|
in reply to Re: How to hide a password in a script?
in thread How to hide a password in a script?
davido:
While I really appreciate your comments, this is a situation that cannot be satisfied by an encrypted solution. This is something that is on a fairly well protected network (1), gives access to a read-only user (2), and deals with a proprietary software client which doesn't support externally encrypted authentication methods(3). Finally, the reason for obfuscation, as opposed to encryption, is that the "stored" password has to be de-obfuscated in order to be passed to an expect program to log into another device (with the read-only account). So, disguising the password, and the disguising the code that disguises the password is sufficient for this particular situation. I understand and acknowledge the risks, and if the situation were different would most likely consider a (permanently) encrypted solution. However, for this particular situation, that simply won't work. Thus, the choice to go with obfuscation. We DO have a "Red Team" that likes to "play", but for the most part, they seem to be more concerned with the windows boxes in our environment, and this particular script resides on a Solaris box. Bottom line, encryption was considered as the preferred option, specifically SSH public key authentication, however, the device we're trying to connect to doesn't support it.
In response to 'Update2', it's all a game anyway. ;) For this particular situation, I'm not too interested in completely prohibiting *someone* from getting the data (password). But I definitely want to make them work for it. ;)
So, again, some tips on how to play "the game" would be much appreciated. :D Or at least directions to do some studying. |
Re^3: How to hide a password in a script?
by beable (Friar) on Aug 06, 2004 at 09:10 UTC
|
Here's why it won't work: no matter how you obfuscate the password and the code to unobfuscate it, the program will still be able to generate the password. And that's where "Red Team" will strike. Observe:
sub run
{
do_something();
my $data = get_data();
system("externalprogram -p $data");
}
sub get_data
{
$data = unobfuscate();
return $data;
}
Along comes "Red Team" and tries to crack the system. They read the manual for "externalprogram" and find out that the "-p" flag is for the password, so they edit the run() subroutine to this:
sub run
{
do_something();
my $data = get_data();
print "DING DING DING! PASSWORD = $data DING DING!\b";
system("externalprogram -p $data");
}
If they have access to the script which generates the password, they can find out what the password is, no matter how you obfuscate it.
Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script.
| [reply]
[d/l]
[select] |
|
|
beable said -->
"Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script. "
That's a given. ;)
| [reply] |
Re^3: How to hide a password in a script?
by Anonymous Monk on Aug 06, 2004 at 17:20 UTC
|
"and deals with a proprietary software client which doesn't support externally encrypted authentication methods"
davido wasn't suggesting that the client did any encryption. All encrpytion is down by the script, nothing external. For example:
$encrypted_passwd = 'ABS5SGh1EL6bk'; # crypt('secret', 'AB');
$submitted_clear_text_passwd = ...from user input, client socket or whatever...;
$submitted_encrypted_passwd = crypt($clear_text_passwd, substr($encrypted_passwd, 0, 2));
if ($submitted_encrypted_passwd ne $encrypted_passwd)
{
# wrong password
...
exit;
}
...
(Except use MD5 instead of crypt().)
| [reply] |
|
