1082 LSA Cppencrypt_5thgroup (Password Encryption)

# 1082 LSA Cppencrypt_5thgroup (Password Encryption) 25/6/2020 created the github 25/6/2020 commited C++ encrytion program > github link : https://github.com/nandafernando29/5th-group # Final project : Password [TOC] Abstraction : what is password? - is something private - used to access something - disallow others to access your stuff without it background story : once upon a time live some students with interest in password encryption and decryption, dream to make a secure encrypt and decrypt system, dream to invent new innovative way to crack others password and easily become rich. introduction : after some digging around, we got some knowledge from google our only source of knowledge which are what others published and prone to copyright, and thus we need to use the information we got from google even at risk of sued for copyright. this is hackmd about password encrypt and decrypt that we have learn from google, the Culmination of internet's knowledge. the source of knowledge of many not knowledgeable(ignorant and ill-informed) independent students. so below are the fruits of Our blood, tears, and sweat digging around our beautiful dream. ending with the bitter reality of password encryption and cracking. why we made easy topic? because we got to know our limitation from past 期中報告 so we choose topic that we deem we can. TL;DR we are making password encryption. # Quick Review : 1. How password is saved 2. Who is able to access your password 3. Where the password is saved 4. What things needed for making a password 5. Why password is saved that way 6. When your password will expire ## How password is saved Password-> hash -> hashed password (unreadable) -> Save as password why use hash to save password? more secure ## Who is able to access your password - Only Super User is able to access because it's in root directory - The server owner ## Where the password is saved Ubuntu password location ``` cat /etc/shadow ``` ![](https://i.imgur.com/7n18oE6.jpg) - without grep username ![](https://i.imgur.com/8tRTcNt.png) ![](https://www.cyberciti.biz/faqs/uploaded_images/shadow-file-718705.png) 1. Username 2. Password ( $id $salt $hashed) 3. Last password change 4. Minimum days for password change 5. Maximum days before password change is needed 6. Warning before password change 7. Inactive days before account is expired 8. Expire days after the account is disabled being recorded $1 = MD5 $2 = Blowfish $2a= eksblowfish $5 = SHA-256 $6 = SHA-512 ## What things needed for making a password a bit of creativity cooked slowly with hash and a pinch of salt An algorithm for encryption : * normal encryption (goes both way) * hashing (one way) ## Why password is saved that way hash provided more security than encryption, also provided more privacy and secrecy. they stored password in hash, so even the admin or moderator doesn't know the real password(may depend on the system). encryption and hashing are used to provide protection, ensure security, and ensure your password doesn't leak even in case their database leak. but it doesn't provide absolute protection. ## When your password will expire * Nowadays: * Password never expired. check from : `chage -l USERNAME ` chage mean : change user password expiry information ![](https://i.imgur.com/Bgxfx28.png) * but we also can set when we want our password expired `chage username` ![](https://i.imgur.com/Lic2yyN.png) * Past : * Password expiry date depends on the policy as it is a kind of protective measure. **Set expiry date reminder that our password going to expired** so can help us to remember when is the password expired. `chage -M 10 Username` -M reminder how many days this account going to expired ![](https://i.imgur.com/FtO8QaW.png) **Set expiry date for our user** better always changing password during a time, because it can be the best way to prevent from bruceforce(password cracking type) `chage -E "2025-10-29" username` -E is to set the date to disactived the user ![](https://i.imgur.com/BDtunUL.png) **changing how many days that we want to disactived the user after expired** so make sure if that we forgot to login or what, so we set the extra days before the user become disactived. `chage -I 2 username` -I is to add the valid date of the account ![](https://i.imgur.com/yGQVjQV.png) **How to cancel all the password and user disactivation** maybe if you changing your mind to set the disactivation. `chage -m 0 -M 99999 -I -1 -E -1 username` > -m 0 is to set the minimum days > -M 99999 is to set the maximum days > -I -1 is to set password never expired (cancel) > -E -1 is to set user never expired (cancel) ![](https://i.imgur.com/E5ph42V.png) # Make your own encryption ## Algorithm * normal encryption ``` password[] = abcd; for x=0, x< length_of_password, x++ { y=int(password[x]); //getting the ascii value y=y+1; //increase the ascii value by 1 newpassword[x]=char(y);//revert back to char } output: newpassword = bcde; ``` * hashing ``` password[] = abcd; hashed password = md5(password); ``` * hashing with salt ``` password = password + "salt"; hash(password); ``` * hashing the hashed with salt ``` password = password + "salt"; hash(password); hash(password); ``` # Cracking password * method against both encrypt and hash 1. common and easiest cracking password method are scamming.scam the user for their password 2. most common technical method of password cracking are by brute force. you just try all the possibility until you get the correct one. 3. using spyware to get the input password 4. intercepting the data transfer * method against encrypt 1. finding the cryptographic key 2. cryptoanalysis attacking the crypt algorithm * method against hash 1. collision attack (almost like brute force) 2. dictionary attack (dictionary brute force) 3. rainbow table ## Try Password Cracking * Method : * Brute force....... Ubuntu password cracking program John the ripper > sudo apt-get install john optional : * sha512 > MD5 > nano /etc/pam.d/common-password * Make new user > adduser pikapika we can get lists of common password for john [List of common password](https://www.scrapmaker.com/data/wordlists/dictionaries/rockyou.txt) Using john to read and try all password in file > john -w:possiblepassword.txt /etc/shadow what to do when john didnt find any match from dictionary? - make one c++ make list of possible password lets say password length may only be 8 character with no space ``` ofstream out( "textfile.txt" ); password[]={!,!,!,!,!,!,!,!}; //!=32 for(x=0,x<8,x++) for(y=33,y<=126,y++) { password[x]=char(y); out<<password; } ``` linux run john with the new textfile.txt secure your PC * dont give other access to your main computer * prevent brute force > auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit Honorable mention Wifi password hashing > Key = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256) 1. pseudorandom function 2. Password 3. Salt is a sequence of bits, known as a cryptographic salt 4. c number of repetition of a process in order to generate a sequence of outcomes 5. dkLen bit-length path for saved password in linux > /etc/NetworkManager/system-connections what makes it harder to crack a password 1. human creativity 2. what salt did it use 3. chinese letter ("我" how do i read this, how do i print this) content encyption possible but took a lot of time to encrypt and decrypt when deals with hugh size of file file encyption you can just open up a notepad and remove or add a single thing inside of it and make it unreadable, this is a basic type of encryption C++ Code for encryption file ``` //EncryptionProgram #include<iostream> #include<stdlib.h> #include<math.h> #include<string.h> #include <ctime> # define size 100 using namespace std; int x, y, n, t, i, flag; long int e[size], d[size], temp[size], j; char en[size], m[size], msg[size]; int prime(long int); void key(); long int cd(long int); void encrypt(); int main() { flag=0; srand(time(NULL)); while(flag == 0) { x = rand() % 100 + 1; flag = prime(x); // if not prime return 0 } flag=0; while(flag == 0) { y = rand() % 100 + 1; flag = prime(y); } cout << "\nENTER STRING TO ENCRYPT\n"; cin >> msg; for(i = 0; msg[i] != NULL; i++) m[i] = msg[i]; n = x * y; t = (x - 1) * (y - 1); key(); encrypt(); cout<<"\n"; cout<<"Your First Generated Prime number"; cout<<"\n"; cout<<x; cout<<"\n"; cout<<"Your Second Generated Prime number"; cout<<"\n"; cout<<y; return 0; } int prime(long int pr) { int i; j = sqrt(pr); for(i = 2; i <= j; i++) { if(pr % i == 0) return 0; } return 1; } void key() { int k; k = 0; for(i = 2; i < t; i++) { if(t % i == 0) continue; flag = prime(i); if(flag == 1 && i != x && i != y) { e[k] = i; flag = cd(e[k]); if(flag > 0) { d[k] = flag; k++; } if(k == 99) break; } } } long int cd(long int a) { long int k = 1; while(1) { k = k + t; if(k % a == 0) return(k/a); } } void encrypt() { long int pt, ct, key = e[0], k, len; i = 0; len = strlen(msg); while(i != len) { pt = m[i]; pt = pt - 96; k = 1; for(j = 0; j < key; j++) { k = k * pt; k = k % n; } temp[i] = k; ct= k + 96; en[i] = ct; i++; } en[i] = -1; cout << "\n\nTHE ENCRYPTED MESSAGE IS\n"; for(i=0; en[i] != -1; i++) cout << en[i]; } ``` [C++ COMPILER](https://www.onlinegdb.com/online_c++_compiler) for the program above we first make the key for the encryption by taking 2 prime number and what i did is generate a random number using srand. if the random come out non prime number then it'll be randomize till it gets prime number after getting 2 prime number Calculate totient function, > ø (x * y) = (x − 1)(y − 1) = n where you'll be given a key from a sequence of phi and the encryption start by doing > encrypted char = message ^ n (mod n)