[R] Obfuscate AES password
Luca Cerone
luca.cerone at gmail.com
Sun Apr 12 19:59:02 CEST 2015
Hi Jeff,
thanks, actually my question is how to do this in R, I don't think I am
being out of topic.
Other programming/scripting languages provide interfaces to the OS password
keyring that allows
users to encrypt files using the user master password, but I have no idea
how to do this in R.
Thanks again for your reply !
On Sun, Apr 12, 2015 at 5:33 PM, Jeff Newmiller <jdnewmil at dcn.davis.ca.us>
wrote:
> The topic of this list is R, not security. For the purposes of this
mailing list the user needs to take responsibility for the password. If you
want to take that responsibility (cache it) from the user then you need to
talk to experts on security so you can become one yourself.
>
> IMHO obfuscating a password is worse than leaving it plain, because that
would be misleading the user about how securely the password is being
managed.
>
---------------------------------------------------------------------------
> Jeff Newmiller The ..... ..... Go Live...
> DCN:<jdnewmil at dcn.davis.ca.us> Basics: ##.#. ##.#. Live Go...
> Live: OO#.. Dead: OO#.. Playing
> Research Engineer (Solar/Batteries O.O#. #.O#. with
> /Software/Embedded Controllers) .OO#. .OO#. rocks...1k
>
---------------------------------------------------------------------------
> Sent from my phone. Please excuse my brevity.
>
> On April 12, 2015 8:11:46 AM PDT, Luca Cerone <luca.cerone at gmail.com>
wrote:
>>Hi, I need some help with obfuscating AES key on Windows, Linux and
>>Mac.
>>I have asked the same question on stackoverflow, but since I didn't
>>receive any input
>>I have decided to post it here too. You can find my question at:
>>http://stackoverflow.com/questions/29580742/protect-aes-key-used-in-r-code
>>
>>The package I am writing interfaces R to various services we have
>>available in my company and some of these require to receive username
>>and password.
>>
>>I ask the credentials to the users during the installation, and save
>>them
>>in an encrypted using AES from the digest package and writeBin.
>>
>>This way users don't need to hardcode their credentials and we can
>>share the
>>code without issues.
>>
>>The problem is that the AES key is saved as plain text on the machine,
>>so that an intruder has access to the machine he can easily decrypt the
>>users
>>profile and get their credentials.
>>
>>What is the best way to protect the key, so that even if somebody gets
>>the encrypted file he can't decrypt it easily?
>>
>>Thanks a lot in advance for the help,
>>Cheers.
>>Luca
>>
>>______________________________________________
>>R-help at r-project.org mailing list -- To UNSUBSCRIBE and more, see
>>https://stat.ethz.ch/mailman/listinfo/r-help
>>PLEASE do read the posting guide
>>http://www.R-project.org/posting-guide.html
>>and provide commented, minimal, self-contained, reproducible code.
>
[[alternative HTML version deleted]]
More information about the R-help
mailing list