The Big Programming Thread - Page 784

Prev 1 782 783 784 785 786 1032 Next

Thread Rules
1. This is not a "do my homework for me" thread. If you have specific questions, ask, but don't post an assignment or homework problem and expect an exact solution.
2. No recruiting for your cockamamie projects (you won't replace facebook with 3 dudes you found on the internet and $20)
3. If you can't articulate why a language is bad, don't start slinging shit about it. Just remember that nothing is worse than making CSS IE6 compatible.
4. Use [code] tags to format code blocks.

shz

Germany2687 Posts

October 20 2016 21:17 GMT

#15661

On October 21 2016 06:16 Manit0u wrote:

Show nested quote +

First, if you're using anything other than Foobar for music listening in Windows you're misguided

Prillan

Sweden350 Posts

October 20 2016 21:18 GMT

#15662

On October 20 2016 22:21 Manit0u wrote:
Is anyone here good with cryptography?

I'm wondering if such code would be sufficient to encode/decode some sensitive data?


    final public static function encrypt($data)
    {
        $serialized = serialize($data);

        $iv = static::getIv();
        $key = static::getKey();
        $mac = static::getMac($serialized, $key);

        $serialized .= $mac;

        $passcrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $serialized, MCRYPT_MODE_CBC, $iv);

        return sprintf('%s|%s', base64_encode($passcrypt), base64_encode($iv));
    }

    final public static function decrypt($data)
    {
        $key = static::getKey();
        $decrypt = explode('|', $data);

        if (count($decrypt) !== 2) {
            return false;
        }

        $decoded = base64_decode($decrypt[0]);
        $iv = base64_decode($decrypt[1]);

        if (!static::validIv($iv)) {
            return false;
        }

        $decrypted = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $decoded, MCRYPT_MODE_CBC, $iv));

        if (!static::validMac($decrypted, $key)) {
            return false;
        }

        return unserialize(substr($decrypted, 0, -64));
    }

    final public static function getIvSize()
    {
        return mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC);
    }

    final public static function getIv()
    {
        return mcrypt_create_iv(static::getIvSize(), MCRYPT_DEV_URANDOM);
    }

    final public static function validIv($iv)
    {
        return strlen($iv) === static::getIvSize();
    }

    final public static function getMac($data, $key)
    {
        return hash_hmac('sha256', $data, substr(bin2hex($key), -32));
    }

    final public static function validMac($decrypted, $key)
    {
        return substr($decrypted, -64) === static::getMac(substr($decrypted, 0, -64), $key);
    }

    final public static function getPublicKey()
    {
        return static::generateRandomKey(); // obviously there's something else here (doesn't return random key)
    }

    final public static function getPrivateKey()
    {
        return static::generateRandomKey(); // obviously there's something else here (doesn't return random key)
    }

    final public static function getKey()
    {
        $compositeKey = static::getPublicKey();
        $compositeKey .= static::getPrivateKey();

        return pack('H*', hash('sha256', $compositeKey));
    }

    final public static function generateRandomKey()
    {
        return md5(uniqid(mt_rand(), true)); // to illustrate sample keys
    }

The encryption has to be based on 2 separate keys. One is per-application and the other one is per-client, ensuring that even if you get a hold of one key it's no good. Getting hold on both keys in one system doesn't compromise other systems.

Cool thing about it is that it allows you to encrypt not just text but even arrays and objects (which turn into fully functional PHP arrays/objects upon decryption). Which can let you for example send objects (of specific class with their fields set) through some API and share them between systems.

The cryptography does look sound, but I might have missed something. I'm more worried about using serialize and unserialize. I'm not a PHP programmer but I'm pretty sure that one can use unserialize to trigger internal methods during deserialization that can let an attacker run arbitrary code. Unfortunately, I don't remember when and where I read this.

tofucake

Hyrule19209 Posts

October 20 2016 21:38 GMT

#15663

unserialize in PHP is horribly unsafe

also, mcrypt is abandoned and has been deprecated for 7.1. You should probably use openssl or an encryption library

Manit0u

Poland17740 Posts

October 20 2016 22:11 GMT

#15664

On October 21 2016 06:38 tofucake wrote:
unserialize in PHP is horribly unsafe

also, mcrypt is abandoned and has been deprecated for 7.1. You should probably use openssl or an encryption library

Wow, good to know

Man, it sucks to be working on software that has to run on servers where the highest PHP version is 5.3...

Djagulingu

Germany3605 Posts

October 21 2016 06:22 GMT

#15665

On October 21 2016 00:45 Morfildur wrote:
Linux doesn't have a native ssh or sftp client nor a C++ compiler. Pretty much all distributions include those, but they are not included in Linux by default. If you bootstrap your own Linux, which I actually did a few years back, you have to install all of those on your own. You are confusing Linux with Linux distributions. Also, those are hardly things a normal user requires.

I don't want to bootstrap my own Linux because I don't need to bootstrap my own Linux. I just need to be able to develop and test on my local machine, with my app having the same behavior as it will have on my ec2 instances. Ubuntu 16.04 gives me that (my ec2 instances are 14.04, but still), Windows dies trying.

On October 21 2016 00:45 Morfildur wrote:
As for hiding files, I found Linux to be a bigger pain. Some files are in /usr/bin, /usr/lib, /usr/local/bin, /usr/local/lib, /usr/include, /usr/local/include, /opt (Debian based distributions -.-), /etc, /var, ... and a lot of distributions have their own layout, e.g. apache config on RedHat based distributions is in /etc/httpd, because apache is the company and httpd the product, on Debian based distributions it's /etc/apache2, because Debian users are ~~stupid~~misguided, ... and god help you if you want to install something that doesn't have a native package for your specific distribution. Most desktop distributions these days aren't even actually safer, because they have the default user in sudoer without password or use root without a password, because they noticed that people don't actually want to be bothered by having to enter a password for what they consider simple things.

At least you have autoremove coming with Ubuntu for deleting "secret and unneeded files". Also, if you want to make Ubuntu safer, you can. There is no way to make Windows safer. No amount of passwords and shit.

On October 21 2016 02:31 spinesheath wrote:

Show nested quote +

Those clearly are mighty important for the average user.

I used Ubuntu a bunch during my time at uni. I had my fair share of problems with both Ubuntu and Windows. Windows still is more convenient for the stuff I usually do.

It would still take a company like Microsoft no time to write 2 tools that can accomplish the functionality of:

1- ssh -i key.pem user@remoteserveraddress
2- sftp -i key.pem user@remoteserveraddress

They say they will try to make Windows a better experience for developers too, but I'm still not seeing an ssh client.

Nesserev

Belgium2760 Posts

October 21 2016 07:23 GMT

#15666

--- Nuked ---

Djagulingu

Germany3605 Posts

October 21 2016 08:50 GMT

#15667

On October 21 2016 16:23 Nesserev wrote:

Show nested quote +

Actually, it would probably take years, result in a closed proprietary product accompanied by a large book of documentation filled with weird quirks, ugly hacks and backwards logic.

Yeah, you're probably right. I forgot that the tool will be developed by the same guys who developed Windows, so the lack of developer skill is to be taken into account.

Onto the music player thing, I found Clementine to be the best one and I tried VLC and Amarok too. I find Windows Media Player good too, so feel free to ignore what I say about Music players and think that I'm a dipshit for thinking that way.

Deleted User 101379

4849 Posts

October 21 2016 09:33 GMT

#15668

On October 21 2016 17:50 Djagulingu wrote:

Show nested quote +

Microsoft is the company that developed C# and .NET, which is the best programming language and Framework I've ever worked with and the Visual Studio IDE that is currently unmatched, and I've worked with pretty much any programming language of the past 20 years, a few dozen frameworks and an endless amount of terrible IDEs. They do have some amazing developers, they are just held back by some stupid decisions from marketing, e.g. windows store and all that.

sabas123

Netherlands3122 Posts

October 21 2016 09:39 GMT

#15669

On October 21 2016 18:33 Morfildur wrote:

Show nested quote +

I hope you mean VS + Resharper right?

Vanilla VS is makes me wanna cry when I have to use that shit again.

Djagulingu

Germany3605 Posts

October 21 2016 10:51 GMT

#15670

On October 21 2016 18:33 Morfildur wrote:

Show nested quote +

Then they should transfer their incredibly talented developers to the Windows team, fire all marketing guys who work on windows and never hire replacements, wait for it and then we might finally have a Windows version which can finally stop losing the OS war against Linux.

Khalum

Austria831 Posts

October 21 2016 10:54 GMT

#15671

It's getting better though, not worse.

R1CH

Netherlands10342 Posts

October 21 2016 11:56 GMT

#15672

On October 20 2016 22:21 Manit0u wrote:
Is anyone here good with cryptography?

I'm wondering if such code would be sufficient to encode/decode some sensitive data?

Don't touch anything except libsodium.

https://github.com/jedisct1/libsodium-php

Prillan

Sweden350 Posts

October 21 2016 12:45 GMT

#15673

On October 21 2016 20:56 R1CH wrote:

Show nested quote +

Don't touch anything except libsodium.

https://github.com/jedisct1/libsodium-php

Care to elaborate?

"Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more."

New is usually a property that should be avoided when doing cryptography. But on the other hand, PHP is bad in so many regards that they might have failed at building good cryptographic constructs to begin with.

Manit0u

Poland17740 Posts

October 21 2016 13:14 GMT

#15674

On October 21 2016 18:33 Morfildur wrote:
Microsoft is the company that developed C# and .NET, which is the best programming language and Framework I've ever worked with and the Visual Studio IDE that is currently unmatched, and I've worked with pretty much any programming language of the past 20 years, a few dozen frameworks and an endless amount of terrible IDEs. They do have some amazing developers, they are just held back by some stupid decisions from marketing, e.g. windows store and all that.

Would you care to elaborate a bit on why do you find C# and .NET the best?

I know it's nice and my limited experience with it was quite pleasant but it didn't seriously "wow" me as much as Scala or Ruby did. It might be because I've never really done anything big in any of those languages, or never had to work for extended time with them but they seemed like they were some seriously next level stuff.

On October 21 2016 20:56 R1CH wrote:

Show nested quote +

Don't touch anything except libsodium.

https://github.com/jedisct1/libsodium-php

I'd love to use libsodium but I can't for this. 90% of our clients are city halls and such, which means that their servers are crap, their admins don't know what they're doing and there's close to no chance at all of compiling/installing any new software in there. I mean, the best server they have is running PHP 5.3 and is some old Cent OS crap.

The most laughable thing we've noticed on their servers was top of the line firewall and web filter but they only had one rule in it "allow all for all". It's pathetic but I guess it all boils down to how much is government willing to pay their employees and you simply can't get a good admin with such low pay.

Mr. Wiggles

Canada5894 Posts

October 21 2016 13:17 GMT

#15675

On October 21 2016 21:45 Prillan wrote:

Show nested quote +

Sodium is built using NaCl ( http://nacl.cr.yp.to ) which is ~8 years old. It's also relatively battle-tested: https://download.libsodium.org/doc/libsodium_users/

Note that the project is about 3 years old, so it's not "new".

On another note, I'm doubtful any programming language provides a good cryptography implementation out of the box.

phar

United States1080 Posts

October 22 2016 18:13 GMT

#15676

On October 20 2016 22:21 Manit0u wrote:
Is anyone here good with cryptography?

I'm wondering if such code would be sufficient to encode/decode some sensitive data?

The encryption has to be based on 2 separate keys. One is per-application and the other one is per-client, ensuring that even if you get a hold of one key it's no good. Getting hold on both keys in one system doesn't compromise other systems.

Cool thing about it is that it allows you to encrypt not just text but even arrays and objects (which turn into fully functional PHP arrays/objects upon decryption). Which can let you for example send objects (of specific class with their fields set) through some API and share them between systems.

Depends on your definition of "good". I learned enough in Uni and on the job to know that rule #1 is:

Don't ever do your own crypto, unless you really are an expert. It will end badly.

Even if you're going to use someone else's crypto library, stop and ask an expert.

Shit is too hard, way too easy to mess up, and the consequences are too big.

Some few thoughts from reading your code:

Check all those libraries you're using, chances are some of them are not appropriate for crypto. Especially check anything you use to generate a 'random', as the requirements for crypto strength random are way, way, way more stringent.

Hhanh00

34 Posts

October 23 2016 01:30 GMT

#15677

The 'random' part is a placeholder for code that he means to replace with something better.

@OP, your code seems fine but uses algo that aren't common. It is bound to raise some questions.
1. The session key is hash(k1|k2). Assuming k1 and k2 have enough entropy, sk is ok but why not use a standard key derivation scheme instead?
2. You use MCRYPT_RIJNDAEL_256. I'm not sure if it's on purpose but if you intended to do AES-256, you should use MCRYPT_RIJNDAEL_128. 128 refers to the block size and not the key size.
3. mcrypt pads with 0 if the data isn't a multiple of the block size. If your data can have trailing \0, this could be problematic.
4. You have mac on plain text then encrypt. That doesn't protect the ciphertext. The recommended way is to encrypt and then add mac on ciphertext.

Disclaimer: I know next to nothing about PHP so I can't comment on that and I'm not an expert in crypto either.

Deleted User 3420

24492 Posts

October 23 2016 17:35 GMT

#15678

Okay let's say I was using a set to store objects.
And, if I wanted to store a repeat of the same object, I wanted to increase some sort of count that said "now you're storing 2 of those objects". So Let's say if I added "3, 4, 4, 4, 3" to the bag, I would be able to see "3" and "4" in the bag, and somehow have a count that could tell me that there was 2 3s, and 3 4s.

How could I do that in java?

edit: what is coming to my mind first is putting the items into an array of size 2, where one of the indexes is the object and the other index is the number of the objects

and then putting the arrays into the set

edit: or I guess I could make a new class that has the object and the count and add that into the set?

JWD[9]

364 Posts

October 23 2016 17:57 GMT

#15679

On October 24 2016 02:35 travis wrote:
Okay let's say I was using a set to store objects.
And, if I wanted to store a repeat of the same object, I wanted to increase some sort of count that said "now you're storing 2 of those objects". So Let's say if I added "3, 4, 4, 4, 3" to the bag, I would be able to see "3" and "4" in the bag, and somehow have a count that could tell me that there was 2 3s, and 3 4s.

How could I do that in java?

edit: what is coming to my mind first is putting the items into an array of size 2, where one of the indexes is the object and the other index is the number of the objects

and then putting the arrays into the set

edit: or I guess I could make a new class that has the object and the count and add that into the set?

I don't know Java. In C++ you could do a class with a static variable ( a variable that is shared between all objects of the class ). If you were to do the arrays, than in C++ you would rather use lists than arrays, since arrays elements have to be next to each other in memory, and if you have a set of arrays, you'd have to move all elements of the set in order to extend one array, while with a list, you just have a set of pointers to the first element of the lists, and new elements can go anywhere.

Edit: NVM, read your array idea wrong. that sounds like the same as making an object with a counter, make the object in that case.

Nesserev

Belgium2760 Posts

October 23 2016 18:08 GMT

#15680

--- Nuked ---

Prev 1 782 783 784 785 786 1032 Next

Please or register to reply.

The Big Programming Thread - Page 784

Completed

Ongoing

Upcoming