Post by Armstrong on Jul 14, 2003 17:31:24 GMT -5
There are a few changes in viper's passport system in its database, which are as follows:
1. UserID is changed to VisaID. I've adopted Alex's concept of "Visa." VisaID makes more sense because Visa carries user name (both registered and guests) and profile. Just don't get confused between VisaID and UserID, VisaID is the new name for UserID.
2. Two new tables have been added "Visa" and "Passport".
3. Fields in Visa table
---- VisaID: Same as UserID, just to identify the visa account or can be used as guest name in viper.
---- MSNRC: MSN Reg Cookie. Info for your msn registered name.
---- PT: Passport ticket.
---- PP: Passport profile.
---- TimeStamp: Time stamp to when this visa was last updated.
---- PassportID: Identity to a particular passport in passport table. If visa is outdated, then Visa manager will use this to update the visa; not to mention, "Visa Manager Object" will also update all the other visas using the same passport automatically.
4. Fields in the Passport table
---- PassportID: Unique and user-friendly name to identify a passport.
---- Key: It's one half of the key used to encrypt and decrypt the password.
---- Passport: Complete passport address like "me@passport.com"
---- EP: (Encrypted Password) The password is encrypted in RSA 256-bit encryption and I've adjusted the algo to inflate the password during encryption process which makes it nearly impossible to cr*ck it through brute force or plaintext attacks (nano-technology is very fast but you can't expect it to be in public hands very soon).
---- Sig: (Signature of the encrypted pass) It's just to check whether the encrypted pass has been tampered with or is corrupted.
5. Objects for managing the above tables (this is subject to change until the release of these objects)
---- Visa Manager Object
---- ---- a. Adds new function "GetVisaEx(VisaID)" in Alex's component -- You don't have to store the password in plain text, you just use the visa id to update the visa. Storing a password in plain text is not a good idea, anybody can read the password... it's just too easy.
---- ---- b. You can keep this object running in the back to keep a check on the expiry of the visa. If the visa is expired you can just set it to update the visa.
---- ---- c. You can use it to get the stored visa information from viper's database for your own application or script.
---- Password Manager Object: It's just a dialog to enter your passport record and associate it with a particular VisaID.
I'll add the "Visa Manager Object" in viper so viper users don't have to worry about it. Other scripts and app coders can use the "Visa Manager Object" to manage visas for their apps. It's just an extension to Alex's MsnIrcX object, which adds RSA 256bit encryption to the password and uses viper's database to manage the data. You may or may not choose to use Viper's database, "Visa Manager Object" has very flexible options.
6. A word on its security
RSA 256bit encryption is very strong encryption and inflating the password during the encryption process also compounds the difficulty to decipher the encryption password through brute force and plain text attempts. Here I'll talk about possible cr*cking methods from least effective to most effective:
#1 Brute force and plaintext attacks to cr*ck the encryption: This way it may take years to cr*ck 256bit encryption on current public systems. A good cr*cker won't even consider this option on a normal computer.
#2 The cr*cker uses your key in the database to cr*ck the encryption: This encryption consists of 2 keys. Userkey is provided by you (which is in the database on your PC) and Appkey is hidden in the compiled binary. They need to know both keys to decrypt the password.
#3 The cr*cker knows your key and uses hex editor to find out the Appkey in the compiled binary: Trust me Appkey won't be visible in hex editor, I've taken appropriate steps to hide the key. I'll also explain how you can hide the key from hex editors with the source example.
#4 The cr*cker uses a memory debugger to get the Appkey: I've taken steps to confuse a cr*cker, but there is no cr*ck-proof solution to hide information from a memory debugger. A cr*cker can trace the instructions to get the key or get the password from the memory of the app. But to get the password from the memory they need full access to your computer with their program. And to decrypt the password they need to know your key too. As said before, Appkey on its own can't be used to decrypt the password.
Number "#4" is the most effective way to cr*ck the password, but it's not a thing of an average Joe. It can be made more secure by adding protection against all the known memory debuggers and increasing encryption to a higher number like 1024-bit; but it's not a security App for Department of Defense, so I won't go that far. There is no such thing as 100% secure, esp. when the exe/dll can get in the hands of cr*ckers. The main idea is to make it difficult enough to make it impossible for an average Joe to decipher the password, and make it enough hassle to keep away an advanced cr*cker. And keep in mind some security is better than no security and this encryption is better than a lot of commercial programs, but you need to know the weaknesses of the security.
Final word: I've tried to address all the possible threats to security in this system, and I've explained how the process works - its strengths and weaknesses... I think I did my job here, now you can also work out how to keep your password secure. If your passport account is really important, I suggest you don't store the password for that account on your PC and make another account for chat.
The examples are vague but they present the basic idea, just try to grab the main ideas. If it's too vague then someone with better writing skills can rewrite it in a more reader-friendly way.
I'm working on Visa Manager and Passport Manager object. I'll upload it asap. This is just to give a head start for anyone who wants to use it.
*** Just for Viper Users ***
Here is the new database and the next viper version will use it, so the errors might be due to the database if it's not updated. But you don't have to worry about it until the next release.
vipercentral.vze.com/dl/vbot.mdb
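
An added example, not Armstrong's code or part of Viper: the split-key idea (Userkey in the database, Appkey in the binary) and the Sig check from the post, sketched with an HMAC-SHA256 keystream from Python's standard library as a stand-in for the post's RSA 256-bit routine, whose details are not given. `APP_KEY`, `PAD_TO`, the per-record salt and both function names are assumptions, and padding to a fixed length is only one reading of "inflating" the password.

```python
import hashlib
import hmac
import os

APP_KEY = b"constructed-app-half"  # hypothetical stand-in for the Appkey in the binary
PAD_TO = 64                        # assumption: fixed plaintext size hides password length

def _keys(user_key, salt):
    # Both halves feed the derivation; one half alone yields different keys.
    master = hmac.new(APP_KEY, salt + user_key, hashlib.sha256).digest()
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"sig", hashlib.sha256).digest())

def _keystream(enc_key, n):
    # HMAC-SHA256 in counter mode, used here in place of a real cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(password, user_key):
    """Return (salt, ep, sig): the values a Passport row would hold."""
    data = password.encode()
    if len(data) > PAD_TO - 1:
        raise ValueError("password too long")
    # One length byte, the password, then zero padding up to PAD_TO bytes.
    plain = bytes([len(data)]) + data + bytes(PAD_TO - 1 - len(data))
    salt = os.urandom(16)  # fresh per record, so a keystream is never reused
    enc_key, sig_key = _keys(user_key, salt)
    ep = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, PAD_TO)))
    sig = hmac.new(sig_key, salt + ep, hashlib.sha256).digest()
    return salt, ep, sig

def open_sealed(salt, ep, sig, user_key):
    """Check Sig before decrypting; raise if EP was altered or a key half is wrong."""
    enc_key, sig_key = _keys(user_key, salt)
    expected = hmac.new(sig_key, salt + ep, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("Sig mismatch: record tampered, corrupted, or wrong key")
    plain = bytes(a ^ b for a, b in zip(ep, _keystream(enc_key, len(ep))))
    return plain[1:1 + plain[0]].decode()
```

Because Sig is verified before any decryption, a modified EP or a wrong Userkey is rejected without producing plaintext.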