Encryption for file vs Standalone App
Posted: Sun Jan 22, 2017 3:45 pm
by newpie
Hello, I want to implement the method below:
To run a stack delivered from a server is easy in LiveCode - run this in the Message Box:
Code:
go url "http://fourthworld.net/revnet/devolution/4W_gzipper.livecode"
You can encrypt your stack with a password in standalone application setting, but is there a way to encrypt it in .livecode state? Is there a way to put a password on the zipper file perhaps.
Any help would be appreciated. Thanks
Re: Encryption for file vs Standalone App
Posted: Sun Jan 22, 2017 8:09 pm
by ghettocottage
What version of Livecode are you using? Community, Business, Indy?
Re: Encryption for file vs Standalone App
Posted: Sun Jan 22, 2017 9:08 pm
by newpie
Hello, it is Indy.
Re: Encryption for file vs Standalone App
Posted: Sun Jan 22, 2017 9:52 pm
by FourthWorld
LC's revZip external does not currently support passwords. But you can encrypt data after compressing it - see the encrypt and decrypt commands in the Dictionary.
Re: Encryption for file vs Standalone App
Posted: Sun Jan 22, 2017 11:32 pm
by ghettocottage
...out of curiosity:
are you using the stack to access a database?
if so, is giving access to the db the thing you are trying to protect?
Re: Encryption for file vs Standalone App
Posted: Mon Jan 23, 2017 4:08 pm
by newpie
@fourthworld Thank you, I will start researching this method and post back if I have questions.
@ghettocottage Hello, I wanted to simulate what fourthworld did. For my program it would actually access a database, to answer your question. Basically I was wondering how I can protect my code if someone downloaded the livecode file from the server.
If you know offhand of a post on how to do encryption and decryption for this scenario with zipped files, please post it if you have a chance.
Thanks
Re: Encryption for file vs Standalone App
Posted: Tue Jan 24, 2017 5:10 am
by ghettocottage
A slightly different approach that might be useful (or not):
You can use Livecode server as an intermediary between your app and your database. This makes connecting to your database more secure, and also allows you to offload a lot of your code to livecode server files.
It took me a bit of dinkering to get the hang of it, but once I got it set up and working it makes a lot of sense. The app can be minimal and sends pre-configured commands and queries to your Livecode files, where your functional code is...and then sends a reply back to the app.
So the app acts as a sort of thin-client for your livecode server files.
Re: Encryption for file vs Standalone App
Posted: Tue Jan 24, 2017 10:50 am
by AxWald
Hi newpie,
newpie wrote:To run a stack delivered from a server is easy in LiveCode - run this in the Message Box:
Code:
go url "http://fourthworld.net/revnet/devolution/4W_gzipper.livecode"
[...] is there a way to encrypt it in .livecode state?
I had a lot of problems using the above method in Android (for "start using" the stack at least ...) - it may well be that it doesn't work there as described. So I dl' the stack to specialfolderpath("cache") that is semi-persistent, and use it from there.
Encryption itself is rather easy. Let's try it with a stack "TestStack.rev" on your desktop:
Code:
on mouseUp
   get encStrg(URL "binfile:C:/Users/myName/Desktop/TestStack.rev")
   put it into URL "binfile:C:/Users/myName/Desktop/cryptStack.rev"
end mouseUp
Now you have the stack in encrypted form. To reverse it:
Code:
on mouseUp
   get decStrg(URL "binfile:C:/Users/myName/Desktop/cryptStack.rev")
   put it into URL "binfile:C:/Users/myName/Desktop/plainStack.rev"
end mouseUp
Bingo! Hehe - there's something missing, the code that actually does the job:
Code:
function encStrg Strg -- Encrypt the data
   put char -1 of the millisecs into MyChar
   set the randomSeed to MyChar & MyChar & MyChar
   put random(900000000) + 99999999 into MySalt
   delete char 1 of MySalt
   put "My long, complicated & elaborate PassWord v1b22!" into myP -- ###
   encrypt Strg using "aes-256-cbc" with password myP and salt MySalt
   get B2H(it)
   return it
end encStrg

function decStrg Strg -- Decrypt the data
   put "My long, complicated & elaborate PassWord v1b22!" into myP -- ###
   put H2B(Strg) into MyVar
   put char 9 of MyVar +1 into MyPass
   decrypt MyVar using "aes-256-cbc" with password myP
   return it
end decStrg -- OK

function B2H pString -- from libHash-Hmac V 2.3, http://marksmith.on-rev.com/revstuff/
   repeat for each byte c in pString
      get bytetonum(c)
      put baseconvert(it,10,16) into tTemp
      if it < 16 then put "0" before tTemp
      put tTemp after tHex
   end repeat
   return tolower(tHex)
end B2H

function H2B pString -- from libHash-Hmac V 2.3, http://marksmith.on-rev.com/revstuff/
   repeat with n = 1 to length(pString) - 1 step 2
      put numtobyte(baseconvert(byte n to n + 1 of pString, 16, 10)) after tBin
   end repeat
   return tBin
end H2B
That's it. You may want to change the line where I enter my "My long, complicated & elaborate PassWord v1b22!" - here I originally have a function that does this for me. And you may want to polish it a bit, guess we could scrape away some more cycles. The salt creating part in the first handler may also be improved.
Hope this is of use for you.
ghettocottage wrote:You can use Livecode server as an intermediary between your app and your database.
... if you have full control on your server or are very lucky. There's no sufficient information, too much outdated/ missing links, and obviously nearly nobody is using it. On the typical "rented webspace with PHP & MySQL" (that I have to work with) I tried ad nauseam, with no success at all.
Acquiring basic knowledge of PHP (eeek!) looks like an easier & more promising way :/
Have fun!
Re: Encryption for file vs Standalone App
Posted: Wed Jan 25, 2017 6:38 pm
by newpie
@AxWald Wow! This is great information. Thank you so much, I will run through the coding and try it out.
Thanks
Re: Encryption for file vs Standalone App
Posted: Sun Feb 05, 2017 7:57 pm
by newpie
@AxWald, I reviewed the coding and wanted to review the steps below. I also wanted to mention this is for a desktop environment.
1. Encrypt the livecode stack and store on server
2. User downloads livecode "startup" application exe file which does the following
   a. When the user presses the START button it downloads the encrypted livecode stack from the server to the specialfolderpath("cache") on the local machine
   b. The startup app then decodes it and performs the go url command to start the file (plainstack.runrev)
   c. The startup app closes itself
3. The cache file is cleared on the local machine, I assume, when they log off their user or turn off the computer
So my question: is the livecode stack vulnerable to being taken out of cache while it is in a decrypted state (plainstack.runrev)?
Coding would be as so?
1. Downloading file into cache:
Code:
libURLDownloadToFile "http://server.org/cryptStack.runrev",specialfolderpath("cache") & "/cryptStack.runrev","downloadComplete"
2. Decrypt would be:
Code:
on mouseUp
   set the defaultfolder to specialfolderpath("cache")
   get decStrg(URL "binfile:cryptStack.runrev")
   put it into URL "binfile:plainstack.runrev"
end mouseUp
3. To run it:
Code:
on mouseUp
   set the defaultfolder to specialfolderpath("cache")
   go url "binfile:plainstack.runrev"
end mouseUp
Please let me know if these seem correct. I seem to be having an issue with the decrypt piece, as I get an error "baseConvert: can't convert this number"
Thank you for your help
Re: Encryption for file vs Standalone App
Posted: Mon Feb 06, 2017 11:32 am
by AxWald
Hi,
newpie wrote:c. the startup app closes itself
This will not work. The Standalone is your runtime app - it contains the LC code needed to run your stack. You may hide it, but you cannot close it.
I use it as the central menu :)
newpie wrote:So my question is the livecode stack vulnerable to be taken out of cache while it is in a decrypted state (plainstack.runrev)?
Sure it can be copied, modified, whatever. And if you have a backup program, shadow copy, "file history" running it will be copied sooner or later, anyways. Even in .\temp.
Protecting a stack itself doesn't make much sense to me, even with using the "password protect" in the commercial versions. Those who really want to steal your code will steal it anyways - people multitudes better than me have failed miserably in protecting their code, over & over, so why should I even try?
But the data must be safe. So I have no data in my stacks, in the saved state - the data live in their databases, the stacks are home to the UI & processing logic only. Sensible data belonging to the logic (credentials etc.) are always encrypted, get decrypted only when used, and overwritten immediately after.
The data come in at run time for displaying & processing, and it's made sure only the necessary data are transmitted. To assure this I use a system of nested "prefs" where I can control permissions down to even single machine basis. And the really sensible data are stored & transmitted encrypted, again.
I'm writing commercial software (business to business), and so I have to hand over my code (well documented) anyways: A bus could hit me after writing this, while crossing the street - my customer needs to be able to hire someone replacing me. So I happily release my code as GPL V3, share parts of it if desired, and sometimes enjoy other coders pointing me to bugs or improvements ;-)
The protection of my code is the complexity, the customer specific implementation, and my knowledge of my customers needs as well as my ability to fulfill it.
About the error "baseconvert: ..." - this comes from the LibHash-Hmac functions (Hex to Byte and vice versa); it would be interesting when this happens (encrypt or decrypt). The stack may contain bytes that make it choke - I usually don't encrypt full stacks, and tried only with a very simple example for the post ...
Have fun!
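A pre-flight check for the download-then-decrypt flow discussed above, as an added example that is not part of the thread or any poster's code: it confirms that a file is the hex text encStrg writes before decStrg's H2B/baseConvert step sees it, and reports the first thing that is wrong. It assumes LiveCode's salted password encryption yields the OpenSSL-style layout ("Salted__", 8-byte salt, ciphertext); `inspect_payload` and `diagnose` are hypothetical names and the samples are constructed.

```python
import binascii
import string

MAGIC = b"Salted__"  # assumed: OpenSSL-style header on LiveCode's salted output
SALT_LEN = 8         # encStrg builds an 8-character salt
AES_BLOCK = 16       # aes-256-cbc ciphertext length is a multiple of 16 bytes


def inspect_payload(hex_text):
    """Check text written by encStrg; return (salt, ciphertext_length).

    Raises ValueError naming the first problem found.
    """
    for offset, ch in enumerate(hex_text):
        if ch not in string.hexdigits:
            raise ValueError(f"non-hex character {ch!r} at offset {offset}")
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits")
    raw = binascii.unhexlify(hex_text)
    if not raw.startswith(MAGIC):
        raise ValueError("missing Salted__ header")
    salt = raw[len(MAGIC):len(MAGIC) + SALT_LEN]
    body = raw[len(MAGIC) + SALT_LEN:]
    if len(salt) < SALT_LEN or not body or len(body) % AES_BLOCK:
        raise ValueError("ciphertext empty or not a multiple of 16 bytes")
    return salt, len(body)


def diagnose(text):
    """Return a one-line verdict instead of raising."""
    try:
        salt, size = inspect_payload(text)
        return f"ok: salt={salt!r}, {size} ciphertext bytes"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed samples (filler bytes, not real ciphertext).
GOOD = (MAGIC + b"12345678" + bytes(32)).hex()
HTML_ERROR = "<html><body>404 Not Found</body></html>"  # error page saved as the file
TRUNCATED = GOOD[:-1]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("html", HTML_ERROR), ("cut", TRUNCATED)):
        print(name, "->", diagnose(sample))
```

The salt comes back in the clear because it is stored in the file itself, so the password embedded in the startup app is the only secret in this scheme.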
Re: Encryption for file vs Standalone App
Posted: Mon Feb 06, 2017 5:09 pm
by newpie
Ok, thanks for your reply.
Re: Encryption for file vs Standalone App
Posted: Tue Mar 07, 2017 3:58 pm
by trevix
If I may ask, my problem is not concerning the data, but protecting stacks that get often saved by my Standalone commercial App:
My standalone allows the user to open/modify/save LC stacks, exchange them with other users and, since the standalone will run on desktop AND on mobile, they often need to be saved while the App is running (in case the user has to suddenly quit the app).
Encrypting and decrypting so often could be a nightmare...
Some info:
The standalone (App) is a splash screen.
The real application is a LC stack (main Stack) that is password protected (I only protected the stack script)
The stacks that get shared (the exchange stacks) have a variable number of cards and get saved locally and shared through the web and emails.
I want to protect the exchanged stacks because I think that, if not, any LC user could insert a script that will exploit the main stack and the App (like adding a group with an OpenControl script that saves all the script of the App), etc.
So, as of now:
1 - the App is protected by being a standalone (enough for the average user)
2 - the main stack has a password protected script that gets unlocked only from the App when loaded: on the preopenstack, if it doesn't receive an OK from the App, it just quits
3 - I am thinking about using the same schema for the exchanged stacks (open on LC only if launched by the main stack)
How much sense does this schema make?
Thanks
Trevix
Re: Encryption for file vs Standalone App
Posted: Wed Mar 08, 2017 10:14 am
by trevix
Wrong. I just realized that my idea doesn't work.
The stack I wanted to protect had this password protected script:
Code:
global gTheGlobal
On PreopenStack --on the exchange stack script
   if gTheGlobal then
      set the passkey of me to ThePassword
   else
      quit
   end if
end PreopenStack
The idea was that the App was setting a value on the global gTheGlobal, making it possible for the App to use the stack for the time it was loaded.
BUT I did not realize that if before opening the stack you set the lock messages on LC, once you open the stack the above script will not run. The stack will open (still with the password protected script) and you are able to patch it with something that will reveal all your code, once opened from the App.
Is there any other way?
Re: Encryption for file vs Standalone App
Posted: Wed Mar 08, 2017 11:46 am
by AndyP
The main stack if not altered does not need to have the password protection removed.
I would have the exchange stacks password protected during most of the operation, then momentarily remove the password when a change has been made and the stack needs saving.
e.g. in the Exchange stack
Code:
set the passKey of this stack to "1234"
--do your stuff
set the password of this stack to "1234"
save this stack