0

I have a web app that I use to run exe programs but the exe programs require a password to be passed. Currently this password is hard coded into the web app file in clear text.

Since this is not secure and I have seen other web apps do this. I am wondering, how do I securely store the password in a file or database that can't be viewed in clear text but when needing to run the exe, it can retrieve the securely stored password and run the program.

(web app is mainly PHP and database of MSSQL)

James
  • 1
  • 1
  • Related: https://security.stackexchange.com/questions/12332/where-to-store-a-server-side-encryption-key – mti2935 May 24 '22 at 01:25
  • Unless you want to prompt the user for a master key/password each run I think the best you can do is encrypt it using as a part of the key the machine's serial number. (you read that from the motherboard when you encrypt/decrypt...) If this is Windows you can just use "DPAPI" for this. That way the key is not exposed by the code. (though it could be exposed in memory) – pcalkins Jun 24 '22 at 19:21

1 Answers1

0

I believe what you're looking for is a way to encrypt and decrypt the password. There are algorithms that allow you to encrypt a string and reverse the encrypted string to get the original one: Encryption algorithms, while some do not: Hashing algorithms

Since you're using PHP, you can use the in-built function openssl_encrypt to encrypt and openssl_decrypt to decrypt it

string openssl_encrypt( 
  string $data, string $method, string $key,
  $options = 0, string $iv, string $tag= NULL,
  string $aad, int $tag_length = 16  
)
# Returns a boolean
string openssl_decrypt( 
  string $data, string $method, string $key,
  int $options = 0, string $iv, string $tag, string $aad
)

Example:

$string = "My password";

$ciphering = "AES-128-CTR";

$options   = 0;
$encryption_iv = '1234567891011121';

$encryption_key = "YOURCUSTOMKEY";
$encryption = openssl_encrypt($string, $ciphering, $encryption_key, $options, $encryption_iv);

$decryption_iv = $encryption_iv;
$decryption_key = $encryption_key;

$decryption = openssl_decrypt($encryption, $ciphering, $decryption_key, $options, $decryption_iv);

echo "Original => " . $string;
echo '<br/>';
echo "Encrypted => " . $encryption . "\n";
echo '<br/>';
echo "Decrypted => " . $decryption;

For this to work, the key you use to decrpyt should be the same as the one used to encrypt or the results will be different. So the key $encryption_key should be not accessible to anyone else.

Cypherjac
  • 101
  • Is there a way to securely store the encryption key some where? – James May 23 '22 at 21:21
  • You can store the encrypted password in the database. For the key you can save it in the database as well, since you're the only one who can access it.. or even just within the code as a variable.. since PHP is a server-side code, it won't be visible to the client – Cypherjac May 24 '22 at 06:05