Password protected OS

greygraphics 14 Jun 2016

Hey,

I created this small, password protected OS. It is called SecOS and cannot be terminated. Also, the passwords of the users are encrypted so that you cannot read them directly. However, you can edit them. They are (as far as I know) only decryptable with themselves as password.

Added commands:
  • mkusr (Create a new user in the /users directory)
  • passwd (Change the password of the user you log in)
Added APIs:
  • secure (A small API which allows for fast password encryption and check)
Added directories:
  • /users (The directory in which every user and password is stored)

Link: SaRwxwcn

Note: This file can unpack itself, simply type in "<Filename> <Filename>"

I hope you have fun with this. :)

SGunner2014 16 Jun 2016

Why are the passwords encrypted? Have you thought of hashing them instead?

greygraphics 16 Jun 2016

> SGunner2014, on 16 June 2016 - 03:20 PM, said:
> Why are the passwords encrypted? Have you thought of hashing them instead?

Yes I did, but hashed codes can be found in pre-made tables. I think this way it is more secure...

Goof 16 Jun 2016

> greygraphics, on 16 June 2016 - 07:11 PM, said:
>> SGunner2014, on 16 June 2016 - 03:20 PM, said:
>> Why are the passwords encrypted? Have you thought of hashing them instead?
> Yes I did, but hashed codes can be found in pre-made tables. I think this way it is more secure...

Use a salt with the password. That'd prevent lookup-tables from working properly, without also getting the salt.

greygraphics 16 Jun 2016

> Mikk809h, on 16 June 2016 - 07:14 PM, said:
>> greygraphics, on 16 June 2016 - 07:11 PM, said:
>>> SGunner2014, on 16 June 2016 - 03:20 PM, said:
>>> Why are the passwords encrypted? Have you thought of hashing them instead?
>> Yes I did, but hashed codes can be found in pre-made tables. I think this way it is more secure...
> Use a salt with the password. That'd prevent lookup-tables from working properly, without also getting the salt.

Ok, I will look into that, although I don't have much experience with encrypting text. :)

Blue 16 Jun 2016

> Mikk809h, on 16 June 2016 - 07:14 PM, said:
>> greygraphics, on 16 June 2016 - 07:11 PM, said:
>>> SGunner2014, on 16 June 2016 - 03:20 PM, said:
>>> Why are the passwords encrypted? Have you thought of hashing them instead?
>> Yes I did, but hashed codes can be found in pre-made tables. I think this way it is more secure...
> Use a salt with the password. That'd prevent lookup-tables from working properly, without also getting the salt.

But where would you securely store the salt?

Goof 16 Jun 2016

> Blue, on 16 June 2016 - 07:26 PM, said:
>> Mikk809h, on 16 June 2016 - 07:14 PM, said:
>>> greygraphics, on 16 June 2016 - 07:11 PM, said:
>>>> SGunner2014, on 16 June 2016 - 03:20 PM, said:
>>>> Why are the passwords encrypted? Have you thought of hashing them instead?
>>> Yes I did, but hashed codes can be found in pre-made tables. I think this way it is more secure...
>> Use a salt with the password. That'd prevent lookup-tables from working properly, without also getting the salt.
> But where would you securely store the salt?

The salt doesn't have to be stored in a secret place.

You can save the hash of the password+salt in the same file, if you want to. (For example with the salt on the 2nd line)
Edited by Mikk809h, 16 June 2016 - 07:45 PM.

Anavrins 16 Jun 2016

The current hash algorithm is not safe at all anyway.
Each character is encoded individually, by multiplying with some value, and that value can of course be retrieved by calculating the greatest common divisor of all the numbers.
There are some good hashing algorithms on my profile page that you can use to securely store passwords, mainly PBKDF2-SHA2.
The salt doesn't need to be secret, but don't simply concatenate it with the password, use HMAC-SHA2 or PBKDF2-SHA2 instead.
Edited by Anavrins, 16 June 2016 - 10:46 PM.
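
Added example, not part of any post in this thread and not SecOS code: a Python sketch (chosen because `hashlib` ships PBKDF2) that models the per-character multiplication scheme described above next to a salted PBKDF2-SHA256 record with the salt on the second line of the same file. The multiplier `K`, the iteration count, the third record line and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from functools import reduce
from math import gcd

K = 7919              # constructed multiplier standing in for the scheme's secret value
ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows


def weak_encode(password):
    """Scheme criticised in the thread: each character times one shared value."""
    return [ord(c) * K for c in password]


def weak_decode_without_key(stored):
    """gcd(stored) = K * gcd(character codes), which is K for most passwords."""
    g = reduce(gcd, stored)
    return "".join(chr(n // g) for n in stored)


def make_record(password):
    """Return a three-line record: derived key, salt (2nd line), iteration count."""
    salt = os.urandom(16)  # unique per user, stored in the clear
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{dk.hex()}\n{salt.hex()}\n{ITERATIONS}\n"


def check_password(record, attempt):
    """Re-derive with the stored salt and compare in constant time."""
    dk_hex, salt_hex, iterations = record.split()
    dk = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked = weak_encode("hunter2")          # constructed sample password
    print(weak_decode_without_key(leaked))   # the stored numbers give it back
    record = make_record("hunter2")
    print(record, check_password(record, "hunter2"), check_password(record, "hunter3"))
```

Because every record gets its own random salt, two users with the same password end up with different first lines, which is what defeats the pre-made tables mentioned earlier in the thread.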

greygraphics 17 Jun 2016

> Anavrins, on 16 June 2016 - 10:25 PM, said:
> The current hash algorithm is not safe at all anyway.
> Each character is encoded individually, by multiplying with some value, and that value can of course be retrieved by calculating the greatest common divisor of all the numbers.
> There are some good hashing algorithms on my profile page that you can use to securely store passwords, mainly PBKDF2-SHA2.
> The salt doesn't need to be secret, but don't simply concatenate it with the password, use HMAC-SHA2 or PBKDF2-SHA2 instead.

Well, thanks. As I mentioned earlier, I do not know much about encoding text.
I will look into it.

Um, and may I ask for some advice? If I take the algorithm and make it multiply the numbers like this:
function encode(sInput)
    local encoded = ""
    local value = 0

    for i=1,string.len(sInput),1 do
        value = value+string.byte(string.sub(sInput,i,i))
    end

    for i=1,string.len(sInput),1 do
        encoded = encoded..tostring(string.byte(string.sub(sInput,i,i))*value^i*value)
        --Actually I don't know how to do this X^n thing correctly
    end

    return encoded
end

Would it be more secure?
Edited by greygraphics, 17 June 2016 - 02:07 PM.

Anavrins 28 Jul 2016

> greygraphics, on 17 June 2016 - 01:59 PM, said:
> Um, and may I ask for some advice? If I take the algorithm and make it multiply the numbers like this:
> ...
> Would it be more secure?

You learned the answer in grade school; it's trivial to invert multiplication and exponentiation with division and radix.