[REQ] wcx_ftp.ini encryption
Moderators: white, Hacker, petermad, Stefan2
-
ghisler(Author)
- Site Admin
- Posts: 48097
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
TC 7.5 will use AES-256 from CryptoAPI with SHA256 (implemented inside of TC), I'm currently working exactly on this function. I haven't received any reply yet from the maker of the AES plugin, so sadly this function will be available only in Windows XP and later.
Perhaps someone else can take over the AES plugin if the author is no longer maintaining it. Only small changes will be needed, I can send detailed instructions if anyone would like to take over. The plugin uses Delphi, though, so the developper would need to be able to recompile the project with Delphi.
Perhaps someone else can take over the AES plugin if the author is no longer maintaining it. Only small changes will be needed, I can send detailed instructions if anyone would like to take over. The plugin uses Delphi, though, so the developper would need to be able to recompile the project with Delphi.
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
I think this is answered here:octane wrote:AES, well. Where will you store the encryption-key or will there a "master-password" for this SecStore?
ghisler(Author) wrote:The user will need to type it in every time a stored password is used (it may be remembered for a certain time)
Who the hell is General Failure, and why is he reading my disk?
-- TC starter menu: Fast yet descriptive command access!
-- TC starter menu: Fast yet descriptive command access!
-
ghisler(Author)
- Site Admin
- Posts: 48097
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Currently my implementation works like this:
1. User uses Ctrl+F - New or Edit dialog
2. There is a new checkbox "Use master password to protect your passwords"
3. User enters FTP site password, checks the option in 2, and clicks OK
4. User is asked for master password
5. TC looks for ini file value AESVerify which contains a random value encrypted with the password in the form byte1 byte2 byte3 byte4. If the value is found, it is decrypted with the master password. If byte1=byte3 and byte2=byte4, then the password is OK. If not, TC shows an error.
6. If AESVerify is not found, TC asks user to confirm master password, then creates AESVerify value and stores it.
7. The ftp password is encrypted with the master password. For each password, a different random seed value is created and stored with the encrypted password. This is done so even if a user uses the same ftp password for two configurations, the encrypted data will be different.
8. The master password is remembered in memory, but not as a string, but instead in an array of pointers where each pointer points to one character. In addition, each character is XORed with a random value (different random value for each character). This way the password isn't stored in plain text in memory, except for a very short time when the AES key is derived.
9. The key is currently remembered until Total Commander is minimized. I also plan to add a user-configurable timeout. It would also be nice to "forget" the key when the screen saver kicks in - does anyone know how to detect that?
10. The AES master key is derived via SHA256 of the password and a seed value. In addition, that key is then encrypted 1000 times with another, random AES key which is stored in the wcx_ftp.ini. This method (which was implemented in some other password safe tool) is used to make brute force attacks very slow.
11. The password edit box doesn't react normally to WM_CHAR messages. Instead, I install a WH_KEYBOARD_LL (and if this isn't possible, WH_KEYBOARD) hook. Since the last-installed hook will be called first, this will override any keyloggers which have installed a hook before TC.
Any other suggestions to make that more secure?
1. User uses Ctrl+F - New or Edit dialog
2. There is a new checkbox "Use master password to protect your passwords"
3. User enters FTP site password, checks the option in 2, and clicks OK
4. User is asked for master password
5. TC looks for ini file value AESVerify which contains a random value encrypted with the password in the form byte1 byte2 byte3 byte4. If the value is found, it is decrypted with the master password. If byte1=byte3 and byte2=byte4, then the password is OK. If not, TC shows an error.
6. If AESVerify is not found, TC asks user to confirm master password, then creates AESVerify value and stores it.
7. The ftp password is encrypted with the master password. For each password, a different random seed value is created and stored with the encrypted password. This is done so even if a user uses the same ftp password for two configurations, the encrypted data will be different.
8. The master password is remembered in memory, but not as a string, but instead in an array of pointers where each pointer points to one character. In addition, each character is XORed with a random value (different random value for each character). This way the password isn't stored in plain text in memory, except for a very short time when the AES key is derived.
9. The key is currently remembered until Total Commander is minimized. I also plan to add a user-configurable timeout. It would also be nice to "forget" the key when the screen saver kicks in - does anyone know how to detect that?
10. The AES master key is derived via SHA256 of the password and a seed value. In addition, that key is then encrypted 1000 times with another, random AES key which is stored in the wcx_ftp.ini. This method (which was implemented in some other password safe tool) is used to make brute force attacks very slow.
11. The password edit box doesn't react normally to WM_CHAR messages. Instead, I install a WH_KEYBOARD_LL (and if this isn't possible, WH_KEYBOARD) hook. Since the last-installed hook will be called first, this will override any keyloggers which have installed a hook before TC.
Any other suggestions to make that more secure?
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
BOOL WINAPI SystemParametersInfo( SPI_GETSCREENSAVERRUNNING, ... )ghisler(Author) wrote:9. [...]It would also be nice to "forget" the key when the screen saver kicks in - does anyone know how to detect that?
should give the info - at least passively, for Win2k and up. Here is a workaround for NT4 / Win95 (using a hook; search for SPI_GETSCREENSAVERRUNNING).
MSDN Lib link
Example in C
Example in VB6
Example in Python
Maybe a more active notification can be achieved by monitoring some system message,
like WM_SYSCOMMAND Notification ( MSDN Link ) with parameter SC_SCREENSAVE:
Example:MSDN Lib wrote:A window receives this message [...]
SC_SCREENSAVE
Executes the screen saver application specified in the [boot] section of the System.ini file.
Code: Select all
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{ switch (message)
{ case WM_SYSCOMMAND:
{ switch (wParam)
{ case SC_SCREENSAVE:
[...]
Who the hell is General Failure, and why is he reading my disk?
-- TC starter menu: Fast yet descriptive command access!
-- TC starter menu: Fast yet descriptive command access!
2ghisler(Author)
Your approach sounds very promising - especially when looking at the problems recently found in Truecrypt and FileVault. A few questions/remarks:
1. Which function do you use to delete data in memory?
2. It would be great if you would provide a password storing mechanism for plug-ins. Something like a key chain seen in other operating systems such as Linux or OS X.
Your approach sounds very promising - especially when looking at the problems recently found in Truecrypt and FileVault. A few questions/remarks:
1. Which function do you use to delete data in memory?
2. It would be great if you would provide a password storing mechanism for plug-ins. Something like a key chain seen in other operating systems such as Linux or OS X.
-
ghisler(Author)
- Site Admin
- Posts: 48097
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
2StatusQuo
Thanks for the hints, but none of them worked. The SystemParametersInfo didn't return true on Windows 2000 when password protection of the screen saver was off, and the SC_SCREENSAVE notification is only sent to the program which currently has the focus, no other programs.
I did find a solution which works, though: When TC doesn't have focus, check with a timer whether there is a 'WindowsScreenSaverClass' window. This is for the case when there is no password protection, then the screen saver runs on the same desktop. Otherwise call OpenDesktop('Screen-saver',... and if it works, enumerate the windows on that desktop and check that they aren't on the same desktop as TC (this is necessary due to a bug in Windows).
2Lefteous
1. I simply overwrite it withv zeroes before freeing the memory.
2. I'm considering this too, but I need some way to prevent that plugin A stores some passwords, and then plugin B reads them and sends them to a cracker.
2m^2
What would you suggest then? You can't really expect that a user re-enters the password every time, this would be even more annoying as the Vista security dialogs.
Thanks for the hints, but none of them worked. The SystemParametersInfo didn't return true on Windows 2000 when password protection of the screen saver was off, and the SC_SCREENSAVE notification is only sent to the program which currently has the focus, no other programs.
I did find a solution which works, though: When TC doesn't have focus, check with a timer whether there is a 'WindowsScreenSaverClass' window. This is for the case when there is no password protection, then the screen saver runs on the same desktop. Otherwise call OpenDesktop('Screen-saver',... and if it works, enumerate the windows on that desktop and check that they aren't on the same desktop as TC (this is necessary due to a bug in Windows).
2Lefteous
1. I simply overwrite it withv zeroes before freeing the memory.
2. I'm considering this too, but I need some way to prevent that plugin A stores some passwords, and then plugin B reads them and sends them to a cracker.
2m^2
What would you suggest then? You can't really expect that a user re-enters the password every time, this would be even more annoying as the Vista security dialogs.
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
2ghisler(Author)
You might consider using SecureZeroMemory depending on how you currently zeroing the data.I simply overwrite it withv zeroes before freeing the memory.
GreatI'm considering this too
Last edited by Lefteous on 2008-02-25, 20:37 UTC, edited 1 time in total.
I suggest that forgetting in these situations should be optional.
IMO a button to forget password will do just fine for great majority of users.
ADDED: Actually my contact with Vista is the reason for this suggestion. Reentering the password every time I connect to ftp server after minimizing TC would be almost as annoying as what MS wants to sell us.
IMO a button to forget password will do just fine for great majority of users.
ADDED: Actually my contact with Vista is the reason for this suggestion. Reentering the password every time I connect to ftp server after minimizing TC would be almost as annoying as what MS wants to sell us.
-
fenix_productions
- Power Member
- Posts: 1979
- Joined: 2005-08-07, 13:23 UTC
- Location: Poland
- Contact:
Why not to make this re-entering optional?
If someone sets this in INI file it will be his fault only. The default settings should be "as less bothering as it possible".
Personally: I have KeePass locked each time its minimized. I can accept asking for master password every-time it is focused because I am using this app rarely. I think that some people will accept it for the prize of being safe.
PS. Will there be any possibility for the user to see what passwords he put for any FTP server?
If someone sets this in INI file it will be his fault only. The default settings should be "as less bothering as it possible".
Personally: I have KeePass locked each time its minimized. I can accept asking for master password every-time it is focused because I am using this app rarely. I think that some people will accept it for the prize of being safe.
PS. Will there be any possibility for the user to see what passwords he put for any FTP server?
"When we created the poke, we thought it would be cool to have a feature without any specific purpose." Facebook...
#128099
#128099
Sure. You know Revelation.fenix_productions wrote:PS. Will there be any possibility for the user to see what passwords he put for any FTP server?
