encryption


asg

Below is a script I compiled after searching this forum. I would like
feedback on whether you think it is secure.
#!/usr/bin/perl

print "Content-type: text/html\n\n";
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);
use Crypt::Blowfish;
use Crypt::CBC;
$scriptname = "cbc.cgi";
$key = "dfghdfghdfghdfgh";

if(param('cypher')){ &cypher; }
elsif(param('dcypher')){ &dcypher; }
else{ &dcypher; }
sub cypher{
$cipher = new Crypt::CBC( $key, 'Blowfish' );
$decrypt = param('decrypt');
my $encrypt = encrypt($decrypt);
print qq~ <FORM METHOD = "post" NAME="f1" ACTION = "$scriptname"
ENCTYPE="multipart/form-data" >
<input type="text" name="encrypt" value="$encrypt" size="50"><BR>
<input type="submit" name="dcypher" value="Dcypher">
</form>~;
}

sub dcypher{
$cipher = new Crypt::CBC( $key, 'Blowfish' );
$encrypt = param('encrypt');
my $decrypt = decrypt($encrypt);

print qq~<FORM METHOD = "post" NAME="f1" ACTION = "$scriptname"
ENCTYPE="multipart/form-data" >
<input type="text" name="decrypt" value="$decrypt" size="50"><BR>
<input type="submit" name="cypher" value="Cypher">
</form>~;
}
sub decrypt { defined $_[0] ? $cipher->decrypt_hex($_[0]) : '' }
sub encrypt { defined $_[0] ? $cipher->encrypt_hex($_[0]) : '' }
 

Larry

asg said:
Below is a script I compiled after searching this forum. I would like
feedback on whether you think it is secure.
...

Are you going to be accessing the script over the internet and if so,
will it use an SSL connection (i.e. https)? Because if you go over the
internet and just use plain http, your plaintext message can be sniffed.
 

Matt Garrish

asg said:
Below is a script I compiled after searching this forum. I would like
feedback on whether you think it is secure.

It's not secure at all because there is nothing in it that enforces
security. All I see is a script that either encrypts or decrypts a value
passed to it and sends the value back to the browser.
#!/usr/bin/perl

Should always be followed by:

use strict;
use warnings;

print "Content-type: text/html\n\n";

Why are you printing the header here?
use CGI qw(:standard);

use CGI qw/param/;

You don't appear to be using anything else in the module...
use CGI::Carp qw(fatalsToBrowser);
use Crypt::Blowfish;
use Crypt::CBC;
$scriptname = "cbc.cgi";
$key = "dfghdfghdfghdfgh";

Your site is only as secure as your account password (or any blip that
prints the source to screen). Databases are a good place to keep encryption
information such as the key, because presumably it adds an extra level of
difficulty for someone trying to hack your site (assuming your
username/password isn't the same everywhere).
if(param('cypher')){ &cypher; }
elsif(param('dcypher')){ &dcypher; }
else{ &dcypher; }

The elsif conditional would appear to be irrelevant, since you're going to
call dcypher one way or the other. Most people would make the else condition
default to an error page, as something would be amiss if your conditions
aren't met.
sub cypher{
$cipher = new Crypt::CBC( $key, 'Blowfish' );
$decrypt = param('decrypt');
my $encrypt = encrypt($decrypt);
print qq~ <FORM METHOD = "post" NAME="f1" ACTION = "$scriptname"
ENCTYPE="multipart/form-data" >
<input type="text" name="encrypt" value="$encrypt" size="50"><BR>
<input type="submit" name="dcypher" value="Dcypher">
</form>~;
}

This is what I mean about the script not being secure. All you do here is
encrypt whatever value is passed in.
sub dcypher{
$cipher = new Crypt::CBC( $key, 'Blowfish' );
$encrypt = param('encrypt');
my $decrypt = decrypt($encrypt);

print qq~<FORM METHOD = "post" NAME="f1" ACTION = "$scriptname"
ENCTYPE="multipart/form-data" >
<input type="text" name="decrypt" value="$decrypt" size="50"><BR>
<input type="submit" name="cypher" value="Cypher">
</form>~;
}

And then here you decrypt the value and send it back to the browser. One
would normally decrypt and check against the original value to ensure no
tinkering has gone on (and almost never send the unencrypted password
back) - the original value being stored in a database with a session id to
tie it back to the original user, for example. If the two don't match, off
the user goes to an error page.

Matt
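The three points raised above (Larry's: the form must only be served over https; Matt's: the key does not belong in the source, an unexpected action is an error, and a decrypted value must be checked for tinkering rather than handed straight back) put together as an added example. This is not code from the thread; it keeps Blowfish in CBC mode via Crypt::CBC but adds an HMAC-SHA256 tag (Digest::SHA, core Perl) over the IV and ciphertext, and verifies that tag before decrypting anything. The placeholder keys, the /dev/urandom read, the HTTPS=on check (what mod_ssl exports to a CGI script), the handle_request() shape and the use of Crypt::CBC's explicit-IV constructor form (-literal_key, -header 'none', -iv) are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;
use Crypt::Blowfish;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Placeholder keys for this example only. In a real deployment load them from
# outside the script (a file the web server can read but never serve, or the
# database Matt mentions), never from a literal in the source.
my $ENC_KEY = 'dfghdfghdfghdfgh';                  # 16 bytes; Blowfish takes 8..56
my $MAC_KEY = '0123456789abcdef0123456789abcdef';  # a separate key for the HMAC

# Assumes a Unix host with /dev/urandom.
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    (read($fh, my $buf, $n) // 0) == $n or die 'short read from /dev/urandom';
    close $fh;
    return $buf;
}

# Fixed key, explicit IV, no Crypt::CBC header: the IV travels with the token.
sub blowfish_cbc {
    my ($iv) = @_;
    return Crypt::CBC->new(-cipher      => 'Blowfish',
                           -key         => $ENC_KEY,
                           -keysize     => 16,        # matches the 16-byte key above
                           -literal_key => 1,
                           -header      => 'none',
                           -iv          => $iv);
}

# Encrypt-then-MAC. token = base64( iv . ciphertext . HMAC-SHA256(iv . ciphertext) )
sub seal {
    my ($plaintext) = @_;
    my $iv  = random_bytes(8);                     # Blowfish block size
    my $ct  = blowfish_cbc($iv)->encrypt($plaintext);
    my $tag = hmac_sha256($iv . $ct, $MAC_KEY);
    return encode_base64($iv . $ct . $tag, '');
}

# Constant-time comparison so the tag check does not leak how much matched.
sub consteq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the plaintext, or undef if the token was altered in any way.
# The tag is verified before anything is decrypted.
sub open_token {
    my ($token) = @_;
    my $blob = decode_base64($token // '');
    return undef if length($blob) < 8 + 8 + 32;    # iv + one block + tag
    my $iv  = substr($blob, 0, 8);
    my $tag = substr($blob, -32);
    my $ct  = substr($blob, 8, length($blob) - 40);
    return undef unless consteq(hmac_sha256($iv . $ct, $MAC_KEY), $tag);
    return blowfish_cbc($iv)->decrypt($ct);
}

# What the CGI from the original post would do differently: refuse plain HTTP
# (mod_ssl exports HTTPS=on to CGI scripts; an assumption about the server),
# and treat a bad tag or an unknown action as an error instead of decrypting
# whatever arrived. Returns (status, body).
sub handle_request {
    my ($action, $value) = @_;
    return (403, 'This form is only served over HTTPS')
        unless ($ENV{HTTPS} // '') eq 'on';
    return (200, seal($value // '')) if $action eq 'cypher';
    if ($action eq 'dcypher') {
        my $pt = open_token($value);
        return defined $pt ? (200, $pt) : (400, 'Token failed integrity check');
    }
    return (400, 'Unknown action');
}

# Demonstration: flipping one bit of the IV silently flips one bit of the
# first plaintext block under bare CBC, but the tag check rejects the token.
my $secret = 'amount=100';
my $token  = seal($secret);
die 'round trip failed' unless open_token($token) eq $secret;

my $raw = decode_base64($token);
substr($raw, 0, 1) = chr(ord(substr($raw, 0, 1)) ^ 0x01);
my ($iv, $ct) = (substr($raw, 0, 8), substr($raw, 8, length($raw) - 40));
print 'bare CBC, no check: ', blowfish_cbc($iv)->decrypt($ct), "\n";
print 'with tag check:     ',
      (defined(open_token(encode_base64($raw, ''))) ? 'accepted' : 'rejected'), "\n";
```

Run it from a shell and the last two lines show the point of Matt's "check against the original" advice: the bare decrypt raises no error at all, it just returns a plaintext whose first byte has changed, while open_token() returns undef for the same bytes because the HMAC no longer matches. Two details worth keeping even if you change the cipher: the tag is checked before decryption (so an attacker never gets to exercise the decrypt path on data they have altered), and the comparison is constant-time, which a plain `eq` is not.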