electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
A Simple Encryption Method for FTP Passwords Azlan Iqbal College of Information Technology, Universiti Tenaga Nasional, Putrajaya Campus, Jalan IKRAM-UNITEN, 43000 Kajang, Selangor e-mail:
[email protected]
Abstract – In this short article, we propose and explain a simple method that can be used to encrypt an FTP (file transfer protocol) server account password in an ASCII text file. This is useful for programmers of all levels to provide some security with regard to the FTP functionality of their programs. The method is easy and encapsulated enough to be understood and implemented in the form of a single function in any programming language while providing sufficient protection for most purposes where security is not the most critical issue. Keywords – FTP, login, encryption, algorithm, networking, programming
I. INTRODUCTION FTP or ‘file transfer protocol’ is a network protocol used to transfer files from one computer to another, typically over the Internet. FTP servers usually require login information such as a username and password. In order for third party computer programs which can automate FTP transfers to ‘remember’ this information, the login information needs to be stored somewhere in the computer for easy retrieval by the program. This can be in the program folder itself or somewhere else in the hard drive that is typically inconspicuous. In any case, the password to the FTP account which is in otherwise ASCII ‘clear text’ would be better protected if encrypted. ASCII is a widely-used character coding scheme used in most computers and short for the ‘American Standard Code for Information Interchange’. In other words, if someone were to find the file, inside would be garbled data that would be difficult for most people with ill intentions to decipher. The FTP account itself should provide another layer of security such that even if the login information were deciphered, access would be limited to a just a particular area of the server (e.g. a folder and its subfolders). Since there are many highly sophisticated methods of encryption, in this paper we propose a simple one that can be incorporated into any third party program. The advantage is that the encryption method can be modified easily to suit individual needs or just applied algorithmically as presented. Section 2 presents the algorithm and section 3 concludes with a summary and some direction for further work. II. THE ENCRYPTION ALGORITHM In order for the encryption algorithm to work, the hostname (e.g. myserver.ddns.net) or the IP address (e.g. 192.268.0.75) is needed. A hostname (formerly known as nodename) is useful when the server needs to be accessed from outside the LAN (local area network) such as when connecting from the office to the home, where the FTP server is located. Otherwise, the IP (Internet Protocol) address should suffice
for connections to the server within the home. In addition to these, the username and password is also needed. There is no minimum requirement with regard to the length of the password even though a long password (exceeding 10 characters) or a somewhat shorter one (e.g. 8 characters) that includes digits and/or a combination of lower and uppercase characters (and perhaps special characters such as ‘@’) is usually desirable. The reason for this is to minimize the chances of the password being discovered through brute-force testing of all possibilities. For example, a 6-character password which happens to be an English word in only lowercase characters can easily be discovered using a ‘dictionary’ attack or even a brute-force search of all the possibilities (266 = 308,915,776 combinations) on a standard personal computer. This might only take a few hours. There are, of course, other security measures that are usually inherent to FTP servers such as limiting the number of tries from the same location. Additionally, one needs to be careful not to reveal such a password to anyone such as in the case of a boss to his secretary since anyone (usually a hacker) can call her, pretend to be the boss or he can even trick her into revealing the information. Once the location of the FTP server (hostname or IP), the username and password are known, the encryption algorithm proposed can be used to return an encrypted version of the password that may be stored in an ASCII file. The remaining information, i.e. location and username may be stored in the same file unencrypted. The following pseudocode shows how the encryption and also decryption works. Function Simple_Encryption (the_string As String, crypto_key As String, mode As String) As String 'this function performs simple encryption on a string using another string (crypto_key) as the encryption key 'for example, the FTP server name is used as the crypto key to encrypt the FTP password 'it can also be used to decrypt a string (the encrypted string) by setting the mode to either "encrypt" or "decrypt" encrypted_string As String decrypted_string As String i As Integer alphabet_sum As Double shift As Integer
If mode = "encrypt" Then For i = 1 To Length(crypto_key) alphabet_sum = alphabet_sum + Asc(Mid(crypto_key, i, 1)) Next i 'first sum the ASCII value of the individual characters for the crypto_key
A. Iqbal, A Simple Encryption Method for FTP Passwords
13
electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
shift = alphabet_sum Mod Length(the_string) 'then mod that sum by the length of characters in the string to be encrypted to get the shift (other methods of doing so are also possible)
not a critical issue. So after typing 5 characters, the password in the input box would look like: *****goodbye. A simple method of doing so, in real-time as the password is being typed, is as follows. Private Sub Pword_Change()
For i = 1 To Length(the_string) encrypted_string = encrypted_string & Chr(Asc(Mid(the_string, i, 1)) + shift) 'the encrypted string with the characters shifted based on their ASCII code
'this turns the password entered into asterisks character by character, as the user is typing it in pwlength As Integer i As Integer masked_word As String
Next i Simple_Encryption = encrypted_string ‘this encrypted string is returned by the function Else
pwlength = Length(Pword.Text) For i = 1 To Length(Pword.Text) If Mid(Pword.Text, i, 1) "*" Then Real_PW = Real_PW & Mid(Pword.Text, i, 1)
'mode = "decrypt" (to get the original password back) For i = 1 To Length(crypto_key) alphabet_sum = alphabet_sum + Asc(Mid(crypto_key, i, 1)) Next i
'retains the actual password internally End If masked_word = "*" & masked_word Next i
shift = alphabet_sum Mod Length(the_string)
Pword.Text = masked_word
For i = 1 To Length(the_string) decrypted_string = decrypted_string & Chr(Asc(Mid(the_string, i, 1)) - shift) Next i
End Sub
Simple_Encryption = decrypted_string End If End Function
As an example, a call to this function which will return the encrypted password might look like the following: Simple_Encryption ("hellogoodbye", "myserver.ddns.net", "encrypt")
The first parameter is the password unencrypted, the second parameter the hostname and the third the mode (i.e. to encrypt or decrypt). The hostname, which we already know, serves as the ‘crypto key’ to generate the encrypted password. The particular example above results in the function returning “qnuuxpxxmk‚n”, which will be in the ASCII text file that the main program can read from. Should anyone find this file, they would have all the information necessary to access the FTP account except for the password; but only the program itself will contain the means for decrypting it back into “hellogoodbye”. The program, of course, should only access the FTP account in question for its own purposes; not the intruder’s. Examples of such purposes may include storing a copy of a game’s high scores thus far on an FTP server, or storing the results of some computer analysis done by the program on said FTP server. The program at first run would, of course, require the necessary information to be input by the developer in order to be able to henceforth access the FTP server. In cases where the user itself should enter the information one time, an input box such as shown in Fig. 1 may be used. The ‘overwrite’ option is to replace the existing FTP information (and encrypted password) in the ASCII file with new information. The password, as it is typed in the password field, should also be replaced with say, asterisks (*), so anyone who happens to be standing over the shoulder of the user would not be able to see and remember the password; though this is
Figure 1. A simple input box to obtain the FTP details.
The main advantages of this function include its simplicity and efficiency. In many applications where security is not the most critical issue (e.g. game high scores, backup media servers, anonymous usage statistics), this algorithm can be used to grant FTP access to software at reasonably low risk. A programmer therefore need not be a security or math expert to implement acceptable FTP or similar networking functionality into their programs to enhance its capabilities. A notable but not-so-serious limitation of the algorithm is that in shifting the characters to different ASCII values during the encryption process, it may be that the encrypted character exceeds the possible character set and results in an error. However, given most passwords, this seldom ever happens and can nonetheless be easily remedied by prompting the user for a different password or using a ‘cut-off’ method where if the character exceeds the character set, it and no further characters are encrypted but rather, stored ‘as is’. So the password would only be partially encrypted, which is also sufficient in many cases. III. CONCLUSION In this paper, we proposed a simple encryption algorithm for FTP login information that can be used in virtually any program for purposes where security is not the most critical issue. The method is simple enough to be implemented by
A. Iqbal, A Simple Encryption Method for FTP Passwords
14
electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
programmers with little to no knowledge about security and encryption such that they may enhance the functionality of their programs with networking capabilities. Even though the example of FTP password information was used, the algorithm itself may be expanded in terms of its complexity and for uses that have nothing to do with FTP servers or networking. However, there is plenty of literature in the field of data encryption and transmission that may already address these issues. These topics and computer security literature, in general, are nevertheless well beyond the scope of this short paper.
Our intention was only to provide an immediately applicable method of encryption that suffices for the ‘hands on’ programmer who is a security and encryption layman not interested in going into greater depth than necessary about these matters. ACKNOWLEDGMENT This work was sponsored, in part, by the Universiti Tenaga Nasional grant, J510050547.
A. Iqbal, A Simple Encryption Method for FTP Passwords
15
