[REQ] wcx_ftp.ini encryption

[Stitscher]

Support

[tbeu]

I'm currently testing the Windows Crypto API.

To save the passwords with encryption for Blat Mailer and MKS Source Integrity plugins I use the Crypto API, too. Will the master password for encryption of FTP passwords be configurable by the user or set by TC?

[timsky]

I think it should be configurable by the user.

[ghisler(Author)]

As I know windows crypto API is weak.

This is NOT true in general. It has been weak in old versions of Windows (9x/ME) without the later versions of Internet Explorer, but newer versions support triple DES, and even AES on WinXP and Vista...

Will the master password for encryption of FTP passwords be configurable by the user or set by TC?

Of course it has to be configured by the user. The user will need to type it in every time a stored password is used (it may be remembered for a certain time). Otherwise if the password would be stored, then not only TC could decrypt it, but also any other program too...

[timsky]

2ghisler(Author) How soon can you add this feature?
AES encryption would be better

[ghisler(Author)]

AES encryption would be better

Why?
You would be limited to use your passwords on XP and Vista PCs only.

3Des is 168 bits encryption. If you use normal characters in lowercase and uppercase A-Z, a-z plus the digits 0-9 and 2 other characters for your password, one character of that password will give you only 6 bits of strength. To reach the strength of 3DES, you password (or better, pass phrase) would have to be 28 characters long! A normal password of 8 characters would give you only 48 bit strength! Therefore it doesn't make much sense to use 256 bit AES in this case...

[m^2]

3Des is 168 bits encryption.

Effectively 112.
Even though AES is considered safer, there was no news about money loss caused by it's "weakness", 3DES is 2^56 times more secure. Enough for me.
I think that compatibility with older windows versions is more important than pushing already good security a bit farther.

[ghisler(Author)]

It's 112 bits when you use it with two different DES keys: Encrypt with first, decrypt with second, encrypt again with first. Microsoft supports both variations, the one with two DES keys (112 bits), and the one with 3 DES keys (168 bits).

[m^2]

It's 112 bits when you use it with two different DES keys: Encrypt with first, decrypt with second, encrypt again with first. Microsoft supports both variations, the one with two DES keys (112 bits), and the one with 3 DES keys (168 bits).

In general TDES with three different keys (3TDES) has a key length of 168 bits: three 56-bit DES keys (with parity bits 3TDES has the total storage length of 192 bits), but due to the meet-in-the-middle attack the effective security it provides is only 112 bits[/url]

[timsky]

2 ghisler(Author) Can user decide which encryption algorythm to use? I prefer AES Somebody who use non XP or Vista will choose 3DES.

[ghisler(Author)]

I will consider that.

[Hacker]

Support++ again, for possibility to use AES.

Roman

[timsky]

2ghisler(Author)
Mmm.... is there any progress?

[cos]

No support.

Why would ANY one want to hide a ftp connection, and if password is so sensitive, just don't save it.

Actually i want an option that stores and shows the password in PLAIN

I have no secrets, just working with so many ftp accounts and i need to pass them over to customers as well as to my colleagues it's so unpleasant to always use Snadboy's revelation to reveal it.

[Flint]

Why would ANY one want to hide a ftp connection

Not FTP connection, but its password.

and if password is so sensitive, just don't save it.

And remember several dozens of different 10-character length passwords for different servers? Isn't it easier to remember one password for encrypted wcx_ftp.ini?

I have no secrets

... but not I. I don't want my web-site to be opened for modifying by every person all over the Internet. A little bit strange, huh?