LabVIEW


Password protection, implementation issue

I want to distribute an application with some VIs protected by a password. There is no information available about the protection algorithm used. Can I trust the implementation? How does the security scale with the password length? Is only the block diagram protected, or is it encrypted?

Does anyone have any hint about the encryption behind this password protection feature?

Removing the block diagram is not an alternative, since it often prevents LabVIEW from "recompiling" the VI.
Message 1 of 6
Here is a link to the knowledge base that may help you.
If this doesn't, go to http://forums.lavausergroup.org/. I have seen some things in there that might help you.



Joe.
"NOTHING IS EVER EASY"
Message 2 of 6
Mexx;

In this scenario, because there is no specific documentation on how it is implemented, the trust you put in the password protection mechanism derives from the trust you have in National Instruments and its reputation. It is equivalent to the trust you have in LabVIEW - National Instruments is behind it.

That is OK. This is not the first nor the last time trust must be derived from another source. (Of course, we can all gain positive assurance if the protection mechanism can be examined by the community.)

This type of trust is also historically-based. It will be good to know if somebody had the bad experience of knowing that their source code was compromised because somebody was able to crack the password. Personally, I am not aware of that.

It is being argued that National Instruments can "recover" a password-protected VI. There may be legal issues involved in that and my understanding is that they won't do it. That is good news, which positively affects NI's reputation.

There are tools to crack VI passwords, but they are still limited. Check out my page at www.visecurity.com/links.shtml for this and more security-related links on LabVIEW. (If you or anybody knows of additional articles I can point to from my website, please e-mail me.)

Take special consideration in the length and composition of the password, and (if it applies) in how you are going to distribute the password. As a baseline, make sure it is longer than 6 characters.

Regards;
Enrique Vargas
www.visecurity.com
www.vartortech.com
Message 3 of 6
Mexx wrote:
> I want to distribute an application with some VIs protected by a
> password. There is no information available about the protection
> algorithm used. Can I trust the implementation? How does the security
> scale with the password length? Is only the block diagram protected, or
> is it encrypted?
>
> Does anyone have any hint about the encryption behind this password
> protection feature?

Well, take this with a grain of salt. I do NOT know how the password
protection is implemented. But I did look into it quite some time ago
and what I found out is:

1) LabVIEW seems to compute a digest hash of the password, the binary
block diagram, and/or some binary VI information in a way that saving
a VI again to disk does not change the actual digest code. The digest
algorithm used is probably one like SHA-1 or MD5. This digest is
saved inside the VI to disk as well.

2) The diagram is not encrypted. What is done is that whenever the
block diagram needs to be opened, the VI is checked for whether it is
password protected, and if that's the case the internal cache is checked
for all known passwords by applying them to the binary information, and
if no match is found you get the password dialog.

As the digest algorithm used is a one-way cipher algorithm and does
not allow to get the password back, except by brute force attacks, it
is a reasonable security approach. Tampering with the binary information
in the VI file is additionally secured, as removing that information
altogether will give you a password tampered error. And since the digest
is calculated from both the password and some binary data of the VI you
can't simply replace that digest data by some other digest data from
another VI for which you know the password, as this will give you the
password tampered error again.

NI having the LabVIEW source code of course can modify the source code
to not do the password check at all when opening the block diagram so
that is why they actually have a way of retrieving VIs with lost
passwords. The shipping version of LabVIEW up to and including LabVIEW
7.0 does, to my admittedly limited knowledge, not contain any secret ini
file setting or such to remove the password protection from VIs.

Of course there is no guarantee that information which is present can
not be retrieved, no matter how well you protect it. So if the secrecy
of your code is paramount to anything else, removing the block diagram
is really the only way of protecting it, but then that leaves the
internal leaks in a company which are often a bigger problem than
the possible cracks which might be trying to steal your code.

Rolf K
Message 4 of 6
I found there that NI will no longer help to unlock passwords. This means that in principle it is possible, and no strong cryptography could be behind the lock mechanism. It seems to be security by obscurity.
It is also mentioned that it is more than just a bit flip. Regrettably, there is nothing written about what's really behind the protection mechanism.

Nevertheless, thank you for this resource 🙂
Message 5 of 6
> I found there that NI will no longer help to unlock passwords. This
> means that in principle it is possible, and no strong cryptography
> could be behind the lock mechanism. It seems to be security by obscurity.
> It is also mentioned that it is more than just a bit flip.
> Regrettably, there is nothing written about what's really behind the
> protection mechanism.
>

I work on the development team, and Rolf's post is quite accurate. A
pretty standard one-way key is generated from various parts of the VI
and the password. The diagram isn't encrypted, partly because of the
time penalties involved, and partly because we originally thought it
would be important for us to be able to unlock VIs if employees left an
organization, etc. With a suitably small password, the password can be
cracked by sheer brute force guessing. If you go to eight digits or so
and not in the typical cracking dictionaries, your VI should be safe from
years of attempted cracks.

In short, it is sound and is quite hard to break.

Greg McKaskle
Message 6 of 6
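The scheme described in messages 4 and 6, modelled as an added example (not NI's code and not taken from any post in this thread): a one-way digest computed over both the password and the VI's binary data, an unencrypted body, a cache of known passwords tried before prompting, and the way the search space grows with password length. SHA-256, the dictionary layout, all function names and the guess rate are assumptions; in this model a transplanted digest simply fails to unlock rather than raising a distinct error.

```python
import hashlib
import hmac

def make_digest(password: str, vi_body: bytes) -> bytes:
    # One-way digest over the password AND the VI's binary data.
    # SHA-256 and the length-prefixed layout are assumptions for this model.
    pw = password.encode("utf-8")
    return hashlib.sha256(len(pw).to_bytes(4, "big") + pw + vi_body).digest()

def protect(password: str, vi_body: bytes) -> dict:
    # The body stays in the clear; only the digest is stored beside it.
    return {"protected": True, "body": vi_body,
            "digest": make_digest(password, vi_body)}

def try_open(vi: dict, cached_passwords: list) -> str:
    if not vi["protected"]:
        return "open"
    if not vi.get("digest"):
        return "tampered"          # protected flag set but digest stripped
    for pw in cached_passwords:    # try every password already known
        if hmac.compare_digest(make_digest(pw, vi["body"]), vi["digest"]):
            return "open"
    return "prompt"                # no cached password matches: ask the user

def keyspace(alphabet_size: int, length: int) -> int:
    # Exhaustive-search space for random passwords of exactly `length` symbols.
    # Dictionary words fall far sooner than this bound suggests.
    return alphabet_size ** length

def worst_case_years(alphabet_size, length, guesses_per_second):
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)

def demo() -> dict:
    # Constructed sample data: two toy "VI bodies" and passwords.
    vi_a = protect("known-pw", b"VI-A block diagram bytes")
    vi_b = protect("Secret-pw", b"VI-B block diagram bytes")
    transplanted = dict(vi_b, digest=vi_a["digest"])   # digest copied from VI A
    stripped = dict(vi_b, digest=None)
    return {
        "right_password": try_open(vi_b, ["Secret-pw"]),
        "wrong_password": try_open(vi_b, ["known-pw"]),
        "transplanted": try_open(transplanted, ["known-pw"]),
        "stripped": try_open(stripped, ["known-pw"]),
    }

if __name__ == "__main__":
    print(demo())
    for n in (4, 6, 8, 10):   # 62 symbols = letters and digits; rate is assumed
        print(n, f"{worst_case_years(62, n, 1e6):.3g} years at 1e6 guesses/s")
```

Each extra character multiplies the exhaustive-search work by the alphabet size, so going from 6 to 8 alphanumeric characters costs an attacker 3,844 times more guesses; the protection of the diagram itself rests entirely on the editor honouring the check, since the body is stored unencrypted.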