I have encrypted a file with openssl, now I would like to read the encrypted file (actually parse that file) without decrypting it. Basically I want to see if the encrypted file contains a certain word. How can I do that? I searched different blogs and posts and the only solution I could come up with is to decrypt the file (which creates a new READABLE file), search the word in the decrypted file and then remove it. Since I don't like having to create a decrypted copy of the file and then remove it, is there any way that I can parse/read the file without decrypting it? I should probably mention that I am using c++, but I don't think it really matters, am I correct?
Thanks in advance for all the help you can give me.
There is no way to parse a file that is encrypted (at least if you are using a reasonable, not trivially breakable - pretty much everything beyond a Ceasar cipher or a XOR cipher counts as "not trivially breakable" in this context).
In other words, you will need to find a way to decrypt the content - one solution is of course to decrypt to memory, or to stdout and use a pipe to read from the file.
An example (written here as a general idea, the exact code may need some adjusting):
FILE* p = popen("openssl des3 -d -in myfile.encrypted", "r");
int ch;
while((ch = fgetc(p)) != EOF)
{
... process a character at a time ...
}
pclose(p);
I have encrypted a file with openssl, now I would like to read the encrypted file (actually parse that file) without decrypting it... to see if the encrypted file contains a certain word.
To preserve semantic security, you need to use a homomorphic encryption scheme. OpenSSL does not support those cryptosystems, so its probably not possible using OpenSSL.
If you don't care about semantic security, then you can probably use any number of schemes. Mats gave you a couple of them. But they will leak information like a sieve and are probably trivial to break with simple techniques like frequency analysis.
You might want to read up on Fully Homomorphic Encryption and Somewhat Homomorphic Encryption schemes. If the scheme is built on a lattice, then the NTRU library might offer the scheme or a useful primitive. Shoup's NTL library might also offer the scheme or primitives. (I don't know because I don't use FHE or SHE schemes).
You should also talk to the folks on security.stackexchange.com or crypto.stackexchange.com.
Related
I am doing this small university project, where I have to create a console-based text editor with some features, and making files password protected is one of them. As I said, it's a university project for an introductory OOP course, so it doesn't need to be the most secure thing on planet. I am planning to use a simple Caesar cipher to encrypt my file.
The only problem is the password. I'll use the password as the encryption key and it will work, but the problem is handling the case where the password is wrong. If no checks are placed then it would just show gibberish, but I want to make it so that it displays a message in case of a wrong password.
The idea I have come up with is to somehow store the hash of the unencrypted file in that text file (but it shouldn't show that hash when I open the file up with notepad) and after decrypting with the provided password, I can just hash the contents and check if it matches with the hidden hash stored in that file. Is it possible?
I am using Windows, by the way, and portability is not an issue.
In general, you can't theoretically design a data format where nothing but plain text is a valid subset of it, but there can also be metadata (hash or something else). Just think about it: how do you store something other than text (i. e. metadata) in a file where every single byte is to be interpreted as text?
That said, there are some tricks to hide the metadata in plain sight. With Unicode, the palette of tricks is wider. For example, you can use spacelike characters to encode metadata or indicate metadata presence in the way that the user won't notice. Consider Unicode BOM. It's the "zero-length space" character. Won't be seen in Notepad, serves as metadata. You could so something similar.
They already mentioned alternative data streams. While one of those could work to keep the metadata, an alternative data stream doesn't survive archival, e-mailing, uploading to Google Drive/OneDrive/Dropbox, copying with a program that is not aware of it, or copying to a filesystem that doesn't support it (e. g. a CD or a flash drive with FAT).
I've been trying to pick up C++ and computer security in my own free time and I've been attempting some CTF challenges.
The challenge was about finding out the number of words (N) in a text file (x.txt), and using N as a key to encrypt the text file (x.txt) using AES-256 CBC and outputting a new text file (y.txt) with the encrypted contents.
I have no problems getting the number of words from the text file, but I was just wondering if anyone knows how to perform the encryption stated?
I've been reading up on OpenSSL for this but I can't proceed further. I assume the IV would be zero in this case?
Thanks in advance.
I assume the IV would be zero in this case?
An IV or Initialization Vector, is the "seed" for encryption. It is needed so that plaintexts that are similar don't look similar when encrypted. It is meant to never repeat between different encryption runs and is not secret. A zero IV (or any other fixed IV) would thus defeat the purpose.
A typical approach with AES-CBC is during encryption to generate a random IV and store it together with the ciphertext. Then during decryption read it in and use it to initialize the decryptor.
To know more about the OpenSSL API's to use, refer to OpenSSL Wiki - Symmetric Encryption.
I'm currently learning about AES too. Here are some resources I found useful:
How to perform AES encryption:
It boils down to 4 steps per round:
Substitute bytes (using the S-box)
Shifting the rows
Mixing the columns
Adding the round key
There's a really good video about how to perform each AES round by Professor Paar. Here is a link to his AES video. His whole channel is really a gold mine with regards to learning crypto. Note: You will need to hard code the S-box or include it somehow.
One thing Prof. Paar doesn't explain in the video is key expansion (aka how to get each round key). You can find a java implementation of key expansion on Professor Wagner's page here. It should be relatively straight forward to refactor into C++. Just remember to include the round constant table.
So I was looking at ways to lock file folders with a password in windows, and this type of security is not really supported.
Given I know C++ I was wondering if I could simply do this myself.
It would be simple enough, in the case of a text file, to copy the entire contents of the file into a C-string. I could then use basic logic to prompt for a password, if it matches, use an fstream overload and insert the whole string into a text file.
Then, simply wipe the file when I'm done using it.
I basically know how to do this, and the result would be a string containing the document compiled into a .exe which I assume would be unreadable. The thing is, I've never really studied encryption or computer security so I'm wondering how secure this would be, or if there is a better way to do this?
Could it be done on photo or video files as well, if so, how?
How hard would it be to reverse (decompile) the process?
What types of things could I do to make reversal more difficult, ie. using multiple strings, or mixing in random characters?
I'm not looking to hide super-sensitive files, I'm just curious about encryption basics.
Never implement crypto yourself - it is destined to fail. Use well reviewed libraries such as OpenSSL. A good example of using AES for file encryption: Encrypting and decrypting a small file using openssl
Using such simple approach will let you encrypt any file. And it will be secure. Why settle for weak encryption if you can have strong encryption?
If you don't want to write a program, just get, for example, OpenSSL and use the terminal: openssl des3 -salt -in file.txt -out file.des3
I'm working on a text based adventure game in C++ and I would like to store quests in a text file,but I don't want the player to read it.
Is there an easy way to encrypt it?
Another way to "hide" content of your file to player is to encrypt the file.
You can use openssl for instance.
In this thread you can have an idea on the usage.
Velthune's OpenSSL suggestion is fine but it is arguably overkill. I would try something simple like XOR encryption instead.
Of course XOR encryption is not secure, but neither is the OpenSSL approach, since your program must store the encryption key somewhere in the executable file in order to be able to do the decryption.
There is no way to truly secure the file's contents against a determined user and still have it be accessible to a program that runs on the user's machine.
So, I'd suggest XOR encryption as a simple form of obfuscation that will deter someone from changing the file casually, yet won't make your program dependent on an external library.
I have a proprietary application which uses an xml config. Currently I use boost::property_tree to read the xml file.
I would like to deploy both executable and xml file on a more public system and want to avoid anyone, including that system's administrator, from reading the xml.
Ideally, I would like to maintain the clear text xml on my system so I can easily manually modify it. Then I would call some encrypt command on the file, deploy it on the more public machine and have the executable decrypt it on the fly. I'd use the same key and just hardcode it into the source of the executable.
Is this a reasonable approach? What is the easiest way to implement this? Is there a better way?
Since you're already using boost, you could always serialize it. If you use binary archives, the file will be essentially unreadable. I guess my follow-up question would be: do you also want it to be secure? Or just unreadable?
If the code runs on the client's machine, then in principle you can never prevent the data from becoming known, because it has to be on the client's machine. You can try to obfuscate, but ultimately the client will have to be able to read the data, so it has to know it.
If you were to simply embed an encryption key in your program, the client could just scan through the file and extract the key. If you work a bit harder you can make Skype, but even that has been deconstructed.
It all depends on the seriousness of your need to protect the data. If it's absolute, then you cannot do it, but if you just want to keep the casual visitor out, you could try and make it a bit harder... tell us some details if you're serious about this.
If your goal is to prevent someone from casual inspection, then that is a reasonable approach.
If you must ensure (for some weird reason) that the configuration cannot be read, it is a foolish errand, because the program can read it, so a user who is determined to do so can do it as well. Either by disassembling the program, or simply by doing a memory dump from the debugger. Having that said, a simple, lightweight encryption will be good enough, because even the toughest encryption will be broken in the same way.
You might also consider whether using an explicitly human-readable format such as xml is well-suited if you don't want people to read it.
I had a very similar case. I used a compression algorithm to store the file 'encrypted'. zlib can be used for C++. You can easily encrypt and decrypt your file, both from command-line and from code. To add some more 'security' you can xor the compressed file with a password.
This a both simple to implement and easy to use. Of course I won't use such method if my clients are hackers, or have a financial incentive to read the XML.