[R] Obfuscate AES password

Jeff Newmiller jdnewmil at dcn.davis.CA.us
Sun Apr 12 17:33:14 CEST 2015


The topic of this list is R, not security. For the purposes of this mailing list the user needs to take responsibility for the password. If you want to take that responsibility (cache it) from the user then you need to talk to experts on security so you can become one yourself.

IMHO obfuscating a password is worse than leaving it plain, because that would be misleading the user about how securely the password is being managed.
---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil at dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...1k
--------------------------------------------------------------------------- 
Sent from my phone. Please excuse my brevity.

On April 12, 2015 8:11:46 AM PDT, Luca Cerone <luca.cerone at gmail.com> wrote:
>Hi, I need some help with obfuscating AES key on Windows, Linux and
>Mac.
>I have asked the same question on stackoverflow, but since I didn't
>receive any input
>I have decided to post it here too. You can find my question at:
>http://stackoverflow.com/questions/29580742/protect-aes-key-used-in-r-code
>
>The package I am writing interfaces R to various services we have
>available in my company and some of these require to receive username
>and password.
>
>I ask the credentials to the users during the installation, and save
>them
>in an encrypted using AES from the digest package and writeBin.
>
>This way users don't need to hardcode their credentials and we can
>share the
>code without issues.
>
>The problem is that the AES key is saved as plain text on the machine,
>so that an intruder has access to the machine he can easily decrypt the
>users
>profile and get their credentials.
>
>What is the best way to protect the key, so that even if somebody gets
>the encrypted file he can't decrypt it easily?
>
>Thanks a lot in advance for the help,
>Cheers.
>Luca
>
>______________________________________________
>R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>https://stat.ethz.ch/mailman/listinfo/r-help
>PLEASE do read the posting guide
>http://www.R-project.org/posting-guide.html
>and provide commented, minimal, self-contained, reproducible code.



More information about the R-help mailing list