Asp Forum - symetrical encryption algo's ?

d c

10/28/2006 7:52:00 PM

Hi list.

I need to encode some data with a userID and then also be able to
decode it with the same key.

This is basically a quick approach to obfuscate URLs. Its for an
environment where we know the users ID with some degree of certainty.

Are there any libraries/simple algorithms to do this in ruby? it might
be as simple as bitshiting a string around...

any other suggested alternatives to this approach?

tx

/dc
-------------------------------------------
David "DC" Collier
mailto:dc@pikkle.com
+81 (0)80 6521 9559
skype: callto://d3ntaku
-------------------------------------------
Pikkle ????
http://www....
-------------------------------------------

14 Answers

Jeff Schwab

10/28/2006 8:12:00 PM

dc wrote:
> Hi list.

Hi.

> I need to encode some data with a userID and then also be able to
> decode it with the same key.
>
> This is basically a quick approach to obfuscate URLs. Its for an
> environment where we know the users ID with some degree of certainty.
>
> Are there any libraries/simple algorithms to do this in ruby? it might
> be as simple as bitshiting a string around...

Is "bitshiting" what happens when you eat one byte at a time? :)

> any other suggested alternatives to this approach?

Let your key be an integer. XOR each byte (or set of bytes) in the
string by the integer to encode. To decode, XOR them again. Let me
know if you'd like code. (Actually, I'd be interested to see other
people's implementations. ;)

Josef 'Jupp' Schugt

10/28/2006 8:32:00 PM

dc wrote:
> I need to encode some data with a userID and then also be able to
> decode it with the same key.
> This is basically a quick approach to obfuscate URLs. Its for an
> environment where we know the users ID with some degree of
> certainty.

Simple obfuscation can be done by XORing a keyword. On a binary layer
this works as follows:

Calling Key K, Original messages O, transmitted Message T here's a
binary example:

K = 1010
V = 1001010111101001

1001010111101001
1010101010101010
0011111101000011

T = 0011111101000011

In this particular encoding is not secure because K is not random and
much shorter than V. In contrast to false rumors XOR coding is not
inherently insecure. Quite the opposite is true: When K is perfectly
random and at least as long as V the coding is the only one known to
mankind that can be mathematically proved to be unbreakable.
According to certain sources the XOR encoding with perfectly random K
is used for the launch command for nuclear SMBs (submarine based
missiles). That may be an uran legend. A fact is that many programs
that allow you to password-encode a file actually XOR the file's
content with the Password. Which means that a more random and longer
passwords results in a more secure encoding.

?????

Jupp

Jeremy Hinegardner

10/28/2006 8:40:00 PM

On Sun, Oct 29, 2006 at 04:51:59AM +0900, dc wrote:
> Hi list.
>
> I need to encode some data with a userID and then also be able to
> decode it with the same key.
>
> This is basically a quick approach to obfuscate URLs. Its for an
> environment where we know the users ID with some degree of certainty.
>
> Are there any libraries/simple algorithms to do this in ruby? it might
> be as simple as bitshiting a string around...
>
> any other suggested alternatives to this approach?

I played around with the Tiny Encryption Algorithm[1] a year or so ago
and ended up with a quick ruby implementation of it that is a snippet on
rubyforge. (http://rubyforge.org/snippet/detail.php?type=snippet&...)

enjoy,

-jeremy

[1] - http://en.wikipedia.org/wiki/Tiny_Encryption...

--
========================================================================
Jeremy Hinegardner jeremy@hinegardner.org

Jano Svitok

10/28/2006 8:46:00 PM

On 10/28/06, Josef 'Jupp' Schugt <jupp@gmx.de> wrote:
> dc wrote:
> > I need to encode some data with a userID and then also be able to
> > decode it with the same key.
> > This is basically a quick approach to obfuscate URLs. Its for an
> > environment where we know the users ID with some degree of
> > certainty.
>
> Simple obfuscation can be done by XORing a keyword. On a binary layer
> this works as follows:
>
> Calling Key K, Original messages O, transmitted Message T here's a
> binary example:
>
> K = 1010
> V = 1001010111101001
>
> 1001010111101001
> 1010101010101010
> 0011111101000011
>
> T = 0011111101000011
>
> In this particular encoding is not secure because K is not random and
> much shorter than V. In contrast to false rumors XOR coding is not
> inherently insecure. Quite the opposite is true: When K is perfectly
> random and at least as long as V the coding is the only one known to
> mankind that can be mathematically proved to be unbreakable.
> According to certain sources the XOR encoding with perfectly random K
> is used for the launch command for nuclear SMBs (submarine based
> missiles). That may be an uran legend. A fact is that many programs
> that allow you to password-encode a file actually XOR the file's
> content with the Password. Which means that a more random and longer
> passwords results in a more secure encoding.
>
> ?????
>
> Jupp

I'd say: if obfuscation is enough, do base64encode.reverse and if not,
use AES from OpenSSL

Josef 'Jupp' Schugt

10/28/2006 9:36:00 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan Svitok wrote:
| I'd say: if obfuscation is enough, do base64encode.reverse and if
| not, use AES from OpenSSL

I wanted to provide a one-size-fits-it-all algorithm that can more or
less easily be implemented without using any external library.

Jupp
- --
Switched character encoding to sth. more common :-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFQ81Hrhv7B2zGV08RApTmAJ9qMwAFjypLqS8BPo9wA00iy4c94wCgi2QI
1fT2I07IQHxxf4qhh+jb66Q=
=jMQ5
-----END PGP SIGNATURE-----

khaines

10/28/2006 11:11:00 PM

Timothy Goddard

10/29/2006 9:53:00 AM

Josef 'Jupp' Schugt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jan Svitok wrote:
> | I'd say: if obfuscation is enough, do base64encode.reverse and if
> | not, use AES from OpenSSL
>
> I wanted to provide a one-size-fits-it-all algorithm that can more or
> less easily be implemented without using any external library.

OpenSSL extensions come with the Ruby standard library. Require
'openssl'.

> Jupp
> - --
> Switched character encoding to sth. more common :-)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFFQ81Hrhv7B2zGV08RApTmAJ9qMwAFjypLqS8BPo9wA00iy4c94wCgi2QI
> 1fT2I07IQHxxf4qhh+jb66Q=
> =jMQ5
> -----END PGP SIGNATURE-----

d c

10/29/2006 12:46:00 PM

hi -

> > any other suggested alternatives to this approach?
>
> Let your key be an integer. XOR each byte (or set of bytes) in the
> string by the integer to encode. To decode, XOR them again. Let me
> know if you'd like code. (Actually, I'd be interested to see other
> people's implementations. ;)

I googled a bit and found something in this direction, but cant get
the reverse of it
(at least not a working version!)
Would appreciate a working fragment...

def encr str
key = "ABC123abc123ABC456ABC123abc" # long enough?
result = (0..str.length-1).collect { |i|
$stderr.puts("#{i} #{str[i]}")
str[i] ^ key[i]
}
result.pack("C*")
return result
end

does the key have to be an integer for XOR ( ^ operator ) to work?

tx!

/dc

khaines

10/29/2006 1:35:00 PM

d c

10/29/2006 1:56:00 PM

hi -

> I have a feeling I'm missing something, but if all you want to do is
> generate obfuscated URLs, why not just the the SHA1-hash of a string
> consisting of the "real" url and the user's name? You can store the
> generated urls in the server-side user-session so you don't have to do any
> decrypting.

is there a way to de-sha1 these hashed results to get the original data?
and to do the shash with a specific key?
all i could find was:

res = Digest::SHA1.hexdigest(str)

whats the reverse of this,
and where is the key from?

we need to pass URLs back and forth from a ruby site to a PHP site. so
i was looking for a reasonably easy algorithm that would work for
both. I've had problems with blowfish on PHP giving different results
on different OSs. So i dont really want to risk something more obscure
given such different environments.

this is also for a mobile phone service where we reliably can get a
uniqueID per user.

we need to prevent people forwarding URLs which is why we need to key
off the uniqueID

but I need to be able to go both ways, given the key. eg:

ruby.site.com/uri=1b2347ghjhsdgf

I can then decode this + with the users ID/key + send them on their way,
and also pack up URLs to send ppl back to the php page.

other suggestions are to put all the URLs in a DB + then check against
the userID/urlID key etc but i want to avoid DB access.

tx!

comp.lang.ruby

symetrical encryption algo's ?

d c

Jeff Schwab

Josef 'Jupp' Schugt

Jeremy Hinegardner

Jano Svitok

Josef 'Jupp' Schugt

khaines

Timothy Goddard

d c

khaines

d c

x Login to ForumsZone