views:

78

answers:

4

Is this password check algorithm safe to use in a low security environment like a local network?

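    using System;

    public static class PasswordCheck
    {
        // Alphabet used to derive the numeric XOR key from the input.
        static string keys = "qwertyuiopüõasdfghjklöäzxcvbnmQWERTYUIOPÜÄÖLKJHGFDSAZXCVBNM";
        static Int64 key = 0;

        public static bool check(string input)
        {
            string tmp = "";
            // Expected result of XOR-ing the correct password with its own key.
            string encAnswer = "ỬốỒởỐỚ";
            // Concatenate each character's index in `keys` into a decimal string.
            for (int i = 0; i < input.Length; i++)
            {
                tmp += keys.IndexOf(input[i]).ToString();
            }
            // Reject input whose index string is not a valid Int64
            // (e.g. empty or too long) instead of throwing.
            if (!Int64.TryParse(tmp, out key))
                return false;
            string res = "";
            char c;
            // XOR every character with the key (truncated to 16 bits by the cast).
            for (int i = 0; i < input.Length; i++)
            {
                c = input[i];
                c = (char)(c ^ key);
                res += c;
            }
            return res == encAnswer;
        }
    }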
+1  A: 

You should stick with hash algorithms, even in low security environments. Take a look at the SHA256 class.

Note that you will not be able to recover the original password when using hash algorithms.

EDIT: As OP noted, just using a hash algorithm isn't enough. You must add a salt to make it harder to break. Some examples can be found here: How To: Hash Data with Salt (C#/VB.NET)

Rubens Farias
I agree on the hash approach but I'd avoid MD5 even for low security environments as it's now pretty easy to create hash collisions. I'd use SHA-256 instead
zebrabox
fair enough, updated
Rubens Farias
A: 

It's roughly comparable to a strip of adhesive tape used as a "lock" on an apartment door. If you have "low security" requirements, why don't you skip the password check completely?

jarnbjo
-1: You could propose a solution
Rubens Farias
so my sister can't access my personal web server.
Woland
Rubens: He simply asked if the algorithm he had implemented was safe and no, it is not. If he wanted a better solution, he could learn to ask for a better solution.
jarnbjo
@Woland What if she drops your computer?
mP
+3  A: 

Obfuscation is not security.

The XOR mechanism you describe is a recipe for future pain and embarrassment. You should probably avoid it and use the built-in features of the .NET and Windows platforms to implement security.

The problem with approaches to security like the one you describe is that most attacks on systems happen from within an organization. The fact that you feel your application needs a password mechanism at all implies that security is a relevant consideration. If security is indeed relevant, why opt for the illusion of security - spend a little more effort and get the real thing.

Here are some reasons to go the full nine yards:

  1. Techniques to break XOR "encryption" schemes like the one you describe abound on the internet, and it requires very little knowledge and access to break such a scheme.

  2. If successful, your application may grow to have more users than you might first imagine - don't trust that all of these users will be friendly and play by the rules.

  3. Once in production, changes to an existing system are hard to justify and harder to make than before the code is released. It's also easier to add missing functionality than to change existing functionality.

  4. Trust is hard (or impossible) to regain. The price of a security breach is often disproportional to the price of implementing security. Once trust is lost in a system's security or ability to protect user identity/information, it doesn't matter how good the application features are, people will lose confidence in the system as a whole.

LBushkin
A: 

I just found out that there are quite extensive databases with hash codes, so this renders Rubens Farias's solution useless for me.

http://askcheck.com/hash?hash=WOLAND

Even turning out lights may be security improvident for home, especially when burglar has already broken in.

Woland
Rubens forgot to say that a password needs a SALT adding to it. This is a cryptographically random number which makes it much harder to do dictionary attacks (as in the link you sent).
zebrabox
you can add a salt to your hash; I'll update my answer
Rubens Farias