I need to open and read an encrypted file in a C++ program. Do I need to keep the password in the program? Are the user able to get the password when the program is disassembled?
What's the best way to keep the user away from the password?
If you just put the password hard coded then, yes. With some dissassembly it is easy to get the password (you don't even need to dissassemble fully, only get the strings).
You can try to obfuscate the password somehow, such as computing a hash of something that creates the password (this is very simplistic).
In the end if you give someone an encrypted file and a program that opens that file you can't really hide that information from them.
Another simplistic solution (provides very basic security only - may be succeptible to hacker attack )
Create your password file in a directory on which users have no permission.
Provide users only execute permissions to the executable but use setuid so that they can run the executable as you.
In the exe read the password from the file kept in a directory that only you have permission to. (created in step 1).
Related
Using fstream, what file type would you recommend that I can read and write to for save files? I'm attempting to make a program where the user enters a username and a password and it'll output it to a file. I'd like a filetype that isn't very easy for the user to edit. (so not a .txt or .ini)
Thanks in advance
fstream doesn't really have a sense of a "file format" outside of being in text mode vs pure binary mode (there are some nuances with newlines for example). You would typically use some sort of intermediate library to generate or directly write XML files, JSON files, INI files, etc. SQLite is a popular library/format to store database tables in a file. Mozilla Firefox uses it for their bookmarks and history for example.
What you're talking about is security through obscurity. By using using some sort of encoding, perhaps ultimately binary so it wouldn't even be printable at all without a hex editor, it would obscure things a bit. If you used encryption it wouldn't be readable until decrypted, but you could always reverse engineer the program to determine the encryption/decryption keys and algorithms.
The most secure option is to not store the password at all, but a hash of the password. This means that even with reverse engineering the program, you wouldn't be able to directly extract the stored password. Instead, whenever the user attempted to enter a password, it would compare use the same hashing algorithm and compare the results.
This doesn't always work though, because sometimes you are storing the password to submit to a 3rd party, in which case you do have to ultimately recover the stored password into plaintext for transmitting to the 3rd party.
I hope this gives you some ideas!
I want to make a simple console application that will execute some usefull functions that I regularly use for my school (to check if a number is prime, to write factors of a number, solve a quadratic equation etc.).
But as I was making it I decided to add some details about the app to make the user interface prettier: to write the name of the app, version ...
I came to an idea to have an admin password which I can type in and then I can modify those extra details or change the password.
But if I have a password that I store like a const variable or a regular variable const string password = "blablabla;" every time I run the app it will have the same password "blablabla" so is there a way to somehow change the password and other extra data so the program saves the new values permanently?
I thought to save all those extra information in some file and then read them from it every time, but then if the file is changed then the data will be to and I don't want that. I want to change the data only with an admin password. I also thought I can encrypt those information but still thay can be easely changed.
I also thought that the program can open the source code and then modify those initialized values, but then I need to compile that file and I also don't want that.
I only want an .exe app that will run and can change those information permanently with an admin password.
Does anyone now if this can be done and how?
I'm writing this app in C++.
Thank you in advance
is there a way to somehow change the password and other extra data so the program saves the new values permanently?
In theory, you may be able to modify the constants in the data segment of the executable. How to do that is dependent on the executable format. But I would consider that a kludgy workaround and it would be difficult to prevent someone from modifying the executable without the password. What you really want is variables. And you have a good idea for how to initialize the variables:
I thought to save all those extra information in some file
A good idea. Simple solution, probably appropriate for the scope of your app.
if the file is changed then the data will be to and I don't want that. I want to change the data only with an admin password.
Then protect the file somehow. You could, for example not give anyone write permission to the file. Or if you're paranoid (this is just a small console app just for you, right?) encrypt it...
I also thought I can encrypt those information but still thay can be easely changed.
It won't be easy without the key. Sure they can modify the cryptotext, resulting in garbage data, but if you are concerned about that, realize that if they have write access to your files, they can just delete the program itself.
If you want to go this far though, consider storing your data in a full-fledged database which will have authentication and encryption already implemented.
You need to add Windows resources to your application and then update them run-time.
https://msdn.microsoft.com/en-us/library/ms648004%28v=vs.85%29.aspx
I am using visual studio to develop a windows form application in c++ to detect certain anomalies and log it.
The log file that I am intending to create will be of a common format such as .txt. I do not want users of the computer to modify this file that is I want only my program to modify it( I want users to read this file not modify it).
Is there any way to achieve this??
if you want to hide the content from other users then encrypt the file or use a binary format that only your program will be able to understand.
As long as the file resides on a publicly accessible area in the file system, then other users will be able to access it.
You can put the file in a specific user's Documents area, which might go some way to protecting the file from other users of that machine, but not from administrators.
You could even set the file attributes to "hidden" or something along those lines, to further make it hard for people to find it. But a complete access block is difficult (if not impossible).
After all this, you can also use NirMH's method to ensure that even if someone finds and attempts to read the file, then the encryption should make it difficult to crack it open. A binary format can still be read with a hex editor, if someone is really keen to read your file.
I'm writing a program that asks the user for a username and password. I also want to be able to save this information if they so choose, but I don't want to have my program create a simple plain text file that anyone can open. How can I have my c++ program write to an encrypted file and be able to access it when the program is launched later?
Try libgcrypt. For this sort of task, the key (generated from the user's password), will have to be entered every time. You don't want to save the key right next to the encrypted data.
You could also try some scripting with pgp or gpg, if you want to tackle it at a higher level.
I'm writing a project on arduino and I'm storing a password in a const char array. This password is written in the code and I would like to hide the password from malicious readers who have access to the .o files and .hex files.
Does anyone happen to know how to hide it?
I allready tryed by storing it in a const byte array instead of a const char array, but it doesn't seems to solve my problem...
The tricky part is that no matter what, since you need to use the password, (and I'm assuming you can't enter a key every time you boot) your code is going to contain both the lock, and the key to opening it. The real question is how good does this have to be?
If it doesn't have to be real good, you could xor the password by some value, and use that as the password in the source. You then xor it by the same value when you need to use it, and ta-da...
If you want something less trivial (and the arduino fits it), you could sign the password with your private key, and store your public key in the source. The algorithm to unsign the password is considerably more complex than a simple xor (thus harder to spot.)
No matter what, any self-contained system that needs to use plaintext passwords is compromisable.
You could store the password in EEPROM, which you can write to with avrdude or inside your code. In the latter case you will need to provide the password to your device at some point after flashing.
The password will still be accessible to anyone with physical access to the device, but not people who only have access to .o and .hex files.
I am not sure if the Arduino bootloader allows you to read and write EEPROM through avrdude, but if not, you could write an initial Arduino sketch that writes the password to EEPROM, then later overwrite it with your actual sketch that only reads it.
Just hash the password and store the hash. Than you hash the user input password to try and match them.
Now, if you need to store a password to another service and you can't help but use the plain password with their API, then you have few possible choices.