A question on Encryption and decryption via password ?!

  • Question

  • Hello there.

    I have noticed that all the encryption and decryption methods using a password key simply need a string to be included in the code itself to do the job. What if someone decompiles the program and finds that string?!

    Then the person would be able to decrypt all the desired data by having the password key we included in the code!!!

    How to secure the password key? Any tricky way?

    Thanks in advance

    Thursday, October 6, 2016 4:13 AM

Answers


  • My program should store some string-type data on my server and download them and read them again if necessary. I do want to encrypt strings before saving them as txt so that users cannot understand the content.

    The txt format is the easiest and lightest way to keep some strings; otherwise the format of the file doesn't matter.

    Then plain old everyday no-frills easy to do string encryption should be quite fine for what you want.

    I put together something that will take a serializable class and from that create an encrypted (optional) compressed file. The result is "moderately secure for most purposes", but it's not bullet-proof by any stretch.

    If you're curious have a look:

    https://social.msdn.microsoft.com/Forums/vstudio/en-US/8222cb3e-99e7-48a7-9bfa-aa1cd913d9fa/binary-serializationdeserialization-a-library-to-compress-and-encrypt-the-data?forum=vbgeneral

    The method uses very good obfuscation (which is a key but is only as good as how it's set up to be obfuscated) including something that I think everyone should read:

    An instance of the SecureString class. What it shows about strings is spot-on correct:

    "An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory."

    Right! There's no telling when it'll go away and we don't have control over that when.

    I set my stuff up to handle either a string as the encryption key or a secure string but before I continue at all, let's talk some here. ;-)

    *****

    Is it really worth doing all of this? Really?

    We've talked a lot here about that and I think you should take reasonable precautions, sure, but not overly worry about it.

    Plain old string encryption (I'll even set something up for you if you want) won't take but a few minutes to set up and a few seconds to use.

    It's not great security but for your use it should be fine. If you want me to set something up that makes it tough, I can and will but I'll have to set the encryption key. It'll be in memory which isn't a great idea (as you just read) but c'mon -- who are you dealing with here. ;-)

    Your thoughts?


    Curiosity is the world's most valuable asset.

    • Proposed as answer by Neda Zhang Friday, October 7, 2016 2:50 AM
    • Marked as answer by Neda Zhang Tuesday, October 18, 2016 1:40 AM
    Thursday, October 6, 2016 6:58 PM

All replies

  • I have noticed that all the encryption and decryption methods using a password key simply need a string to be included in the code itself to do the job. What if someone decompiles the program and finds that string

    See this:  https://en.wikipedia.org/wiki/Public-key_cryptography

    The key used for decryption is private to the user and is not included in the application.

    Thursday, October 6, 2016 4:22 AM
  • The "trickiest" thing I can think of is to take the key, convert it from a string to a byte array, then convert that to a base64 string. Reverse it to decrypt. If whatever you are doing is important enough to require encryption, you probably should look carefully at the link provided by Acamar.

    Thursday, October 6, 2016 4:38 AM
  • I have noticed that all the encryption and decryption methods using a password key simply need a string to be included in the code itself to do the job. What if someone decompiles the program and finds that string

    See this:  https://en.wikipedia.org/wiki/Public-key_cryptography

    The key used for decryption is private to the user and is not included in the application.

    I need to code a program which allows my users to upload files through ftp.
    So I need to include network credentials in the code (username and password), but it doesn't seem right to include such important data barely in the code. That's why I thought of encryption.

    I have read about public and private keys regarding encryption, but it doesn't solve my issue.

    I do not want to give any keys to users; the program should do the uploading stealthily by itself, of course, in a secure way.

    Thursday, October 6, 2016 5:01 AM
  • The "trickiest" thing I can think of is to take the key, convert it from a string to a byte array, then convert that to a base64 string. Reverse it to decrypt. If whatever you are doing is important enough to require encryption, you probably should look carefully at the link provided by Acamar.


    The problem is that decompiling anyway allows anyone to look into your code and find the method you use. No matter how long or complicated you make the procedure, it just takes some more time to get ahead of it.
    • Edited by Kevin993 Thursday, October 6, 2016 5:19 AM
    Thursday, October 6, 2016 5:04 AM
  • I do not want to give any keys to users , program should do the uploading stealthy by itself , of course , in secure way.

    Even if you could adequately disguise the connection in the application code, anyone who knew how to sniff the network data would find the credentials.  You can prevent the details appearing as plain text in the code, and if you use a secret obfuscation technique that you devise for yourself instead of a standard encryption procedure that requires a key, then that might be adequate.  Of course, such an obfuscation couldn't be discussed here, because then it wouldn't be secret any more. 

    Public/Private key encryption does not involve giving keys to users - it requires that you use their public key which, as the name implies, is published and available.

    Thursday, October 6, 2016 5:15 AM
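
Acamar's point about public-key encryption, worked through as an added example (not code from any poster in this thread): the client embeds only the server's public key, so decompiling it yields nothing that decrypts an uploaded file. It assumes .NET 8 or later; the names SealForServer and OpenOnServer, the blob layout and the sample record are constructed for illustration, and it covers the upload direction only, since a client that must read the data back needs a decryption key of its own.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text
Module EnvelopeDemo
    Const NonceLen As Integer = 12, TagLen As Integer = 16
    ' Client side: holds only the PUBLIC key. Output layout (an assumption of this
    ' example): RSA-wrapped AES key | nonce | tag | ciphertext.
    Function SealForServer(publicKeyXml As String, plaintext As Byte()) As Byte()
        Dim dataKey = RandomNumberGenerator.GetBytes(32)      ' fresh AES-256 key per file
        Dim nonce = RandomNumberGenerator.GetBytes(NonceLen)
        Dim cipher(plaintext.Length - 1) As Byte
        Dim tag(TagLen - 1) As Byte
        Using gcm As New AesGcm(dataKey, TagLen)
            gcm.Encrypt(nonce, plaintext, cipher, tag)
        End Using
        Using pub As RSA = RSA.Create()
            pub.FromXmlString(publicKeyXml)                   ' public parameters only
            Dim wrapped = pub.Encrypt(dataKey, RSAEncryptionPadding.OaepSHA256)
            Return wrapped.Concat(nonce).Concat(tag).Concat(cipher).ToArray()
        End Using
    End Function
    ' Server side: the only place the private key exists.
    Function OpenOnServer(priv As RSA, blob As Byte()) As Byte()
        Dim keyLen = priv.KeySize \ 8
        If blob.Length < keyLen + NonceLen + TagLen Then Throw New CryptographicException("truncated blob")
        Dim dataKey = priv.Decrypt(blob.Take(keyLen).ToArray(), RSAEncryptionPadding.OaepSHA256)
        Dim nonce = blob.Skip(keyLen).Take(NonceLen).ToArray()
        Dim tag = blob.Skip(keyLen + NonceLen).Take(TagLen).ToArray()
        Dim cipher = blob.Skip(keyLen + NonceLen + TagLen).ToArray()
        Dim plain(cipher.Length - 1) As Byte
        Using gcm As New AesGcm(dataKey, TagLen)
            gcm.Decrypt(nonce, cipher, tag, plain)            ' throws if the blob was altered
        End Using
        Return plain
    End Function
    Sub Main()
        ' Constructed demo key pair; only ToXmlString(False) would ship in a client.
        Using serverKey As RSA = RSA.Create(2048)
            Dim blob = SealForServer(serverKey.ToXmlString(False), Encoding.UTF8.GetBytes("constructed sample record"))
            Console.WriteLine(Encoding.UTF8.GetString(OpenOnServer(serverKey, blob)))
            blob(blob.Length - 1) = blob(blob.Length - 1) Xor CByte(1)   ' simulate tampering in transit
            Try
                OpenOnServer(serverKey, blob)
            Catch ex As CryptographicException
                Console.WriteLine("tampered upload rejected")
            End Try
        End Using
    End Sub
End Module
```
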
  • You can prevent the details appearing as plain text in the code, and if you use a secret obfuscation technique that you devise for yourself instead of a standard encryption procedure that requires a key, then that might be adequate
    The problem is that decompiling anyway allows anyone to look into your code and find the method you use.


    • Edited by Kevin993 Thursday, October 6, 2016 5:19 AM
    Thursday, October 6, 2016 5:18 AM
  • ftp sends username and password and data in plain text, it is not conducive to security.

    Thursday, October 6, 2016 5:26 AM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then?
    Thursday, October 6, 2016 5:28 AM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then ?

    I have always thought this is simply the wrong approach.

    If you create a file that's [reasonably] secure - and that's the file that's uploaded/ downloaded - then I think you're in good shape.

    Even if the file is intercepted midstream, it's of no real value to them.


    Curiosity is the world's most valuable asset.

    Thursday, October 6, 2016 12:37 PM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then ?

    You should probably be using SFTP (SSH File Transfer Protocol) if you want secure connections.

    Paul ~~~~ Microsoft MVP (Visual Basic)

    Thursday, October 6, 2016 1:24 PM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then ?
    I'd suggest you offer a more detailed description of what the program is doing as a start. Obviously nothing that is confidential, just the concept and maybe a description of the flow of the program.
    Thursday, October 6, 2016 4:22 PM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then ?

    I'd suggest you offer a more detailed description of what the program is doing as a start. Obviously nothing that is confidential, just the concept and maybe a description of the flow of the program.

    One duty of the program, which is my concern now, is uploading generated txt files to my server. But the content of the txt files should be encrypted so that it is not understandable for users by simply opening them, but is for the program itself via decryption.


    • Edited by Kevin993 Thursday, October 6, 2016 6:18 PM
    Thursday, October 6, 2016 6:14 PM
  • ftp sends username and password and data in plain text, it is not conducive to security.


    I'm shocked! I didn't know that it sends username and password along with data!!!!

    What should I do then ?

    I have always thought this is simply the wrong approach.

    If you create a file that's [reasonably] secure - and that's the file that's uploaded/ downloaded - then I think you're in good shape.

    Even if the file is intercepted midstream, it's of no real value to them.


    Curiosity is the world's most valuable asset.


    So what you say is that if the content of my file being uploaded is encrypted, then there wouldn't be any security loss issue using the ftp method to upload, right?
    Thursday, October 6, 2016 6:15 PM
  • ...so what you say is that if content of my file being uploaded is encrypted , then there wouldn't be any security loss issue using ftp method to upload . right ?

    We can spend a while (a long while) and I'll show first-hand if you want, but the data will NOT be a text file. It'll be a special binary file.

    Tell me why you said that it has to be a text file? If the file is going to be used as a part of a website (like something that's referenced in a web page) then all of this is pointless anyway. Is that what you have in mind?

    Explain more please?

    *****

    Insofar as answering your question:

    It's fairly secure for most purposes, but nothing is bullet-proof. If you're trying to do something on that level, you're in the wrong forum - for the reasons that Acamar said.


    Curiosity is the world's most valuable asset.

    Thursday, October 6, 2016 6:27 PM
  • ...so what you say is that if content of my file being uploaded is encrypted , then there wouldn't be any security loss issue using ftp method to upload . right ?

    We can spend a while (a long while) and I'll show first-hand if you want, but the data will NOT be a text file. It'll be a special binary file.

    Tell me why you said that it has to be a text file? If the file is going to be used as a part of a website (like something that's referenced in a web page) then all of this is pointless anyway. Is that what you have in mind?

    Explain more please?

    *****

    Insofar as answering your question:

    It's fairly secure for most purposes, but nothing is bullet-proof. If you're trying to do something on that level, you're in the wrong forum - for the reasons that Acamar said.


    Curiosity is the world's most valuable asset.

    My program should store some string-type data on my server and download them and read them again if necessary. I do want to encrypt strings before saving them as txt so that users cannot understand the content.

    The txt format is the easiest and lightest way to keep some strings; otherwise the format of the file doesn't matter.

    Thursday, October 6, 2016 6:42 PM
