This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.
ComputerCraftAsk a Pro
CCJJSax's profile picture

Unauthorized change of password decryption

Started by CCJJSax, 15 August 2016 - 07:10 PM
CCJJSax #1

CCJJSax's profile picture

259 posts

Posted 15 August 2016 - 09:10 PM
First of all sorry I don't have any worthwhile tangible code here, this is more conceptual than anything at this point.

I am making a password system using encryption using PixelToast's encryption api. I am having this save the password and encrypting it with that password. That password will decrypt things like emails as well. I'm doing this so even server admins with access to the raw files won't be able to read them. I will have a change password function that will go through all encrypted files and re encrypt them with this new password.

Said admins will theoretically be able to use the same encryption to change the password, but doing so would basically corrupt the encrypted emails because it didn't ever get re encrypted with the new password. I am essentially trying to think of a way to recover those falsely encrypted emails.
Admicos #2

Admicos's profile picture

275 posts

Location Turkey

Posted 15 August 2016 - 10:14 PM
don't encrypt, hash (and salt) your passwords and compare the hashes for the password
KingofGamesYami #3

KingofGamesYami's profile picture

3057 posts

Location United States of America

Posted 16 August 2016 - 12:26 AM
I'm not sure I'm understanding you correctly. If I am, you're asking for a way to break your encryption without the password… which isn't possible, short of a brute force attack (IF you used it correctly).
CCJJSax #4

CCJJSax's profile picture

259 posts

Posted 16 August 2016 - 12:30 AM
KingofGamesYami, on 16 August 2016 - 12:26 AM said:
I'm not sure I'm understanding you correctly. If I am, you're asking for a way to break your encryption without the password… which isn't possible, short of a brute force attack (IF you used it correctly).

Not exactly. The server owner has access to the password file. If he changes the encrypted password there then it would mess it up.
Bomb Bloke #5

Bomb Bloke's profile picture

7083 posts

Location Tasmania (AU)

Posted 16 August 2016 - 03:59 AM
So what's the problem? Sounds like it's working as it should. You either have the correct password and can read the files, or you don't have it and you can't.

You would ideally code things such that a password mismatch is recognised, of course. If an admin changes a user's password, then the next attempt to decrypt their files should result in a failure (as the new password is in use, and they were encrypted using the old one), and lead to a prompt for the old password.

If that can't be provided then the files should be lost. That's the whole point of encryption - to allow access only to those who should have it.
Edited on 16 August 2016 - 02:00 AM
CCJJSax #6

CCJJSax's profile picture

259 posts

Posted 16 August 2016 - 05:09 AM
It is a good idea to have an old password system. That is probably what I'd do but I was worried about corruption if the admin changed it directly in the file.

But thank you. I think I'll go with that.