Is it possible to duplicate output from the perl crypt function using ColdFusion decrypt?
I am not familiar with encryption programming, but as I understand it crypt uses the DES algorithm unless otherwise indicated. Coldfusion can use the DES algorithm, but I don't know what other parameters to use.
Allow me to clarify my situation. I am working with a vendor supplied application written in perl. My local toolset is mainly ColdFusion. I would like to enhance the vendor supplied login function with a 'lost your password/reset password' function. I would prefer not to change the vendor source code, which I have access to, since it get upgraded regularly and I don't want to have to keep applying the changes. The best solution, for a host of reasons, is to emulate the perl crypt() function output in ColdFusion so I can build the password reset function externally to the vendor application. It is admittedly an awkward and confusing situation.
I do not know if the emulation approach is feasible; if not it is back to the drawing board.
Just in case you didn't know, perl's crypt() function (and the crypt() function in the standard C library) is a one-way hashing function usually used for storing passwords. It's not an encryption function and there is no known decryption function.
As such, you're probably not looking for a function called decrypt(). I don't used Coldfusion, so I can't help you find the proper function.
Related
For reference I only know python so that's what I've been working with.
I've recently been looking into making my own hashing algorithm to further my understanding on how they work, I'm not looking into creating the most cryptographically secure hashing algorithm, just something that is a bit more secure than validating passwds in plain-text.(in other words I don't care if this algorithm has copious amounts of collisions.
From what I understand about hash functions is that they use ???? to obfuscate the input password. Where I'm getting caught up is how the function takes a user input, like "password1" and translates that into numbers the system can work with, then, what exact methods do they use to obfuscate them?
Apologies if this is a stupid question but I cant find any material on this that isn't way beyond my understanding or basic enough where they gloss over what happens inside the hash algorithm.
I am building a Matlab application to be deployed as a compiled executable file.
This application will need to read/write files in a library.
These files contain data and I want to protect them from being read by whomever uses this application. Without any protection, these files would be saved as mat files and could be loaded into Matlab workspace.
I've tried to search for some solutions for encryption. I found some people suggesting AES, but this method seems to have an intrinsic problem of safely storing the encryption key (which I didn't understand exactly why).
Given that I simply want to avoid the user of the application to have access to those data files, what would be the best approach for doing so? If AES is actually a good solution, is it safe to write the encryption key in the code to be compiled?
It sounds like what you're looking for is functional encryption.
In functional encryption, a user holding
the master secret key msk can generate a function key skf
corresponding to a function f; then, anyone having a ciphertext Enc(x)
and a function key skf can compute f(x), but learns nothing else about
the input x.
Note that Enc(x) is the encrypted data and f(x) is some function of the unencrypted data.
Source: https://eprint.iacr.org/2013/229.pdf
Unfortunately, even cutting edge implementations of functional encryption are still impractically slow and not easily generalized to a MATLAB program.
When compiling an application, the MATLAB code files are encrypted; but not, as you’ve discovered, any extra files that you include.
If the data is not too large, consider saving it within a .m file rather than a .mat file. In other words, write a simple MATLAB function that returns your data, and has it hard-coded within the file. As this is now a code file, it will be encrypted as part of the compilation process.
You can even use the built in function matlab.io.saveVariablesToScript to auto-generate this file for you.
I am kinda playing with the SHA-1 algorithm. I want to find out differences and variations in the results if I change few values in the SHA-1 algorithm for a college report. I have found a piece of java code to generate hash of a text. Its done by importing
java.security.MessageDigest
class. However, I want to change the h0-4 values and edit them but I don't know where can I find them? I had a look inside the MessageDigest class but couldn't find it there. Please help me out!
Thanx in advance.
I don't believe you can do that. Java doesn't provide any API for its MessageDigest Class, which can allow you change the values.
However, there are some workarounds (none of which I've ever tried). Take a look at this answer to the question "How to edit Java Platform Package (Built-in API) source code?"
If you're playing around with tweaks to an algorithm, you shouldn't be using a built-in class implementing that algorithm. The class you mention is designed to implement standard algorithms for people who just want to use them in production; if you're using SHA-1 (or any cryptographic algorithm) instead of playing around and tweaking it, it's never a good idea to change the algorithm yourself (e.g. by changing the initial hash value), so the class does not support modifying those constants.
Just implement the algorithm yourself; from Wikipedia's pseudocode, it doesn't look like it's all that complicated. I know that "don't implement your own crypto, use a standard and well-tested implementation" is a common mantra here, but that only applies to production-type code -- if you're playing around with an algorithm to see what effect tweaking it has, you should implement it yourself, so you have more flexibility in modifying it and seeing the effect of the modifications.
Basically adding to #Rahil's answer but too much for comments:
Even without API access, if MessageDigest were the implementation you could use reflection. But it's not.
Most of the java standard library is just commonly-useful classes in the usual way, e.g. java.util.ArrayList contains the implementation of ArrayList (or ArrayList<?> since 6), java.io.FileInputStream contains the implementation of FileInputStream (although it may use other classes in that implementation), etc. Java Cryptography uses a more complicated scheme where the implementations are not in the API classes but instead in "providers" that are mostly in their own jars (in JRE/lib and JRE/lib/ext) not rt.jar and mostly(?) don't have source in src.zip.
Thus the java.security.MessageDigest class does not have the code to implement SHA1, or SHA256, or MD5, etc etc. Instead it has code to search the JVM's current list of crypto providers to find an implementation of whatever algorithm is asked for, and instantiate and use that. Normally the list of providers used is set to (the list of) those included in the JRE distribution, although an admin or program can change it.
With the normal JRE7 providers, SHA1 is implemented by sun.security.provider.SHA.
In effect the API classes like MessageDigest Signature Cipher KeyGenerator etc function more like interfaces or facades by presenting the behavior that is common to possibly multiple underlying implementations, although in Java code terms they are actual classes and not interfaces.
This was designed back in 1990 or so to cope with legal restrictions on crypto in effect then, especially on export from the US. It allowed the base Java platform to be distributed easily because by itself it did no crypto. To use it -- and even if you don't do "real" crypto on user data in Java you still need things like verification of signed code -- you need to add some providers; you might have one set of providers, with complete and strong algorithms, used in US installations, and a different set, with fewer and weaker algorithms, used elsewhere. This capability is now much less needed since the US officially relaxed and in practice basically dropped enforcement about 2000, although there are periodically calls to bring it back. There is still one residual bit, however: JCE (in Oracle JREs) contains a policy that does not allow symmetric keys over 128 bits; to enable that you must download from the Oracle website and install an additional (tiny) file "JCE Unlimited Strength Policy".
TLDR: don't try to alter the JCE implementation. As #cpast says, in this case where you want to play with something different from the standard algorithm, do write your own code.
A friend of mine needs to implement some statistical calculations in hardware.
She wants it to be accomplished using VHDL.
(cross my heart, I haven't written a line of code in VHDL and know nothing about its subtleties)
In particular, she needs a direct analogue of MATLAB's betainc function.
Is there a good package around for doing this?
Any hints on the implementation are also highly appreciated.
If it's not a good idea at all, please tell me about it as well.
Thanks a lot!
There isn't a core available that performs an incomplete beta function in the Xilinx toolset. I can't speak for the other toolsets available, although I would doubt that there is such a thing.
What Xilinx does offer is a set of signal processing blocks, like multipliers, adders and RAM Blocks (amongst other things, filters, FFTs), that can be used together to implement various custom signal transforms.
In order for this to be done, there needs to be a complete understanding of the inner workings of the transform to be applied.
A good first step is to implement the function "manually" in matlab as a proof of concept:
Instead of using the built-in function in matlab, your friend can try to implement the function just using fundamental operators like multipliers and adders.
The results can be compared with those produced by the built-in function for verification.
The concept can then be moved to VHDL using the building blocks that are provided.
Doing this for the incomplete beta function isn't something for the faint-hearted, but it can be done.
As far as I know there is no tool which allow interface of VHDL and matlab.
But interface of VHDL and C is fairly easy, so if you can implement your code(MATLAB's betainc function) in C then it can be done easily with FLI(foreign language interface).
If you are using modelsim below link can be helpful.
link
First of all a word of warning, if you haven't done any VHDL/FPGA work before, this is probably not the best place to start. With VHDL (and other HDL languages) you are basically describing hardware, rather than a sequential line of commands to execute on a processor (as you are with C/C++, etc.). You thus need a completely different skill- and mind-set when doing FPGA-development. Just because something can be written in VHDL, it doesn't mean that it actually can work in an FPGA chip (that it is synthesizable).
With that said, Xilinx (one of the major manufacturers of FPGA chips and development tools) does provide the System Generator package, which interfaces with Matlab and can automatically generate code for FPGA chips from this. I haven't used it myself, so I'm not at all sure if it's usable in your friend's case - but it's probably a good place to start.
The System Generator User guide (link is on the previously linked page) also provides a short introduction to FPGA chips in general, and in the context of using it with Matlab.
You COULD write it yourself. However, the incomplete beta function is an integral. For many values of the parameters (as long as both are greater than 1) it is fairly well behaved. However, when either parameter is less than 1, a singularity arises at an endpoint, making the problem a bit nasty. The point is, don't write it yourself unless you have a solid background in numerical analysis.
Anyway, there are surely many versions in C available. Netlib must have something, or look in Numerical Recipes. Or compile it from MATLAB. Then link it in as nav_jan suggests.
As an alternative to VHDL, you could use MyHDL to write and test your beta function - that can produce synthesisable (ie. can go into an FPGA chip) VHDL (or Verilog as you wish) out of the back end.
MyHDL is an extra set of modules on top of Python which allow hardware to be modelled, verified and generated. Python will be a much more familiar environment to write validation code in than VHDL (which is missing many of the abstract data types you might take for granted in a programming language).
The code under test will still have to be written with a "hardware mindset", but that is usually a smaller piece of code than the test environment, so in some ways less hassle than figuring out how to work around the verification limitations of VHDL.
Are there any implementations of these hashing algorithms in pure lua? I've found a couple for MD5 and SHA1 but none for these two which are the ones I'll be needing for a project. In the interests of portability, I need something in pure lua. Anyone know of anything?
Lua's lmd5 library states: A message digest library for Lua based on OpenSSL. It supports MD2, MD4, MD5, SHA1, SHA2, RIPEMD160, MDC2. Though I have never used it. But there are some libraries listed here. You might one of them useful.
Here's another library which might be what you seek.
If you use LuaJIT I have written an implementation of SHA256 here but it uses FFI ctypes: https://github.com/catwell/cw-lua/tree/master/sha256
Otherwise there's one here in pure Lua 5.2 which I have not tested: http://lua-users.org/wiki/SecureHashAlgorithm (already cited by Dream Eater).