14 replies to this topic

#1 rwx

rwx

    Neowinian

  • Joined: 24-February 08

Posted 06 April 2013 - 08:29

Hello all,

I have a need to upload a file to a server. In order to do so, the only way I know how to do this is to connect to a server via FTP. Obviously in order to do this, I need to provide username and password programmatically in the source code (and I've done that with WIN32) but the problem is that someone can decompile the source code or use utilities to trace the password. I am not new to programming but I am new to this particular area. How is this done? I need to know the way the method works behind it.

All I want to do is be able to upload or download a file in a secure manner using a utility of mine but the only logical way I know how to do it is via FTP and I have done it with Windows API but I know that putting passwords in the source code is not a brilliant idea because as stated above, one can decompile the program or use utilities to trace the password.

Any Java/Android or C++/WIN32 references will be fine. When I say references, I mean documentation, not in particular source code examples.

Thanks


#2 Andre S.

Andre S.

    Asik

  • Tech Issues Solved: 14
  • Joined: 26-October 05

Posted 06 April 2013 - 14:36

So if I understand well, you want that program to connect to a particular account on a server - always the same, regardless of user, and not allow a tech-savvy user to reverse-engineer what the program is doing to gain access to this account and abuse it.

Unfortunately I don't think that's possible. Even if the password was somehow unbreakably encrypted and sent over an encrypted connection, a hacker could simply re-use that portion of the program to establish a connection to the server, and then use that connection to perform whatever he wants. The problem isn't how the password is stored, it's that every user is using the same account and the server is a dumb repository that doesn't validate the requests it is sent.

What every application does is have the user create his own account, that way he can only ever access his data. Then you can start wondering how to store and send the password securely so it can't be stolen.

#3 +Majesticmerc

Majesticmerc

    Resident Idealist

  • Tech Issues Solved: 9
  • Joined: 24-August 05
  • Location: United Kingdom
  • OS: Arch Linux / Win 7
  • Phone: HTC One X

Posted 06 April 2013 - 17:39

Adding to what the good doctor mentioned. Imagine a scenario where the security of your FTP server is compromised, and you have to change all the FTP passwords. Now you need to release an update to your application that updates the password, and any users that don't get the update are hosed.

#4 Kai Y

Kai Y

    Neowinian

  • Joined: 16-May 08

Posted 06 April 2013 - 18:32

Any reason why you need to use FTP? And by "upload or download a file in a secure manner" do you mean you need to lock it down only to specific users, or that you simply need to have the file encrypted during the upload? FTP isn't encrypted anyway though.

As the previous posts have said, it is quite impossible to secure the username and password in the application. So I'm thinking if it's possible to do something on the server instead.

For example, if your app is used only internally (i.e. misuse is unlikely), create an FTP account and set the permissions to upload-only. Found a link on how to do this in vsftpd, not sure what FTP server you use. In this way, even if users manage to discover the account username and password, they won't really want to abuse it since they can't download the files that they uploaded. The worst case is that they upload a big file and fill up the disk space on the server - in that case set a size limit on this FTP account (and have a scheduled task/cron on the server to move the files out periodically) - but that may result in a case of a user uploading files until the size limit is reached, thus blocking other users' uploads.

IMO if you have no specific FTP constraint, it might be easier to use HTTP for your file upload. Set up an HTTP server, create a basic script (PHP, ASP, whatever) to receive the upload. That way any user who knows the URL (i.e. has access to your app) can upload files without having to create an account. And you can make the script receiving uploads store the file in a folder that isn't accessible to anyone else (e.g. a folder outside the web root of the HTTP server, or a folder where public HTTP access is disallowed), so that once the file is uploaded, only you (with access to the server through other means) can access the uploaded files, thus preventing abuse. The script can also check and verify file size, file contents etc. and keep only the files that meet your specification.

For added security, you can use HTTPS for the file upload to the HTTP server, that way the file is encrypted on the upload and you can ensure that your app connects to the right server (by having the app check the certificate).

To do HTTP file upload, there's Apache Commons FileUpload for Java. Not sure about C++ but you can try libcurl (a bit overkill for uploading though). For the server side, if you want to use PHP, the PHP manual has some info on how to write a script to do file uploads.
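The server-side checks suggested in the post above (size limit, content check, storage outside the web root), sketched here as an added Python example that is not part of the original thread. The size limit, the `RWX1` file header and the directory names are assumptions made for illustration.

```python
import os
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 1024 * 1024   # assumed per-upload size limit
MAGIC = b"RWX1"           # assumed 4-byte header of the app's own file format

class UploadRejected(Exception):
    """An upload failed a server-side check."""

def store_upload(body: bytes, web_root: Path, upload_dir: Path) -> Path:
    """Validate an uploaded body and store it outside the web root."""
    web_root, upload_dir = web_root.resolve(), upload_dir.resolve()
    # Refuse a misconfiguration that would make uploads publicly fetchable.
    if upload_dir == web_root or web_root in upload_dir.parents:
        raise UploadRejected("upload directory is inside the web root")
    if len(body) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not body.startswith(MAGIC):
        raise UploadRejected("unexpected file contents")
    # Server-generated name; the client-supplied filename is never used.
    target = upload_dir / (secrets.token_hex(16) + ".bin")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    return target

def demo() -> dict:
    """Run the checks against constructed sample uploads."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root, uploads = Path(tmp) / "www", Path(tmp) / "private_uploads"
        web_root.mkdir()
        uploads.mkdir()
        attempts = [
            ("valid", MAGIC + b"\x00\x01payload", uploads),
            ("wrong_type", b"<?php echo 1; ?>", uploads),
            ("too_big", MAGIC + b"A" * MAX_BYTES, uploads),
            ("inside_web_root", MAGIC + b"data", web_root / "up"),
        ]
        for name, body, dest in attempts:
            try:
                store_upload(body, web_root, dest)
                results[name] = "stored"
            except UploadRejected as exc:
                results[name] = str(exc)
        results["files_on_disk"] = len(list(uploads.iterdir()))
    return results
```

Calling `demo()` returns one verdict per constructed upload; only the well-formed file ends up on disk.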

#5 AJerman

AJerman

    Boomer Sooner!

  • Joined: 24-July 02
  • Location: Raleigh, NC
  • OS: Windows 8.1
  • Phone: Nexus 5

Posted 06 April 2013 - 20:40

I agree. Use a web service, not FTP. But I don't know exactly what you're uploading and why, so it may depend on the specific application.

#6 OP rwx

rwx

    Neowinian

  • Joined: 24-February 08

Posted 06 April 2013 - 21:27

Thank you all that replied. This certainly gives me an idea to think through and is exactly what I looked for - the fundamentals of the mechanism.

The file I'd like to upload will be a non-ASCII file. The idea is for the program to download/decrypt/read the file, do whatever it will do locally and then upload/overwrite it again.

#7 srbeen

srbeen

    Neowinian

  • Joined: 30-November 11

Posted 06 April 2013 - 22:10

This may help. Not sure, but it's always great to learn from others..

Sony's PS3 always called up clear text files from various links on boot. Using the information gleaned from these files it decided if it was up to date or not, or if any addresses needed updating in the program. I'm sure something similar could be implemented to be a '3rd key' required for authentication. Program automatically downloads key file on startup which it can decrypt that has the information that allows it access to the server or something along those lines, so if the account is breached you can just change the key file again or add pseudo key files so if people are wiresharking they have no idea what it's doing. Get a VM-style code running on the local machine which can house the key files and do all the decrypting. (similar to how the PS3 hackers wrote the cobra, cheat dongle and true blue)

Anyone determined enough will get through, but if you can enable a constant 'rolling' or somewhat semi auto-rolling it may be more beneficial if problems arise.

For the uploading bit, maybe have the local program do an RSA or similar signature using the key file it downloaded & decrypted, compress the file, and upload it. Server can receive and compare the signature. good decompress. This would prevent people being able to upload junk as you can set the server to receive only one filetype which has to be correctly hashed to be accepted, and you'll know/uploader will know if it was corrupted in its travel.

#8 Original Poster

Original Poster

    Systems Developer

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7/8, Kali, ubuntu, OSx 10.9
  • Phone: Android

Posted 06 April 2013 - 22:15

All my passwords for my Java/Android programs are PHP handled, though I need to work on secure transfers of said passwords as they can be sniffed in plain text over a network (probs hash the passwords on send).

#9 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 07 April 2013 - 02:58

This may help. Not sure, but it's always great to learn from others..

Sony's PS3 always called up clear text files from various links on boot. Using the information gleaned from these files it decided if it was up to date or not, or if any addresses needed updating in the program. I'm sure something similar could be implemented to be a '3rd key' required for authentication. Program automatically downloads key file on startup which it can decrypt that has the information that allows it access to the server or something along those lines, so if the account is breached you can just change the key file again or add pseudo key files so if people are wiresharking they have no idea what it's doing. Get a VM-style code running on the local machine which can house the key files and do all the decrypting. (similar to how the PS3 hackers wrote the cobra, cheat dongle and true blue)

Anyone determined enough will get through, but if you can enable a constant 'rolling' or somewhat semi auto-rolling it may be more beneficial if problems arise.

For the uploading bit, maybe have the local program do an RSA or similar signature using the key file it downloaded & decrypted, compress the file, and upload it. Server can receive and compare the signature. good decompress. This would prevent people being able to upload junk as you can set the server to receive only one filetype which has to be correctly hashed to be accepted, and you'll know/uploader will know if it was corrupted in its travel.


Your suggestion is probably way overkill for what the OP is trying to accomplish - especially if he is developing a relatively simple in-house application - but I really like the idea. I never looked into the software security scheme employed by the PS3, but it sounds pretty clever from your description. Are there any (preferably open-source) libraries that you know of to aid the development of such a system? I would be very tempted to try to implement it if I had a lot more free time.

#10 OP rwx

rwx

    Neowinian

  • Joined: 24-February 08

Posted 07 April 2013 - 03:16

Sending passwords over an FTP connection is bad because even if the password/username are encrypted in a file, the running client program will have to decrypt the contents and read them. Once this is done, the username/password are transmitted in clear text to the server which means anyone that knows how to use Wireshark can capture the details.

I agree with some posters above. The best way to do it is to have some sort of server side PHP script that accepts encrypted/scrambled data and the server script will then decrypt the data and tunnel into an FTP connection locally (to the server)......hmm this is getting a bit complex.

#11 srbeen

srbeen

    Neowinian

  • Joined: 30-November 11

Posted 08 April 2013 - 01:22

Your suggestion is probably way overkill for what the OP is trying to accomplish - especially if he is developing a relatively simple in-house application - but I really like the idea. I never looked into the software security scheme employed by the PS3, but it sounds pretty clever from your description. Are there any (preferably open-source) libraries that you know of to aid the development of such a system? I would be very tempted to try to implement it if I had a lot more free time.


I know absolutely NOTHING about writing code. I can read and understand what it does but that's about it. This is why I explained what Sony did to hopefully inspire - without the ability to go in-depth explaining how they accomplished it.

Using sites like ps3devwiki you can read about every security measure Sony took with the PS3 and all research done to reverse it, get some basic source code or programs and the like. The hacker sites like ps3crunch and psx-scene have more info on the cracked/reverse engineered dongles that used the VMs and how they were discovered and reversed with RAM dumping. In short Sony's method wasn't being secure, but rather security by obscurity. It was really insecure (as per the PSN shutdown early 2012) but so confusing you couldn't understand how it worked to extract the insecure data from the gibberish. Sony's key file was hard-coded into the PS3's ROM though. A software program with internet access can 'roll' the keys.. This is a lot of overkill cryptography for a simple program as stated. If you really wanna get into that stuff look into DSS methods.

#12 Kami-

Kami-

    ♫ d(-_-)b ♫

  • Tech Issues Solved: 3
  • Joined: 28-July 08
  • Location: SandBox

Posted 08 April 2013 - 11:16

All my passwords for my Java/Android programs are PHP handled, though I need to work on secure transfers of said passwords as they can be sniffed in plain text over a network (probs hash the passwords on send).

That doesn't sound secure to be honest...

#13 Original Poster

Original Poster

    Systems Developer

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7/8, Kali, ubuntu, OSx 10.9
  • Phone: Android

Posted 08 April 2013 - 19:02

That doesn't sound secure to be honest...


It isn't ... I need to work in an SSL encryption; as I said, I need a more secure data transfer, BUT I am in functionality testing at this stage, not patching the holes... it's easy to test if there is no security; not like I have anything to hide through testing data.

#14 Kami-

Kami-

    ♫ d(-_-)b ♫

  • Tech Issues Solved: 3
  • Joined: 28-July 08
  • Location: SandBox

Posted 09 April 2013 - 07:59

It isn't ... I need to work in an SSL encryption; as I said, I need a more secure data transfer, BUT I am in functionality testing at this stage, not patching the holes... it's easy to test if there is no security; not like I have anything to hide through testing data.

I'd hardly call implementing security 'patching the holes'.
To me it makes more sense to put the security in first - then work on the functionality; that way you can ensure adding in security isn't going to break your functionality as it's tested together.

#15 Original Poster

Original Poster

    Systems Developer

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7/8, Kali, ubuntu, OSx 10.9
  • Phone: Android

Posted 09 April 2013 - 14:48

I'd hardly call implementing security 'patching the holes'.
To me it makes more sense to put the security in first - then work on the functionality; that way you can ensure adding in security isn't going to break your functionality as it's tested together.


You are really not understanding ... if I put in security, how will I be able to read what is happening? I work with network programming; security has to be thought of first and added last or I can't see if it's working ... the whole point of my security protocol would be so no one can see what's happening from point A to point B something... if I sent a string saying OK... and that makes something happen at B ... if I can't see that happening, only the result, how do I know B just didn't accept any old string? (Obviously that's just a silly example.)