LinuxQuestions.org


JASlinux 04-15-2021 05:18 PM

password template routine in C (novice)
 
Is there a password template routine in C that a complete novice can use for a message?

Pseudocode

BEGIN
Prompt "Password:"
correct password = > print message
ELSE print string "Try again."
ENDIF
END


I need to send private messages without software, installations, or esoteric commands. A compiled C executable for Windows to download or e-mail would work.

rtmistler 04-15-2021 07:31 PM

Quote:

Originally Posted by JASlinux (Post 6241572)
Is there a password template routine in C that a complete novice can use for a message?

Pseudocode

BEGIN
Prompt "Password:"
correct password = > print message
ELSE print string "Try again."
ENDIF
END


I need to send private messages without software, installations, or esoteric commands. A compiled C executable for Windows to download or e-mail would work.

Suggest you perform a search for password libraries; GitHub seems to have quite a few.

By the way, most email systems will disallow EXE files.

pan64 04-17-2021 09:36 AM

Quote:

Originally Posted by JASlinux (Post 6241572)
I need to send private messages without software, installations, or esoteric commands. A compiled C executable for Windows to download or e-mail would work.

A Windows executable is definitely an esoteric command (for passwords) on Linux. You can only send messages using some kind of software, so I do not really understand these requirements.
By the way, what kind of OS, environment is it?

JASlinux 04-18-2021 07:04 AM

Quote:

Originally Posted by pan64 (Post 6242097)
A Windows executable is definitely an esoteric command (for passwords) on Linux. You can only send messages using some kind of software, so I do not really understand these requirements.
By the way, what kind of OS, environment is it?

I want the program to work in Windows.
I'm in Linux.

I don't know if Windows has any open source compilers available.
Maybe the source code is different, but

it's a very basic program:

prompt for a password
match => print an internal message to screen

I can use either os if they have different coding requirements.

I don't write programs, so I don't know how to prompt for a password.

astrogeek 04-18-2021 08:52 AM

Write your message and save as plain text, then zip the file using zip's password encryption option... user unzips using the password and opens the file... no software not normally found on their end, no hassles.

JASlinux 04-18-2021 09:51 AM

Quote:

Originally Posted by astrogeek (Post 6242427)
Write your message and save as plain text, then zip the file using zip's password encryption option... user unzips using the password and opens the file... no software not normally found on their end, no hassles.

I very specifically want an encrypted message that requires no installations or actions on part of the recipient beyond clicking on the executable and entering a password, AND I do not want an automatically deciphered output file (of course anything can be captured deliberately) - just a message on screen.

gouttegd 04-18-2021 11:39 AM

What is your threat model? Who should not be able to read those private messages?

The pseudocode you are suggesting is absolutely not secure: Just because your hypothetical program does not print the message unless the correct password has been entered, it will not prevent anyone from getting the message just by looking inside the program file itself. No sophisticated tools would even be required to do that: a standard tool like strings(1) would be enough. To have some security, the message would need to be stored encrypted within the program. But that raises the difficulty significantly.

Then, even assuming you can write such a program, since you are on Linux and you want the program to run on Windows, you need to cross-compile it. Do you have a cross-compiler targeting Windows on your Linux system? If not, do you know how to get one? (Hint: look for mingw32; it’s already packaged in some distributions.)

Then, assuming you have a cross-compiled binary ready to be sent, there’s the issue raised by rtmistler above: many email providers will not let a message containing an executable file pass through them. At best, they will let the message pass but without the attachment; at worst, they will silently discard the message, which will never reach the intended recipient.

Then, assuming your message somehow reaches the recipient, there’s the fact that we have spent the last 30 years educating email users not to blindly execute any attachment they receive. Asking your recipients to do just that is a disservice to them.

And finally: How could your recipients be sure that this message they received, containing an executable attachment that they are asked to execute, really comes from you? How can you and they be sure that the executable they have received is the one you sent, and that it has not been tampered with in transit to maybe replace it with a virus?

What you want to do, the way you want to do it, will most likely not guarantee the confidentiality of your messages, may not even work if your emails are blocked because of the executable attachments, and may jeopardize your recipients’ systems.

There are ways to send secure emails, but they all imply that users on both sides have to make some effort. That’s just the way it is.
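Added example (not part of gouttegd's post, and not code from anyone in this thread): a minimal C version of what strings(1) does, run over a constructed byte array standing in for the compiled program. The password `s3cret-demo`, the message text and the surrounding "code" bytes are made up for illustration; the point is that string literals survive compilation verbatim.

```c
#include <stdio.h>
#include <string.h>
#define MIN_RUN 4    /* default minimum run length of strings(1) */
#define MAX_RUN 128

/* Constructed stand-in for the compiled program: opaque "machine code"
 * bytes around the string literals, which a compiler stores verbatim. */
static const unsigned char image[] =
    "\x4d\x5a\x90\x00\x03\x00\xff\xff" "Password: \0"
    "\xe8\x1c\x00\x00\x85\xc0"         "s3cret-demo\0"
    "\x74\x0a\x8d\x05"                 "Meet at noon by the old bridge.\0"
    "\xc3\x90"                         "Try again.\0";

/* Copies every run of >= MIN_RUN printable ASCII bytes into out[] and
 * returns how many were found (at most max_out). */
size_t scan_strings(const unsigned char *buf, size_t len,
                    char out[][MAX_RUN], size_t max_out)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] >= 0x20 && buf[i] <= 0x7e)
            continue;                     /* still inside a printable run */
        size_t run = i - start;           /* run ended at a non-printable byte */
        if (run >= MIN_RUN && found < max_out) {
            if (run >= MAX_RUN) run = MAX_RUN - 1;
            memcpy(out[found], buf + start, run);
            out[found++][run] = '\0';
        }
        start = i + 1;
    }
    return found;
}

/* Returns 1 if needle shows up in a string recovered from the image. */
int image_reveals(const char *needle)
{
    char runs[16][MAX_RUN];
    size_t n = scan_strings(image, sizeof image, runs, 16);
    for (size_t i = 0; i < n; i++)
        if (strstr(runs[i], needle)) return 1;
    return 0;
}

int main(void)
{
    char runs[16][MAX_RUN];
    size_t n = scan_strings(image, sizeof image, runs, 16);
    for (size_t i = 0; i < n; i++) puts(runs[i]);
    return 0;
}
```

Both the password and the message come out without the password ever being entered, which is why the comparison in the pseudocode protects nothing.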

Ser Olmy 04-18-2021 12:26 PM

Quote:

Originally Posted by JASlinux (Post 6242446)
I very specifically want an encrypted message that requires no installations or actions on part of the recipient beyond clicking on the executable and entering a password, AND I do not want an automatically deciphered output file (of course anything can be captured deliberately) - just a message on screen.

I have to say this sounds a tiny bit like homework, but anyway:

If you're looking for a way to verify a password that's hardcoded in the .exe without the password being immediately visible in a hex editor, you should store the (salted) hash of the password. The bcrypt.h header contains some useful functions, like BCryptHashData. And here's an example of how one might use it.

As gouttegd said above, to hide the message inside the .exe from prying eyes you'll have to encrypt it. And then you'll have a really hard time trying to send it to anyone, unless you put it inside an encrypted and password-protected .zip file.

JASlinux 04-22-2021 10:19 AM

Confirm to the contrary if you will:

gouttegd writes a .c program in a text editor with 30 lines of "echo" commands that contain a message. [Password] is a set string in the code. User is prompted for input and if it matches the password, the 30 lines print to screen.

Because a .c file is compiled, the executable cannot be read.

Imagine the executable masked in an archive or linked in the cloud to download instead of attached.

Is this rocket science?

Quote:

Originally Posted by gouttegd (Post 6242467)
What is your threat model? Who should not be able to read those private messages?

The pseudocode you are suggesting is absolutely not secure: Just because your hypothetical program does not print the message unless the correct password has been entered, it will not prevent anyone from getting the message just by looking inside the program file itself. No sophisticated tools would even be required to do that: a standard tool like strings(1) would be enough. To have some security, the message would need to be stored encrypted within the program. But that raises the difficulty significantly.


Ser Olmy 04-22-2021 10:25 AM

Quote:

Originally Posted by JASlinux (Post 6243765)
Because a .c file is compiled, the executable cannot be read.

That's where you're wrong.

All the recipient has to do is open the file using Notepad or Wordpad or Word or any text editor. Among a bunch of unreadable gibberish (the actual program code) your message will appear, clear as day.

JASlinux 04-22-2021 10:27 AM

Of course anything we can see or hear we can capture, but a specific requirement of this project is no deciphered data file. The encrypted file is o-kay, but it can only be deciphered to screen. It also cannot require installations, accounts or esoteric commands.

Quote:

Originally Posted by astrogeek (Post 6242427)
Write your message and save as plain text, then zip the file using zip's password encryption option... user unzips using the password and opens the file... no software not normally found on their end, no hassles.


JASlinux 04-22-2021 10:31 AM

If this is true my memory failed. I thought binary jumbled everything up.

Quote:

Originally Posted by Ser Olmy (Post 6243766)
That's where you're wrong.

All the recipient has to do is open the file using Notepad or Wordpad or Word or any text editor. Among a bunch of unreadable gibberish (the actual program code) your message will appear, clear as day.


boughtonp 04-22-2021 12:10 PM

Quote:

Originally Posted by JASlinux (Post 6243765)
[Password] is a set string in the code. User is prompted for input and if it matches the password, the 30 lines print to screen.

If that's your level of understanding, stop trying to create your own tool: you need to re-use existing proven tools or you will almost certainly not achieve your desired level of security.


Quote:

Originally Posted by JASlinux (Post 6242446)
I very specifically want an encrypted message that requires no installations or actions on part of the recipient beyond clicking on the executable and entering a password, AND I do not want an automatically deciphered output file (of course anything can be captured deliberately) - just a message on screen.

Quote:

Originally Posted by JASlinux (Post 6243765)
Imagine the executable masked in an archive or linked in the cloud to download instead of attached.

(Where "the cloud" is nothing more than someone else's computer.)

You have not justified your need for an executable file, and - if you're willing for people to download that file in a browser - you don't need one. (And can avoid a bunch of issues by not using one.)

Encryption algorithms can be implemented in JavaScript, thus a single non-cached HTML file containing your encrypted text can probably solve all your requirements.


TB0ne 04-22-2021 12:26 PM

Quote:

Originally Posted by JASlinux (Post 6241572)
Is there a password template routine in C that a complete novice can use for a message?

Pseudocode

BEGIN
Prompt "Password:"
correct password = > print message
ELSE print string "Try again."
ENDIF
END

I need to send private messages without software, installations, or esoteric commands. A compiled C executable for Windows to download or e-mail would work.

So this sounds very much like a standard XY problem. Think about what you just wrote here, because:
  • You don't want software....
  • ...but you want an executable (which is software, isn't it?)....
  • ...that you don't have to install (how else would you run it??)...
  • ...and you don't want to use esoteric commands (which would be anything non-standard on the system, including this magic executable that you don't install or run)
Sound about right??? And then you add:
Quote:

Originally Posted by JASlinux
I very specifically want an encrypted message that requires no installations or actions on part of the recipient beyond clicking on the executable and entering a password, AND I do not want an automatically deciphered output file (of course anything can be captured deliberately) - just a message on screen.

So you *DO* want them to install the executable by double-clicking it...yet 99.X% of email systems won't let the EXE through, since it'll be flagged as a virus.

You could just do what most others do; use the widely accepted PGP systems available for pretty much every system, and send your emails that way. Abundant documentation/examples on how to do it, along with plugins for most email systems.

JASlinux 04-23-2021 02:26 AM

Quote:

Originally Posted by boughtonp (Post 6243823)
If that's your level of understanding, stop trying to create your own tool: you need to re-use existing proven tools or you will almost certainly not achieve your desired level of security.

What you quoted is not a level of understanding, but a function. It's the real world, not computer science. Success is when the goal is ethically achieved, not adherence to a technical standard.

I wouldn't think of trying to write a program if an app met my requirements. There are a lot of sledgehammers out there, but no screw drivers. Anyone with intelligent advice would point me to a screw driver.

Goals:
  • a password-encrypted message
  • no automatically saved deciphered file output
  • no recipient installations, exotic command lines, services & very little recipient thought (Windows recipient, Linux or Windows sender)

My level of security is modest encryption kept as far away from 3rd parties as possible.


All times are GMT -5.