IanN1990 Posted September 5, 2016 Posted September 5, 2016 (edited) Good Morning, There will not be any code in this question as its just theory-craft to get a foundation. My work is currently shared between my team, but at the rate things are progressing there is a chance this number could increase. So i am trying to ensure thing is the best it can be. The main aspect is automation of internal tools and intranets which requires storing usernames / passwords (as having to type these out every time would render a big aspect of the script pointless and password managers are not an option these applications are packaged / visualized). So i need a way to store information locally on a machine while allowing that to be decrypted when its needed and yet be impossible while its not (It has to be stored locally as i dont have a servers which can be rolled out for this task atm). Here is my idea. 1. User inputs their details 2. These details are hashed 3. The user inputs a 4 digit pass code (with some validation not to allow common ones like 1111, 1234, 1122 etc) 4. This pass code is used to generate unique salt (here is the clever bit) by depending on the number it will pick ethier the Unique MB, Bios, CPU, HDD or All hardware number. Splits this into two blocks and depending on the pin again is where it places the salt into the hash. 5. This is then stored in the registry (This is the idea i came up with when trying to get to sleep at 1am and spent the whole night tossing and turning :/ ) Example *My Details > Hashed Details > 2354 > Generated Salt _GetHardwareID(2) * Split in half > Insert Half Slat into String Postion 23 of Hashed Details > Insert Second half of Salt into String 54 of Hashed Details > Store in Reg When the user launches the application they would be able to access the information as they would know the pin but for anyone else they would need physical access to the machine and brute force. From research in this forum regarding topics like this and other links it has taken me is always assume they have access to A. Source code and B. everything else My big worry is there is only 10,000 combinations in a 4 digit passcode, minus lets say 1,000 from strick validation. If they had access to the physical machine, even if only for a short while and had access to the source code they could gather the hardware IDS, registry entry and then in their spare time using a reverse argothim running through 0000-9999. Assuming each "brute" take .5 seconds to complete someones details could be found in a day :/ Now the only other thing i can think of adding but i dont know if its just me being over the top. Depending on the number it will present you with a picture When using the tool, after the user puts in their pin-code they are presented with the same picture. So i could do it as 0-1000 = 1-12 1000-2000 = 13-14 etc That would give a combination of 61917364224 * the 9000 combination of a 4 digit code which is a 557256278016000. This would jump to 858306884765625000 if i used a 25 digit picture and 8.3993725665289699109108059025144e+702 if i change the intervals to 500 What does everyone think? *Disclaimer i have no background in security or decryption. This is just what i have picked up from researching. *_GetHardwareID() Edited September 5, 2016 by IanN1990
AutoBert Posted September 5, 2016 Posted September 5, 2016 (edited) On 9/5/2016 at 8:18 AM, IanN1990 said: being international and an employee base of upwards 2,000 people ... (It has to be stored locally as i dont have a servers which can be rolled out for this task atm Expand sounds nonsence. In such a big company you should invest in a new server and other secure hard- and software. Edited September 5, 2016 by AutoBert
IanN1990 Posted September 5, 2016 Author Posted September 5, 2016 (edited) Maybe i was being overly optimized in that statement Currently 8 people in my team use my work, which is set to grow to 25 with the inclusion of another team. So getting a dedicated server would be out of the question for such a handful of people though if that number was to grow, then more research would be put into this on how to do it better. Furthermore currently all my work is integrated with AD-Groups, so if someone is not part of a group they cant use the tool. The above is my introduction into encryption / decryption on a more serious level for those who do have details stored. Though your response has surprised me a little. Is my understanding way of the mark? as to gather information of one person you would need physical access to that persons machine (or know their windows password) and then brute/force a combination of 8.3993725665289699109108059025144e+702 ( assuming you could perform 10,000 checks a second, 3.154e+12 checks a year, it would take 2.6630857852025903331993677560287e+690 years to crack)? Edited September 5, 2016 by IanN1990
junkew Posted September 5, 2016 Posted September 5, 2016 Quote usernames / passwords Expand I assume if it are testenvironments this information is internally "public" or having a certain logic. It all depends on what kind of information and protection level you want. If its production environments I assume its a no go area to store it locally (at least I can get fired If i would do that in the company I work for). But basically your solution is to create a safe with one combination and if you are allowed to open the safe all userid/password combinations can be retrieved. I would first suggest to check with your internal company policies to make a risk/benefit analysis on what is acceptable. FAQ 31 How to click some elements, FAQ 40 Test automation with AutoIt, Multithreading CLR .NET Powershell CMDLets
IanN1990 Posted September 5, 2016 Author Posted September 5, 2016 I have had verbal confirmation from my line manager for this information being stored but i will get this in written form as you have me worried So the tool is intended for use in a production environment though the end-users would be either first, second or third line support. Yes, my idea is each person would have their own vault, which only they have access to. What i am really struggling to get my head around though is. Even if i made the second layer only 12 digits. Wouldn't it take at lest to 216 years to crack?
RTFC Posted September 5, 2016 Posted September 5, 2016 Storing keys, hashes, or any other sensitive data in the registy is a really bad idea, IMHO. Also, computing brute-force computing cost usually gives one a false sense of security. But as you appear to be interested in machine-/user-specific local encryption, you may find my CodeCrypter of use (link in sig, read the extensive FAQ). RT PS I'm about a quarter globe away from the nearest decent internet connection at the moment, so I won't be able to answer any follow-up questions you might have until I get back to civilisation. My Contributions and Wrappers Reveal hidden contents BitMaskSudokuSolver BuildPartitionTable CodeCrypter CodeScanner DigitalDisplay Eigen4AutoIt FAT Suite HighMem MetaCodeFileLibrary OSgrid Pool RdRand SecondDesktop SimulatedAnnealing Xbase I/O
junkew Posted September 5, 2016 Posted September 5, 2016 So its the users local environment where they probably have their own personal directory. This is already a "secure" environment. Seen multiple users in local space to write on digital sticky notes their user/pwd combinations. So anything thats more protected is probably safer. Search for crypt.au3 FAQ 31 How to click some elements, FAQ 40 Test automation with AutoIt, Multithreading CLR .NET Powershell CMDLets
IanN1990 Posted September 5, 2016 Author Posted September 5, 2016 (edited) So after some code writing and research, i have come around to how next to worthless my idea is. In theory having all these "confusing" encryption sounds good but in practice, its so easy to reverse engineer with the source code. RTFC - I had a look at your UDF. What about this idea. Script 1 - Main Script Script 2 - Password Vault Both scripts start at the same time, and the "vault" will seek out the Main script via sendmessages. Once both scripts have communicated with each other, the main script sends a hashed message to the Vault. If its correct, the vault sends back an encrypted message of "that" users details. I could also put a cool-down in this, so you can only try one attempt per minute to prevent bruteforcing (assuming they can figure out the sendmessages) So all the users details would be stored inside the Vault.Exe? How safe would be the information inside there as i assume you have alot better understanding then me Edited September 5, 2016 by IanN1990
junkew Posted September 6, 2016 Posted September 6, 2016 Not sure if I am completely following you your team makes something with userid's password that are not allowed to be seen by the enduser or are it userid's/ passwords from the actual user This application we use in our company https://www.imprivata.com/single-sign-on-sso but I allways feel when it ask(s) me to remember passwords its not smart to use as in the end somewhere they do not store the hashedvalue but the actual passwords. However in Chrome I also doubt if its secure to say yes to remember password. As soon as a virus/hacker is on the users local space running it can reverse engineer whatever it wants no physical access needed but as long as you are not working in NASA or nuclear environment its a balance between userfriendliness and security. For simple access to testenvironments your solution can work as I assume testers keeps this also somewhere in excel sheets with simple password protection or no protection at all on a groupfolder so anything you do on protection is better then doing nothing Maybe this is interesting to read https://www.schneier.com/academic/twofish/ https://www.cs.ox.ac.uk/files/6487/pwvault.pdf https://sourceforge.net/projects/passwordsafe/ FAQ 31 How to click some elements, FAQ 40 Test automation with AutoIt, Multithreading CLR .NET Powershell CMDLets
pluto41 Posted September 6, 2016 Posted September 6, 2016 Perhaps "McAfee Safeboot Endpoint protection" or "Microsoft Bitlocker" is a option for your company? It also asks for a password and does file encryption.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now