Monday, February 25, 2013
A simple Password Encryption Technique - ROT13 and ROT 47
Accessing data on a remote machine is relatively easy with Secure Shell (SSH) and its passphrase option. But what about accessing data in a remote database using SQL statements?
Scenario:
Go through the following simple script to know more about the usage of ROT13 and ROT47.
Source: Wikipedia
[thiru@localhost secure_password]$ cat password_protect.sh
#!/bin/bash
LogDirectory='/var/tmp/logs'
DataDirectory='/var/tmp/data'
DBUSER='scott' #Raw Username
DBUSERPASSWORD='tiger' #Raw Password
#We are passing raw username and password, actually it's not a good
#practice to store this in such a way.
DB='oracle'
sqlplus -s <<EOF > ${LogDirectory}/query.log
${DBUSER}/${DBUSERPASSWORD}@${DB}
set linesize 32767
set feedback off
set heading off
spool ${DataDirectory}/query_output.dat
SELECT * from dual;
spool off
EOF
So we need to find a secure yet simple way to overcome this vulnerability. What is a simple solution at the Unix terminal level?
>>>>> I would say it's ROT 13 and ROT 47.
ROT13 Cipher:
Rotate by 13 places (ROT13) is a simple cipher based on the Caesar cipher. On Unix it can be implemented with the terminal command 'tr'.
ROT13 only handles the ASCII letters (A-Z and a-z).
Encryption:
[thiru@localhost secure_password]$ echo "tiger"|tr 'A-Za-z' 'N-ZA-Mn-za-m'
gvtre
Decryption:
[thiru@localhost secure_password]$ echo "gvtre"|tr 'A-Za-z' 'N-ZA-Mn-za-m'
tiger
ROT47 Cipher:
The specialty of the Rotate by 47 places (ROT47) cipher is that, along with ASCII letters, it also handles digits and punctuation (the printable characters '!' through '~').
Encryption:
[thiru@localhost secure_password]$ echo "tiger"|tr '\!-~' 'P-~\!-O'
E:86C
Decryption:
[thiru@localhost secure_password]$ echo "E:86C"|tr '\!-~' 'P-~\!-O'
tiger
Step 1: When creating the script for the very first time, we need to encrypt the password manually.
[thiru@localhost secure_password]$ echo "tiger"|tr '\!-~' 'P-~\!-O'
E:86C
[thiru@localhost secure_password]$ echo "scott"|tr '\!-~' 'P-~\!-O'
D4@EE
[thiru@localhost secure_password]$ echo "oracle"|tr '\!-~' 'P-~\!-O'
@C24=6
Step 2: Once the ciphertext is generated, place each encrypted value in the respective variable in the script as follows.
[thiru@localhost secure_password]$ cat password_protect.sh
#!/bin/bash
LogDirectory='/var/tmp/logs'
DataDirectory='/var/tmp/data'
# Each value is stored ROT47-encoded and decoded at run time with the same tr command.
DBUSER=`echo "D4@EE"|tr '\!-~' 'P-~\!-O'` # Encrypted Username
DBUSERPASSWORD=`echo "E:86C"|tr '\!-~' 'P-~\!-O'` # Encrypted Password
DB=`echo "@C24=6"|tr '\!-~' 'P-~\!-O'`
sqlplus -s <<EOF > ${LogDirectory}/query.log
${DBUSER}/${DBUSERPASSWORD}@${DB}
set linesize 32767
set feedback off
set heading off
spool ${DataDirectory}/query_output.dat
SELECT * from dual;
spool off
EOF
That's all, we are done. This obviously has its own risks, but it is worth checking out.
I hope that this will help someone :)
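The risk is easiest to see by auditing such a script: ROT47 has no key, and the same tr command that encodes a value also decodes it, so anyone who can read the file can recover what it stores. The following is an added example, not part of the original post; the function names (rot47, audit_script, write_sample, audit_sample) and the sample file contents are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. The sample file below is constructed.

# ROT47 shifts the 94 printable ASCII characters '!'..'~' forward by 47.
# Because 47 + 47 = 94, applying it twice returns the input: there is no key,
# and one command both "encrypts" and "decrypts".
rot47() {
    printf '%s' "$1" | LC_ALL=C tr '!-~' 'P-~!-O'
}

# audit_script FILE
# Print every string literal that FILE pipes through a ROT47 tr call,
# together with its decoded value, as "literal -> decoded".
audit_script() {
    grep -oE "echo \"[^\"]+\" *\| *tr +'[^']*' +'P-~[^']*'" "$1" |
        sed -E 's/^echo "([^"]+)".*/\1/' |
        while IFS= read -r literal; do
            printf '%s -> %s\n' "$literal" "$(rot47 "$literal")"
        done
}

# write_sample FILE: constructed sample mirroring the Step 2 assignments.
write_sample() {
    cat > "$1" <<'EOF'
DBUSER=`echo "D4@EE"|tr '\!-~' 'P-~\!-O'`
DBUSERPASSWORD=`echo "E:86C"|tr '\!-~' 'P-~\!-O'`
DB=`echo "@C24=6"|tr '\!-~' 'P-~\!-O'`
EOF
}

# audit_sample: run the audit over the constructed sample, then clean up.
audit_sample() {
    _tmp=$(mktemp) || return 1
    write_sample "$_tmp"
    audit_script "$_tmp"
    rm -f "$_tmp"
}

audit_sample
```

Running audit_script over a directory of job scripts gives a quick list of credentials that are only obfuscated and should be treated as stored in clear text.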
References:
1. http://www.folkstalk.com/2012/06/connect-to-oracle-database-in-unix.html
2. http://en.wikipedia.org/wiki/ROT13