[Gambas-user] A couple of ?s about encryption

Tony Morehen tmorehen at ...3602...
Sun Aug 13 22:36:07 CEST 2017


Don't use .hidden.  There is nothing secure about it, and it's only used by 
the development/installation environments.  Hidden directories in 
general do nothing for security.

Don't worry about open source/GNU.  All encryption programs use the same 
well known algorithms.  It's passwords that guarantee security, not the 
algorithm.  BTW, like hidden files, there is no security from obscurity.

As far as shelling to a third-party encryption program like gpg or 
openssl, those programs are good and produce secure outputs, depending 
of course on the algorithm selected.  However, the act of shelling 
exposes you to several attacks like man-in-the-middle.  Not recommended.

So internal encryption is recommended and Gambas has the gb.crypt and 
gb.openssl components to lighten your workload.  Also, gb.desktop has 
several password-related functions that can save and retrieve passwords 
from your system's wallet/keyring.

gb.crypt includes several one way hash algorithms like md5 or sha-256.  
With these, you save the password hash and then compare hashes on future 
logins.  With these, you never save the actual passwords and the hashes 
are virtually impossible to decrypt.

For two way encryption, where you need to go from plain text to 
encrypted text back to plain text, look at gb.openssl.  It has methods 
for symmetric encryption (one password to both encrypt and decrypt text) 
and for asymmetric encryption (two passwords, one to encrypt and one to 
decrypt).  Public key private key encryption is an example of the 
latter.  Text encrypted with the private key can only be decrypted by 
the public key and vice versa.


On 2017-08-13 01:59 PM, mikeB wrote:
> Greetings,
> I am starting a project that involves encryption of passwords and user 
> names - storing and recalling them.
>
> 1st ? = I noticed Gambas can save and recall files from a ".hidden" 
> directory. If the files are encrypted before saving to a hidden dir - how 
> secure is this?  In other words, would an experienced coder be able to 
> find and copy these files? Would this be the secure/ recommended way/ 
> place to store these files?
>
> 2nd ? = Would shelling out to the "gpg" command line to encrypt / decrypt 
> the password files be a secure way of doing this, or is there a better 
> way (i.e. writing the encryption code within the Gambas project)?
>
> 3rd ? = Now a GNU question from a real newbie on this subject. With 
> this type of program (Protected Passwords) how in the heck could it be 
> released under GNU? Or should it be? Don't understand how it could 
> possibly be "protected" if the source code was available to all?
>
> Any suggestions, from the group, would be GREATLY APPRECIATED!
> mikeB
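The "save the hash, compare hashes on future logins" scheme Tony describes, worked through as an added Python example. This is not code from the thread and not gb.crypt's or gb.openssl's API; it uses Python's standard library so it can be run anywhere. The record format, the PBKDF2 iteration count, the in-memory user store and the user/password strings are all assumptions made for the illustration. The unsalted MD5 helper is included only to show what a bare hash of the password looks like next to the salted form: equal passwords produce equal hashes, which is what a per-user random salt prevents.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for the illustration; raise it as hardware allows.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and pack it into a self-describing record.

    Record layout (assumed format): algo$iterations$salt_b64$hash_b64.
    A fresh random salt means two users with the same password get
    different records, so a leaked table cannot be attacked in bulk.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations_str, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations_str)
    except (ValueError, TypeError):
        return False  # malformed record: never accept it
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not leak how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """Bare MD5 of the password: deterministic, so equal passwords collide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# A minimal user store (assumed): the plaintext password is never written.
def register(store: Dict[str, str], user: str, password: str) -> None:
    store[user] = hash_password(password)


# Record for a constructed throwaway password, used so that a login for an
# unknown user costs one hash computation just like a login for a real user.
_DUMMY_RECORD = hash_password("constructed-dummy-password")


def login(store: Dict[str, str], user: str, password: str) -> bool:
    record = store.get(user)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register(users, "alice", "correct horse battery staple")  # constructed
    print("stored record:", users["alice"])
    print("right password:", login(users, "alice", "correct horse battery staple"))
    print("wrong password:", login(users, "alice", "Tr0ub4dor&3"))
    print("unknown user:  ", login(users, "mallory", "anything"))
    print("unsalted md5 collides:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

The point of the record format is that the salt and the iteration count travel with the hash, so old records keep verifying after the default work factor is raised; a login that succeeds against an older, weaker record is the natural place to re-hash with the current parameters.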