M
msnews.microsoft.com
How can I encrypt and decrypt string?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
R
Roy Fine
msnews.microsoft.com said:How can I encrypt
XOR it with a protection string of the same length of the string that you
are encrypting
and decrypt string?
XOR it with the exact same protection string
if you do not publish the protection string, your encrypted string in
unbreakable!
regards
roy fine
S
Sherif ElMetainy
Hello
The XOR method is breakable is someone has an encrypted string and a clear
text string.
If you XOR the clear text string and the encrypted string you get the
protection string
The best way is to use the encryption methods in .NET crypto API in
System.Security.Cryptography namespace.
You can use DES, TripleDES, RC1 or Rijndael algorithms for symmetric
ecryption,
or RSA algorithm for asymmetric encryption
or SHA1 or MD5 for hashing.
Symmetric encryption has one key that is used for encryption and decryption.
Asymetric encryption has a public key and a private key. The public key is
used for encryption, and only they private key can decrypt the data.
With Hashing, which commonly used for passwords, there is no key. and the
process is irreversible, unless the password is too short, or easy to guess
(a name or dictionary word for example)
You can find more with examples on this in MSDN documentation.
Best regards,
Sherif
if you do not publish the protection string, your encrypted string in
unbreakable!
The XOR method is breakable is someone has an encrypted string and a clear
text string.
If you XOR the clear text string and the encrypted string you get the
protection string
The best way is to use the encryption methods in .NET crypto API in
System.Security.Cryptography namespace.
You can use DES, TripleDES, RC1 or Rijndael algorithms for symmetric
ecryption,
or RSA algorithm for asymmetric encryption
or SHA1 or MD5 for hashing.
Symmetric encryption has one key that is used for encryption and decryption.
Asymetric encryption has a public key and a private key. The public key is
used for encryption, and only they private key can decrypt the data.
With Hashing, which commonly used for passwords, there is no key. and the
process is irreversible, unless the password is too short, or easy to guess
(a name or dictionary word for example)
You can find more with examples on this in MSDN documentation.
Best regards,
Sherif
R
Roy Fine
Sherif ElMetainy said:Hello
The XOR method is breakable is someone has an encrypted string and a clear
text string.
If you XOR the clear text string and the encrypted string you get the
protection string
The following is a proven fact --
if you do not publish the protection string, your encrypted string in
unbreakable!
other methods are breakable, but not in finite time!
roy fine
R
Ron McNulty
if you do not publish the protection string, your encrypted string in
No, not quite!
If you have the facility to run your own code against the algorithm, it can
be easily broken. An example would be where you can read a password field in
a database, and see what your own (known) password "encrypts" to. Anyone
with basic cryptography knowledge should be able to glean the encryption key
within an hour. And being a symmetrical algorithm, you can run it against
all other passwords and get the plaintext.
Then you can try those passwords against other machines that the users may
have access to.... Your hacking career has begun!
Operating systems based on UNIX have been using salted encryption algorithms
for years. These are reasonably safe, although not unbreakable.
The "unbreakable" that you refer to is for one-time pads, and these are not
the norm in computer systems.
Regards
Ron
unbreakable!
No, not quite!
If you have the facility to run your own code against the algorithm, it can
be easily broken. An example would be where you can read a password field in
a database, and see what your own (known) password "encrypts" to. Anyone
with basic cryptography knowledge should be able to glean the encryption key
within an hour. And being a symmetrical algorithm, you can run it against
all other passwords and get the plaintext.
Then you can try those passwords against other machines that the users may
have access to.... Your hacking career has begun!
Operating systems based on UNIX have been using salted encryption algorithms
for years. These are reasonably safe, although not unbreakable.
The "unbreakable" that you refer to is for one-time pads, and these are not
the norm in computer systems.
Regards
Ron
R
Roy Fine
Ron -- see inline
I'll publish a file containing a stream of encrypted bytes. I'll keep the
encrypting stream hidden. I'll also tell you that the encrypting string is a
sequence of non-repeating random values (that was the basis of my first
post). I'll even publish the program/algorithm used to encrypt the data.
I'll offer you or anyone some great sum of money if you can find the message
hidden in the encrypted stream. I'll also tell you that the eleven
characters preceeding the hidden message are "HELLO WORLD". I'll give you
100 years to do the work. You get one shot at answering - i.e., you cant
make 1 million guesses.
Consider this link:
http://msdn.microsoft.com/library/d...-us/dnw98bk/html/exclusiveoringtechniques.asp
and as the length of the encrypting key approaches the length of the
original string/stream, so does the strength of the algorithm approach
"unbreakable".
SALT is not germain here. That is a technique used to make strong
algorithms stronger, but applies only to certain algorithms - not trivial
XOR scheme.
No, the "unbreakable" that I refer to is really just simple unbreakable.
For short strings, XOR is far superior to other methods - it is faster, and
simpler to implement. The disadvantage of the XOR is that for true
unbreakable, the encoding string MUST be the same length as the original
string (i.e. no repeating patterns that could be used to break the code).
Because of the length requirement of the encoding string, the XOR method as
a general solution, it becomes unmanagable - but is is quite strong!
If I keep the encoding string private, then you can not break my encoded
string. But that in and of itself is not a limitation ofthe XOR scheme -
using any other algorithm, you either have a symetric key or a private key
that you also MUST keep private - the only difference is the size of the
required encoding key for arbitrary length input strings (or streams)...
regards
roy fine
ps - search google using this:
Xorring with a key as long as the message is the strongest encryption
here are a couple of additional links:
http://www.mit.edu:8008/bloom-picayune.mit.edu/perl/10138
http://groups.google.com/[email protected]#link6
Ron McNulty said:No, not quite!
If you have the facility to run your own code against the algorithm, it can
be easily broken. An example would be where you can read a password field in
a database, and see what your own (known) password "encrypts" to. Anyone
with basic cryptography knowledge should be able to glean the encryption key
within an hour. And being a symmetrical algorithm, you can run it against
all other passwords and get the plaintext.
I'll publish a file containing a stream of encrypted bytes. I'll keep the
encrypting stream hidden. I'll also tell you that the encrypting string is a
sequence of non-repeating random values (that was the basis of my first
post). I'll even publish the program/algorithm used to encrypt the data.
I'll offer you or anyone some great sum of money if you can find the message
hidden in the encrypted stream. I'll also tell you that the eleven
characters preceeding the hidden message are "HELLO WORLD". I'll give you
100 years to do the work. You get one shot at answering - i.e., you cant
make 1 million guesses.
Consider this link:
http://msdn.microsoft.com/library/d...-us/dnw98bk/html/exclusiveoringtechniques.asp
and as the length of the encrypting key approaches the length of the
original string/stream, so does the strength of the algorithm approach
"unbreakable".
Then you can try those passwords against other machines that the users may
have access to.... Your hacking career has begun!
Operating systems based on UNIX have been using salted encryption algorithms
for years. These are reasonably safe, although not unbreakable.
SALT is not germain here. That is a technique used to make strong
algorithms stronger, but applies only to certain algorithms - not trivial
XOR scheme.
The "unbreakable" that you refer to is for one-time pads, and these are not
the norm in computer systems.
No, the "unbreakable" that I refer to is really just simple unbreakable.
For short strings, XOR is far superior to other methods - it is faster, and
simpler to implement. The disadvantage of the XOR is that for true
unbreakable, the encoding string MUST be the same length as the original
string (i.e. no repeating patterns that could be used to break the code).
Because of the length requirement of the encoding string, the XOR method as
a general solution, it becomes unmanagable - but is is quite strong!
If I keep the encoding string private, then you can not break my encoded
string. But that in and of itself is not a limitation ofthe XOR scheme -
using any other algorithm, you either have a symetric key or a private key
that you also MUST keep private - the only difference is the size of the
required encoding key for arbitrary length input strings (or streams)...
regards
roy fine
ps - search google using this:
Xorring with a key as long as the message is the strongest encryption
here are a couple of additional links:
http://www.mit.edu:8008/bloom-picayune.mit.edu/perl/10138
http://groups.google.com/[email protected]#link6
S
Sherif ElMetainy
Hello
XOR is breakable and below is a code to demonstrate, i am using ints, but
the same applies to strings
Random r = new Random();
int secret = r.Next(); // this is hidden
int clear = r.Next(); // i know this one
int encrypted = secret ^ clear; // i know this one too
int hacked = encrypted ^ clear; // now i know the secret
Console.WriteLine(hacked == secret);
Best regards
Sherif
XOR is breakable and below is a code to demonstrate, i am using ints, but
the same applies to strings
Random r = new Random();
int secret = r.Next(); // this is hidden
int clear = r.Next(); // i know this one
int encrypted = secret ^ clear; // i know this one too
int hacked = encrypted ^ clear; // now i know the secret
Console.WriteLine(hacked == secret);
Best regards
Sherif
S
Sherif ElMetainy
Hello
Give me a clear text string, a string encrypted with your hidden key using
the XOR method.
Then give me another string encrypted with the same key, it will take me
less than one minute to decrypt it, because I will know the key.
Consider the following scenario.
Suppose I have a web site, where the member's passwords are stored encrypted
using XOR in a database.
Some how a hacker was able to gain access to the database (due to a security
hole, new vulnerability, unpatched server, bad administrator, etc), but he
doesn't have access to the key to decrypt the passwords.
So he registers a new account for himself in my web site (he knows the
password for this account because he created it), then he looks at his own
ecrypted password.
Now he can easily know the encryption key, and can decrypt all other
passwords.
Best regards
Sherif
Give me a clear text string, a string encrypted with your hidden key using
the XOR method.
Then give me another string encrypted with the same key, it will take me
less than one minute to decrypt it, because I will know the key.
Consider the following scenario.
Suppose I have a web site, where the member's passwords are stored encrypted
using XOR in a database.
Some how a hacker was able to gain access to the database (due to a security
hole, new vulnerability, unpatched server, bad administrator, etc), but he
doesn't have access to the key to decrypt the passwords.
So he registers a new account for himself in my web site (he knows the
password for this account because he created it), then he looks at his own
ecrypted password.
Now he can easily know the encryption key, and can decrypt all other
passwords.
Best regards
Sherif
R
Roy Fine
Sherif ElMetainy said:Hello
Give me a clear text string, a string encrypted with your hidden key using
the XOR method.
OK - done!
Then give me another string encrypted with the same key, it will take me
less than one minute to decrypt it, because I will know the key.
No way - you must be crazy. I said to keep the encrypting key hidden - that
means hiding the key and all derivative forms of it! You are making up
stuff now. XOR is unbreakable, but it is a one time use, and it must be the
same size as the clear text string.
read the links i provided....
regards
roy fine
Consider the following scenario.
Suppose I have a web site, where the member's passwords are stored encrypted
using XOR in a database.
Some how a hacker was able to gain access to the database (due to a security
hole, new vulnerability, unpatched server, bad administrator, etc), but he
doesn't have access to the key to decrypt the passwords.
So he registers a new account for himself in my web site (he knows the
password for this account because he created it), then he looks at his own
ecrypted password.
Now he can easily know the encryption key, and can decrypt all other
passwords.
That's a good example of PSS - Pretty Stupid Security.
Please read the links I provided -- this case is clearly examined and dealt
with there!
The OP asked for one thing and one thing only - how to encrypt and decrypt a
string.
XOR works wonderfully if you can live with its restrictions - and that is
why there are many alternatives.
I never suggested using XOR as the only way, but until the OPs requirements
get a bit better defined, XOR is as good as it gets.
regards
roy fine
J
Jon Skeet [C# MVP]
Sherif ElMetainy said:XOR is breakable
No - XOR is *not* breakable if the sequence of values to XOR with is
entirely secret, genuinely random and never reused.
and below is a code to demonstrate, i am using ints, but
the same applies to strings
Random r = new Random();
int secret = r.Next(); // this is hidden
int clear = r.Next(); // i know this one
int encrypted = secret ^ clear; // i know this one too
int hacked = encrypted ^ clear; // now i know the secret
Console.WriteLine(hacked == secret);
That assumes the same secret is used twice. In a true one-time-pad
system (which is what is being hinted at) the same XOR value is never
used twice.
S
Sherif ElMetainy
Hello
I was talking about reusing the key, which is the case in most scenarios In
this case it is breakable.
Best regards,
Sherif
I was talking about reusing the key, which is the case in most scenarios In
this case it is breakable.
Best regards,
Sherif
S
Sherif ElMetainy
Hello
I was talking about reusing the key, which is the case in many scenarios. In
this case XOR is breakable.
Best regards,
Sherif
I was talking about reusing the key, which is the case in many scenarios. In
this case XOR is breakable.
Best regards,
Sherif
J
Jon Skeet [C# MVP]
Sherif ElMetainy said:I was talking about reusing the key, which is the case in most scenarios In
this case it is breakable.
I dare say you were - but you were the one who introduced the idea of
reusing the key. It's like saying that some other encryption scheme
isn't secure because you might publish the private key. Every
encryption scheme has something you shouldn't do, otherwise it's no
longer secure. In the case of XOR operations like this, reusing the key
(or using a non-random source for the key) is one of those things.