Re: Serial/PW Generation

From: Patrick Dughi (dughi@imaxx.net)
Date: 12/01/02


> >         Sounds like you're making software licence certificates.  This
> > shouldn't be too hard, the only trick is to make sure that no one else
> > can make their own.

> Very similar, yes.  However, the setup only gives the person 2 of the 3
> pieces of information.  Unless they figure out what number each of the
> non-standard races are, they can't get that third piece, there is some
> measure of security.

        False security; if you know 2 of the three pieces of information,
you know what the third is since it's all that's left.  If you just use
numerics ('1' instead of 'vampire' for example), then it's just trial and
error.  In effect, you're doing a static 1 to 1 replacement, which is
pretty much the same as the rot13 replacement.  The hardest part is just
separating the parts, after that, it's trial and error.

> Having a database of passwords, which would be easier, also could be
> more problematic, since I need to go in, edit the file, and then make
> the MUD learn the password every time.  If it had a self-validating
> system where all I needed to do was generate it and then the MUD
> verified if it was valid and then implemented it, would be simpler and
> give me less headache.

        Why don't you do that?  You don't need to hand edit a file, just
make an ascii file, like the boards (er, like ascii board files) load it
up on startup, have a command that updates the in-memory list, and the
file itself.  Check the in memory list when a new password needs to be
assigned, and force a real password assignment on them.

> >         I've seen some that just XOR their entire file, or use a static
> > internal keyword to encrypt and decrypt the data (and some even have
> > shell
> > scripts that create the intital file on install with the word in
> > plaintext!!!)
>
> I have heard about this method a lot in my searches of the subject.
> But as of yet, never seen it.  How does it work?  What bits are XOR
> with what?  Its been far too long since I have done complex logic
> circuits.  ;)

        XOR stands for 'exclusive or'. You know how AND and OR work, well,
exclusive or returns true only if one of the two arguments is true.

so, (TRUE) || (TRUE) returns 'true', wheras (TRUE) ^ (TRUE) is 'false'.

        ^ is the symbol for XOR, btw.

        The property that makes it useful for encryption is that if a file
is xored by the same key, it returns to it's original value.  Everyone
uses examples in binary, and frankly, that's the easiest way to show it;

      100100101
  XOR 101010101                   <- this is our key
     -----------
      001110000                   <- encrytped result
  XOR 101010101                   <- key again
     -----------
      100100101                   <- back to our original value.


        Now, you may want to use a longer key if you're going to do that -
at least a key larger than a single byte (or a single char).  You can do
something with (untested code) like this;


void xor_encrypt (char *data, char *key) {
  int i,j=0;

  if(strlen(key) == 0) {
    return;
  }

  for(i=0; i < strlen(data); i++) {
    if(strlen(key) <= 1 || j+1 == strlen(key)) {
      j=0;
    }
    data[i] ^= key[j++];
  }
}


        Something like that ought to do you; but watch out - this will
CERTAINLY produce unprintable characters.  You're doing bit-level
fiddling.  Don't expect to use this directly as a password.

                                PjD

--
   +---------------------------------------------------------------+
   | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
   | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html |
   | Newbie List:  http://groups.yahoo.com/group/circle-newbies/   |
   +---------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 06/25/03 PDT