Generic encryption for AppleScripters

Here is something I’ve thrown together:


on ShellEncryption(str, passwd, doEncode, isBase64)

	--	echo 'plain text' | openssl enc -bf -pass pass:'my password' -salt -e
	--	echo 'coded text' | openssl enc -bf -pass pass:'my password' -salt -d

	--	The "echo" command apparently places its argument
	--	into something called "standard input." The vertical
	--	slash, ("pipe"), sends the standard input to the
	--	next command
	--
	set src to "echo " & str's quoted form & " | "

	--	"openssl" is a command line tool for implementing a
	--	number of security operations. The "enc" indicates
	--	that we want the encryption function of openssl.
	--
	set src to src & "openssl enc "

	--	"enc" is followed by the encryption method to use.
	--
	--	The "man" says, "A beginner is advised to just use a
	--	strong block cipher in CBC mode such as bf or des3."
	--
	--	"bf" indicates the Blowfish algorithm in CBC mode.
	--
	set src to src & "-bf "

	--	Apparently, there are these "utilities" that can read
	--	everything that happens in the command line, (Unix 'ps'
	--	being an example). This makes the following method of
	--	indicating the password insecure, (for people who are
	--	running strange things with names like 'ps').
	--
	set src to src & "-pass pass:" & passwd's quoted form & " "

	--	The "man" says "ALWAYS use -salt", whatever the heck it is.
	--
	set src to src & "-salt "

	--	Encrypt or decrypt:
	--
	if (doEncode) then

		set src to src & "-e " -- actually, it's the default
	else
		set src to src & "-d "

	end if

	--	For encryption, we're indicating if the result should be
	--	returned in Base64 encoding. For decryption, we're
	--	indicating if the encrypted string is in Base64, ie: it
	--	needs to be decoded before it can be decrypted.
	--
	if (isBase64) then set src to src & "-a"

	return do shell script src

end ShellEncryption

I was wondering if someone could explain to me about the password. The man page for enc(1) says that Blowfish takes a 128 bit key (16 bytes), by which I understood it to mean the password. Resources I found on the Internet indicate that Blowfish can use a key from 32 to 448 bits, (4 to 56 bytes). As it turns out, however, the command works without fail or complaint no matter what length password I use, including an empty string:

echo 'hello' | openssl enc -bf -pass pass:'' -salt -e | openssl enc -bf -pass pass:'' -salt -d

Why are the various pieces of documentation I’ve found not consistent with one another, and why would an encryption tool allow an empty password?

My ultimate goal would be a user-friendly AppleScript library implementing these 5 basic handlers:


EncryptText( theText, thePassword, useBase64 )
DecryptText( theText, thePassword, useBase64 )
EncryptFile( fileAlias, newFilePath, thePassword, useBase64 )
DecryptFile( fileAlias, newFilePath, thePassword, useBase64 )
FingerprintText( theText ) --> MD5 message digest

Before doing so, however, I want to be sure I understand the security issues involved. I’m not looking for something strong enough to keep out the NSA, but just a “reasonably secure” system for basic “good enough” encryption. The problem with the openssl command is that it has a million options, and despite the fact that “man” stands for “manual,” man has never satisfactorily explained anything to me.

Is it a requirement for you to use stuff that’s built-in to OS X? I wrote a droplet script which takes files or folders and encrypts them but it requires that you have GPG installed. GPG provides lots of command line stuff for handling input and output of files which makes it very scriptable.

I have one version using tar to bundle the contents before security encryption and another version using hfstar (another thing to install separately). The tar version is good for cross-platform use (the original purpose of my script) but the hfstar version is good for handling all kinds of Mac-specific stuff. Would those sorts of issues of cross-platform vs. Mac legacy support be of concern to you as well?

Key length refers to the bits (1’s and 0’s) of the encryption key used in the encryption algorithm.

A salt is random bits used in key generation to hash the password, etc. iirc.

The Blowfish algorithm is reasonably secure, but I’d go with something a little stronger, like 128bit AES, or 1024+bit RSA. But it’s up to you.
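Added example (not part of the thread and not any poster's code): a Python sketch of the `Salted__` header that `openssl enc -salt` writes and of the one-pass MD5 derivation (EVP_BytesToKey) that OpenSSL releases of that era applied to the `-pass` string, which is why a password of any length, including an empty one, still yields a 16-byte Blowfish key and an 8-byte IV. The sample blob and the helper names are constructed for illustration.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # 8-byte header that `openssl enc -salt` puts before the salt


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """Derive (key, iv) as OpenSSL's EVP_BytesToKey does with one iteration.

    D1 = H(password + salt), Dn = H(Dn-1 + password + salt); the blocks are
    concatenated until there are key_len + iv_len bytes.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted(blob, is_base64=False):
    """Split `openssl enc -salt` output into (salt, ciphertext)."""
    if is_base64:  # the -a switch
        blob = base64.b64decode(blob)
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("no Salted__ header")
    return blob[8:16], blob[16:]


def derive_for_bf_cbc(password, blob, is_base64=False):
    """Key and IV that `enc -bf` would use: 16-byte key, 8-byte IV."""
    salt, _ = split_salted(blob, is_base64)
    return evp_bytes_to_key(password.encode(), salt, 16, 8)


if __name__ == "__main__":
    # Constructed sample: header + made-up salt + 8 placeholder ciphertext bytes.
    sample = MAGIC + bytes(range(8)) + b"\x00" * 8
    for pw in ("", "x", "my password", "p" * 100):
        key, iv = derive_for_bf_cbc(pw, sample)
        print(f"{len(pw):3d}-char password -> key {key.hex()} iv {iv.hex()}")
```

OpenSSL 1.1.0 and later use SHA-256 instead of MD5 for this derivation (pass `digest="sha256"`), and 1.1.1 added the `-pbkdf2` option as a stronger alternative.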

Did you ever come up with a library that includes encryption & decryption? I could use even a low grade one right now. Thanks.

Oh, hi. :slight_smile:

Sorry, I haven’t logged into this site in a really long time. Yes, I did come up with just such a library. What I don’t understand is why the library is currently attributed to someone called “Trash Man”???

http://bbs.applescript.net/viewtopic.php?id=11428

Trash Man is a generic name for members’ accounts that were screwed up when MacScripter and this bbs made the transition to a new engine last year. It is also used when members’ details (like their real name or email address) don’t check out, often because the listed email address bounces.

You really should try and keep in touch a little more often, Mr Knapp. :wink:

Good to see you, Arthur! :smiley:

Hiya, kai! :slight_smile:

I’m just here for the free tacos…oh, wrong place. :wink:

You wouldn’t say that if you’d seen the same photographs I have! :o

Just kiddin’. It’s good to know you’re still out there somewhere, Admiral! :smiley:

:lol::lol::lol:

I’m sure there’s a perfectly good explanation for those, Mr G. :stuck_out_tongue:

Look who’s talking! :slight_smile:

Deivy Petrescu once showed me a guy in this penguin suit… :wink: I am so tempted to post a link to the David Shaw-Parker site.

Good to hear from you, Nigel. :slight_smile:

– Arthur