[QUOTE=Eleventeen;19622586]Exactly, but sending the request has all the sound data, so I could trace that.[/QUOTE]
If you were able to produce the valid request, you wouldn't need to sniff it. You can prevent man in the middle attacks by using key pairs.
Anyway, my point is, either you don't encrypt at all or you employ a proper key-based encryption scheme. For example, if he didn't want to type in the passkey all the time but still wanted to encrypt the file, he could make the key a hash of his system. That way the program would only be able to decrypt the data if it was running on [B]his[/B] system, or in a VM completely emulating it (requiring you to know everything about his system, acting as the key.)
Alternatively, you could prompt for a master password every time he started the program to decrypt the file containing his settings.
Or, as blank suggested, if he is using a secure OS, he could use the system keyring.
tl;dr don't waste time on encoding. Security by obfuscation is not security.
There's no way to really do this correctly. It will eventually come down to keeping a key secret.
Personally, I think the best way to do this is to use layered cryptography (And NOT 'rot13 base64 xor rot13' like some of you have been suggesting). What I am referring to is to generate a random key, then encrypt THAT with different key material. Example: Create a format that says what key material to use, like system specific material, a password, or a mixture if desired. For example, there are 3 entries of type 'systemdata' for three different computers that the user wants to be authenticated with. The program would generate the system material, and try to decrypt each key. If one decrypts successfully, Great! It's authed and can decrypt the passwords. If not, then it moves on to password authentication. It generates a key from that password just as it did when making the keystore, and if that key can decrypt, it auths and decrypts the passwords. If not, then the key for the passwords is never found, and so no passwords for you.
Some of that probably went over some of your heads, as it seems a lot of you seem to know nothing at all about correct implementation of cryptography (Or of cryptography at all for that matter), so I might very well write a program to explain all of this in a day or two, as it is 2:53 am at the time of this post, and tomorrow I have a new router to install, my father's birthday, and of course work. But, who knows, I might be called in to come in late again tomorrow, so I may very well be able to begin it later.
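The key-slot scheme described in the post above, as an added example that is not part of the original thread: a random data key is wrapped once per piece of key material, and unlocking tries each slot in order. The slot layout, function names, iteration count and sample material are assumptions, and the standard-library PBKDF2 mask plus HMAC tag stands in for a real key-wrap or AEAD cipher such as AES-GCM.

```python
import hashlib, hmac, os

def _slot_keys(material: bytes, salt: bytes):
    # Stretch the slot's key material (password or system data) into 64 bytes:
    # 32 to mask the data key, 32 to authenticate the slot.
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, 100_000, dklen=64)
    return okm[:32], okm[32:]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def add_slot(store: list, kind: str, material: bytes, data_key: bytes) -> None:
    """Wrap data_key under one piece of key material and append the slot."""
    salt = os.urandom(16)  # fresh salt per slot, so a mask is never reused
    mask, mac_key = _slot_keys(material, salt)
    wrapped = _xor(data_key, mask)
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    store.append({"kind": kind, "salt": salt, "wrapped": wrapped, "tag": tag})

def unlock(store: list, candidates: dict):
    """Try every slot with the material offered for its kind; data key or None."""
    for slot in store:
        material = candidates.get(slot["kind"])
        if material is None:
            continue
        mask, mac_key = _slot_keys(material, slot["salt"])
        expect = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                          hashlib.sha256).digest()
        if hmac.compare_digest(expect, slot["tag"]):  # this slot "decrypts"
            return _xor(slot["wrapped"], mask)
    return None  # no slot opened: the data key is never recovered

def demo():
    data_key = os.urandom(32)  # random key that encrypts the password file
    store = []
    # Constructed sample material; real system data would be read from the host.
    add_slot(store, "systemdata", b"desktop|serial=CONSTRUCTED-1", data_key)
    add_slot(store, "systemdata", b"laptop|serial=CONSTRUCTED-2", data_key)
    add_slot(store, "password", b"correct horse battery staple", data_key)
    on_laptop = unlock(store, {"systemdata": b"laptop|serial=CONSTRUCTED-2"})
    by_password = unlock(store, {"systemdata": b"unknown-host",
                                 "password": b"correct horse battery staple"})
    stranger = unlock(store, {"systemdata": b"unknown-host", "password": b"guess"})
    return data_key, on_laptop, by_password, stranger
```

A system-material slot is only as strong as the secrecy of the identifiers it is derived from, so the password slot is the one that carries real entropy.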
Why not just hash the password rather than diddling around with two way encryption?
[QUOTE=turby;19624590]Why not just hash the password rather than diddling around with two way encryption?[/QUOTE]
I think he's making a password store.
Well encrypt the password file with the master password itself, duh
[quote]Because anyone would be able to just open a text file and read the usernames and passwords I wish to make a custom file type in which only my program is able to open and read.[/quote]
If your only problem is people reading files in text editors.
Just shift around some characters in a way only your program knows or do some Xor or something.
The stuff the guys above me suggested sounds really nifty and sophisticated but is way off the road for something as simple as your request.
Just make the data unreadable or something. You could start by converting the characters to simple binary or hex or dec codes and then multiply them by 10 or your birthday or whatever.
I'm pretty sure your program isn't supposed to uphold against the attack of some Chinese Security Agency hackers or something.
[QUOTE=zman115;19621342]lets stop this train for a bit, can someone first help me with how to take passwords that are entered then encrypt them?[/QUOTE]
It seems to me all you need is a login form right? User enters username and password and it lets them in if they are correct?
Unfortunately that is going to be useless for a desktop application, you'd need some form of encryption for it to be worthwhile, and then you probably wouldn't be using usernames and passwords.
Just write it in binary.
[quote=eleventeen;19625806]just write it in binary.[/quote]
[code]010110010110010101100001011010000010110000100000011011100110111100101110[/code]
[editline]03:12PM[/editline]
[QUOTE=Eleventeen;19621239]Then I open up my ollydbg and I crack his encryption.[/QUOTE]
If he did use an encryption/decryption method, he's not exactly going to store the key in his program...
[editline]03:15PM[/editline]
[QUOTE=windwakr;19620272]-snip- Too many :downs: people here.[/QUOTE]
Why would that make you snip your post, unless you'd said something :downs: too.
[QUOTE=Hivemind;19626080]If he did use an encryption/decryption method, he's not exactly going to store the key in his program..[/QUOTE]
If the program can get it, then I can get it.
[QUOTE=Eleventeen;19626224]If the program can get it, then I can get it.[/QUOTE]
Yes... but the user supplies the keyfile, which you would not have access to. If it's some form of public private key encryption the program database would only have the public key, which would be useless to you. If the key is just a password the same applies, the key would be entered via some login form by the user, so you'd only get the key you entered into the form.
I can't start up TrueCrypt and get access to everyone in the world's encryption keys, because they are stored on their own computers.
Wow this topic got popular while I was asleep. Anyways...
For Encrypting/Decrypting you want to create your file, then Encrypt it using some algorithm, passing the algorithm a key. Then decrypt it using an algorithm, and passing it the key.
If it were my application, and I had multiple users that need to log-in I would use a remote database. When a user logs in it verifies the user through SQL Query, and so on.
[QUOTE=Anthoni_c;19626435]Wow this topic got popular while I was asleep. Anyways...
For Encrypting/Decrypting you want to create your file, then Encrypt it using some algorithm, passing the algorithm a key. Then decrypt it using an algorithm, and passing it the key.
If it were my application, and I had multiple users that need to log-in I would use a remote database. When a user logs in it verifies the user through SQL Query, and so on.[/QUOTE]
A one way hashing system would be best a remote database, that way the password is never stored in decryptable form anywhere.
[QUOTE=Eleventeen;19626224]If the program can get it, then I can get it.[/QUOTE]
No, you can't. Proper OS security would mean that you cannot read arbitrary memory from other users' processes, and guess his password as he is entering it into a text box or whatever.
So while you would be able to find out everything about the encryption method used if you were sitting with a debugger and network sniffer, you'd still have no damn clue what the password entered was, and if a proper crypto system is used, that means you cannot have access to the data.
This is why Pidgin doesn't encrypt passwords. It's useless. If you're not admin, you don't have access to the users' Application Data folder, and if you are admin, while you may not be able to read an encrypted file in the other users' AppData, nothing would stop you from attaching to the process and getting the pass from there, so there's no point in encrypting it in the first place.
I've started writing a VERY simple Encryption DLL for VB, I will post it here when it is done.
Screenshot of What I've got so far:
[URL="http://img9.imageshack.us/i/encrpyt.png/"][IMG]http://img9.imageshack.us/img9/871/encrpyt.png[/IMG][/URL]
Guys it's actually very simple. As long as the user has entered a mixed password (user's responsibility) and you use a strong encryption algorithm (your responsibility) and you attempt to never store your key (your responsibility) then your data is as safe as possible. If you complain and want it safer, then invest your knowledge into studies, else accept reality.
[QUOTE=Anthoni_c;19627313]I've started writing a VERY simple Encryption DLL for VB, I will post it here when it is done.
Screenshot of What I've got so far:
[URL="http://img9.imageshack.us/i/encrpyt.png/"][IMG]http://img9.imageshack.us/img9/871/encrpyt.png[/IMG][/URL][/QUOTE]
Progress is always good as long as it leads towards quality. Good job and keep working.
Thank You, and it's coming along pretty good. It should be done in an hour.(If I can pull myself away from MW2 :/)
[B]Progress:[/B]
[URL="http://img685.imageshack.us/i/progressq.png/"][IMG]http://img685.imageshack.us/img685/4289/progressq.png[/IMG][/URL]
[B]
*Encrypted Latin ;P
Update[1]: [/B]I have to DL VB2008 to make sure it works on 08, I coded it in 2010.
[B]Update[2]: [/B]The VB08 Web Installer is not working properly, I am just going to go ahead and release the DLL.
[B]Update[3]: [/B]Released! Link Below. Includes the Example App.
[B][URL="http://www.box.net/shared/9f70fq0i7l"]Download Here[/URL][/B]
Once again no one is really answering the OP, everyone is just arguing at each other and proving points.
Welcome to the Programming section.
[QUOTE=compwhiziitothemax;19629656]Once again no one is really answering the OP, everyone is just arguing at each other and proving points.[/QUOTE]
Actually the very first reply was a correct answer to his question; people are arguing because some people are completely clueless when it comes down to crypto, and are giving incorrect advice (or wrongly denying other people's correct advice).
Why not just use a plain-text file, and store MD5 hashes of the password inside? Even if someone opens the file, and sees the hashes, it won't benefit them. Once you find the hash, you never need the original password, since you can just compare the hash of the password entered, to the hash of the password stored. Sure, MD5 isn't the most secure thing, but for most purposes, it works.
Please, correct me if I'm wrong, it just seems like everyone is making the problem 10 times more complicated than it is.
[QUOTE=Anthoni_c;19629057][B][URL="http://www.box.net/shared/9f70fq0i7l"]Download Here[/URL][/B][/QUOTE]
Where is the source for EchoCipher.dll?
[QUOTE=Shanethe13;19630428]Please, correct me if I'm wrong, it just seems like everyone is making the problem 10 times more complicated than it is.[/QUOTE]
Not really, you're just making it 10 times simpler than it is. It seems like the OP is trying to make an application similar to the Firefox password manager, meaning a single password unlocks a store of many other passwords. If it only showed hashes, it would be useless, since you can't use hashes to log in to, say, a bank site.
EDIT: Of course, if he isn't, then yeah, it is that simple.
I didn't release the source because that would make it easier for someone to decrypt the text. ;)
Also, it appears you need .NET Framework 4.0 Beta to run the DLL. :/ Sorry.
[QUOTE=Anthoni_c;19630769]I didn't release the source because that would make it easier for someone to decrypt the code. ;)[/QUOTE]
That smiley means you're joking, right?
Oh my god, please people please learn what you're talking about BEFORE you go telling people how to do it.
I'm going to link this once again because you're clearly not listening. (and it's way easier than writing it all out again)
[url]http://developer.pidgin.im/wiki/PlainTextPasswords[/url]
[B]@gparent: [/B]I really just don't want to release it because the code is messy and the encryption algorithm isn't that great. I'll release the source when I make a better one.
One worth giving its own topic, and written in C++.
This doesn't even encrypt. The key is just used to add noise.
Proof-of-concept "decryptor" (in Python)
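[code]from sys import stdin

SHIFT = 120  # constant offset subtracted from each data character

def decrypt(inp):
    out = []
    # Only every second character carries data; the rest is noise from the key.
    for n in range(0, len(inp), 2):
        out.append(chr(ord(inp[n]) - SHIFT))
    return ''.join(out)

if __name__ == '__main__':
    print(decrypt(stdin.read()))[/code]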
[QUOTE=blankthemuffin;19631300]Oh my god, please people please learn what you're talking about BEFORE you go telling people how to do it.
I'm going to link this once again because you're clearly not listening. (and it's way easier than writing it all out again)
[url]http://developer.pidgin.im/wiki/PlainTextPasswords[/url][/QUOTE]
Yes. Everyone read this and believe it, or else you're wrong.
:downs:
Would it be possible to convert the username and password into binary, multiply it by a number that the user chooses, then save it to a text file that is hidden? Then the person enters their username, password, and chosen number, and then bam, they're in?