ArticlePDF Available

A Simple Encryption Method for FTP Passwords

Authors:

Abstract and Figures

In this short article, we propose and explain a simple method that can be used to encrypt an FTP (file transfer protocol) server account password in an ASCII text file. This is useful for programmers of all levels to provide some security with regard to the FTP functionality of their programs. The method is easy and encapsulated enough to be understood and implemented in the form of a single function in any programming language while providing sufficient protection for most purposes where security is not the most critical issue.
Content may be subject to copyright.
electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
A. Iqbal, A Simple Encryption Method for FTP Passwords 13
A Simple Encryption Method for FTP Passwords
Azlan Iqbal
College of Information Technology, Universiti Tenaga Nasional, Putrajaya Campus,
Jalan IKRAM-UNITEN, 43000 Kajang, Selangor
e-mail: azlan@uniten.edu.my
AbstractIn this short article, we propose and explain a simple
method that can be used to encrypt an FTP (file transfer
protocol) server account password in an ASCII text file. This is
useful for programmers of all levels to provide some security
with regard to the FTP functionality of their programs. The
method is easy and encapsulated enough to be understood and
implemented in the form of a single function in any
programming language while providing sufficient protection
for most purposes where security is not the most critical issue.
Keywords FTP, login, encryption, algorithm, networking,
programming
I. INTRODUCTION
FTP or ‘file transfer protocol’ is a network protocol used to
transfer files from one computer to another, typically over the
Internet. FTP servers usually require login information such
as a username and password. In order for third party
computer programs which can automate FTP transfers to
‘remember’ this information, the login information needs to
be stored somewhere in the computer for easy retrieval by the
program. This can be in the program folder itself or
somewhere else in the hard drive that is typically
inconspicuous.
In any case, the password to the FTP account which is in
otherwise ASCII clear textwould be better protected if
encrypted. ASCII is a widely-used character coding scheme
used in most computers and short for the ‘American Standard
Code for Information Interchange’. In other words, if
someone were to find the file, inside would be garbled data
that would be difficult for most people with ill intentions to
decipher. The FTP account itself should provide another
layer of security such that even if the login information were
deciphered, access would be limited to a just a particular area
of the server (e.g. a folder and its subfolders).
Since there are many highly sophisticated methods of
encryption, in this paper we propose a simple one that can be
incorporated into any third party program. The advantage is
that the encryption method can be modified easily to suit
individual needs or just applied algorithmically as presented.
Section 2 presents the algorithm and section 3 concludes with
a summary and some direction for further work.
II. THE ENCRYPTION ALGORITHM
In order for the encryption algorithm to work, the hostname
(e.g. myserver.ddns.net) or the IP address (e.g. 192.268.0.75)
is needed. A hostname (formerly known as nodename) is
useful when the server needs to be accessed from outside the
LAN (local area network) such as when connecting from the
office to the home, where the FTP server is located.
Otherwise, the IP (Internet Protocol) address should suffice
for connections to the server within the home. In addition to
these, the username and password is also needed. There is no
minimum requirement with regard to the length of the
password even though a long password (exceeding 10
characters) or a somewhat shorter one (e.g. 8 characters) that
includes digits and/or a combination of lower and uppercase
characters (and perhaps special characters such as ‘@’) is
usually desirable.
The reason for this is to minimize the chances of the
password being discovered through brute-force testing of all
possibilities. For example, a 6-character password which
happens to be an English word in only lowercase characters
can easily be discovered using a ‘dictionary’ attack or even a
brute-force search of all the possibilities (266 = 308,915,776
combinations) on a standard personal computer. This might
only take a few hours. There are, of course, other security
measures that are usually inherent to FTP servers such as
limiting the number of tries from the same location.
Additionally, one needs to be careful not to reveal such a
password to anyone such as in the case of a boss to his
secretary since anyone (usually a hacker) can call her,
pretend to be the boss or he can even trick her into revealing
the information.
Once the location of the FTP server (hostname or IP), the
username and password are known, the encryption algorithm
proposed can be used to return an encrypted version of the
password that may be stored in an ASCII file. The remaining
information, i.e. location and username may be stored in the
same file unencrypted. The following pseudocode shows
how the encryption and also decryption works.
Function Simple_Encryption (the_string As String, crypto_key As
String, mode As String) As String
'this function performs simple encryption on a string using another
string (crypto_key) as the encryption key
'for example, the FTP server name is used as the crypto key to
encrypt the FTP password
'it can also be used to decrypt a string (the encrypted string) by setting
the mode to either "encrypt" or "decrypt"
encrypted_string As String
decrypted_string As String
i As Integer
alphabet_sum As Double
shift As Integer
If mode = "encrypt" Then
For i = 1 To Length(crypto_key)
alphabet_sum = alphabet_sum + Asc(Mid(crypto_key, i, 1))
Next i
'first sum the ASCII value of the individual characters for the
crypto_key
electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
A. Iqbal, A Simple Encryption Method for FTP Passwords 14
shift = alphabet_sum Mod Length(the_string)
'then mod that sum by the length of characters in the string to be
encrypted to get the shift (other methods of doing so are also
possible)
For i = 1 To Length(the_string)
encrypted_string = encrypted_string & Chr(Asc(Mid(the_string, i,
1)) + shift)
'the encrypted string with the characters shifted based on their ASCII
code
Next i
Simple_Encryption = encrypted_string
this encrypted string is returned by the function
Else
'mode = "decrypt" (to get the original password back)
For i = 1 To Length(crypto_key)
alphabet_sum = alphabet_sum + Asc(Mid(crypto_key, i, 1))
Next i
shift = alphabet_sum Mod Length(the_string)
For i = 1 To Length(the_string)
decrypted_string = decrypted_string & Chr(Asc(Mid(the_string, i,
1)) - shift)
Next i
Simple_Encryption = decrypted_string
End If
End Function
As an example, a call to this function which will return the
encrypted password might look like the following:
Simple_Encryption ("hellogoodbye", "myserver.ddns.net", "encrypt")
The first parameter is the password unencrypted, the second
parameter the hostname and the third the mode (i.e. to
encrypt or decrypt). The hostname, which we already know,
serves as the ‘crypto key’ to generate the encrypted
password. The particular example above results in the
function returning “qnuuxpxxmk‚n”, which will be in the
ASCII text file that the main program can read from. Should
anyone find this file, they would have all the information
necessary to access the FTP account except for the password;
but only the program itself will contain the means for
decrypting it back into “hellogoodbye”.
The program, of course, should only access the FTP
account in question for its own purposes; not the intruder’s.
Examples of such purposes may include storing a copy of a
game’s high scores thus far on an FTP server, or storing the
results of some computer analysis done by the program on
said FTP server. The program at first run would, of course,
require the necessary information to be input by the
developer in order to be able to henceforth access the FTP
server. In cases where the user itself should enter the
information one time, an input box such as shown in Fig. 1
may be used. The ‘overwrite’ option is to replace the existing
FTP information (and encrypted password) in the ASCII file
with new information.
The password, as it is typed in the password field, should
also be replaced with say, asterisks (*), so anyone who
happens to be standing over the shoulder of the user would
not be able to see and remember the password; though this is
not a critical issue. So after typing 5 characters, the password
in the input box would look like: *****goodbye. A simple
method of doing so, in real-time as the password is being
typed, is as follows.
Private Sub Pword_Change()
'this turns the password entered into asterisks character by character,
as the user is typing it in
pwlength As Integer
i As Integer
masked_word As String
pwlength = Length(Pword.Text)
For i = 1 To Length(Pword.Text)
If Mid(Pword.Text, i, 1) <> "*" Then
Real_PW = Real_PW & Mid(Pword.Text, i, 1)
'retains the actual password internally
End If
masked_word = "*" & masked_word
Next i
Pword.Text = masked_word
End Sub
Figure 1. A simple input box to obtain the FTP details.
The main advantages of this function include its simplicity
and efficiency. In many applications where security is not the
most critical issue (e.g. game high scores, backup media
servers, anonymous usage statistics), this algorithm can be
used to grant FTP access to software at reasonably low risk.
A programmer therefore need not be a security or math expert
to implement acceptable FTP or similar networking
functionality into their programs to enhance its capabilities.
A notable but not-so-serious limitation of the algorithm is
that in shifting the characters to different ASCII values
during the encryption process, it may be that the encrypted
character exceeds the possible character set and results in an
error. However, given most passwords, this seldom ever
happens and can nonetheless be easily remedied by
prompting the user for a different password or using a
‘cut-off’ method where if the character exceeds the character
set, it and no further characters are encrypted but rather,
stored ‘as is’. So the password would only be partially
encrypted, which is also sufficient in many cases.
III. CONCLUSION
In this paper, we proposed a simple encryption algorithm for
FTP login information that can be used in virtually any
program for purposes where security is not the most critical
issue. The method is simple enough to be implemented by
electronic Journal of Computer Science and Information Technology (eJCSIT), Vol. 5, No. 1, 2015
A. Iqbal, A Simple Encryption Method for FTP Passwords 15
programmers with little to no knowledge about security and
encryption such that they may enhance the functionality of
their programs with networking capabilities.
Even though the example of FTP password information
was used, the algorithm itself may be expanded in terms of its
complexity and for uses that have nothing to do with FTP
servers or networking. However, there is plenty of literature
in the field of data encryption and transmission that may
already address these issues. These topics and computer
security literature, in general, are nevertheless well beyond
the scope of this short paper.
Our intention was only to provide an immediately applicable
method of encryption that suffices for the ‘hands on’
programmer who is a security and encryption layman not
interested in going into greater depth than necessary about
these matters.
ACKNOWLEDGMENT
This work was sponsored, in part, by the Universiti Tenaga
Nasional grant, J510050547.
ResearchGate has not been able to resolve any citations for this publication.
ResearchGate has not been able to resolve any references for this publication.