AlliedModders

johnally 05-08-2011 12:25

Any good encryption?
 
I'm a newly registered user to alliedmodders but NOT a new visitor.

I personally wish to thank all the AMX coders here who helped advance this wonderful Metamod plugin.


OK, let's jump in.

My issue is quite simple to understand. I've got a plugin I'm working on that connects the user management system of a website to the CS server the plugin is on. [I just wish users to have the same nick and SteamID as on the website.]

As such, the plugin will contain some data such as SQL query strings or SQL DB info.

Code:

#define SQL_DB "amxsys_db"
#define SQL_USRN "johnally"
#define SQL_TBL "amxsys_tbl"

How can I protect that information (mostly the strings) from being seen if the plugin is ever decompiled?

I did some research here:
[insecure] ROT13
[ONE way hash] MD5
[insecure] xTea
[very insecure] Base64

How should I tackle that issue? Even when I handle a socket connection from the plugin, I wish to encrypt the transmitted data to prevent anyone from tampering with it.


Any suggestions highly appreciated,

fysiks 05-08-2011 12:31

Re: Any good encryption?
 
1. Don't give out the plugin.
2. Use cvars for those values.

(this was posted recently and should have been found easily via a search)

Encrypting during transmission is another story. Wouldn't you have to use a secure connection?

johnally 05-08-2011 12:34

Re: Any good encryption?
 
I found that. But I NEED TO DISTRIBUTE IT.

Reasons:
Hosters in my community need to download that plugin and install it on their servers. This is not a private plugin, only closed-source with sensitive data.

And use cvars for so many strings and hardcoded data?


Thanks,

Clauu 05-08-2011 12:48

Re: Any good encryption?
 
Quote:

Originally Posted by fysiks (Post 1465671)
2. Use cvars for those values.

Cvars can't help, the same result even if using cvars (decompiled plugin) - http://forums.alliedmods.net/showpos...84&postcount=1

fysiks 05-08-2011 12:59

Re: Any good encryption?
 
Quote:

Originally Posted by Clauu (Post 1465680)
Cvars can't help, the same result even if using cvars (decompiled plugin) - http://forums.alliedmods.net/showpos...84&postcount=1

A decompiler can't get info that's not in the source code. When using a cvar for these items, the info is NOT in the source code and hence cannot be retrieved via decompilation.

Quote:

Originally Posted by johnally (Post 1465674)
I found that. But I NEED TO DISTRIBUTE IT.

Reasons:
Hosters in my community need to download that plugin and install it on their servers. This is not a private plugin, only closed-source with sensitive data.

Honestly, it's probably not possible to completely protect the info if you are handing out the plugin and require them to connect to your DB.


Quote:

Originally Posted by johnally (Post 1465674)
And use cvars for so many strings and hardcoded data?

It's only 3 strings. That's not many. (or maybe I have no clue what this sentence means :))

johnally 05-08-2011 13:05

Re: Any good encryption?
 
Anything NOT hardcoded in the plugin cannot be decompiled, obviously :). However, let's say I have the MD5 of a file. How do I prevent it from being hardcoded? Do I use sockets? Should I always use sockets and retrieve the data from a PHP file?

Exolent said that a custom base64 encryption can be made. How secure is that? Enough to discourage intermediate crackers?

I'm only asking whether hardcoded strings can be encrypted and still be decrypted with a key if needed. A key-enc system is highly appreciated.

I'm NOT asking for prefabs or anything, just looking into whether there is another good encryption method under Pawn scripting than the ones I found [in my first post].

It's not only 3 strings, however; it is a lot of strings :D. The above 3 strings are only an example of how important the information is.

Cheers, :wink:

Clauu 05-08-2011 13:06

Re: Any good encryption?
 
@fysiks Yes, but those cvars must be defined somewhere, right? So it's just a matter of time until that sensitive data is found and then used in a negative way.
@johnally The best way is to retrieve that data from a .php file using sockets and then deny any browser access to that file; this is how I will do it for plugins with an SQL connection.

fysiks 05-08-2011 13:09

Re: Any good encryption?
 
Quote:

Originally Posted by Clauu (Post 1465688)
Yes, but those cvars must be defined somewhere, right? So it's just a matter of time until that sensitive data is found and then used in a negative way.

Well, clearly in the OP's situation cvars are not the answer; however, in most situations where there is only one user of a database and you don't want it hardcoded, the method is to use cvars. If someone hacks into the FTP (the only place the cvars are in plain text) then that's a whole different story.

Clauu 05-08-2011 13:16

Re: Any good encryption?
 
Wait a second, what FTP? The plugin will be used by x users on their servers, so cvars must be defined locally on every server.

johnally 05-08-2011 13:22

Re: Any good encryption?
 
@Clauu .. I hate sockets.. Why? I feel it is more insecure as data is transmitted in a near plain-text format :s.. However, whenever I use sockets, I have to consider an MD5 key by the side of my data. Such a pain :s.. Do you know of any other technique for securing my socket connection, as I do NOT wish the hosters to tamper with the data?

@fysiks .. Now you see the tip of the iceberg :P My issue is kinda enormous but I'm sure we can 'hack' our way through it and probably help this community with decompiling issues. However, private plugins are not so welcomed here ;)

@Clauu[2nd rep] .. yep, used locally.. the hoster will download and install locally.. use of cvars is kinda extreme suicide :(
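
Added example, not part of any post in this thread: a model of the website-side check for the "fetch the data from a .php file over a socket" approach discussed above, showing why an unkeyed MD5 sent beside the data does not detect edits while a per-hoster HMAC with a timestamp and nonce does. It is written in Python for illustration rather than Pawn or PHP; the host ID, key, field layout and request body are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample: one key per hoster, kept on the website side and in that
# hoster's own server config; database credentials never leave the website.
HOST_KEYS = {"host-01": b"constructed-key-for-host-01"}
MAX_SKEW = 60          # seconds a signed request stays valid
_seen = set()          # (host, nonce) replay cache, in memory for the example


def md5_check(body: bytes, tag: str) -> bool:
    """Unkeyed MD5 sent beside the data: anyone can recompute it after an edit."""
    return hashlib.md5(body).hexdigest() == tag


def sign(key: bytes, host_id: str, ts: int, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot shift."""
    fields = [host_id.encode(), str(ts).encode(), nonce.encode(), body]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(host_id: str, ts: int, nonce: str, body: bytes, tag: str, now=None) -> str:
    """Website-side check; returns 'ok' or the reason for rejection."""
    now = int(time.time()) if now is None else now
    key = HOST_KEYS.get(host_id)
    if key is None:
        return "unknown host"
    if not hmac.compare_digest(sign(key, host_id, ts, nonce, body), tag):
        return "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return "stale"
    if (host_id, nonce) in _seen:
        return "replay"
    _seen.add((host_id, nonce))
    return "ok"


if __name__ == "__main__":
    body = b"steamid=STEAM_0:0:12345&nick=player"    # constructed request
    edited = b"steamid=STEAM_0:0:12345&nick=admin"   # changed in transit
    print(md5_check(edited, hashlib.md5(edited).hexdigest()))  # edit passes MD5
    tag = sign(HOST_KEYS["host-01"], "host-01", 1000, "n1", body)
    for args in [("n1", body), ("n1", edited), ("n1", body)]:
        print(verify("host-01", 1000, args[0], args[1], tag, now=1010))
```

A hoster's key only proves which hoster sent a request, so the website still has to decide what each host may read or change. HMAC provides integrity only; keeping the data unreadable in transit needs a secure connection, as fysiks points out.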

