Second Life Forums Archive - Weak encryption garbling data

Patch Lamington

Blumfield SLuburban

Join date: 2 Nov 2005

Posts: 188

03-29-2006 17:14

I was using the base64xor for weak encryption (where data isnt really that important... but all the same...) without problems till recently

I've found that some (but only some) strings dont appear to decrypt correctly.

attached is a demo based on the Wiki example very closely, along with the output I get

Ill fully admit to doing silly stuff but this surely should work... shouldnt it?

CODE

default {
    state_entry() {
        string data = "gNi6AygkYJBfT0cIreJM10";
        string  crypt;  // for storing the encrypted data
        
        llSay(0,"Base 64 garble test");
        llSay(0, data);
        
        // convert both data and key to base64 and encrypt the data with the key
        // then store the encrypted data in 'crypt'
        crypt = llXorBase64Strings(llStringToBase64(data), llStringToBase64((string)llGetOwner() ));
        
        llSay(0, crypt); // this could now be used to email the data around
        // someone without the correct key wouldn't be able to (easily) get the plaintext
        
        // decrypt it again, using the same key, and convert back to plaintext
        llSay(0, llBase64ToString(llXorBase64Strings(crypt, llStringToBase64((string)llGetOwner() ))));
        // as you can see, applying the same key to encrypted data again decrypts it
    }
}

From: Output

Object: Base 64 garble test
Object: gNi6AygkYJBfT0cIreJM10
Object: AXcKB3hPX1h0KCAAZB1XfkIGZ3UBCA==
Object: gNi6AygkYJB?d?W~B?gu?

Im fed up trying to work this out, and going to bed now, for at least 4 hours before i need to get up again.

ps just noticed a comment on the wiki about possible unconfirmed padding problems
still to late to check it out.

_____________________

Blumfield - a regular everyday kind of 'burb in an irregular world.
This notice brought to you by the Blumfield Visitors and Residents Bureau.

Kyrah Abattoir

cruelty delight

Join date: 4 Jun 2004

Posts: 2,786

03-29-2006 18:38

i noticed it seems XOR is temporary fubared, i the doubt i change my encryptions to something stronger anyway

_____________________

tired of XStreetSL? try those!
apez http://tinyurl.com/yfm9d5b
metalife http://tinyurl.com/yzm3yvw
metaverse exchange http://tinyurl.com/yzh7j4a
slapt http://tinyurl.com/yfqah9u

Strife Onizuka

Moonchild

Join date: 3 Mar 2004

Posts: 5,887

03-29-2006 19:14

llXorBase64Strings is definitly borked, i beleive it's only half proforming the xor.

_____________________

Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey

Toneless Tomba

(Insert Witty Title Here)

Join date: 13 Oct 2004

Posts: 241

03-29-2006 22:44

Made a repeative test for the weak encryptiong and seems to fail 99% of the time. Very troubling, I actually have some products that rely on this.

CODE

//WEAK ENCRYPTION TESTER
//
//Owner touches to start & stop script
//Randomly creates a random floating number to encrypt
//Creates a random floating number for password
//Encrypts then decrypts data and checks to see if decrypted data = original


integer count;
vector color;
integer errors;
integer ON = FALSE;
string msg;

text()
{
    llSetText("ERROR(S): " + (string)errors + "\nATTEMPT(S): " + (string)count + "\n" + msg, color, 1.0);
}


check(string data, string password)
{
    count++;                             //Adds one to number of attempts
    string crypt = llXorBase64Strings(llStringToBase64(data), llStringToBase64(password));         //Encrypts data using password
    string decrypt = llBase64ToString(llXorBase64Strings(crypt, llStringToBase64(password)));    //Decrypts data using password
    if (data != decrypt)            //Checks to see if decrypted value = data
    {
        msg = "DATA EXPECTED: " + data + "\nDATA RECEIVED: " + decrypt;  //msg to show data expected and data received
        errors++;                        // Add one to error counter
        color = <1,0,0>;                //Color Red for Error
        text();                                //Displays SetText       
    }
    else 
    {
        msg = "PASSED";            //msg to show decryption passed
        color = <0,1,0>;                //Color Green for passed
        text();                                //Displays SetText
    }
}
    
    


default 
{
    touch_start(integer num_detected)
    {
        if (llDetectedKey(0) == llGetOwner())  //Use for only owner
        {
            ON = llAbs(ON - 1);                //Toggles ON to be 1 or 0 (TRUE OR FALSE)
            if (ON)
            {
                count = 0;                            //Reseting counter for attempts & errors
                errors = 0;
                llSetTimerEvent(1.0);            //Setting timer w/ 1.0 sec intervals
            }
            else 
            {
                llSetTimerEvent(0);                //Turning off Timer
                msg = "*INACTIVE*";            //Setting message that encryption tester is off
                color = <0.5, 0.5, 0.5>;         //Gray color
                text();                                    //Displays counters of last test and show inactive greyed out
            }
        }
    }
    
    timer()
    {
        string RandomFloat = (string)llFrand(99999999);   //Random float
        string RandomPassword = (string)llFrand(99999999); //Random Password, another random float.
        check(RandomFloat, RandomPassword);  //Every Second checks to see if encrypting and decrypting 
    }    
}

Kelly Linden

Linden Developer

Join date: 29 Mar 2004

Posts: 896

03-29-2006 22:56

We are aware of this issue.

_____________________

- Kelly Linden

Patch Lamington

Blumfield SLuburban

Join date: 2 Nov 2005

Posts: 188

03-29-2006 23:54

From: Kelly Linden

We are aware of this issue.

Thanks,

Im glad it wasnt me bad.
And yes, I know I really shouldn't rely on it for anything important or valuable - and I wont

_____________________

Blumfield - a regular everyday kind of 'burb in an irregular world.
This notice brought to you by the Blumfield Visitors and Residents Bureau.

Weak encryption garbling data
Patch Lamington Blumfield SLuburban Join date: 2 Nov 2005 Posts: 188	03-29-2006 17:14 I was using the base64xor for weak encryption (where data isnt really that important... but all the same...) without problems till recently I've found that some (but only some) strings dont appear to decrypt correctly. attached is a demo based on the Wiki example very closely, along with the output I get Ill fully admit to doing silly stuff but this surely should work... shouldnt it? CODE default { state_entry() { string data = "gNi6AygkYJBfT0cIreJM10"; string crypt; // for storing the encrypted data llSay(0,"Base 64 garble test"); llSay(0, data); // convert both data and key to base64 and encrypt the data with the key // then store the encrypted data in 'crypt' crypt = llXorBase64Strings(llStringToBase64(data), llStringToBase64((string)llGetOwner() )); llSay(0, crypt); // this could now be used to email the data around // someone without the correct key wouldn't be able to (easily) get the plaintext // decrypt it again, using the same key, and convert back to plaintext llSay(0, llBase64ToString(llXorBase64Strings(crypt, llStringToBase64((string)llGetOwner() )))); // as you can see, applying the same key to encrypted data again decrypts it } } From: Output Object: Base 64 garble test Object: gNi6AygkYJBfT0cIreJM10 Object: AXcKB3hPX1h0KCAAZB1XfkIGZ3UBCA== Object: gNi6AygkYJB?d?W~B?gu? Im fed up trying to work this out, and going to bed now, for at least 4 hours before i need to get up again. ps just noticed a comment on the wiki about possible unconfirmed padding problems still to late to check it out. _____________________ Blumfield - a regular everyday kind of 'burb in an irregular world. This notice brought to you by the Blumfield Visitors and Residents Bureau.
Kyrah Abattoir cruelty delight Join date: 4 Jun 2004 Posts: 2,786	03-29-2006 18:38 i noticed it seems XOR is temporary fubared, i the doubt i change my encryptions to something stronger anyway _____________________ tired of XStreetSL? try those! apez http://tinyurl.com/yfm9d5b metalife http://tinyurl.com/yzm3yvw metaverse exchange http://tinyurl.com/yzh7j4a slapt http://tinyurl.com/yfqah9u
Strife Onizuka Moonchild Join date: 3 Mar 2004 Posts: 5,887	03-29-2006 19:14 llXorBase64Strings is definitly borked, i beleive it's only half proforming the xor. _____________________ Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
Toneless Tomba (Insert Witty Title Here) Join date: 13 Oct 2004 Posts: 241	03-29-2006 22:44 Made a repeative test for the weak encryptiong and seems to fail 99% of the time. Very troubling, I actually have some products that rely on this. CODE //WEAK ENCRYPTION TESTER // //Owner touches to start & stop script //Randomly creates a random floating number to encrypt //Creates a random floating number for password //Encrypts then decrypts data and checks to see if decrypted data = original integer count; vector color; integer errors; integer ON = FALSE; string msg; text() { llSetText("ERROR(S): " + (string)errors + "\nATTEMPT(S): " + (string)count + "\n" + msg, color, 1.0); } check(string data, string password) { count++; //Adds one to number of attempts string crypt = llXorBase64Strings(llStringToBase64(data), llStringToBase64(password)); //Encrypts data using password string decrypt = llBase64ToString(llXorBase64Strings(crypt, llStringToBase64(password))); //Decrypts data using password if (data != decrypt) //Checks to see if decrypted value = data { msg = "DATA EXPECTED: " + data + "\nDATA RECEIVED: " + decrypt; //msg to show data expected and data received errors++; // Add one to error counter color = <1,0,0>; //Color Red for Error text(); //Displays SetText } else { msg = "PASSED"; //msg to show decryption passed color = <0,1,0>; //Color Green for passed text(); //Displays SetText } } default { touch_start(integer num_detected) { if (llDetectedKey(0) == llGetOwner()) //Use for only owner { ON = llAbs(ON - 1); //Toggles ON to be 1 or 0 (TRUE OR FALSE) if (ON) { count = 0; //Reseting counter for attempts & errors errors = 0; llSetTimerEvent(1.0); //Setting timer w/ 1.0 sec intervals } else { llSetTimerEvent(0); //Turning off Timer msg = "INACTIVE"; //Setting message that encryption tester is off color = <0.5, 0.5, 0.5>; //Gray color text(); //Displays counters of last test and show inactive greyed out } } } timer() { string RandomFloat = (string)llFrand(99999999); //Random float string RandomPassword = (string)llFrand(99999999); //Random Password, another random float. check(RandomFloat, RandomPassword); //Every Second checks to see if encrypting and decrypting } }
Kelly Linden Linden Developer Join date: 29 Mar 2004 Posts: 896	03-29-2006 22:56 We are aware of this issue. _____________________ - Kelly Linden
Patch Lamington Blumfield SLuburban Join date: 2 Nov 2005 Posts: 188	03-29-2006 23:54 From: Kelly Linden We are aware of this issue. Thanks, Im glad it wasnt me bad. And yes, I know I really shouldn't rely on it for anything important or valuable - and I wont _____________________ Blumfield - a regular everyday kind of 'burb in an irregular world. This notice brought to you by the Blumfield Visitors and Residents Bureau.

Welcome to the Second Life Forums Archive

Weak encryption garbling data