
Encryption Challenge!

Posted: Sun Aug 24, 2008 3:13 pm
by Parody
There are no prizes, just the honour of winning, but give it a shot.

I have written a function in php that encrypts a string with a key and then another which decrypts the encrypted string with a key. I would like to test their strength and so I thought the best place to start would be here :D

To try out the encryption using a basic example: http://www.fusioncloud.com/encryptionchallenge.php

The challenge:

I have encrypted the string: "DevNetwork" (without speech marks) with a password and the encrypted output is: "&HDyfq3XaU" (without speech marks)
  • The functions were written from scratch and the process is unique, researching existing methods won't help (in my opinion).
  • The reason for the reduced character list is that the functions were for my own use and the strings being used could only contain those characters.
  • The password is randomly generated and so you can't use a dictionary.
  • Don't bombard my site with automatic requests; the challenge is to work it out, not to force it open.
If no one gets the answer by Thursday the 28th of August 2008 then I'll post the password here.

Also, I would like some advice on what people do to secure their distributed scripts so that others cannot copy the source code you have distributed, but still use the scripts. If anyone can recommend a FREE tool that does this or give me some tips on how this can be achieved I'd be very grateful. If I manage to secure the code I'll release these functions.

This is intended as a light-hearted bit of fun; if you don't approve then don't take part.

Good luck to all who attempt the challenge. :D

Re: Encryption Challenge!

Posted: Sun Aug 24, 2008 3:39 pm
by Parody
Could you please post a quick message here if you are attempting this challenge so I know if people are doing it or not?

Thanks :D

Re: Encryption Challenge!

Posted: Sun Aug 24, 2008 3:41 pm
by onion2k
The only valid way to see if there's a weakness in the method of encryption is to share the code. All this test would be is a test of the password strength, not the encryption strength. I could easily write some 'encryption' code that would be virtually impossible to break without seeing the code, but utterly trivial if you can ... similarly your system here might stand up to guesswork but anyone who has access to the code might be able to find a way around the encryption and decrypt anything protected by it without using the password if there's a mistake in there anywhere.

Encryption is one area of computing where a closed source test is completely invalid.

Re: Encryption Challenge!

Posted: Sun Aug 24, 2008 4:11 pm
by Parody
Ok, I see your point. If the code was closed source then the string would be uncrackable as the process would be anyone's guess and I wouldn't have a problem. Seems like ultimate security.

I don't see how without knowing what the string or password is (which would be what you would be trying to find and so you would not be given) how you could work out what the encrypted string was. Even if you used brute force you would have to know what you were looking for. Only by knowing one could you discover the other.

Am I missing something or is this right and I have nothing to worry about? The reason for asking about securing code is so that I could write a code like this which would not present a possible security flaw as the process would not be known.

Re: Encryption Challenge!

Posted: Sun Aug 24, 2008 5:34 pm
by omniuni
I will also mention that you are apparently using some sort of filter or cypher.

By nature, it can be decrypted, though I don't have the time to investigate thoroughly. An interesting "bug" in your encryption is seen when you encrypt a with c, and c with a - the encrypted result is the same!

I can also tell you're using some kind of reversal; if you encrypt any string with the same string backwards, you get a palindrome.

Also, you are applying the key in sequence, somehow. If you encrypt abcabc with cbacba, you get two palindromes.

Although I do not have time to fully decrypt anything, I believe your encryption is rather weak. Also, you are asking us to find a password; what good is this? The idea of encryption is that it should not be decrypted.

Instead, give us something like this if you want to test the strength of your encryption:

I have encrypted a string with the key "dev" and the output is "Wu0CHXiH#8IF>KsFg0ND" What was the original message?

Re: Encryption Challenge!

Posted: Sun Aug 24, 2008 6:09 pm
by Parody
I've just changed the process.

Encrypting abcabc with cbacba now returns d2GiGK

The two capital Gs are a coincidence.

The case in which a with c is n and c with a is n is not a problem. The original character could be any one of 68 characters depending upon the key.

Could you please give me some more feedback so I can further secure it?

Thanks

PS. The string was "Encryption Challenge", just used the decrypt function. The process has changed since you encrypted it though.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 2:29 am
by onion2k
Parody wrote:Could you please give me some more feedback so I can further secure it?
No feedback you get here will really help you make it more secure. There could be a flaw in the implementation that makes any string crackable without the password. The only way you'll know that is if someone who has access to the code spots the problem. If you keep it closed source then I hope you are good enough to see all the problems. If someone is fortunate enough to guess the flaw then all your security will fall apart, and there'll be nothing you can do about it if they don't tell you what they've found. Essentially you'll have no security. And trust me, people will try to find any flaws if what you secure is worth taking.

Closed source security is a bad idea for exactly that reason.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 4:24 am
by Parody
But how could anyone discover either the password or original text "DevNetwork" from a string such as "&HDyfq3XaU" without knowing the password or the string? All they could intercept would be the jumble of letters. If they knew the string they wouldn't need to crack it and if they knew the password then they would use the proper channels to access the data. As long as the script is closed then it would be near impossible. If not then my original challenge still stands.

Also, how could I encode the php source code so that I can distribute it without people viewing the source code? I understand there are retail systems, but are there any free / open source equivalents?

Thanks

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 4:39 am
by Apollo
Parody wrote:But how could anyone discover either the password or original text "DevNetwork" from a string such as "&HDyfq3XaU" without knowing the password or the string? All they could intercept would be the jumble of letters. If they knew the string they wouldn't need to crack it and if they knew the password then they would use the proper channels to access the data. As long as the script is closed then it would be near impossible. If not then my original challenge still stands.
I still think there are some weaknesses in your encryption, that will likely make it much easier to crack.

For example: when comparing two encrypted strings, one normal and one with some chars added or removed at the beginning or end of the original string, the rest of the encrypted string stays the same.
E.g. when I encrypt "ABCDEFG" using key "xyz", and then add "H" to the original, "I", etc, the encrypted string expands with one new character each time, but the rest is the same. This makes it easier to break down the decryption to individual chars.

Furthermore, when using repetitive chars in the original string and a short key, e.g. encrypting "AAAAABBBBBCCCCC" with key "xy", the pattern is obvious. This seems another indication that an attack may be performed on separate chars.

Also here's something strange: When I encrypt "ABC" using key "ABCDE", the encrypted result is "f", and same when I encrypt "ABCD" or "ABCDE"??
Parody wrote:Also, how could I encode the php source code so that I can distribute it without people viewing the source code? I understand there are retail systems, but are there any free / open source equivalents?
Try FOPO

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 5:13 am
by Mordred
Bruce Schneier wrote:Anyone, no matter how unskilled, can design an algorithm that he himself cannot break.
http://www.schneier.com/essay-188.html
'Nuff said.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 5:57 am
by onion2k
Parody wrote:As long as the script is closed then it would be near impossible.
No. That's not what I'm saying. You're relying on obscurity for protection. Anyone who's even taken a tiny interest in cryptography will know that obscurity is no protection at all.

If you want to know that the code is secure and the encryption system doesn't have weaknesses then you need people to try and break an encrypted string even when they have the source code. If you can release the code, and an encrypted text, without telling anyone the password, and it still stands up to cracking attempts then I'll agree that it's strong. Until then though I am never going to trust it, and nor will anyone else who's sensible about security.

To be completely honest, whenever I see a closed source encryption system I wonder if the developer knows there are problems with it and that's why they won't release the code.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 6:39 am
by Parody
Mordred: My question is that if the system is closed and the output is all that could be intercepted how could the encryption be cracked? Surely there would be nowhere to start. The article you referred to states that the cryptanalysts were working on breaking the encryption, it does not state whether they had the code which produced the code or could just use it like in this case.

Also: A brute force script wouldn't know what it was looking for if the output of using an incorrect key is just another jumble, right?

Updates
  • The process now no longer has the flaw of simply adding a new character to the existing encrypted string if the original has another character added.
  • Encoding a single character with another single character now no longer produces the same output as the reversing of the two characters.
Even if it was open source the output of the encryption would still be secure as you would neither know the password used or the original string.

I'll look over the functions some more and release the source later today if I think it is sufficiently secure for my use.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 6:51 am
by onion2k
Parody wrote:Even if it was open source the output of the encryption would still be secure as you would neither know the password used or the original string.
You aren't in a position to say that. You wrote the code, you won't be able to spot the flaws in it. I'm saying there may be a problem with the logic you're using.
Parody wrote:I'll look over the functions some more and release the source later today if I think it is sufficiently secure for my use.
Why not release the code, let loads of people look at it, and then decide if it's secure when you've had the benefit of more input?

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 7:28 am
by Mordred
Parody wrote:Mordred: My question is that if the system is closed and the output is all that could be intercepted how could the encryption be cracked? Surely there would be nowhere to start.
(...)
Also: A brute force script wouldn't know what it was looking for if the output of using an incorrect key is just another jumble, right?
(...)
Even if it was open source the output of the encryption would still be secure as you would neither know the password used or the original string.
All wrong.
1. Cryptanalysis techniques do exist, even if you know nothing about them ;) Start here: http://en.wikipedia.org/wiki/Cryptanalysis
2. No, the plaintext can have properties which are easy to check for. There are also analytic methods to check if it's English text, etc.
3. You assume that your algorithm is secure, which may (*ahem*) not be true. It's the correct goal though.

Re: Encryption Challenge!

Posted: Mon Aug 25, 2008 7:40 am
by Parody
I see your point. I was going from the logic that if the letters are differed by the key which is entered the only way to retrieve the original message is with the key. I do not see how unless you knew the password you could retrieve the plain text, therefore it works as intended.

Here is the source code for the whole page. Remember my logic, I'm not an expert cryptanalyst, I was just trying to ensure the data I was sending was secure enough. Point out holes, but don't flame.

Code:

 
 
Valid characters: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890&#;>< and SPACE( )
<br /><br />
<form action="encryptionchallenge.php" method="post">
Text <input name="text" type="text" value="<?php if(isset($_POST['text'])){echo(htmlspecialchars($_POST['text'], ENT_QUOTES));} else {echo("String to convert");} ?>" size="30" maxlength="30" />
<br /><br />
Key <input name="key" type="text" value="<?php if(isset($_POST['key'])){echo(htmlspecialchars($_POST['key'], ENT_QUOTES));} else {echo("Key to use");} ?>" size="30" maxlength="30" />
<br /><br />
<input name="encrypt" type="submit" value="Encrypt" />
</form>
 
<?php

// Returns true when $string contains only characters from the 68-character alphabet.
// preg_match() replaces ereg(), which was removed in PHP 7.
function checkstring($string){
return !preg_match('/[^A-Za-z0-9&#;>< ]/', $string);
}
 
function fusionencrypt($string,$key){
if(!checkstring($_POST['text'])){return "Invalid characters present in string";} else{
if(!checkstring($_POST['key'])){return "Invalid characters present in key";} else{
$key=md5($key);
$numofchars=68;
$numbers['A']=1;
$numbers['a']=2;
$numbers['B']=3;
$numbers['b']=4;
$numbers['C']=5;
$numbers['c']=6;
$numbers['D']=7;
$numbers['d']=8;
$numbers['E']=9;
$numbers['e']=10;
$numbers['F']=11;
$numbers['f']=12;
$numbers['G']=13;
$numbers['g']=14;
$numbers['H']=15;
$numbers['h']=16;
$numbers['I']=17;
$numbers['i']=18;
$numbers['J']=19;
$numbers['j']=20;
$numbers['K']=21;
$numbers['k']=22;
$numbers['L']=23;
$numbers['l']=24;
$numbers['M']=25;
$numbers['m']=26;
$numbers['N']=27;
$numbers['n']=28;
$numbers['O']=29;
$numbers['o']=30;
$numbers['P']=31;
$numbers['p']=32;
$numbers['Q']=33;
$numbers['q']=34;
$numbers['R']=35;
$numbers['r']=36;
$numbers['S']=37;
$numbers['s']=38;
$numbers['T']=39;
$numbers['t']=40;
$numbers['U']=41;
$numbers['u']=42;
$numbers['V']=43;
$numbers['v']=44;
$numbers['W']=45;
$numbers['w']=46;
$numbers['X']=47;
$numbers['x']=48;
$numbers['Y']=49;
$numbers['y']=50;
$numbers['Z']=51;
$numbers['z']=52;
$numbers['0']=53;
$numbers['1']=54;
$numbers['2']=55;
$numbers['3']=56;
$numbers['4']=57;
$numbers['5']=58;
$numbers['6']=59;
$numbers['7']=60;
$numbers['8']=61;
$numbers['9']=62;
$numbers['&']=63;
$numbers['#']=64;
$numbers[';']=65;
$numbers[' ']=66;
$numbers['>']=67;
$numbers['<']=68;
 
 
$letters["1"]="A";
$letters["2"]="a";
$letters["3"]="B";
$letters["4"]="b";
$letters["5"]="C";
$letters["6"]="c";
$letters["7"]="D";
$letters["8"]="d";
$letters["9"]="E";
$letters["10"]="e";
$letters["11"]="F";
$letters["12"]="f";
$letters["13"]="G";
$letters["14"]="g";
$letters["15"]="H";
$letters["16"]="h";
$letters["17"]="I";
$letters["18"]="i";
$letters["19"]="J";
$letters["20"]="j";
$letters["21"]="K";
$letters["22"]="k";
$letters["23"]="L";
$letters["24"]="l";
$letters["25"]="M";
$letters["26"]="m";
$letters["27"]="N";
$letters["28"]="n";
$letters["29"]="O";
$letters["30"]="o";
$letters["31"]="P";
$letters["32"]="p";
$letters["33"]="Q";
$letters["34"]="q";
$letters["35"]="R";
$letters["36"]="r";
$letters["37"]="S";
$letters["38"]="s";
$letters["39"]="T";
$letters["40"]="t";
$letters["41"]="U";
$letters["42"]="u";
$letters["43"]="V";
$letters["44"]="v";
$letters["45"]="W";
$letters["46"]="w";
$letters["47"]="X";
$letters["48"]="x";
$letters["49"]="Y";
$letters["50"]="y";
$letters["51"]="Z";
$letters["52"]="z";
$letters["53"]="0";
$letters["54"]="1";
$letters["55"]="2";
$letters["56"]="3";
$letters["57"]="4";
$letters["58"]="5";
$letters["59"]="6";
$letters["60"]="7";
$letters["61"]="8";
$letters["62"]="9";
$letters["63"]="&";
$letters["64"]="#";
$letters["65"]=";";
$letters["66"]=" ";
$letters["67"]=">";
$letters["68"]="<";
$stringlength=strlen($string);
$keylength=strlen($key);
$step=1;
$stringcharacter=0;
$keychar=0;
$output="";
$numkey=0;
$keycharactervalue=0;
$wholekeyvalue=0;
while($numkey<$keylength-1){
$keycharacter=$key[$numkey];
$keycharactervalue=$numbers[$keycharacter];
$numkey=$numkey+1;
$wholekeyvalue=$wholekeyvalue+$keycharactervalue;
}
$stringvalue=0;
$stringcharacter=0;
while($stringcharacter<$stringlength){
$stringchar=$string[$stringcharacter];
$characternumber=$numbers[$stringchar];
$keyletter=$key[$keychar];
$keycharval=$numbers[$keyletter];
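// Shift the character by position, string length, key character, step and key sum, then wrap the result into 1..68.
$cryptchar=$characternumber-$stringcharacter+$stringlength+$keycharval+$step+$wholekeyvalue;
$divide=$cryptchar-1;
$count=floor($divide/$numofchars);
$cryptchar=$cryptchar-$count*$numofchars;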
$output.=$letters[$cryptchar];
$keychar=$keychar+1;
if($keychar>$keylength){$keychar=1; $step=$step+1;}
$stringcharacter=$stringcharacter+1;
}
return $output;
}}
}
 
function fusiondecrypt($string,$key){
if(!checkstring($_POST['text'])){return "Invalid characters present in string";} else{
if(!checkstring($_POST['key'])){return "Invalid characters present in key";} else{
$key=md5($key);
$numofchars=68;
$numbers['A']=1;
$numbers['a']=2;
$numbers['B']=3;
$numbers['b']=4;
$numbers['C']=5;
$numbers['c']=6;
$numbers['D']=7;
$numbers['d']=8;
$numbers['E']=9;
$numbers['e']=10;
$numbers['F']=11;
$numbers['f']=12;
$numbers['G']=13;
$numbers['g']=14;
$numbers['H']=15;
$numbers['h']=16;
$numbers['I']=17;
$numbers['i']=18;
$numbers['J']=19;
$numbers['j']=20;
$numbers['K']=21;
$numbers['k']=22;
$numbers['L']=23;
$numbers['l']=24;
$numbers['M']=25;
$numbers['m']=26;
$numbers['N']=27;
$numbers['n']=28;
$numbers['O']=29;
$numbers['o']=30;
$numbers['P']=31;
$numbers['p']=32;
$numbers['Q']=33;
$numbers['q']=34;
$numbers['R']=35;
$numbers['r']=36;
$numbers['S']=37;
$numbers['s']=38;
$numbers['T']=39;
$numbers['t']=40;
$numbers['U']=41;
$numbers['u']=42;
$numbers['V']=43;
$numbers['v']=44;
$numbers['W']=45;
$numbers['w']=46;
$numbers['X']=47;
$numbers['x']=48;
$numbers['Y']=49;
$numbers['y']=50;
$numbers['Z']=51;
$numbers['z']=52;
$numbers['0']=53;
$numbers['1']=54;
$numbers['2']=55;
$numbers['3']=56;
$numbers['4']=57;
$numbers['5']=58;
$numbers['6']=59;
$numbers['7']=60;
$numbers['8']=61;
$numbers['9']=62;
$numbers['&']=63;
$numbers['#']=64;
$numbers[';']=65;
$numbers[' ']=66;
$numbers['>']=67;
$numbers['<']=68;
 
 
$letters["1"]="A";
$letters["2"]="a";
$letters["3"]="B";
$letters["4"]="b";
$letters["5"]="C";
$letters["6"]="c";
$letters["7"]="D";
$letters["8"]="d";
$letters["9"]="E";
$letters["10"]="e";
$letters["11"]="F";
$letters["12"]="f";
$letters["13"]="G";
$letters["14"]="g";
$letters["15"]="H";
$letters["16"]="h";
$letters["17"]="I";
$letters["18"]="i";
$letters["19"]="J";
$letters["20"]="j";
$letters["21"]="K";
$letters["22"]="k";
$letters["23"]="L";
$letters["24"]="l";
$letters["25"]="M";
$letters["26"]="m";
$letters["27"]="N";
$letters["28"]="n";
$letters["29"]="O";
$letters["30"]="o";
$letters["31"]="P";
$letters["32"]="p";
$letters["33"]="Q";
$letters["34"]="q";
$letters["35"]="R";
$letters["36"]="r";
$letters["37"]="S";
$letters["38"]="s";
$letters["39"]="T";
$letters["40"]="t";
$letters["41"]="U";
$letters["42"]="u";
$letters["43"]="V";
$letters["44"]="v";
$letters["45"]="W";
$letters["46"]="w";
$letters["47"]="X";
$letters["48"]="x";
$letters["49"]="Y";
$letters["50"]="y";
$letters["51"]="Z";
$letters["52"]="z";
$letters["53"]="0";
$letters["54"]="1";
$letters["55"]="2";
$letters["56"]="3";
$letters["57"]="4";
$letters["58"]="5";
$letters["59"]="6";
$letters["60"]="7";
$letters["61"]="8";
$letters["62"]="9";
$letters["63"]="&";
$letters["64"]="#";
$letters["65"]=";";
$letters["66"]=" ";
$letters["67"]=">";
$letters["68"]="<";
$stringlength=strlen($string);
$keylength=strlen($key);
$step=1;
$stringcharacter=0;
$keychar=0;
$output="";
$numkey=0;
$keycharactervalue=0;
$wholekeyvalue=0;
while($numkey<$keylength-1){
$keycharacter=$key[$numkey];
$keycharactervalue=$numbers[$keycharacter];
$numkey=$numkey+1;
$wholekeyvalue=$wholekeyvalue+$keycharactervalue;
}
$stringvalue=0;
$stringcharacter=0;
while($stringcharacter<$stringlength){
$stringchar=$string[$stringcharacter];
$characternumber=$numbers[$stringchar];
$keyletter=$key[$keychar];
$keycharval=$numbers[$keyletter];
// Undo the same shift that fusionencrypt() applied, then wrap the result into 1..68.
$cryptchar=$characternumber+$stringcharacter-$stringlength-$keycharval-$step-$wholekeyvalue;
$divide=$cryptchar-1;
$count=floor($divide/$numofchars);
$cryptchar=$cryptchar-$count*$numofchars;
$output.=$letters[$cryptchar];
$keychar=$keychar+1;
if($keychar>$keylength){$keychar=1; $step=$step+1;}
$stringcharacter=$stringcharacter+1;
}
return $output;
}}
}
 
 if(isset($_POST['text'])){ 
 
$string=$_POST['text'];
$key=$_POST['key'];
$encrypted=fusionencrypt($string,$key);
 
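// Escape before output: both the user input and the cipher alphabet contain & < > characters.
print"Unencrypted:<br>".htmlspecialchars($string)."<br><br>";
print"Encrypted:<br>";echo(htmlspecialchars($encrypted));
print"<br><br>With key:".htmlspecialchars($key)."<br><br>Decrypted:<br>";
$decrypted=fusiondecrypt($encrypted,$key);
echo(htmlspecialchars($decrypted));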
 
 
}
 
 
//YOU MAY ONLY USE THIS SOURCE CODE TO AID IN THE DISCUSSION ON THE DEVNETWORK FORUMS. THIS NOTICE MUST REMAIN INTACT IN ALL MODIFICATIONS OF THIS SOURCE CODE OR PARTIAL USES OF IT.
 
//PARODY @ DEVNETWORK
 
?>
 
 
I have no idea what to write at the bottom to make sure people don't steal my work, so just don't.

This code has gone through a lot of modifications and so isn't as clean as it could be.

Thanks to everyone who has helped so far :D
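
Added example, not part of any participant's post: a Python port of the fusionencrypt/fusiondecrypt code as posted above, used to check the claim that the plaintext cannot be recovered without the password. It shows that each output character is the input character plus a per-position shift, so one known plaintext/ciphertext pair under a key decrypts other messages under that key with no password. Assumptions: inputs are at most 32 characters (so the key index never runs past the MD5 hex digest), the key "SampleKey123" is constructed, and the port models only the version of the code on this page, not the earlier versions that produced the ciphertexts quoted in the thread.

```python
import hashlib

# Alphabet in the order of the post's $numbers table: 'A'=1, 'a'=2, 'B'=3, ...
ALPHABET = "".join(u + u.lower() for u in "ABCDEFGHIJKLMNOPQRSTUVWXYZ") + "0123456789&#; ><"
NUM = {ch: i + 1 for i, ch in enumerate(ALPHABET)}
N = len(ALPHABET)  # 68, the post's $numofchars


def wrap(x):
    """Fold any integer into 1..68, as the post's floor()/subtract lines do."""
    return (x - 1) % N + 1


def shifts(key, length):
    """Per-position shift the posted code adds to each character."""
    if length > 32:
        raise ValueError("port covers inputs up to 32 characters only")
    digest = hashlib.md5(key.encode()).hexdigest()  # $key=md5($key)
    whole = sum(NUM[c] for c in digest[:31])        # loop stops at $keylength-1
    step = 1                                        # never changes for length <= 32
    return [length - i + NUM[digest[i]] + step + whole for i in range(length)]


def encrypt(text, key):
    return "".join(ALPHABET[wrap(NUM[p] + s) - 1]
                   for p, s in zip(text, shifts(key, len(text))))


def decrypt(text, key):
    return "".join(ALPHABET[wrap(NUM[c] - s) - 1]
                   for c, s in zip(text, shifts(key, len(text))))


def decrypt_with_known_pair(known_plain, known_cipher, target_cipher):
    """Decrypt target_cipher (same key) from one known pair, no password needed.

    c_i - p_i is the shift at position i for the known length; the shift for
    a message of another length differs only by the difference in lengths.
    Only the positions covered by the known pair can be recovered.
    """
    delta = len(target_cipher) - len(known_plain)
    out = []
    for p, c, t in zip(known_plain, known_cipher, target_cipher):
        shift = NUM[c] - NUM[p] + delta
        out.append(ALPHABET[wrap(NUM[t] - shift) - 1])
    return "".join(out)


if __name__ == "__main__":
    key = "SampleKey123"  # constructed key, not the challenge password
    known_plain = "Encryption Challenge"
    known_cipher = encrypt(known_plain, key)
    secret_cipher = encrypt("DevNetwork", key)
    # The key is not passed to the recovery function.
    print(decrypt_with_known_pair(known_plain, known_cipher, secret_cipher))
```

The MD5 step does not help here: the digest only selects the shifts, and the shifts cancel out of the subtraction whatever the password was.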