Jamie,
I do know of the HIPAA regs as I had to aid in creating the manual for a
pharmacist in Iowa.
The program I am creating is more of a personal medical data format for the
patient and not the physician, although I have had a few ask about a
physician version.
But I do thank you for the heads up.
Jonathon
----- Original Message -----
From: "Jamie Lay" <[EMAIL PROTECTED]>
To: "REALbasic NUG" <[email protected]>
Sent: Monday, May 01, 2006 8:58 AM
Subject: Re: PASSWORD PROTECTED data in Text file saved how?
Jonathon,
Since you said you are writing something for "patients" you might want to
either market it as something else (personal diary) or check the HIPAA
regulations. HIPAA imposes some rather strict requirements even though
your software is for the patient and not the health-care provider. The
requirements may still apply and the consequences of failure to comply are
draconian at a minimum.
Jamie
Sales 800-539-1780
Support 706-632-3763
Fax 706-632-6498
www.installfactory.com
On May 1, 2006, at 10:54 AM, [EMAIL PROTECTED] wrote:
Jonathon Bevar wrote:
If I wanted to save a User and Password editfields, mind you I am using the
Password mask in the Password editfield, how would the password editfield be
saved?
Save the MD5 hash of it. Then, to check the user's entered password
against what's saved in the file, compute the MD5 of what the user
entered, and compare it to what's in the file.
Is there some auto-encryption when saved to an .ini or text file?
No.
1> I want this to be easy and for all platforms so hiding it in the
registry is nonsense to me. A simple text file should be fine if the
editfield data is encrypted already.
Agreed.
2> If this is not the case then, is there an easy encryption method I could
use to encrypt the Password data to a simple text file?
Yep, MD5.
3> And of course a way to un-encrypt the file to view it to check if it is
the correct password.
No, you don't want that. If there were an easy way for you to un-encrypt
the password, then that would be an easy way for others to do it, too.
Instead, all you need is a way to encrypt (hash) what the user enters in
the same way it was done originally, so you can compare it to what's in
the file.
This still leaves your users vulnerable to a dictionary attack, of
course (where the bad guy computes the MD5 of every word in the
dictionary, looking for one that matches what's stored for the
password). So tell your users not to pick a password that's a real
word.
I am creating a diary log for patients and one end-user wants a password
protected log as he has other members in his family that he does not want
'snooping' in his personal log entries. I don't blame him.
Hmm, I see I didn't fully appreciate your needs; you need to encrypt not
just the password, but the data as well. But the advice above about
using MD5 to store the password is still useful; just treat "storing the
password" and "storing the data" as two different problems. A one-way
encryption (e.g. MD5) is still the best way to store the password.
As for the data, you'll need to do something else. For industrial-grade
encryption, you'll probably need to use a plugin or find a library, as
that code can be quite complex. But there are some relatively simple
things you can do that may be good enough for an app like this. Here's
an example:
1. Put the data to be encrypted into a MemoryBlock (m1).
2. Make a second MemoryBlock (m2) of the same size, and fill this with
the password repeated over and over.
3. Now, zip through the data like this:
    dim i as Integer
    // XOR each data byte with the matching byte of the repeated password
    for i = 0 to m1.Size - 1
      m1.Byte(i) = BitwiseXOR( m1.Byte(i), m2.Byte(i) )
    next
This computes the XOR of the data with the password. This will work to
both encrypt and decrypt the data. I want to stress that any serious
cryptographer with a decent amount of data encoded this way could crack
it without breaking a sweat, but it would certainly stump any "normal"
person, and it's easy to implement.
HTH,
- Joe
--
Joe Strout -- [EMAIL PROTECTED]
Available for custom REALbasic programming or instruction.
_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>
Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>
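
Added example (not part of the original thread, and not code from any of the posters): a Python sketch of the password check discussed above, putting the thread's unsalted MD5 record beside a salted PBKDF2-HMAC-SHA256 record that still fits on one line of a plain text file. The record layout, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def md5_record(password: str) -> str:
    """The scheme suggested in the thread: a bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return one text line: scheme$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.strip().split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iters)
        )
    except ValueError:
        return False  # malformed or truncated line in the text file
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    # Unsalted MD5: the same password always yields the same stored value,
    # so one precomputed word list matches every user's file.
    print(md5_record("sunshine") == md5_record("sunshine"))
    rec = make_record("sunshine")
    # Salted record: the same password is stored differently each time.
    print(rec != make_record("sunshine"))
    print(verify("sunshine", rec), verify("Sunshine", rec))
```

The stored line is still compared by recomputation, as described in the thread; nothing in the file can be reversed into the password.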