
Hey

Name: 🐫 2018-02-12 4:49

I'm writing a new textboard that will revolutionize all textboards!

It is being written in the revolutionary programming language called Perl

This is what I have so far:


#!/usr/bin/perl
1;

Name: 🐫 2018-04-17 12:08

OK, I have this idea for the security in the site. What do you think?
It is just a small proof of concept, not the actual registration/identification procedure. So it is not an actual algorithm, OK?

03E0A0CF676F1EA031A265685A552A34AB293D1852562ACB4D264YY7A16H

* An access_key is created. It is both your username and password
* On registration, a random password is created (we make sure it is unique by concatenating a special timestamp)
* This random password is encrypted with your access key and used as a primary key in a table where your personal data is stored (encrypted)
* This encrypted random password is stored in the personal data table together with the hash and the actual encrypted data
* After validating the encrypted random password with the hash, we can get the user's personal info
* The user_access_key is used as the decryption key, but this time, the salt is a fixed salt taken from the website config.

Please be nice to me. I am just learning this stuff. Please give me your opinion.

#!/usr/bin/perl
use strict;

use Crypt::CBC;
use Crypt::PBKDF2;
use Crypt::URandom;
use Data::Dumper;

my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA1',
    iterations => 150000,
    output_len => 26
);

#-- This is how we create the key the user will get
my $partial_user_access_key = uc $pbkdf2->PBKDF2_hex(Crypt::URandom::urandom(32), Crypt::URandom::urandom(20));
my $code = '4YY7A1'; #-- This code is generated for the user as part of the registration process. This is sent by email, with no links whatsoever. You just have to type it to register, so I kept it short.
my $extra_salt = '6H'; #-- 2 random extra characters, different for every user
my $user_access_key = $partial_user_access_key.$code.$extra_salt;

print "User access key: $user_access_key\n";
my $salt = substr($user_access_key, -8); #-- Last 8 characters in the user_access_key are the salt
print "Salt: $salt\n";
#-- This user_access_key is a decryption key
$salt = Crypt::URandom::urandom(8); #-- Reassigned (this was a second "my $salt"): $cipher1 uses this random salt, not the one printed above
#-- Encrypt and decrypt. This will hide the actual password.
my $cipher1 = Crypt::CBC->new(
    -key    => $user_access_key,
    -cipher => 'Blowfish',
    -salt   => $salt
);
my $random_internal_password = Crypt::URandom::urandom(32).time; #-- By adding time we make sure it is unique (I have a way to make it unique beyond the level of the second. For simplicity I use only time here)
print "Random internal password generated. We will encrypt it with our user_access_key\n";
my $encrypted_internal_password = $cipher1->encrypt($random_internal_password);

#-- Since the encrypted_internal_password is unique we use it as an index
print "Store the encrypted internal password in a table as the index\n";

#-- We generate a hash from this internal password that is encrypted
my $hash = $pbkdf2->generate($encrypted_internal_password);
print "The hash is stored on the same row as the encrypted_internal_password\n";

if ($pbkdf2->validate($hash, $encrypted_internal_password)) {
    print "hash and encrypted_internal_password do match: access granted\n";
} else {
    exit(0);
}

my $site_salt = 'FR0GB0RD'; #-- 8 chars long string

my $user_id = 234;
my $user_email = 'supersecretemail@mail.com';
my $user_name = "NotSoAnonymous";

my $user_info = "$user_id\n$user_email\n$user_name";
my $cipher2 = Crypt::CBC->new(
    -key    => $user_access_key,
    -cipher => 'Blowfish',
    -salt   => $site_salt
);

my $encrypted_user_info = $cipher2->encrypt($user_info);

#-- The user personal info is encrypted. This time, the encryption key is a combination of
#-- the user_access_key, but the salt is taken from the frogboard's config.yml file

my @user_info = split /\n/, $cipher2->decrypt($encrypted_user_info);
print "===================\n";
print Dumper @user_info;
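
Added example, not part of the original post: what the fixed site salt in the last bullet means for the cipher's key and IV. It assumes Crypt::CBC's OpenSSL-compatible derivation (chained MD5 over passphrase plus 8-byte salt) and a 56-byte Blowfish key with an 8-byte IV; the function names are hypothetical, and it is written in Python so it runs without CPAN modules.

```python
import hashlib
import os

# Assumption: Blowfish under Crypt::CBC takes a 56-byte key and an 8-byte IV.
KEY_LEN, IV_LEN = 56, 8

# Values quoted in the post.
ACCESS_KEY = b"03E0A0CF676F1EA031A265685A552A34AB293D1852562ACB4D264YY7A16H"
SITE_SALT = b"FR0GB0RD"


def derive_key_iv(passphrase, salt):
    """Chained-MD5 derivation: D_i = MD5(D_{i-1} + passphrase + salt)."""
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    material, block = b"", b""
    while len(material) < KEY_LEN + IV_LEN:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]


def distinct_key_iv_pairs(passphrase, salts):
    """Count distinct (key, IV) pairs produced over a series of encryptions."""
    return len({derive_key_iv(passphrase, s) for s in salts})


def demo():
    """Three encryptions under one access key: fixed salt vs. fresh salts."""
    fixed = distinct_key_iv_pairs(ACCESS_KEY, [SITE_SALT] * 3)
    fresh = distinct_key_iv_pairs(ACCESS_KEY, [os.urandom(8) for _ in range(3)])
    return fixed, fresh


if __name__ == "__main__":
    fixed, fresh = demo()
    # With the fixed salt every encryption reuses one key and one IV, so in CBC
    # mode two records that start with the same plaintext block also start
    # with the same ciphertext block. A fresh salt per encryption avoids this.
    print("distinct (key, IV) pairs with fixed site salt:", fixed)
    print("distinct (key, IV) pairs with fresh salts:", fresh)
```
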
