for encryption. Crypto++ for instance, if you are using C++...

    As for what kind of encryption you should use, you would have to provide a lot more information about the context in which you wish to hide this data, for anyone to even come close to giving you some sound advice.

    Like citizen said, encryption alone is little guarantee of security. And you don't even consider the possibility of someone simply wiping your files. Also libraries these days offer the worst and the best of encryption all in the same lib file. You just need to use different functions.

    It's mostly really a matter of closing your eyes and pointing. Unless you have a premium concern. Doesn't seem you do, on this instance.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

  5. #5
    Registered User
    Join Date
    Jun 2006
    Posts
    22
    Yeah, I totally get what you guys are saying and you're right, I'm not overly concerned with the encryption that eventually gets used.

    It will just be a means of storing a password and then recalling it when the application needs to authenticate, but not making it as obvious as opening it in notepad.

    What I was looking at was just Blowfish encryption so that I could unencrypt when needed.
    Just wanted to find out (for my simple needs), if that would be considered a good idea or perhaps there is a better way?

    If however you have any suggestions/documentation/information which may lead me down the right path to having a "reasonably" secure encryption in other projects, that would be helpful, but not really needed at this point.

    Thanks for the replies guys...

  6. #6
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058

  7. #7
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > I'm looking to store user account details for email accounts in a client side file
    Sounds just like login to me.

    Study how Linux manages logins and do something similar.
    In essence, the password is never decrypted, what actually gets compared is
    if encrypt(inputPassword) == encryptedStoredPassword then allow login.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  8. #8
    Registered User
    Join Date
    Jun 2006
    Posts
    29
    You can store the passwords in binary... this will prevent normal people from reading them and will be easier to use

  9. #9
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Whatever non-trivial encryption algorithm you use, it is going to be moderately difficult for the average user to retrieve and relatively simple for an expert with a debugger. So use whatever algorithm is easiest.

  10. #10
    User
    Join Date
    Jan 2006
    Location
    Canada
    Posts
    499
    > In essence, the password is never decrypted, what actually gets compared is
    > if encrypt(inputPassword) == encryptedStoredPassword then allow login.

    I'm not exactly sure how they can make encrypted junk that can never be decrypted, but I guess I could learn if I looked inside the Linux kernel source. Remember, in any case, Google is your friend.

  11. #11
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,413
    > I'm not exactly sure how they can make encrypted junk that can never be decrypted

    A cryptographic hash algorithm is used. Common examples would be MD5 and SHA-1.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way
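
The login-style check described in posts #7 and #11, as an added example that is not part of any poster's reply. It swaps the bare MD5/SHA-1 named in the thread for salted PBKDF2-HMAC-SHA256 from Python's `hashlib`; the record layout, the parameter values and the names `make_record` and `verify` are assumptions of this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this sketch; tune the iteration count to your hardware.
ALGO = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha256$iterations$salt_hex$hash_hex' for storage."""
    # A fresh random salt per record means equal passwords give different hashes.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2-{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate password and compare.

    The stored password is never recovered; only the two hashes are compared.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or truncated record
    if scheme != f"pbkdf2-{ALGO}" or not 1 <= rounds <= 10_000_000:
        return False  # unknown scheme or implausible work factor
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)
```

A record like this can only confirm a password; it cannot give the password back, so it fits login checks rather than replaying a stored password to a mail server.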

  12. #12
    Registered User
    Join Date
    Jun 2006
    Posts
    22
    Thanks guys...

    I think I'll probably go with just a binary store for the time being.
    Then if I actually keep working on the app and other people use it, I'll do the encryption thing.

    At the moment, the app is just for me, so I suppose it doesn't matter much.

    I'll definitely do the reading tho.

    Thanks again.

  13. #13
    Registered User
    Join Date
    Mar 2006
    Posts
    725
    Remember kids, SHA1 was recently broken. SHA2 hashes to a larger range of values and would probably be harder to bruteforce or collide.
    Code:
    #include <stdio.h>
    
    void J(char*a){int f,i=0,c='1';for(;a[i]!='0';++i)if(i==81){
    puts(a);return;}for(;c<='9';++c){for(f=0;f<9;++f)if(a[i-i%27+i%9
    /3*3+f/3*9+f%3]==c||a[i%9+f*9]==c||a[i-i%9+f]==c)goto e;a[i]=c;J(a);a[i]
    ='0';e:;}}int main(int c,char**v){int t=0;if(c>1){for(;v[1][
    t];++t);if(t==81){J(v[1]);return 0;}}puts("sudoku [0-9]{81}");return 1;}

  14. #14
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,413
    > Remember kids, SHA1 was recently broken.

    You need to read what the experts actually write. SHA-1 is broken in terms of collision attacks. For a collision attack, the attacker finds two messages that hash to the same hash, but cannot choose the hash output. If the attacker does not know what the original message is, a collision attack does not apply.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way
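
The distinction drawn in post #14, as an added example that is not part of the original thread: on a hash cut down to 16 bits, finding any two colliding messages takes on the order of 2^8 tries, while matching one given stored hash takes on the order of 2^16. The truncation, the constructed sample value and all names here are assumptions of this sketch; for full-width SHA-1 the same generic costs are about 2^80 and 2^160.

```python
import hashlib
from itertools import count

BITS = 16  # assumed toy size; real SHA-1 output is 160 bits


def short_hash(msg: bytes) -> int:
    """Top BITS bits of SHA-1, standing in for a deliberately tiny hash."""
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - BITS)


def find_collision():
    """Collision: both messages are free, any two inputs with equal hashes do."""
    seen = {}
    for n in count():
        msg = b"msg-%d" % n
        h = short_hash(msg)
        if h in seen:
            return seen[h], msg, n + 1  # the pair and the hashes computed
        seen[h] = msg


def find_preimage(target: int):
    """Preimage: the hash is fixed in advance (as in a password file)."""
    for n in count():
        msg = b"guess-%d" % n
        if short_hash(msg) == target:
            return msg, n + 1  # a matching input and the hashes computed


STORED = short_hash(b"constructed secret")  # constructed sample value


def compare_costs():
    """Return (collision_tries, preimage_tries) for the toy hash."""
    _, _, c_tries = find_collision()
    _, p_tries = find_preimage(STORED)
    return c_tries, p_tries
```

The collision search never gets to choose which hash value it lands on, which is why it gives no direct way to match a stored password hash.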
