Generate random numbers in script

I want to generate a random number through a script, and even if anyone reads the script, they won't be able to figure out what the random number is. Only the person who set up the script would know it.

something like this could work: random

the full thread is here:

If anyone can modify the code to spit out a precise number only I (the script author) would know and no one else, even those who try to read the script.

You've been down this road many times before.

Your script, by definition, would include the complete and unabridged method for generating this "secret" number. How would you conceal it? If the computer can decode it, so can they, no ifs or buts. You're not going to defeat this by being clever enough, the same way you can't change the value of pi by being clever enough.

The kind of security you want can be achieved by not letting their computer read it.

I understand what you're saying. But there's been quite a few things that I've read couldn't be done, but ended up being doable. They just required "being clever" enough, and having the excessive dedication time it takes to actually write something no one in their right mind would want to try to break unless given a massive monetary incentive to do so. And even then, you'd have to be in the mind of the coder to know what he's doing, especially if the script or code is large in size, void of comments, and not written in a way that makes it easily comprehended. But thanks for your input. Much appreciated.

I don't think you do. Have fun, though. I'm done here.

Perhaps what you are actually going for is to embed in a script a non-random, pre-determined number in an obfuscated manner? If so, that is doable. Otherwise, you are out of luck.

Regards,
Alister

If this is possible, I would be elated.

It's possible, but as Corona pointed out, it's not at all secure. The best that you can hope for is to deter a lazy and incompetent adversary, someone who doesn't want to think through the code and who doesn't know enough to enable tracing (set -x) on your script.

You can't even do this in C or assembly language. If the instructions are there, they can be decoded.

It would probably be much more constructive if you described what you're defending against.
Regards,
Alister

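To make Alister's point concrete, here is an added example (not code posted in the thread) of a script that "hides" a number behind a reversible transformation, together with a function that runs it under `set -x` and checks whether the trace exposes the value. The hidden constant, the octal-escape encoding and the +1 offset are all constructed for the illustration; the lesson is the defensive one already stated above: a value whose entire derivation lives in the script cannot be kept from anyone who can run it.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code. The "secret" 4243 is
# obfuscated as the octal-escaped string "4242" plus a fixed offset. Because
# the script itself must undo the obfuscation to use the number, the shell's
# own tracing (set -x) prints every intermediate value in clear text.

# Hypothetical obfuscated constant: printf with octal escapes yields "4242".
reveal_number() {
    decoded=$(printf '\064\062\064\062')   # constructed: expands to 4242
    echo $(( decoded + 1 ))                # the real "secret": 4243
}

# Run reveal_number in a traced subshell, capture only the trace (stderr)
# and report whether the final number shows up in it. Prints "yes" or "no".
trace_reveals_number() {
    trace=$( (set -x; reveal_number) 2>&1 >/dev/null )
    case "$trace" in
        *4243*) echo yes ;;
        *)      echo no  ;;
    esac
}

# Stand-alone run: show the number and what a trace of the script exposes.
printf 'script output: %s\n' "$(reveal_number)"
printf 'trace exposes the number: %s\n' "$(trace_reveals_number)"
```

Any extra layer (base64, XOR with a constant, a second script that decrypts the first) only adds lines to the same trace, because each layer is undone by commands the shell executes and therefore prints.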

Thank you. To Mr. Corona, I apologize if my post was offensive. My intent was to merely point out that I've been through enough impossible situations to know things can be possible if only thought of in a slightly different way. That's all.

And Mr. Alister, thank you for your insight. Much appreciated!

How can you produce a random number and then know it, even as the script writer?
Anyhow - you may consider a different approach: Use a pass phrase that only you know and compute its checksum; use that as your number.
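The pass-phrase approach above is the one design in this thread where the script genuinely contains no secret, so here is an added example of it (not code from the thread). The script derives a fixed number from a phrase typed at run time: reading the script, or tracing it before the phrase is entered, reveals only the method. The function names, the SHA-256 digest (with the POSIX `cksum` CRC as a fallback) and the default modulus of 1000000 are all my choices, not the poster's; the number is only as hard to guess as the phrase, so a short phrase from a word list offers no protection.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code. Derives a fixed
# number from a pass phrase supplied on stdin; no secret is stored anywhere
# in the script.

# Print a hex digest of stdin using whichever SHA-256 tool is installed.
# Falls back to the POSIX cksum CRC (rendered as hex) if neither exists;
# the CRC path is weaker but keeps the script runnable on any POSIX system.
digest_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -c1-64
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -c1-64
    else
        crc=$(cksum | cut -d' ' -f1)      # cksum prints "<crc> <byte count>"
        printf '%08x\n' "$crc"
    fi
}

# Read the phrase from stdin and reduce its digest to a number in
# [0, modulus). Only the first 8 hex digits are used so that the arithmetic
# fits in 32 bits on every POSIX sh. Same phrase -> same number, always.
number_from_phrase() {
    modulus=${1:-1000000}
    hex=$(digest_hex | cut -c1-8)
    echo $(( 0x$hex % modulus ))
}

# Interactive use: `sh derive_number.sh --prompt` on a terminal. The phrase
# is read with echo off and never appears on the command line, so neither
# ps nor set -x can show it before it has been typed.
if [ "${1:-}" = "--prompt" ] && [ -t 0 ]; then
    printf 'Pass phrase: ' >&2
    stty -echo
    read -r phrase
    stty echo
    printf '\n' >&2
    printf '%s' "$phrase" | number_from_phrase
fi
```

The phrase is hashed rather than stored: even someone who watches the script run as root learns the number only for the session in which the owner typed the phrase, and the script on disk stays useless on its own.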

There are ways that would work, but you haven't wanted them. You're doing the opposite of what you think, clinging to one notion, not being creative.

Running them on a system you control and they don't; that would keep it safe.

Denying them access to the file, only allowing it to be run through sudo. That would keep it safe from anything but root.

Encrypting it with an ssl key, so it could only be run with a password, that would keep it safe from anyone that didn't know the password. (But not from anyone that did.) Note that they don't necessarily have to be the ones to punch in the password; you could type the password into ssh-agent, to keep it around for multiple later uses. Or the program could keep itself resident after being run once. Still difficult to perfectly protect from root but conceptually a lot harder to break.

Some sort of hardware-based crypto where the processor itself doesn't have access to the program, would also work.

But having a program containing its own instructions and key for decrypting itself into plaintext running itself on an 'enemy' machine cannot be made secure.


This could work! Thank you!

---------- Post updated at 06:24 PM ---------- Previous update was at 06:19 PM ----------

Thank you very much. When I asked the question, I was only going off my limited knowledge on this. And I'm very open to any ideas, as you put forth, that may be available.

The people who will be running the code will mostly have root access. So that kinda limits the options of things I can do. I'm very curious about what you said here:

"Some sort of hardware-based crypto where the processor itself doesn't have access to the program, would also work."

I will look into that. Thanks again!!!

Basically means installing a gadget in their computer to run the program instead of running it natively. A black box they can't dissect -- unlike code running on their machine, which they can dissect at their leisure. Probably not what you had in mind.

Perhaps insulating it inside a virtual machine instead of a physical one, as well.

And what's to stop them from watching the script as it extracts this obfuscated number from itself? You can't stop root from being root.

If all you want is a random number for use in a shell script, both ksh and bash will give you a "random" number whenever you expand $RANDOM.

But, as has already been stated several times, trying to obfuscate a shell script by encrypting it and decrypting it when it is executed won't fool anyone who is willing to spend a little time to figure out how it works.
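Since `$RANDOM` comes up above, one caveat a practitioner would want: in bash and ksh it is a 15-bit value (0 to 32767) from a seedable, non-cryptographic generator, fine for picking a temporary file name but not for anything an adversary must be unable to guess. The following added example (not code from the thread) shows the alternative that works in plain POSIX sh: reading the kernel's CSPRNG through `/dev/urandom` with `od(1)`, and reducing it to a range without the modulo bias a naive `% n` would introduce. The function names are my own; `/dev/urandom` and the 32-bit read size are assumptions about the platform.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code. Contrasts the
# shell's $RANDOM with an unpredictable number from /dev/urandom.

# Print one unsigned 32-bit integer read from the kernel CSPRNG.
urandom_u32() {
    od -An -N4 -tu4 /dev/urandom | tr -d ' '
}

# Print a uniformly distributed integer in [0, n). Values at or above the
# largest multiple of n below 2^32 are rejected and redrawn, so that an n
# which does not divide 2^32 does not skew the low results upward.
secure_random_below() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))
    while :; do
        r=$(urandom_u32)
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % n ))
            return 0
        fi
    done
}

# Stand-alone run: $RANDOM exists only in bash/ksh, so guard its use.
if [ -n "${BASH_VERSION:-}" ]; then
    printf 'bash $RANDOM (0..32767, predictable PRNG): %s\n' "$RANDOM"
fi
printf 'CSPRNG value below 1000000: %s\n' "$(secure_random_below 1000000)"
```

Use `secure_random_below` for anything like a one-time token or a nonce; keep `$RANDOM` for choices where predictability does not matter. Neither, of course, produces a number that the script author "knows" in advance, which is the distinction the thread keeps returning to.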