Advanced password system

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

Post Reply
Message
Author
Adrianvdh
Posts: 177
Joined: 16 May 2013 13:00

Advanced password system

#1 Post by Adrianvdh » 25 Oct 2013 05:26

Hi everyone! :)

All I can say now is, Ahhh!!! after taking a hour to read all that and look at the code I am completely stuck.
But don't worry. I just have a simple question.

I need to create a advanced password system. It has an on and off switch. So the user can switch the password on an off via a basic UI. So I have coded most of it I guess I could say but. Where would I safely store the on/off value? I can store it in the reg can I? But a user could just use regedit and switch the password off. The encryption technique is looking good. But I don't understand the table stuff. So ya what code from Magialisk should I use and how? He has posted so many replies that I have no Idea, which post code should I use and how?

Or does anybody know of an advanced password system with this encryption technique built in?

Thanks Adrianvdh

foxidrive
Expert
Posts: 6033
Joined: 10 Feb 2012 02:20

Re: Advanced password system

#2 Post by foxidrive » 25 Oct 2013 07:31

This is a new topic - split from here: viewtopic.php?f=3&t=4579&start=15

Adrianvdh
Posts: 177
Joined: 16 May 2013 13:00

Re: Advanced password system

#3 Post by Adrianvdh » 25 Oct 2013 12:19

Hi, I created that topic, so? I need someone to explain how that encryption, the second fancy piece that Magialisk gave.
and where would I safely store the true and false values?

Adrianvdh
Posts: 177
Joined: 16 May 2013 13:00

Re: Advanced password system

#4 Post by Adrianvdh » 28 Oct 2013 14:27

No anyone?

Magialisk
Posts: 104
Joined: 25 Jul 2013 19:00

Re: Advanced password system

#5 Post by Magialisk » 30 Oct 2013 17:03

Adrianvh I don't fully understand what it is you're trying to do. You have a program that has a "switch"? If the switch is "ON" the program won't run unless you input a password and if the switch is "OFF" the program will run without asking for a password? Something like that? And you need to protect the switch so that the user can't turn it off? What exactly is this switch, just a text file/registry value it looks for, like a license?

The trouble you're always going to have is a user reading the code, so you can't simply access a plaintext file/registry and then do "IF data=Adrianvdh dont ask for password". Otherwise the user will just go out to whatever file/registry location you're reading and type in "Adrianvdh" to get around your check. That seems to be what you're afraid of in your original post? On the same note, when you do ask for a password how are you checking that in the code? "IF password=123456 then RUN" is obviously no help either. This is why I brought encryption into that other thread of yours.

To make use of any of my encryption code you would first take some value like "Adrianvdh" and encrypt it. Then in your program you would write code that says:
1.) Go read the license/switch location
2.) prompt the user for a key/password
3.) Encrypt "Adrianvdh" with the user-supplied key/password
4.) Compare what I read in (1) and the result of (3). Only run if they're equal.

The only way (4) will pass is if the key the user entered is the same one you used when you wrote the program. This technique prevents a user from learning anything of value by reading your source code. They know the plaintext "Adrianvdh" and they know where the license is stored so they can go read the ciphertext too , but none of that allows them to derive the key/password. This all relies on keeping the key/password secret of course, so if you hardcode it into the program the user has everything they need to work around your system.

It sounds like your desire is to completely remove the password check altogether, but only when the switch/license is found? In that case you would make the switch/license the key, and change the program so it does this:
1.) Go read the license/switch location
2.) Encrypt "Adrianvdh" with the value I just read
3.) Compare the result to "2Rbs(4n61Em". Only run if they're equal.
4.) Ask for a password if (3) did not run
5.) Encrypt "Adrianvdh" with the password
6.) Compare the result to "7sM9qY4c8". Only run if they're equal.


This assumes the password is not the same as the license/switch, ie: they're two different encryption keys. None of the keys/passwords are ever written into the program, so again the user can learn nothing from the code itself.

In any case, if you can help me better understand what it is you're trying to do / protect, I'm sure I can help. Most of the examples in that other thread were just proofs of concept to show what "can" be done for various well-known encryption algorithms in batch. Everything from simple substitution ciphers with weak keys to FIPS-197 compliant AES with a 256-bit key. I can see where it would be difficult to just try to lift code from that thread and drop it into your own program, but I can give you the full working functions and dependency code like the random number generator if that's what you need.

Post Reply