Page 1 of 2
#85818 - 2002-05-31 05:35 PM Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
Hi all,

Just wanted to get a general sense if there was a need for an ActiveX crypto wrapper for KiX so that passwords etc. could be safely included in a kix script?

The functions I was thinking of writing would be encrypt/decrypt functions and a hash generator.

However, if Shawn or someone else has already written something that provides this functionality it would be a waste of time to pursue.

Otherwise, I could probably bang something out fairly quickly. Let me know what you all think.

Regards,

Steve Behrns
_________________________
Stevie

#85819 - 2002-05-31 05:46 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Steve,

LOL, I had the very same thought as you. No - I haven't written one and I'm not aware of one. But when I was doing some thinking on this, I was trying to decide whether an ActiveX control or a simple commandline util would be more useful. Specifically, the nuisance of having to download and register the control on every machine (not to mention any NT security issues with registering using normal domain user accounts).

Was thinking that a commandline util that would prompt for a password, then spit out some kind of ASCII encrypted key would be kinda neat. But the problem with commandline utils is that it's pretty darn tough (risky) to get the password back into your script (i.e., through file or registry).

So yeah - maybe the ActiveX control is the easiest and most secure way to go. I think most folks would find this useful, yeah?

-Shawn

#85820 - 2002-05-31 06:13 PM Re: Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
Now that you mention it, a command-line tool would be a lot easier to use. But you're right in that the tricky part is getting the return value from the command-line. There's really no "safe" place to put it.

So assuming the ActiveX object is the safest thing to go with, can you think of any other methods or properties that should be put in there besides the ones previously mentioned?
_________________________
Stevie

#85821 - 2002-05-31 06:23 PM Re: Is there a need for an ActiveX crypto Kix object?
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
What's wrong with encrypting the entire script (KiXCrypt)? Seems to me that's the easiest route.

ELSE

What about existing DLLs or OCXs that may already exist. Do they have published APIs?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#85822 - 2002-05-31 06:24 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
I think you pretty much nailed it Steve, key in, password out? But I was hoping that a couple of other members might offer up some feedback, specifically Richard Howarth, who wrote that KiXCrypt utility.

ps. How will you implement the encryption algorithm (if you do proceed) ? Home-grown ? Crypto-API ? Was your thought to have some kind of ASCII encrypted key ?

-Shawn

#85823 - 2002-05-31 06:28 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Les - I think Steve has a valid idea - not everyone wants to bundle-up their scripts into an executable. I know that concept wouldn't fly too well around here - our scripts run long enough as it is - let alone unbundling the scripts, running, then deleting them again ... the question really becomes - would a crypto-activex control be useful? Got any idea?

-Shawn

[ 31 May 2002, 18:29: Message edited by: Shawn ]

#85824 - 2002-05-31 06:30 PM Re: Is there a need for an ActiveX crypto Kix object?
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
It sounds like a great idea to me! I'm not sure about the implementation, though..

Brian

#85825 - 2002-05-31 07:55 PM Re: Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
As far as existing Crypto wrappers--Microsoft never bothered to create one for the CryptoAPI. That's kind of odd, but nevertheless...

Here's my thoughts on implementation:

An ActiveX control (DLL) that exclusively uses the CryptoAPI instead of something homegrown. One benefit of that would be to allow the scripter to select the type of encryption they would want, i.e. RC4, RSA, etc.

Or, for simplicity's sake, just hard-code one solution so it's easier to use.

Then when you have a password you want encrypted, for example, generate the encrypted string with a "dummy" script like:

[code]
Dim $Crypto
$Crypto = CreateObject("KixFunctions.Crypto")
$x = $Crypto.Encrypt("password")
? $x
[/code]

(let's pretend this prints "4rI92Hrk22pkl")

Then take the encrypted return and place that into the actual "protected" script wherever you need the password, for example:

[code]
USE E: "\\SERVER\PUBLIC" /user:Yogi /password:$Crypto.Decrypt("4rI92Hrk22pkl")
[/code]

That seems to me the best way to go. At least that's what I have in my head. Any suggestions for a different implementation are more than welcome. Once we come up with a final plan, I'll go ahead and do it.

Quick question: Would allowing different encryption algorithms be a good idea? I'm thinking not since if you encrypt a string with one scheme and decrypt with another then you won't get a valid match. There's more chance for error.

Anyway, any thoughts?

Steve
_________________________
Stevie

#85826 - 2002-05-31 08:28 PM Re: Is there a need for an ActiveX crypto Kix object?
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
Hmmm.

The only problem I see with doing this is that if you have someone read your script then run with KiXtart:

$password = $Crypto.Decrypt("4rI92Hrk22pkl")

It's just a hair better than putting in a plain text password. If someone figures out how to read the file from the netlogon share, they may also figure out how to use KiXtart to get the password?

A way around this hmmm?
How about:
When Encrypting the password, add the expected modify date and name of the script file:
[code]
;logonscript.kix
;date 2002/5/31
$encryptedpassword = $Crypto.Encrypt("password")
[/code]

This would encrypt based on the current date and the name of the file. So, after the script's first day in operation, the password would be secure.

Is this feasible?

Brian

#85827 - 2002-05-31 08:42 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Steve, Brian, Les: to your collective knowledge, are there any platform dependencies that may be an issue here? e.g., Windows 95 only supports an older type of encryption vs. NT5 supports a newer version? Imagine you would want to account for that if you hardcoded a particular level, say, set it to a common denominator?

[ 31 May 2002, 20:48: Message edited by: Shawn ]

#85828 - 2002-05-31 08:47 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Brian, good points ! This wouldn't stop somebody from grabbing the key and using crypto-api themselves. I wonder how Richard Howarth manages this (potentially same problem there ?) ... is it feasible to run KiXcrypt and "steal" the decrypted script out of %temp% ?

Would a crypto-activex control be "easier" to crack than KiXcrypt ?

-Shawn

#85829 - 2002-05-31 08:56 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Steve, this is an idea that Bryce raised before, and that was only discussed briefly, but is there a way to validate the "context" of the process requesting the decryption? That is to say, in the ActiveX control, either validate some kind of security token, or somehow ensure that the process making the request is "the login process", know what I mean? Think that that might be tough for even a non-casual hacker to spoof (don't know) ...

-Shawn

Maybe you/we could ask Ruud how he implemented the @LOGONMODE macro? Oh yeah, and I guess a potential problem with this idea is that your crypto-activex could only be used in a login script, not in an admin script (which is what I would have used it for) ... would also make it a nuisance to test (e.g., has to be in logonmode to work), but that might be a good thing!

[ 31 May 2002, 21:04: Message edited by: Shawn ]

#85830 - 2002-05-31 09:22 PM Re: Is there a need for an ActiveX crypto Kix object?
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
Hmm... the whole security problem is why I haven't used encryption before. Sure, it's not a problem for most users, but if the idea is to be really secure, then I would figure you'd want some way to validate in a fairly secure manner.

The reason I proposed using the date is that it would allow some measure of security. Someone could look in a file and figure out how to make a script that decrypts a kixtart encryption.. but if you go off the script creation date and name then they would have to know that the date and name of their file must match, and although it can be done, it's pretty difficult to spoof a modify date.

Lemme think... hmmmm

I have another idea..

Perhaps when encrypting you could have options:

$rc = $crypto.Encrypt($password,$option)

$option could be:
1 - encrypt including modified date of file which would effectively do:
$encpass = $crypto.Encrypt($password + @date)
and $crypto.Decrypt($password,1) would check the modified date of the .kix file being run and effectively do $password = $crypto.Decrypt($encpass + $dateofkixfile)

2 - decrypt to run only from a script found on a domain controller in the domain the script is run from.

Decryption would only work if the script existed in a netlogon share on a domain controller in the given domain. This could be tested pretty easily.

3 - decrypt to run only from a script found on the given @wksta

4 - decrypt to run only from a script started via a logon process.

Brian

[ 31 May 2002, 21:31: Message edited by: BrianTX ]

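A sketch of the context-bound Encrypt/Decrypt that Steve's dummy-script flow and Brian's $option list describe. This is an added example, not code from this thread or from any KiXtart control: the key is derived from a master secret plus a caller-supplied context string (script name, domain, and so on), so a string encrypted for one context fails its authentication check under any other instead of decrypting to garbage. The Python standard library stands in for the CryptoAPI; MASTER_SECRET, derive_key, encrypt and decrypt are assumed names.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the secret the control itself would carry.
# Note the thread's caveat: whoever has the control (and so this secret)
# and can reproduce the context can still decrypt; binding to context
# raises the bar for a casual reader of the script, it does not add secrecy.
MASTER_SECRET = b"kixfunctions-crypto-master-secret-placeholder"


def derive_key(context: str) -> bytes:
    """Per-context key: same master secret, different context, different key."""
    return hmac.new(MASTER_SECRET, context.encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-counter keystream; a stand-in for a CryptoAPI stream/block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(password: str, context: str) -> str:
    """Return hex(nonce || ciphertext || tag); the tag binds the context."""
    key = derive_key(context)
    nonce = os.urandom(8)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def decrypt(token: str, context: str):
    """Return the password, or None if the context (or the string) is wrong."""
    blob = bytes.fromhex(token)
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    key = derive_key(context)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # refuse rather than hand back a garbled "password"
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))).decode()


if __name__ == "__main__":
    token = encrypt("password", "logonscript.kix@EXAMPLEDOMAIN")
    print(token, decrypt(token, "logonscript.kix@EXAMPLEDOMAIN"))
    print(decrypt(token, "other.kix@EXAMPLEDOMAIN"))  # None: wrong context
```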
#85831 - 2002-05-31 10:26 PM Re: Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
Excellent points all!

As far as OS compatibility issues, CryptoAPI is all contained within advapi32.dll.

Every OS should be fine except 95 but that would have to be double-checked. Maybe Win98 would have some issues as well. Don't know at this point. 4.0 or better would be fine.

Regarding securing the decryption, the problem with using the modified date is that every time you modified the script you would have to update the encryption string.

How about using Created date? That won't change if you modify the script and is harder to spoof than the modified date. The problem with that is it requires an NTFS partition, since FAT doesn't track created date, please correct me if I'm wrong on that.

Just had an idea...

What about if it first checks the "context" of the request, to see if the user is logging on. And if so, go ahead and decrypt. If not, it checks to see if the user is in the Domain Admins group of the current logon domain, or a local workstation admin.

That way, users can only run it while logging on but at the same time admins can use it to run admin scripts, per Shawn's request.

What do you think?
_________________________
Stevie

#85832 - 2002-05-31 10:47 PM Re: Is there a need for an ActiveX crypto Kix object?
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
The more that I think about it, the more I don't like the date idea... (even though I came up with it.) Someone could simply change the date on their computer...

Checking the logon process for decryption to work isn't a bad idea, however there is still the (minor) security problem with someone writing their own script (non-kix) to decrypt. The idea of checking if the script is running from the netlogon share on a DC seems workable. You could embed DOMAIN-SPECIFIC information into the encrypted string. (perhaps some sort of unique (not obvious) info that everyone can read but not change on the PDC.) Someone would have to completely hack your activex wrapper to even see what that info was and how it was included.

Brian

[ 31 May 2002, 22:48: Message edited by: BrianTX ]

#85833 - 2002-06-01 03:59 AM Re: Is there a need for an ActiveX crypto Kix object?
Anonymous
Unregistered


FYI - Ruud stated to me a while back that tokenizing scripts is high on the ToDo list. I would suspect that it will be part of the next point release, since it obviously did not make it into 4.10.

Of course, whatever Ruud does should not be considered high encryption, so perhaps this thread still has purpose...

-Brian

#85834 - 2002-06-01 05:36 PM Re: Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
After some preliminary research I'm at a total loss in figuring out how to programmatically determine if the code is being run during logon or afterwards.

I'd love to find out how Ruud is using the @LOGONMODE macro.

Anyone have any ideas?
_________________________
Stevie

#85835 - 2002-06-01 05:49 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Well, hopefully Ruud may read this message, else we may be able to flag him down in the Beta or Suggestions forum, else I would just simply send him an email and politely ask how he did it. He's very helpful and totally approachable on matters such as this (imho).

-Shawn

#85836 - 2002-06-03 06:43 PM Re: Is there a need for an ActiveX crypto Kix object?
Stevie Offline
Starting to like KiXtart
*****

Registered: 2002-01-09
Posts: 199
Since I don't have his email address and I'm not sure he would want it plastered on the messageboard, if someone could ask him about this we can get the ball rolling.
_________________________
Stevie

#85837 - 2002-06-03 07:45 PM Re: Is there a need for an ActiveX crypto Kix object?
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
You're right - would never plaster Ruud's email on the web, I'll send him off a kindly request.

-Shawn
