This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Login System

Started by MrObsidy, 30 August 2016 - 04:36 PM
MrObsidy #1
Posted 30 August 2016 - 06:36 PM
The Login System
So recently I have been busy coding an OS (or GUI, depending on how you define it) and I thought I would make the login script public :).

What it does:
Nothing extraordinary. It allows an infinite number of users, as every user gets a password file with its password saved in it.

Where does it save it?
It saves it at /usr/pwd/<username>.
Please keep in mind that this program doesn't encrypt the passwords and it doesn't come with a user-creation script.
To create a user, make a file in /usr/pwd/ with the name of the user and type the password into the file.

To do:
I removed this project from my to-do list as it fits my needs; I will MAYBE add more stuff if I have time for it.

Pastebin: pastebin get 40P2MDBY

Also, look at this thread for updates, as the login script doesn't have an auto-update function.

Also, this script is designed to be used in an OS, not standalone. That's why it is in APIs and Utilities and not in Programs.

Have fun with this program and tell me any errors you get with it. (I am aware that putting no username and password into the program will cause it to give an error, but I catch the error with pcall() and it simply restarts the script.)

-Alex
Edited on 31 August 2016 - 05:34 PM
ebernerd #2
Posted 30 August 2016 - 08:49 PM
Don't "encrypt" it. Hash it. While hashing is technically a way of encrypting things, it's not the traditional key system - it's irreversible.

Use something like GravityScore's SHA algorithm in lua. SHA stands for Secure Hashing Algorithm, and it will work perfectly for you.

Here's how you do it:
In your user creation script, hash the password, and save the hashed password (it's going to look something like this: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3)
When you log in, hash the password you receive from the user, and check it against the one in the file (so that way, if someone opens the file with the password in it, it's not in plaintext)

You can also salt the passwords by adding a random string at the end, and saving that alongside the password (when I use this in CC, I save passwords as a table, so that way it's easier to use in the program)

If you need help with that, let me know. :)
Edited on 30 August 2016 - 06:49 PM
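The store-and-verify flow ebernerd describes (hash at user creation, hash again at login, compare, and keep a per-user random salt alongside the hash), as an added example that is not code from the original post. ComputerCraft runs Lua and would use one of the pure-Lua SHA-256 APIs named in the thread plus the fs API; this example is written in Python with the standard library so it runs stand-alone, and the in-memory USER_DB dict standing in for the /usr/pwd/<username> files is an assumption made for the example.

```python
import hashlib
import json
import secrets

# Stands in for the per-user files under /usr/pwd/ described in the post
# (assumption for this example: a dict keyed by username, value is the
# JSON-encoded record, mirroring the "save passwords as a table" approach).
USER_DB = {}


def hash_password(password: str, salt: bytes) -> str:
    """SHA-256 over password || salt, hex-encoded.

    A SHA-256 hex digest is 64 characters; the 40-character digest quoted in
    the post is the length of a SHA-1 digest. The salt is appended, matching
    the post's "random string at the end".
    """
    return hashlib.sha256(password.encode("utf-8") + salt).hexdigest()


def create_user(username: str, password: str) -> dict:
    """User-creation step: pick a fresh random salt, store salt + hash, never the password."""
    salt = secrets.token_bytes(16)  # 128-bit random salt, unique per user
    record = {"salt": salt.hex(), "hash": hash_password(password, salt)}
    USER_DB[username] = json.dumps(record)
    return record


def check_login(username: str, password: str) -> bool:
    """Login step: re-hash the typed password with the stored salt and compare."""
    stored = USER_DB.get(username)
    if stored is None:
        return False
    record = json.loads(stored)
    candidate = hash_password(password, bytes.fromhex(record["salt"]))
    # compare_digest avoids leaking how many leading characters matched
    return secrets.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    create_user("alex", "hunter2")
    create_user("bob", "hunter2")  # same password, different salt -> different hash
    print(USER_DB["alex"])
    print(USER_DB["bob"])
    print(check_login("alex", "hunter2"), check_login("alex", "wrong"))
```

Two users with the same password end up with different stored hashes, which is what makes a precomputed table of hashes useless against this file. ComputerCraft's Lua has no secrets module; a salt only needs to be unique per user, so a long string built from math.random serves that purpose, but it does nothing to make guessing a weak password slower.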
MrObsidy #3
Posted 30 August 2016 - 08:53 PM
So I've never actually tried hashing, so please help me with that :)

EDIT:
So the problem I see is that there is close to no need for encryption because the guys who make CC programs here are not into hacking and the people who are into hacking are mostly not on the forums. Also, most of the guys who are into hacking aren't very good at CC and think they can hack because they can make redstone wire light up.

I've never had to deal with "hackers" on CC, so I wouldn't do it. However, I think hashing is more fun to code than useful for end-user security.
Edited on 30 August 2016 - 07:15 PM
TheRockettek #4
Posted 30 August 2016 - 08:55 PM
So I've never actually tried hashing, so please help me with that :)

Have you ever heard of sha256? :D That's hashing.

Anavrins has a good one that's fast and is easily accessible on his profile links
Edited on 31 August 2016 - 12:13 AM
KingofGamesYami #5
Posted 30 August 2016 - 10:17 PM
I don't know about you, but I've seen plenty of "hackers" in CC. Several people on the very few computercraft servers I've joined have decided to do something hackish just because they can. For example, crashing the computercraft thread until the server reboots.

Hashing is semi-pointless. As far as I'm concerned, you can store the password in plaintext. It really doesn't matter, since if the attacker has access to your computer, there's nothing you can do - you're already screwed. The argument against this is that your password might be used in multiple locations. In which case encryption would still be pointless, but hashing might offer additional protection.
TheRockettek #6
Posted 30 August 2016 - 10:21 PM
hashing might offer additional protection.

Until someone makes a big database of all hashes making it possible to reverse a hashed string :) (I can't find any text editor that lets me open 4 GB files so for now there isn't any :/)
MrObsidy #7
Posted 30 August 2016 - 10:34 PM
Oh okay. But how's that possible, crashing the CC thread from inside MC? I mean you could overload the _G table until bad stuff happens, but I think that wouldn't crash mc.
TheRockettek #8
Posted 31 August 2016 - 12:00 AM
1) No, just no…
2) Don't ask :)
3) It doesn't crash MC. It can either:
- Crash (restart) the CC thread, either for malicious use or for helpful uses like that error code thing :/ Restarting the CC thread from inside fixes it, or use it to restart the CC thread when I do a rednet broadcast that is just under the Java heap space :)
- Crash the server, and we don't like that (you would usually get banned for doing that though)
MrObsidy #9
Posted 31 August 2016 - 02:25 AM
Whatever, I am not into hacking anyways.
ebernerd #10
Posted 31 August 2016 - 02:50 AM
hashing might offer additional protection.

Until someone makes a big database of all hashes making it possible to reverse a hashed string :) (I can't find any text editor that lets me open 4 GB files so for now there isn't any :/)

That's why you salt your hashes.
TheRockettek #11
Posted 31 August 2016 - 07:45 AM
hashing might offer additional protection.
Until someone makes a big database of all hashes making it possible to reverse a hashed string :) (I can't find any text editor that lets me open 4 GB files so for now there isn't any :/)
That's why you salt your hashes.

Then make it with all salts >:D (Notepad won't let me open a 10 TB file.)
Bomb Bloke #12
Posted 31 August 2016 - 10:31 AM
Hashes may translate back to multiple strings - and if salts are used correctly, the opposite is also true! Ten terabytes wouldn't even begin to cover the sort of table size you'd need.

https://en.wikipedia.org/wiki/Rainbow_table#Defense_against_rainbow_tables

This is putting aside the obvious "if you're even thinking about using a text editor for hash reversal, ur doin it rong".
TheRockettek #13
Posted 31 August 2016 - 10:39 AM
This is putting aside the obvious "if you're even thinking about using a text editor for hash reversal, ur doin it rong".


Oh yeah, I know that's not how you want to do that xD.
DON'T FAIL ME NOW MYSQL
H4X0RZ #14
Posted 31 August 2016 - 05:14 PM
I don't know about you, but I've seen plenty of "hackers" in CC. Several people on the very few computercraft servers I've joined have decided to do something hackish just because they can. For example, crashing the computercraft thread until the server reboots.

Hashing is semi-pointless. As far as I'm concerned, you can store the password in plaintext. It really doesn't matter, since if the attacker has access to your computer, there's nothing you can do - you're already screwed. The argument against this is that your password might be used in multiple locations. In which case encryption would be still be pointless, but hashing might offer additional protection.

Although you could encrypt the data on the pc and only decrypt it when logging in. The only way to attack this is to somehow crash the CC thread while the computer is logged in, and then manage to access it, without the owner seeing anything.
Edited on 31 August 2016 - 03:14 PM
NotSwedishFish #15
Posted 31 August 2016 - 05:28 PM
A simple hash is not the proper way to go about saving a password. Even salting won't save you if your user picks a weak password in a common dictionary (or a permutation thereof). You need to use a computationally-intense key derivation function with thousands of iterations to ensure that trying many, many passwords is impractical for even those who have lots of computing power. For example, custom circuits can calculate SHA-256 (don't even use SHA-1 or, even worse, MD5) hashes in the billions to trillions per second. This means that if there's a weak password, it's likely to be broken by someone just trying a whole bunch of different passwords. Look up https://en.wikipedia.org/wiki/Key_derivation_function for the proper way to store passwords. These are made deliberately slow so brute-forcing is not an option.
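The point NotSwedishFish makes above, carried through in code as an added example (not code from the original thread): a password record built with a deliberately slow key derivation function, a dictionary attack against it, and a measurement of how the stored iteration count sets the attacker's cost per guess. It uses PBKDF2-HMAC-SHA256 from Python's standard library because that runs stand-alone; the record format "pbkdf2_sha256$<iterations>$<salt>$<hash>", the iteration count and the eight-word wordlist are all assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Parameters chosen for this example. Current guidance for PBKDF2-HMAC-SHA256
# is in the hundreds of thousands of iterations; the value is tunable and is
# stored in each record so it can be raised later without breaking old records.
ITERATIONS = 100_000
SALT_BYTES = 16
DKLEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Run the KDF: each guess costs `iterations` HMAC-SHA256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DKLEN)


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex (format is an assumption)."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    actual = derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(actual, bytes.fromhex(hash_hex))


# Constructed wordlist standing in for a real dictionary of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "hunter2", "dragon", "monkey", "password1"]


def dictionary_attack(record: str, wordlist=WORDLIST):
    """Try each word against the record. Returns (password or None, guesses tried, seconds)."""
    start = time.perf_counter()
    for tried, guess in enumerate(wordlist, 1):
        if verify(guess, record):
            return guess, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(iterations: int) -> float:
    """Cost of one wrong guess at a given iteration count, i.e. what the attacker pays per word."""
    record = make_record("correct horse battery staple", iterations)
    start = time.perf_counter()
    verify("not the password", record)
    return time.perf_counter() - start


if __name__ == "__main__":
    weak = make_record("letmein")
    print(dictionary_attack(weak))          # recovered after 4 guesses; the salt did not help
    strong = make_record("correct horse battery staple")
    print(dictionary_attack(strong))        # None: not in the wordlist
    for n in (1, 1_000, ITERATIONS):
        print(n, "iterations:", round(seconds_per_guess(n), 6), "s per guess")
```

The salt stops a precomputed table from covering many users at once, but a word in the dictionary still falls after a handful of guesses; the iteration count is the only knob here that makes each of those guesses expensive, and it applies equally to the legitimate login, which is why it is a trade-off rather than something to set arbitrarily high. Passing the iteration count inside the record means an attacker who can edit the file could lower it, but someone who can edit the file can replace the hash outright, so that is not a new exposure.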
MrObsidy #16
Posted 31 August 2016 - 05:48 PM
I was trying to publish a program, but this discussion got way more interesting. The problem is I have absolutely NO idea on how hashing works or is implemented in CC, so if someone would just provide me a way of doing "hashed_pw = hash.256(string)" and I get the hashed string back, I would've implemented it.
Admicos #17
Posted 31 August 2016 - 05:52 PM
I was trying to publish a program, but this discussion got way more interesting. The problem is I have absolutely NO idea on how hashing works or is implemented in CC, so if someone would just provide me a way of doing "hashed_pw = hash.256(string)" and I get the hashed string back, I would've implemented it.

Check out how AdmiOS does it using Anavrins's SHA256 API

And here is how i check the passwd (same file, different lines)
Edited on 31 August 2016 - 03:53 PM
MrObsidy #18
Posted 31 August 2016 - 07:35 PM
To everyone in this topic: I'll probably NOT add encryption/hashing as this was more of a simple script and I need time to program other things (getting into CompuTech's Cobalt API, nice work bruh!) and coding my OS, so sorry; if anyone wants hashing, please do it yourself.
Admicos #19
Posted 31 August 2016 - 07:43 PM
To everyone in this topic: I'll probably NOT add encryption/hashing as this was more of a simple script and I need time to program other things (getting into CompuTech's Cobalt API, nice work bruh!) and coding my OS, so sorry; if anyone wants hashing, please do it yourself.

If there were a GitHub repo or something like that, I think I could make it work.

But for just a simple login system, that would probably be too much.
ebernerd #20
Posted 31 August 2016 - 07:56 PM
Hey, thanks for using Cobalt! This topic inspired me to write a tutorial on how to do this: http://www.computercraft.info/forums2/index.php?/topic/27496-how-to-securely-store-passwords/

If BombBloke or someone sees an issue or something incorrect, PLEASE let me know. I wanted to write a simple tutorial so no one saves in plaintext. :P
MrObsidy #21
Posted 01 September 2016 - 12:54 AM
Okay, thanks, CompuTech. I had the know-how on how to do it, but I simply lacked time. But good thing you posted it.
EveryOS #22
Posted 05 November 2016 - 08:50 PM
You can't undo SHA? In that case, what's the next most secure form of encryption?
Lupus590 #23
Posted 05 November 2016 - 09:37 PM
You can't undo SHA? In that case, what's the next most secure form of encryption?

You don't need to.

In password systems it's important to not be able to, as it prevents the server owner, or anyone else who gets the password database through other means, from reading passwords.

A simple overview of how password systems work with "oneway-encryption"
I create my password the first time I use a service; this password goes through an algorithm which changes it in such a way that it is near impossible to reverse (it will take longer to undo than the heat death of the universe). This altered password is then stored.
Next time I login, I type in my password and it goes through the same algorithm as when I created my account. The changed password is then compared with the one which was stored, if they both are the same in their changed state then they must have been the same in their unchanged state (even though we don't know what that was). Should I type in something other than my password it will still go through the algorithm but will give a different result which won't match the stored one that was made when I signed up.
Edited on 05 November 2016 - 08:39 PM
EveryOS #24
Posted 06 November 2016 - 01:57 PM
But what about encrypting strings for other reasons?
Lupus590 #25
Posted 07 November 2016 - 10:50 AM
But what about encrypting strings for other reasons?

For transmission I would use:
https://www.youtube....h?v=GSIDS_lvRv4

Edit: having just listened to a lecture in uni about encryption, create a session key (which is actually a private key below) and send that via public key encryption. Then use the session key for all transmissions as it's faster to encrypt/decrypt.

For storage where you need to reverse the encryption, no idea what's best, but above youtube link would work here too.

Private key encryption, google it.
Edited on 07 November 2016 - 11:15 AM