Page 1 of 1

Simple encryption algorhythm

Posted: Wed Jun 18, 2008 4:27 pm
by ricky92
I'm trying to encrypt some strings which will be passed from a PHP file to a JavaScript file, and vice versa. I coded the algorhythm in VB.Net, and both the functions to encode and to decode work well. I converted the decode function to JavaScript; everything went well too. Now I'm trying to convert the encode function to PHP... and I'm failing. The encrypted string, once decrypted, is somehow different, but not completely. Some letters are wrong, the others are right; sometimes the PHP script succedes to encrypt a string without problems. The VB.Net code is this:

Code: Select all

   Private hashes As String() = _
    {"vGn%$08@NfXJ&idD}p^9S1]>HL~3A4W7zK#(k.5!çleUb°6?YB=,2£;u:jr[", _
    ".WD$}Kg0CveH>RkMSYç8XE5h6<s&PT=An:*-tjLxq)iOp[G~#B°J,@?dm49%", _
    "tyDe}sm]@FX[9(.L{,IJCZ^WK-r~u)Nd6vUg_VT#n$hG51|?M\çY0Q°7kcB*", _
    ");\cqsaNFrd&ZB(*,KYyz]103QpD%l:|9E8xt§Ti-U@^J5mv7X!n}gbPA/_<", _
    "P_6R*lLzkp3o7%w|h1<!TEmrUB-tQWqn^AcIj)v£N[;\JiCçf.#xZaD=$y,@", _
    "lkqQe]{wXFf^GRC3,ga@=SY&U#:L£4$ZsçdH/P|u§xvIM~r.O%(A5-VJKo6!", _
    "lA-qYd.Mw<zGj){^>xJ[5S46°mXtrBvuEbs]f#cp_kD8yHi&2:VN03/ThçOF", _
    "£FgMZ4t0$/Rjx9nc@^h3LçdB°sCr7_JN§)y{K*5GD[Q]1H=!p?>;a&-#28EO", _
    "}bQ=2£-doKgz{Lc)Gj&5fY;I^V3n#PA/v~uS?ZxXBrtHs°T6:1!]DCmJk[@>", _
    "G6c5n7zOEZJ°o.%0wD]|=UyB@F)MPRt4>Y}8<!v/i:NVmKp;-kA\r*jh£_çe", _
    "iwY#$Q{tq_>Img\k]RM|p&nb)yfL4P/.Z,N9x~os-OAvrjW?ç6^BKJ%02;", _
    "0~KRoEu*>TiUxq°}D5geStO#^§sk6PCcYalAQz:2Np%w.(M=H8\3B19Zfj]-", _
    "$*;Yv!:£1Fm>Q§f5Z3lpgD].wM,LRezrUKu4=JkXt2TIqnVO%&}d8y~_{^E)", _
    ":i]WIb%n;E?m7Z2!Kg<,OVfU|TtePJF3LS9R=Gov)}khAsp.d_[#Xq54D0$^", _
    "S;3=!P)U~Dh-:jq°Xo%ramg£fsçvLON4GH?Y[JTx2\yz6Wuk@FlRw#,.$M^V", _
    "?3&iLwW(2Q°k]gzuUAIC4P.!0J8l%$@GNy={jVXZ<be/rM#-6£^,mv)a;ds*", _
    "X)?av*1x#@I.]EAWjPZw^i23,7CNyg°O5MrJfKQ<ko=_m!£p:;lLc$-%RBz~", _
    "T^(7zQ]U#DIRojL1&CJgh%qyp°f>:aw/WVe_b\AS5,!GZ3§ç042{<OE;l$k*", _
    "_1°7jG#=q%msbSOdVw@§T!H<ekJZ?£o)^(}&C$M*tWp/nx]l0:f5P>.~YB|-", _
    "jdJM_P}rc<{UT[,A]Q.omNevK|WVsçLB:>§t$yZ?kzDIRSu£g1b96325nli@", _
    "h5(Ywçf%8eQ°U-@,Ia0j|TtkD<n$6W:?/BS=#_*Ng1Fsmu^){L7HX§Zd\RM!"}
 
    Public Function Encode(ByVal str As String) As String
        Return _encode(Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(_encode(str))))
    End Function
 
    Private Function _encode(ByVal str As String) As String
        Dim hashNum As Integer = CInt(Rnd() * (hashes.Length - 1))
        Dim hash As String = hashes(hashNum)
 
        Dim buffer As String = String.Empty
        For i As Integer = 0 To str.Length - 1
            If hash.Contains(str(i)) Then
                Dim tmp As Integer = hash.Length - 1 - hash.IndexOf(str(i))
                buffer &= hash(tmp)
            Else
                buffer &= str(i)
            End If
        Next
        buffer &= String.Format("{0:00}", hashNum)
        Return buffer
    End Function
 
    Public Function Decode(ByVal str As String) As String
        Try
            Return _decode(System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(_decode(str))))
        Catch ex As Exception
            MessageBox.Show(ex.ToString, ex.Message, MessageBoxButtons.OK, MessageBoxIcon.Error)
        End Try
    End Function
 
    Private Function _decode(ByVal str As String) As String
        Dim hash As String = hashes(str.Substring(str.Length - 2))
        str = str.Substring(0, str.Length - 2)
        Dim buffer As String = String.Empty
        For i As Integer = 0 To str.Length - 1
            If hash.Contains(str(i)) Then
                Dim tmp As Integer = hash.Length - 1 - hash.IndexOf(str(i))
                buffer &= hash(tmp)
            Else
                buffer &= str(i)
            End If
        Next
        Return buffer
    End Function
And the PHP function to encode is:

Code: Select all

function encode($str)
{
    return _encode(base64_encode(_encode($str)));
}
 
function _encode($str)
{
    $hashes = array(
        'vGn%$08@NfXJ&idD}p^9S1]>HL~3A4W7zK#(k.5!çleUb°6?YB=,2£;u:jr[',
        '.WD$}Kg0CveH>RkMSYç8XE5h6<s&PT=An:*-tjLxq)iOp[G~#B°J,@?dm49%',
        'tyDe}sm]@FX[9(.L{,IJCZ^WK-r~u)Nd6vUg_VT#n$hG51|?MçY0Q°7kcB*',
        ');cqsaNFrd&ZB(*,KYyz]103QpD%l:|9E8xt§Ti-U@^J5mv7X!n}gbPA/_<',
        'P_6R*lLzkp3o7%w|h1<!TEmrUB-tQWqn^AcIj)v£N[;JiCçf.#xZaD=$y,@',
        'lkqQe]{wXFf^GRC3,ga@=SY&U#:L£4$ZsçdH/P|u§xvIM~r.O%(A5-VJKo6!',
        'lA-qYd.Mw<zGj){^>xJ[5S46°mXtrBvuEbs]f#cp_kD8yHi&2:VN03/ThçOF',
        '£FgMZ4t0$/Rjx9nc@^h3LçdB°sCr7_JN§)y{K*5GD[Q]1H=!p?>;a&-#28EO',
        '}bQ=2£-doKgz{Lc)Gj&5fY;I^V3n#PA/v~uS?ZxXBrtHs°T6:1!]DCmJk[@>',
        'G6c5n7zOEZJ°o.%0wD]|=UyB@F)MPRt4>Y}8<!v/i:NVmKp;-kA\r*jh£_çe',
        'iwY#$Q{tq_>Imgk]RM|p&nb)yfL4P/.Z<img src="images/smilies/biggrin.gif" border="0" alt="">,N9x~os-OAvrjW?ç6^BKJ%02;',
        '0~KRoEu*>TiUxq°}D5geStO#^§sk6PCcYalAQz:2Np%w.(M=H83B19Zfj]-',
        '$*;Yv!:£1Fm>Q§f5Z3lpgD].wM,LRezrUKu4=JkXt2TIqnVO%&}d8y~_{^E)',
        ':i]WIb%n;E?m7Z2!Kg<,OVfU|TtePJF3LS9R=Gov)}khAsp.d_[#Xq54D0$^',
        'S;3=!P)U~Dh-:jq°Xo%ramg£fsçvLON4GH?Y[JTx2yz6Wuk@FlRw#,.$M^V',
        '?3&iLwW(2Q°k]gzuUAIC4P.!0J8l%$@GNy={jVXZ<be/rM#-6£^,mv)a;ds*',
        'X)?av*1x#@I.]EAWjPZw^i23,7CNyg°O5MrJfKQ<ko=_m!£p:;lLc$-%RBz~',
        'T^(7zQ]U#DIRojL1&CJgh%qyp°f>:aw/WVe_bAS5,!GZ3§ç042{<OE;l$k*',
        '_1°7jG#=q%msbSOdVw@§T!H<ekJZ?£o)^(}&C$M*tWp/nx]l0:f5P>.~YB|-',
        'jdJM_P}rc<{UT[,A]Q.omNevK|WVsçLB:>§t$yZ?kzDIRSu£g1b96325nli@',
        'h5(Ywçf%8eQ°U-@,Ia0j|TtkD<n$6W:?/BS=#_*Ng1Fsmu^){L7HX§ZdRM!',
    );
 
    $hashIndex = mt_rand(0, sizeof($hashes) - 1);
    $hash = $hashes[$hashIndex];
 
    $buffer = '';
    for ($i = 0; $i < strlen($str); $i++)
    {
        $indx = strpos($hash, $str[$i]);
        //echo $hash[$indx].'<br />';
        if ($indx !== false)
        {
            $buffer.= $hash[strlen($hash) - 1 - $indx];
        }
        else
        {
            $buffer.= $str[$i];
        }
    }
    if (strlen(strval($hashIndex)) == 1)
    {
        $buffer.= "0$hashIndex";
    }
    else
    {
        $buffer.= "$hashIndex";
    }
    return $buffer;
}
Does anybody know what's wrong?

Re: Simple encryption algorhythm

Posted: Thu Jun 19, 2008 1:00 am
by Mordred
ricky92 wrote:Does anybody know what's wrong?
Yes, you are using homebrew encryption, one of the best and easiest ways to get it wrong.

Apart from that, from a diagonal glance at your source, this doesn't look right:

Code: Select all

$hashIndex = mt_rand(0, sizeof($hashes) - 1);

I guess the encryption and decryption pick different indices, because of the different (and unseeded) randoms.

Thirdly, you can't securely pass secret data to javascript (unless it will remain encrypted of course), as it runs on the user (attacker) machine, under his complete control. I strongly suggest you revise what you're doing.

Re: Simple encryption algorhythm

Posted: Thu Jun 19, 2008 3:58 am
by ricky92
Mordred wrote:
ricky92 wrote:Does anybody know what's wrong?
Yes, you are using homebrew encryption, one of the best and easiest ways to get it wrong.

Apart from that, from a diagonal glance at your source, this doesn't look right:

Code: Select all

$hashIndex = mt_rand(0, sizeof($hashes) - 1);

I guess the encryption and decryption pick different indices, because of the different (and unseeded) randoms.

Thirdly, you can't securely pass secret data to javascript (unless it will remain encrypted of course), as it runs on the user (attacker) machine, under his complete control. I strongly suggest you revise what you're doing.
I am appending the $hashIndex at the end of the string. And the problem is converting it: maybe there's something wrong with the hashes? Is there something I should escape or anything else?