Solution to ignore "MDC missing" PGP decryption failure? - pgp

Working with a customer who seems to love legacy software.
They produce an encrypted file for us that does not contain any sort of sensitive information (but still insist on PGP), but the legacy software they use does not produce an encrypted file that has MDC. What's the quickest/easiest way I can decrypt their files without worrying about MDC-missing fails? Thanks very much!

Related

Is Linux-based hardware-specific password generation and/or file encryption/decryption possible?

This might be a question for Superuser but I would prefer a programmatic way to handle this if a tool doesn't already exist.
Basically I'm trying to find a method of generating a consistent, hardware/software installation specific password/key that can be used for file based encryption. By file based encryption, I mean decrypt a file. I want that file to only decrypt with a password that isn't stored anywhere, and can be consistently re-created from looking at the machine hardware/software.
Problem with digging into this is the starting point is "Linux file encryption" which is well covered by whole disk encryption. e.g. TruCrypt, etc... Disk encryption is overkill.
Any pointers, programmatic or otherwise are welcome. Thank you!
a password that isn't stored anywhere, and can be consistently re-created from looking at the machine hardware/software.
To say that your hardware and/or software will never change is usually an invalid assumption. How do you know that your next system patch won't change whatever "key" you are using to generate your password?
You might be better off with a system like Stanford PwdHash (there are also command-line tools available) that will generate a password based on a different but known password and a salt (typically, the domain name, but you can put whatever you want in that field).

[algorithm/md5]: what is the detailed verification process in file sharing?

I read the wiki-page of "Cryptographic Hash Function" today.
And I got to know that, md5 has been applied in verification of file.
There is something I can't figure out, here it is.
Suppose I want to download a file(.exe, .iso, whatever) from a website.
1.Does the server first transfer the md5 code of the file to me?
If so, how do I store the md5 code? store the code in a file?
2.When the downloading is done, how do I start the verification process?
Am I supposed to do the verification manually or the downloader (be it a chrome explorer download tool) does the verification automatically?
3.If the file I'm downloading is intercepted by some Hacker on the internet, then will the Hacker know what the file is ?
And how to prevent the interception?
thank you.
Further to previous answers, the purpose of the MD5 published on download websites has nothing to do with crackers (man-in-the-middle attacks). It's just to make sure you downloaded it correctly. If some bits were corrupted for whatever reason, the software mightn't run. Security is much more complicated to set up than one little hash, but luckily your browser knows how to deal with that: whenever you connect over TLS (SSL, https) it will set up a secure connection. Just by watching how much data is sent, even though he can't see what the data is, an attacker may be able to guess which file you're downloading.
MD5 checking is entirely manual. You download it or copy and paste it yourself.
Every operating system should come with an md5 program; Windows is probably the only one that doesn't. Google for one if you have the misfortune of needing to.
With md5 alone, he certainly can see what the file is. The only way to prevent the interception is to use encryption, which most sites provide using https URLs.
Edit: What is an MD5? It's just the value of a little calculation done with all the parts of the file. You send the file, and do the calculation yourself using the md5 program, and check that you get the same value as is listed on the website. The calculation is clever, and if one or more bits of the file are corrupted, the calculated MD5 value will change, so you know that the download didn't work and you need to download again.
The file and the MD5 hash of the file are transferred separately. You are expected to calculate the MD5 hash of the file for yourself and compare it with the downloaded version. If they match then the files are the same. Think of MD5 as a more elaborate version of a checksum.
If you want to prevent interception then you need to encrypt the file, which is a separate question. If you want to ensure the the file is truly the original and you haven't been fooled by a false copy, with false MD5 hash, then look at HMAC.
There are probably browser plugins that will let you do hash-verification automatically. I haven't researched any previously.
A website will usually provide a hash, in hex format, next to the download link.
Once you have downloaded the file, you 'feed' it to a tool which will calculate the hash of the file. Almost all programming languages will have the ability to do this, and there are many googable tools to do so.
If the hash that you generated yourself matches the one shown on the website you know that the file is not corrupt / is the correct one.
MD5 is the most common hash function used to do hash verification. It is not advised to use for security purposes anymore, but it is perfectly fine to verify a file's contents are correct (in 'casual' circumstances).
Digital signing is also used to ensure a file is correct and was generated by a known person/authority/site.

Securing SQL queries, insuring that no one person knows that password

What are some effective and secure methods of securing SQL queries?
In short I would like to insure that programmers do not see the passwords used by the application to perform queries. Something like RSA or PGP comes to mind, but don't know how one can implement a changing password without being encoded in the application somewhere.
Our environment is a typical Linux/MySQL.
This might be more of a process issue and less of a coding issue.
You need to strictly separate the implementation process and the roll-out process during software development. The configuration files containing the passwords must be filled with the real passwords during roll-out, not before. The programmers can work with the password for the developing environment and the roll-out team changes those passwords once the application is complete. That way the real passwords are never disclosed to the people coding the application.
If you cannot ensure that programmers do not get access to the live system, you need to encrypt the configuration files. The best way to do this depends on the programming language. I am currently working on a Java application that encrypts the .properties files with the appropriate functions from the ESAPI project and I can recommend that. If you are using other languages, you have to find equivalent mechanisms.
Any time you want to change passwords, an administrator generates a new file and encrypts it, before copying the file to the server.
In case you want maximum security and do not want to store the key to decrypt the configuration on your system, an administrator can supply it whenever the system reboots. But this might take things too far, depending on your needs.
If programmers don't have access to the configuration files that contain the login credentials and can't get to them through the debug or JMX interfaces then that should work. Of course that introduces other problems but that would potentially satisfy your requirement. (I am not a Qualified Security Assessor - so check with yours to be sure for PCI compliance.)

Are there any known standards or security flaws in password-protected ZIP files?

Just like the title says. I was hoping someone could direct me to documents/resources that show how to encrypt a zip file such that most (if not all) 3rd-party apps can open it.
I'm more interested in the security aspect rather than how to do it - any knowledge is welcome.
This is to casually protect files on my work computer (and network drive) from prying co-workers.
There aren't any big flaws in ZIPs password. There are tools that can crack a zip file password but they have to do it using brute force, usually starting with a dictionary attack. For protecting files locally or on a network, it should be fine as long as you pick a long enough password. I'd suggest using a phrase like 'givemelibertyorgivemedeath' or whatever. Long enough to make brute force attacks unfeasible but short enough to keep from being a pain to type everything you need to unlock a file.
WinZip has defined how to use AES encryption on zip entries.
It is a WinZip thing but many tools support WinZip's AES design, including InfoZip, WinRar (I think?), and DotNetZip. WinZip's approach has also been granted FIPS-197 certification.
It is much stronger than the old-style PKZIP "Weak" encryption.

What is the best way to encrypt a text file in C/C++?

A C/C++ based cgi web application will be creating a temporary text file on the server as long as the user is logged in. The text file will be deleted when the user logs off. I want to encrypt this text file and also the content of the file. The file will contain information like username and password.
What is the best way to do this?
EDIT: I see libraries being suggested. My problem is I cannot use anything but Standard C++ library.
Use a well known library such as openssl and follow well known examples and stay away from platform specific solutions.
I think you might be going about this the wrong way. If security, real security, is the goal then you're not going to want to store the password even in its encrypted form (because it can be decrypted if the key is stolen, as other people have said).
What you should do is store a hash of the password (with an appropriate salt). This means that no one (not even the site admins) can determine a user's password. They can merely accept a password and see if it's the right one or not by hashing the input with the same salt (you can't reverse a hash).
Also, this sort of situation lends itself nicely to databases, are you using one?
Google password hashing with salts and you can read about it from real security experts (I am not one).
An encryption standard that currently is considered as "safe" is AES (also called Rijndael). You can find a C++ implementation at Codeproject and in many other places.
Please note, that when using AES or any other symmetric encryption standard, you must store the encryption/decryption key inside your application. If anyone discovers the key, he can decrypt all files that you encrypted with this key.
If your application will run under Windows, you also might use DPAPI to store the encrypted information.
Revised answer.
You want code to encrypt and decrypt a file that can be used with your C++ code.
It would be absolutely incorrect to write your own code (like this one).
But, you say that you cannot use standard libraries.
Standard (and, maybe opensource) libraries are probably the most correct approach to implementing encryption in your applications. If you choose to not do that, it leaves you with only two options,
Implement your own version of a standard encryption algorithm (and risk weakness by any errors you make)
Use a 'system' call from your application and run a standard encryption (like bcrypt) that maybe (hopefully) available on your system.
I would still stick to picking up a standard library or integrating such an opensource code into my application. Please explain what prevents you from doing that.
Old: for some reason, i thought a PHP code was required... my error.
This article gives a PHP encryption symmetric program example using crypt to store password in a text file.
Possibly related Stackoverflow questions
discussion on the best C/C++ encryption library.
discussion on plain text storage of password.

Resources