PEPPLER.ORG
Michael Peppler
Sybase Consulting

sybperl-l Archive


From: "Chris Jack" <jackc at rabo-bank dot com>
Subject: RE: I need a simple encryption subroutine, to encrypt/decrypt a string
Date: Feb 18 1999 5:30PM

I am not a particular expert on CGI/HTML so I think I will bow out of this 
conversation after this contribution however...

If I understand you, you want users to be able to book mark pages, but have 
the password only visible in encrypted form. (As an aside this would imply 
that whatever encryption algorithm you use would have to be modified to 
output in displayable characters). However...

Unless there is something I don't know, this would not provide secure 
access as another user could type in the complete book mark including the 
encrypted password and still gain access. You also need to restrict access 
to screens with displayed encrypted passwords so they can only be accessed 
via a screen where a password needs to be typed (if that is possible).

Furthermore, if you want good encryption security, you would have to keep 
the encryption algorithm + encryption seed secret (and have good reason to 
believe that they could not be derived by users using 'weak' passwords or 
other techniques). Changing the encryption seed would invalidate any book 
marks.

Anyway, if you are still after an encryption algorithm for Perl, my advice 
remains the same - get PGP from the net somewhere and link it in.

Chrisj

-----Original Message-----
From:	Steve Allen [SMTP:sallen@sybase.com]
Sent:	Thursday, February 18, 1999 4:51 PM
To:	jackc@rabo-bank.com
Cc:	'Steve Allen'; SybPerl Discussion List
Subject:	Re: I need a simple encryption subroutine, to encrypt/decrypt a string

Chris,

I have a form created in html which a password is input, this form will be
used by many people to access the application, I then need to use the POST
method in cgi which executes the main perl script diary application.
The problem is the password is passed as a variable in the query string and
only this user would see the password on how leaving his desk leaves his
password is wide open as it will show in the browser. This password is the
main password to access the SQLSERVER database. The simplest method is to
encrypt the password when passed to the second perl script using "POST"
method then when the diary is regularly refreshed the password which will
then be bookmarked will show the variable and the encrypted password, when
the variable is checked it can then be decrypted and used to access the
database

So all I need is a bit of perl to read the string, and convert to something,
and then be able to unconvert when database connection is required.

I am not too sure how to manipulate a string in perl like you would do in C
ie newstr[i] = oldstr[i] + 'A' for instance



Regards
Steve.

Chris Jack wrote:

> I am not clear why you need encryption. Are you worried about some security
> problem - if so what? What operating system are you using?
>
> Is it the case that what you need is a mechanism whereby you invoke an
> application with a password. Furthermore you do not want people to
> eavesdrop upon that password. If so, how do you believe people would do
> this in your environment? If your problem is simply that you pass the
> password on the command line and people can then do process listings to
> view it, there are other mechanisms you could use to pass the password.
> For instance you could invoke the Perl script as a pipe and pass the
> password on STDIN.
>
> In a more general sense, it is easier to advise on a solution to a problem
> if you give complete details of the problem rather than asking for advice
> on implementing one possible solution.
>
> Chrisj
>
> -----Original Message-----
> From:   Steve Allen [SMTP:sallen@sybase.com]
> Sent:   Thursday, February 18, 1999 3:11 PM
> To:     jackc@rabo-bank.com
> Cc:     SybPerl Discussion List
> Subject:        Re: I need a simple encryption subroutine, to encrypt/decrypt a string
>
> Chris Jack wrote:
>
> > Perl has a function called crypt() that you could look at but that only
> > does encryption (why do you need to decrypt?). Alternatively you could
> > get PGP off the net. You could also try looking at the secure_rpc
> > routines if they are available on your platform.
> >
> > It would be useful if you could give a little bit more information about
> > what you are trying to achieve. Do you want to force users to access
> > Sybase only through applications controlled by you or what?
>
> I need to pass the information between forms ie perl/sybperl script which
> access a database. Based on selections made it reconnects to the db,
> currently this is passed on the query string but I need to encrypt/decrypt
> when I read the variable I need to decrypt it so I can access the database
> as the user.
> A main entry form takes the original password
>
> Kind Regards
> Steve Allen.

--
Sybase (UK) LTD                         email:  sallen@sybase.com
Sybase Court                            direct: 01628 597130
Crown Lane                              tel:    01628 597111
Maidenhead                              fax:    01628 597112
Berkshire                                       http: www.sybase.com
SL6 8QZ
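
The replay problem Chris Jack describes in the top message, worked through as an added example (not code from the thread or from sybperl): a link token that carries a user name and an expiry under an HMAC instead of a reversibly encoded password. It assumes the CGI script can keep the database password on the server side (not shown); `issue_token`, `check_token`, `$SERVER_KEY`, `$TTL` and the sample values are hypothetical names constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# All names and values below are constructed for this example.
my $SERVER_KEY = 'constructed-demo-key';  # the "seed": never leaves the server
my $TTL        = 900;                     # seconds before a link goes stale

# Called after the login form has verified the password. The token names
# the user and an expiry time; the password itself never enters the URL.
sub issue_token {
    my ($user, $now) = @_;
    die "bad user name\n" unless $user =~ /^\w+$/;
    my $expires = $now + $TTL;
    return join '|', $user, $expires, hmac_sha256_hex("$user|$expires", $SERVER_KEY);
}

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the user name for an intact, unexpired token; otherwise undef,
# which the CGI script should treat as "send the browser to the login form".
sub check_token {
    my ($token, $now, $key) = @_;
    my ($user, $expires, $mac) = split /\|/, $token, 3;
    return unless defined $mac && $expires =~ /^\d+$/;
    return unless constant_time_eq($mac, hmac_sha256_hex("$user|$expires", $key));
    return if $now > $expires;
    return $user;
}

my $t0    = 919_359_000;   # constructed clock reading (epoch seconds)
my $token = issue_token('diary_user', $t0);
(my $edited = $token) =~ s/^diary_user/other_user/;
my @cases = (
    [ 'same browser, 1 min later',   $token,  $t0 + 60,   $SERVER_KEY   ],
    [ 'URL copied by someone else',  $token,  $t0 + 120,  $SERVER_KEY   ],
    [ 'old bookmark, 1 hour later',  $token,  $t0 + 3600, $SERVER_KEY   ],
    [ 'user name edited in the URL', $edited, $t0 + 60,   $SERVER_KEY   ],
    [ 'server key has been changed', $token,  $t0 + 60,   'rotated-key' ],
);
printf "%-28s -> %s\n", $_->[0], check_token(@$_[1..3]) // 'rejected' for @cases;
```

A copied URL is still accepted inside the validity window, which is the replay Chris points out; the expiry only bounds it, and changing the key rejects every outstanding link, matching his remark about bookmarks.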