Delphi 7 TIdFTP FTP security (password protection)


Problem description

I have been dealing with FTP lately and I'm not sure about the security of the Indy component TIdFTP. That is why I have created some tests which I want to share with you so you could give your opinion of best practices and how it is done.

First of all I just added the username and password in the component using the Object Inspector:

And created a simple connection which works well:

procedure TForm1.FormActivate(Sender: TObject);
begin
  try
    FTP.Connect();
    ShowMessage ('Connection success');
  except
    ShowMessage ('Connection failure');
  end;
end;

The problem with this method is that if you use a simple tool like Resource Hacker, you can immediately see all of that data:

Host = 'ivstefano.com'
Password = 'testpass'
Username = 'testuser'

Then I decided to be a little bit smarter by removing it from the OI and inserting it in the code as everybody else does:

FTP.Host := 'ivstefano.com';
FTP.Username := 'testuser';
FTP.Password := 'testpass';

Still, if somebody is smarter, he can easily use a tool like a hex editor and see what is compiled into the exe:

So what I finally did was make an encryption tool using OTP (One Time Pad Wiki), which you can download from here: Sample OTP tool:

I used it to encrypt my password 'testpass' with the keyword 'lemon'. Then I took the OTP-encrypted string (#25+#2+#3+#7+#117+#19+#31+#6) and the key (#108+#101+#109+#111+#110), both written as ASCII character codes, and used them in my main FTP connection program to decrypt them using OTP again:

function opt(text, key: String): String;
var i: Integer;
begin
  SetLength(Result, Length(text));
  for i := 1 to Length(text) do
    // Delphi strings are 1-based, so key[i mod Length(key)] is key[0] whenever i is a
    // multiple of Length(key). With range checking off (the default) that reads the byte
    // just before the first character of the AnsiString (0 for a short string) instead of
    // a key character. The ciphertext above was produced with this same routine, so it
    // decrypts correctly only with this exact indexing.
    Result[i] := Char(Byte(text[i]) xor (i + Byte(key[i mod Length(key)])));
end;

procedure TFTPTester.FormActivate(Sender: TObject);
var decryptedPass: String;
begin
  // Ciphertext and key are embedded as character codes; opt is its own inverse.
  decryptedPass := opt(#25+#2+#3+#7+#117+#19+#31+#6, #108+#101+#109+#111+#110);
  FTP.Host := 'ivstefano.com';
  FTP.Username := 'testuser';
  FTP.Password := decryptedPass;
  try
    FTP.Connect();
    ShowMessage('Connection success with pass: ' + decryptedPass);
  except
    ShowMessage('Connection failure');
  end;
end;

And as you can see it connects properly:

And if we look at the hex again, we can see that the keyphrase and the encrypted password are there, but at least not the plain-text password:

Conclusion: Still, the "hacker" can see the keyphrase and the encrypted pass, but it is going to be harder to guess how to decrypt the pass using the key, because he has to reverse engineer the code and see what kind of encryption I have used. Basically I can invent my own encryption and decryption, so it does not necessarily have to be OTP, but if somebody is more advanced he could still see the way I decrypt the encrypted password and access my FTP by applying it to the encrypted pass using the key.

ADDITIONAL THOUGHTS: Maybe obfuscating the Delphi code would be a much better choice?

QUESTION: What is a better way of protecting your password if any?

SOURCES: Here you can find the source code for the FTPTester and the OTP generator: Link to both

Solution

I would use some protection tool for software, like asprotect, to encrypt your exe file.

But anyway, as Remy Lebeau said, FTP sends the password as plain text, which is a big security hole...
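To make the answer's last point concrete, here is an added example that is not part of the answer and not Indy code: a stub server that does nothing but play the RFC 959 login dialogue, a standard client (`ftplib`) logging into it the same way TIdFTP does, and a function that pulls the credentials out of the bytes seen on the wire, which is all a passive observer on the network path needs. The stub server, the loopback host and port, and the `testuser`/`testpass` values are constructed here.

```python
# Added example: shows the plaintext USER/PASS exchange of FTP (RFC 959).
# The stub server is constructed for this demo and is not a real FTP daemon.
import ftplib
import socket
import threading


def _stub_ftp_server(listener: socket.socket, wire: list) -> None:
    """Accept one client, answer the login commands, record every line received."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 stub FTP ready\r\n")
        for line in rd:
            wire.append(line)            # what a passive sniffer on the path sees
            verb = line.split(b" ", 1)[0].strip().upper()
            if verb == b"USER":
                conn.sendall(b"331 Password required\r\n")
            elif verb == b"PASS":
                conn.sendall(b"230 Login successful\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def credentials_from_capture(wire: list) -> dict:
    """Extract the USER and PASS arguments from captured control-channel lines."""
    creds = {}
    for line in wire:
        verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if verb in (b"USER", b"PASS"):
            creds[verb.decode()] = arg.decode()
    return creds


def run_demo(username: str = "testuser", password: str = "testpass") -> tuple:
    """Log in with a normal FTP client; return (login reply, sniffed credentials)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral loopback port, no network needed
    listener.listen(1)
    wire = []
    server = threading.Thread(target=_stub_ftp_server, args=(listener, wire))
    server.start()
    try:
        ftp = ftplib.FTP()
        ftp.connect("127.0.0.1", listener.getsockname()[1], timeout=5)
        reply = ftp.login(username, password)   # sends USER, then PASS, both in the clear
        ftp.quit()
    finally:
        server.join(timeout=5)
        listener.close()
    return reply, credentials_from_capture(wire)


if __name__ == "__main__":
    reply, sniffed = run_demo()
    print("server said:", reply)
    print("seen on the wire:", sniffed)
```

Whatever is done to the executable, the client has to hold the real password in memory and then write `PASS testpass` onto the socket, so a packer changes only where the literals sit in the file, not what a sniffer sees. The countermeasure is at the protocol layer: run the control channel over TLS (FTPS) or use SFTP, and keep the credential out of the shipped binary altogether.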
