
I am building an application that connects to a 3rd party app to get some info. My idea was to design it in a way that the app controls the password: it can change it once in a while, hash it and keep the hashed password somewhere. This way no human knows the password.

But I can't figure out where and how I should securely store the secret key, so the people that have access to that machine can't recover the password.

Is there any known method that I can't find? Or is it not possible to have the password and secret key on the same machine?

  • If it's gonna be hashed, how can they know the password? – Kiloreux Dec 23 '15 at 16:33
  • Having hashed password + secret key = knowing password!! – koolaang Dec 23 '15 at 16:34
  • Think like this: you are trying to make a program which stores a value which is unretrievable from any program. Why would your program be different from any other to be able to retrieve it? – Desaroll Dec 23 '15 at 16:49
  • @Desaroll I get your point. Can I assume that this is not possible and stop pursuing this idea? Is it impossible to secure part of a disk for just an application? I understand that I can't rehash the secret key because it needs a new key to be stored somewhere. – koolaang Dec 23 '15 at 16:57
  • Even the OS's user passwords are accessible from a program with enough privileges. You can't retrieve them as they are saved using one-way hashes (they compare the hashed passwords), but you can change them. – Desaroll Dec 23 '15 at 17:05
  • There are "good enough" methods (the password will be invisible to most users), but none are able to resist a serious attack. – Desaroll Dec 23 '15 at 17:13
  • @Desaroll can you please mention these methods' names, or where I can read more about them? Thanks – koolaang Dec 23 '15 at 17:22
  • One is the one you were thinking about: a double-way hash with a hard-coded key. To find your key, the user has to be able to browse through the compiled binary. Any common user won't be able to find it. – Desaroll Dec 23 '15 at 17:42

1 Answer


I don't think you can definitely hide it, but what you can do is:

Windows

  • Hide it in a chosen path by using the attrib command (attrib +s +h filepath).
  • Deny access to all users with the cacls command (open a command line and enter cacls /? for more). The command should be something like cacls filepath /D user. That will totally deny file access to the specified user (no possibility to read or write it). However, I think you will need administrator rights in order to do that. You can retrieve the user list with the command net user.

Linux

Apply the same strategy:

  • Hide it by preceding its name with a dot
  • Deny permission by using the chmod command
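The Linux steps of the answer above (dot-file plus chmod), as an added shell example that is not part of the original answer. It creates the secret file with owner-only permissions from the first byte by setting a restrictive umask before the write, rather than chmod-ing an already world-readable file afterwards, and includes a check function the application can run at startup to verify the file is still mode 0600 and owned by the current user. The directory, file name and secret value are constructed for the example; as the answer and comments note, this keeps the secret from ordinary users on the machine but not from root or anyone with administrator rights.

```shell
#!/bin/sh
# Added example, not from the original answer. Stores an application secret
# in a dot-file that only its owner can read, and verifies that state.
set -eu

# Hypothetical location: any directory owned by the application user would do.
SECRET_DIR="${SECRET_DIR:-$(mktemp -d)}"
SECRET_FILE="$SECRET_DIR/.app_secret"

# write_secret PATH VALUE
# Creates PATH with mode 0600 from the start. The umask is applied in a
# subshell so it does not leak into the rest of the script, and it guarantees
# there is no window where the file exists with group/world read permission.
write_secret() {
    path="$1"
    value="$2"
    (umask 077 && printf '%s\n' "$value" > "$path")
    chmod 600 "$path"
}

# secret_perm_string PATH
# Prints the ls-style permission string ("-rw-------"), which is portable
# across GNU and BSD userlands unlike the differing stat(1) flag syntaxes.
secret_perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_secret PATH
# Returns 0 only if PATH is a regular file, mode exactly 0600, and owned by
# the user running this script. Returns 1 otherwise, so a caller can refuse
# to start if someone loosened the permissions.
check_secret() {
    [ -f "$1" ] || return 1
    [ "$(secret_perm_string "$1")" = "-rw-------" ] || return 1
    [ -O "$1" ] || return 1
    return 0
}

# Stand-alone usage: write a constructed secret, then verify it.
write_secret "$SECRET_FILE" "constructed-example-secret"
if check_secret "$SECRET_FILE"; then
    echo "secret stored at $SECRET_FILE with owner-only permissions"
else
    echo "secret file permissions are not owner-only" >&2
    exit 1
fi
```

The check deliberately requires the exact mode 0600 instead of merely "not world-readable", so a group-readable file (0640) also fails; if the application legitimately shares the file with a service group, relax that comparison, but keep the ownership test.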