Simple encryption software - Security & Cryptography

z3bra
Hello fellow crypto friends!

I need your help on a small piece of software I'm working on: safe.

It is a pass(1)-like application used to store passwords, but I want to drop usage of asymmetric keys and use only a master password instead (i.e. symmetric encryption), so all I need to do to unlock my password store is a master password.

There is one neat feature that I like with gpg though: gpg-agent. I would like to have something similar with my master password approach, so I don't have to type my password every time I want to encrypt/decrypt a password.

I know that there are multiple security implications with it, but I'm no security expert, so I would like your input/advice on this topic.

Off the top of my head, here are the security concerns I should have:
  • DO NOT store master password in memory --> sha256() it
  • DO NOT store secrets in memory --> ???? I don't think I can avoid that. At least I can store smaller "chunks" for in/output
  • NEVER keep decrypted secrets in memory --> memset() the secrets address after usage
  • NEVER write decrypted secrets anywhere --> output to stdout only

What should I add to this list? Are there things I should change?

BONUS QUESTION:
Do you guys understand how the "encrypt(3)" function from unistd.h works (don't judge me)?
It seems to take a 64-bit message and return the 64-bit equivalent, encrypted. Which means that my encrypted message will have the same size as the ciphertext... I'm no security expert, but it looks like a security issue, right?

Answering my own question from the man page:

Quote: Because they employ the DES block cipher, which is no longer considered secure, crypt(), crypt_r(), setkey(), and setkey_r() were removed in glibc 2.28. Applications should switch to a modern cryptography library, such as libgcrypt.

Thanks for your help!
BANGARANG, MOTHERFUCKER
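
The "memset() the secrets address after usage" item from the list above, as an added example that is not part of the original post or of safe's code: a compiler may remove a plain memset() on a buffer that is never read again, so the wipe here goes through a volatile pointer, and the buffer is locked against swapping on a best-effort basis. The helper names and the sample secret are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Added example; helper names are hypothetical, not from safe.
 * Zero through a volatile pointer: every store is observable, so the
 * optimizer cannot drop it like a memset() on a buffer never read again. */
static void secure_wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--)
		*v++ = 0;
}

/* Zeroed buffer, pinned in RAM when possible so it is not swapped out.
 * mlock() may fail under RLIMIT_MEMLOCK; this sketch then carries on. */
static unsigned char *secret_alloc(size_t len)
{
	unsigned char *p = calloc(1, len);
	if (p != NULL)
		(void)mlock(p, len);
	return p;
}

/* Wipe before unlocking and freeing, never the other way round. */
static void secret_free(unsigned char *p, size_t len)
{
	if (p == NULL)
		return;
	secure_wipe(p, len);
	munlock(p, len);
	free(p);
}

/* Store a constructed sample secret, wipe it; 1 means no byte survived. */
static int demo_wipe(void)
{
	static const char sample[] = "constructed-sample-secret";
	unsigned char acc = 0, *buf = secret_alloc(64);
	if (buf == NULL)
		return -1;
	memcpy(buf, sample, sizeof sample);
	secure_wipe(buf, 64);
	for (size_t i = 0; i < 64; i++)
		acc |= buf[i];
	secret_free(buf, 64);
	return acc == 0;
}

int main(void) { return demo_wipe() == 1 ? 0 : 1; }
```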

