06-19-2009   #6
Al Dunbar


 
 

Re: Re:simple text encrypt / decrypt


"Heinz" <Spacewalker4711(noSpam)@hotmail.com> wrote in message
news:#HFhzCQ8JHA.1248@xxxxxx
> "Al Dunbar" <alandrub@xxxxxx> wrote in message
> news:ukFY0PO8JHA.5400@xxxxxx
>>
>> "Heinz" <Spacewalker4711(noSpam)@hotmail.com> wrote in message
>> news:uaVlOON8JHA.1488@xxxxxx
>>> "rahulji" <rahuljiv@xxxxxx> wrote in message
>>> news:064c21f4734641fa97b49da4a16693d4@xxxxxx
>>>> Hi,
>>>> I have a different requirement.
>>>> I wrote a script which will contain a username and password of an FTP
>>>> server to which it will upload the data.
>>>>
>>>> I want to encrypt these username and password using DPAPIs so that no
>>>> one
>>>> can read them.
>>>>
>>>> Can anyone help in this regard?
>>>>
>>>> url:http://www.ureader.com/msg/1675127.aspx
>>>
>>> I think it depends on what you want to achieve:
>>> If your concern is that somebody can sniff username and password from
>>> your LAN or on the internet then maybe you need something like VPN or
>>> SFTP.
>>> If you want to prevent somebody from reading the VBS source code then you
>>> can:
>>> -compile the VBS to an (encrypted) .exe file (there are tools available
>>> doing this)
>>
>> But, again, just how secure is that encrypted information? The executable
>> must contain the code required to de-crypt the encrypted portions of the
>> executable, so reverse engineering is possible.
>
> Well, tools like http://www.abyssmedia.com/scriptcryptor/index.shtml
> will "compile" and encrypt VBS code to an .exe using Blowfish (an
> industry-standard strong encryption algorithm).
> The tool uses a strong random password for encrypting the .exe - and when
> executed the exe decrypts itself "on the fly" (to memory, not to disk).
> This should be sufficient for most users I think and it's a good option
> for distributing confidential VBS source code.

Even SCRENC.exe is enough to confound most users, and scriptcryptor
certainly looks as if it does a better job.

I would still be concerned about using this to obscure something really
sensitive like a domain admin password, however. If the executable contains
the strong random password, the encrypted data, and the logic to use these
to do the decryption, I think there is enough there that it would fall to a
determined reverse-engineering exploit. Definitely not something the average
user is capable of, at least not until someone publishes a program that
anyone could run to do this.

/Al
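
Added example, not part of the original thread: the DPAPI approach the original poster asked about, sketched in Windows PowerShell. Unlike a self-decrypting executable, the key is held by Windows and tied to the user account rather than stored beside the ciphertext. The function names, file path and sample credentials are constructed for illustration.

```powershell
# Added example; not code from the thread. Windows only (DPAPI).
Add-Type -AssemblyName System.Security

function Protect-FtpCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $Path
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes("$UserName`n$Password")
    try {
        # CurrentUser scope: only this Windows account can decrypt the blob.
        $blob = [System.Security.Cryptography.ProtectedData]::Protect(
            $plain, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        [System.IO.File]::WriteAllBytes($Path, $blob)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext buffer
    }
}

function Unprotect-FtpCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null,
            [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch {
        # Typical cause: blob copied to another account or another machine.
        throw "DPAPI could not decrypt '$Path': $($_.Exception.Message)"
    }
    try {
        # Split on the first newline only, so the password may contain any
        # other character.
        $user, $pass = [System.Text.Encoding]::UTF8.GetString($plain) -split "`n", 2
        [pscustomobject]@{ UserName = $user; Password = $pass }
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

# Constructed sample values; run once to store, then read back in the script.
$file = Join-Path $env:TEMP 'ftp-cred.bin'
Protect-FtpCredential -UserName 'ftpuser' -Password 'example-password' -Path $file
$cred = Unprotect-FtpCredential -Path $file
"Recovered user: $($cred.UserName)"
Remove-Item $file
```

Any code running as the same Windows user can call `Unprotect` on the blob, so this guards against other accounts and copied files, not against software running in that user's own session.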

