Crypto Encryption Plug-in



rhosk
01-30-2004, 06:30 AM
OK, thinking strongly on getting this plug-in!!

One way I was thinking to use it is the rot13 method.

Question - can I say - get the users name on the computer, have them send that back to me and provide that "user" with the rot-13 decrypted sequence to activate the application via an action somewhere?

Or would there be a better/more secure way of doing it (I know, objective, but your thoughts) with the plug-in? And if I "get lost" will you guys walk me a little thru the process of setting this up? The instructions are a bit confusing to me.

I just want a quasi-solution to protect my app. Thanks!

Lorne
01-30-2004, 08:56 AM
Don't use rot13 for anything that needs to be secure. It's just a simple Caesar cipher, e.g. abcd becomes nopq, nopq becomes abcd.

Instead, you'll want to use blowfish encryption or use a bunch of pre-set serial numbers hidden in your application using MD5.

Do a bit of research on google about how to use blowfish encryption or MD5 hashes to secure an application.

Corey
01-31-2004, 01:30 AM
Interesting, I didn't know that. Here's what I found:

Rot13
/rot ther'teen/ [Usenet: from "rotate alphabet 13 places"], v. The simple Caesar-cypher encryption that replaces each English letter with the one 13 places forward or back along the alphabet, so that "The butler did it!" becomes "Gur ohgyre qvq vg!" Most Usenet news reading and posting programs include a rot13 feature. It is used to enclose the text in a sealed wrapper that the reader must choose to open - e.g. for posting things that might offend some readers, or spoilers. A major advantage of rot13 over rot(N) for other N is that it is self-inverse, so the same code can be used for encoding and decoding.


MD5
[The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.
In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.



BASE64
<file format, algorithm> A file format using 64 ASCII characters to encode the six bit binary data values 0-63.

To convert data to base 64, the first byte is placed in the most significant eight bits of a 24-bit buffer, the next in the middle eight, and the third in the least significant eight bits. If there are fewer than three bytes to encode, the corresponding buffer bits will be zero. The buffer is then used, six bits at a time, most significant first, as indices into the string "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" and the indicated character output. If there were only one or two input bytes, the output is padded with two or one "=" characters respectively. This prevents extra bits being added to the reconstructed data. The process then repeats on the remaining input data. Base 64 is used when transmitting binary data through text-only media such as electronic mail, though uuencode is more common.




Blowfish
Blowfish is a symmetric block cipher that can be used as a drop-in replacement for DES or IDEA. It takes a variable-length key, from 32 bits to 448 bits, making it ideal for both domestic and exportable use. Blowfish was designed in 1993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm. Blowfish is unpatented and license-free, and is available free for all uses.



Blowfish Sushi
http://www.blowfishsushi.com/

Yum. :)

Corey

Corey Milner
Creative Director, Indigo Rose Software (http://www.indigorose.com)

TJ_Tigger
01-31-2004, 08:50 AM
You could do rot13 with built in actions of AMS5. All you need to do is get the ascii number of the character and increase it or decrease it by 13 to get the new character. www.geocaching.com uses rot13 to encrypt hints for finding the location of a cache.

String.Asc (http://www.indigorose.com/webhelp/ams50/Program_Reference/Actions/String.Asc.htm)

and

String.Char (http://www.indigorose.com/webhelp/ams50/Program_Reference/Actions/String.Char.htm)

Corey
01-31-2004, 02:57 PM
Exactly Lorne's point I think. :) Sounds like a good basis for an Encyclopedia Brown book. :)

Corey Milner
Creative Director, Indigo Rose Software (http://www.indigorose.com)

rhosk
01-31-2004, 03:22 PM
Originally posted by TJ_Tigger
You could do rot13 with built in actions of AMS5. All you need to do is get the ascii number of the character and increase it or decrease it by 13 to get the new character. www.geocaching.com uses rot13 to encrypt hints for finding the location of a cache.

Yeah, this would be good, but what I'm going to do is get the "user name" off of the individual computer (or something exclusive to the specific user computer) and establish the code that way.

Tigg, do you have a sample code that would work? I can picture it, but I'm not good enuf to derive it.

Lorne
02-02-2004, 09:12 AM
Actually, rot13 doesn't go "back" through the alphabet at all...it just wraps the alphabet around at the end. :)

It's actually short for "rotate by 13 letters." In programming terms, "rotating" is shifting something over by a given amount and going back to the start when you go past the end.

Of course, since there are 26 letters in the alphabet, it ends up doing the same thing. :)

Can anyone guess why it's rot13 and not, say, rot12 or rot14? ;)

You can actually fit a complete rot13 program in one line of C code:


main(c){while((c=getchar())+1)putchar(isalpha(c)?tolower(c)<'n'?c+13:c-13:c);}

Lorne
02-02-2004, 09:15 AM
rhosk, to be perfectly clear: DO NOT USE ROT13 FOR ANYTHING THAT NEEDS TO BE SECURE. That's not what it's built for; it's just for temporarily hiding stuff that you don't want someone to be able to read at a glance.

What you want to accomplish is fairly advanced and you're going to need to do some research to get it done.

rhosk
02-02-2004, 09:23 AM
Originally posted by Lorne
You can actually fit a complete rot13 program in one line of C code:

main(c){while((c=getchar())+1)putchar(isalpha(c)?tolower(c)<'n'?c+13:c-13:c);}
Can this be translated into AMS5 actions? :D

No, I'm not doing anything top secret or real secure. My thought is - get some unique string on the user's computer. I set this in a variable to email it back to me (maybe the subject line - in rot13 of course), then give them a rot13 code based on the unique string to unlock the app. This will partially prevent a user from passing my app around. Or is there a better way to do it?

TJ_Tigger
02-02-2004, 12:53 PM
When I get a moment this afternoon I will see about putting out a function that will take care of this. I may have something from AMS4 where we did something very similar. It was involving a garbled version of test results to be submitted via e-mail.

I will post something by tonight.

Tigg

Here is the code I used from AMS4. I had to use a default string %ABC% to be able to encrypt the letters. This was before the String.Asc and String.Char were available. I will convert to AMS5 tonight. As Lorne points out this is not secure, but is a good way to prevent people from accidentally reading spoilers.


// Get the text from the edit field object, if it is blank give an error and then exit the script.
%ObjectText% = EditFieldObject[EditField1].GetText
IF (%ObjectText% = "")
%Result% = Dialog.MessageBox ("Error", "You have not entered any text!", Ok, Question)
RETURN
END IF

// Setting variables to be used for the while loop. There is a counter variable and
// a length variable for the string captured above, a blank Translated variable which will be used
// to store the translated information in the while loop and lastly the string that is used for
// encryption. The ABC string will be used to locate a character and to find a replacement character.
%Ctr% = Evaluate (0)
%Length% = String.GetLength ("%ObjectText%")
%Translated% = ""
%ABC% = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`1234567890-=[]\;',./~!@#$%^&*()_+{}|:"<>?"

// Now that we have the variables set, it is time to put them to use in the while loop.
WHILE (%Ctr% < %Length%)
// The %Ctr% variable is used as a counter and to identify each character in the string that needs
// to be translated. Once the character is found we will then find the position of the character.
%SubString% = String.Mid ("%ObjectText%", %Ctr%, 1)
%FoundPos% = String.Find ("%ABC%", "%SubString%", 0)
// If the found position is not in the ABC variable jump to the end. This is used
// to maintain spaces and other characters that can not be encrypted by the ABC variable.
IF (%FoundPos% = "-1")
%TextLine% = "%SubString%"
GOTO ("notfound")
END IF
// The next four IF/END IF blocks use the position of the character in the ABC string
// to determine how to encrypt it, by moving the position ahead or back a fixed number of places.
// The ABC string is segmented into three areas: lowercase letters (0-25), uppercase letters (26-51),
// and numbers/punctuation (52-93). Letters shift by 13 within their case; the last group shifts by 21.

// Lower and upper case alphabetic add 13 positions
IF (((%FoundPos% >= 0) AND (%FoundPos% <=12)) OR ((%FoundPos% >= 26) AND (%FoundPos% <=38)))
%FoundPos% = Evaluate (%FoundPos% + 13)
GOTO ("replace")
END IF

// Lower and upper case alphabetic subtract 13 positions
IF (((%FoundPos% >= 13) AND (%FoundPos% <=25)) OR ((%FoundPos% >= 39) AND (%FoundPos% <=51)))
%FoundPos% = Evaluate (%FoundPos% - 13)
GOTO ("replace")
END IF

// Numbers and punctuation add 21 positions
IF ((%FoundPos% >= 52) AND (%FoundPos% <=72))
%FoundPos% = Evaluate (%FoundPos% + 21)
GOTO ("replace")
END IF

// Numbers and punctuation subtract 21 positions
IF ((%FoundPos% >= 73) AND (%FoundPos% <=93))
%FoundPos% = Evaluate (%FoundPos% - 21)
GOTO ("replace")
END IF

// Once the position has been found and adjusted we then find the replacement character
// and add it to the %Translated% variable.
replace
%TextLine% = String.Mid ("%ABC%", %FoundPos%, 1)
notfound
%Translated% = "%Translated%%TextLine%"

// We then increment the counter and start the chain over again for the next character in the string
%Ctr% = Evaluate (%Ctr% + 1)
END WHILE
TextObject[Text1].SetText ("%Translated%")

Ted Sullivan
02-02-2004, 01:08 PM
Using MD5 hashes is a *much* better way to verify passwords etc. The ROT13 action was added to obfuscate rather than encrypt...

TJ_Tigger
02-02-2004, 01:36 PM
I like that word, Obfuscate. Here is an update from the AMS4 project I worked on before. The actions are not part of a function but could easily be adapted into one. Also, there are not any comments in the code. Hopefully it is self explanatory.

Tigg

Bruce
02-02-2004, 01:50 PM
I remember this one Tigg!

rhosk
02-02-2004, 01:58 PM
Originally posted by TJ_Tigger
Hopefully it is self explanatory.

It is, thanks! That should be all I need for what I'm trying to do. Nice tiny piece of code there. Appreciate you taking the time Tigg.

TJ_Tigger
02-02-2004, 02:05 PM
I guess the thing to look at is the ASCII chart that is part of the help file. It lists the codes that I use in the IF/ELSEIF/ELSE statement to make the conversion. If the letter is a-m or A-M then 13 is added to the code to make it n-z or N-Z, and if the letter is n-z or N-Z then 13 is subtracted from the code to make it a-m or A-M.

rhosk
02-02-2004, 02:07 PM
Off the top of your head, does anyone happen to know a "unique" string in each registry, besides maybe user name/registered user? I figure it could have numbers too, but letters are obviously better for what I'm trying to do here.

TJ_Tigger
02-02-2004, 02:39 PM
There is always the MAC address for a LAN card within the computer. Every LAN card is required to have a unique MAC (or hardware) address.


laninfo = System.GetLANInfo()
Dialog.Message("MAC Address", "Your MAC address is "..laninfo.NIC, MB_OK, MB_ICONNONE, MB_DEFBUTTON1)

You can also find the MAC address in Windows by clicking on Start->Run, typing cmd (or command for 98/95) into the open bar, and when the command prompt opens, typing "ipconfig /all" without the "'s.

Tigg

Intrigued
02-04-2004, 09:58 PM
Can anyone guess why it's rot13 and not, say, rot12 or rot14?
Lorne... without "googling"...

Is it because 13 is half of 26, which makes it possible to divide 26 by 13 to get 2 and then take 2 and multiply it by 13 to get 26?

Thus making it easy to do math calculations and then calculated string manipulations?

OR...

Because the number 13 is often associated with "ROTten" things?

(eh?) (grin)

Corey
02-04-2004, 10:05 PM
FWIW Google comes to Lorne for encryption answers, he's the real McCoy when it comes to encryption, and also interior design... I can only speak for myself but I associated the 13 in ROT13 to the alphabet the very first time I glanced it, but I also associated it instantly with 1/4 of a deck of cards and 1/4 of (the weeks) a year. So that doesn't count I guess, dang it...

Speaking of encryption. One of the PHP Nuke modules I was looking at this week offers true random encryption key generation. It uses "Atmospheric Noise" as a seed. I would have grabbed it but it's for .NET users only.

Corey Milner
Creative Director, Indigo Rose Software (http://www.indigorose.com)

Lorne
02-05-2004, 09:00 AM
The key to understanding rot13 is:

rot stands for "rotate"
there are 26 letters in the alphabet
13 is half of 26


Imagine the alphabet written on the outside of a wheel, so that the letter A followed right after the letter Z. (You could sing the alphabet song all day long, going round and round the wheel...ahem.) The rot13 algorithm just means to spin the wheel 13 letters ahead.

So the letter A becomes the letter N, since N is the 13th letter after A. The letter B becomes the letter O, since O is the 13th letter after B. The letter C becomes the letter P, since P is the 13th letter after C.

Here's the cool part. Since the alphabet wraps around the wheel, the letter P becomes the letter C:



ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMN
+1234567890123

The reason it's rot13 and not rot12 is so that you can code and decode a string by using the exact same algorithm. Since there are 26 letters in the alphabet, if you skip ahead by 13 letters twice, you end up right back where you started. If it was rot12, then C would become O, and O would become A.

BTW, this is essentially how those old "secret decoder rings" worked. :)

Some info on the original Caesar's cipher (which used 3 as the key instead of 13) (http://en.wikipedia.org/wiki/Caesar_cipher)

An online rot13 tool (http://www.rot13.com)
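
An added example, not code from the thread: a portable rot-N in C that implements the wheel wrap-around Lorne describes, plus a check showing that only N=13 is its own inverse (the rot12 case above, where C becomes O and O becomes A). Function names and the sample sentence are my own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Rotate one letter n places around the 26-letter "wheel", wrapping at Z.
   Non-letters pass through unchanged, just like the one-liner earlier. */
static int rot_char(int c, int n)
{
    if (!isalpha((unsigned char)c))
        return c;
    int base = isupper((unsigned char)c) ? 'A' : 'a';
    /* double modulo keeps the result positive for negative n (rotating backwards) */
    return base + ((c - base + n) % 26 + 26) % 26;
}

/* Apply rot-n in place to a NUL-terminated string and return it. */
static char *rot_str(char *s, int n)
{
    for (char *p = s; *p; p++)
        *p = (char)rot_char(*p, n);
    return s;
}

/* Returns 1 if applying rot-n twice is the identity on every letter, i.e. the
   same routine both encodes and decodes. Holds for n == 13 (13 + 13 == 26
   is exactly one trip round the wheel) but not for rot12 or rot14. */
static int rot_is_self_inverse(int n)
{
    for (int c = 'a'; c <= 'z'; c++)
        if (rot_char(rot_char(c, n), n) != c)
            return 0;
    return 1;
}

int main(void)
{
    char buf[] = "The butler did it!";          /* constructed sample input */
    printf("%s\n", rot_str(buf, 13));            /* Gur ohgyre qvq vg! */
    printf("%s\n", rot_str(buf, 13));            /* same call decodes it */
    printf("rot13 self-inverse: %d, rot12 self-inverse: %d\n",
           rot_is_self_inverse(13), rot_is_self_inverse(12));
    printf("rot12: C -> %c, O -> %c\n", rot_char('C', 12), rot_char('O', 12));
    return 0;
}
```

The same reasoning covers Tigg's script: its 42-character numbers/punctuation group is shifted by 21, half of 42, so that segment is also its own inverse.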

Intrigued
02-05-2004, 07:26 PM
Sounds like I was on the right track then.

Lorne... thank you for the easy to understand explanation. If you were not an instructor at one point... I would say you missed your calling.

Corey
02-05-2004, 08:17 PM
It was secure at the time because Caesar's enemies could often not even read plaintext, let alone ciphertext.

I didn't realize Caesar had been warring against the writers at CBC's "The National"... Cool link.

Corey Milner
Creative Director, Indigo Rose Software (http://www.indigorose.com)