Graal Forums  

  #1  
Old 07-26-2013, 11:28 AM
Gunderak Gunderak is offline
String encryption in GS3

My last attempts weren't very secure, so I thought of a new method.
Personally I think this is semi-secure, or at least harder to crack than my last method.
The only flaw of it is that the key must be at least 10 in length and can't have any repeated characters.
From what I can tell, this method is called "hashing".
PHP Code:
//#GS3
function onCreated():void{
  var str:string = "abcdefghijklmnopqrstuvwxyz";
  var cat:string = this.Enc(str, "!:#$%^&*()");
  echo("Encrypted: "@cat);
  var dog:string = this.Dec(cat, "!:#$%^&*()");
  echo("Decrypted: "@dog);
}
function Enc(txt:string, key:string):string{
  var str:string = "";
  var i:number;
  var j:number;
  for(i = 0; i < txt.length(); i ++){
    var letter:string = txt.charat(i);
    var char:string = getascii(letter);
    // pad the ASCII value to three digits
    char = (char.length()>2?char:0@char);
    var enc:string = "";
    // replace each digit with the key character at that index
    for(j = 0; j < 3; j ++){
      var l:string = char.charat(j);
      var e:string = key.charat(l);
      enc @= e;
    }
    str @= enc;
  }
  return (str);
}
function Dec(txt:string, key:string):string{
  var txt:string = (txt);
  var str:string = "";
  var i:number;
  var j:number;
  // read the ciphertext three characters at a time
  for(i = 0; i < txt.length(); i += 3){
    var group:string = txt.substring(i, +3);
    var dec:string = "";
    // each character's position in the key is one digit of the ASCII value
    for(j = 0; j < 3; j ++){
      var letter:string = group.charat(j);
      var num:number = key.pos(letter);
      dec @= num;
    }
    str @= char(dec);
  }
  return str;
}

Encrypting the alphabet using this method produces the string:
!)*!)(!)):!!:!::!#:!$:!%:!^:!&:!*:!(:!)::!:::::#::$::%::^::&::*::(::):#!:#::##
The last method, you could crack by trying 30 or so possible combinations, whereas this one would require you to try a mass amount of combinations that you wouldn't want to have to go through and try and find the one that looks like something useful.
Also I think due to the maxlooplimit, the maximum length of the string would be 3,333.
Last edited by Gunderak; 07-26-2013 at 12:16 PM..
  #2  
Old 07-26-2013, 01:52 PM
cbk1994 cbk1994 is offline
This is not a hash function.

Is it just me or is GS3 an incredibly noisy language? Here's a cleaned-up version in GS2 with a few comments added:

PHP Code:
function onCreated() {
  temp.str = "abcdefghijklmnopqrstuvwxyz";
  temp.cat = this.Enc(str, "!:#$%^&*()");
  echo("Encrypted: " @ cat);
  temp.dog = this.Dec(cat, "!:#$%^&*()");
  echo("Decrypted: " @ dog);
}

function Enc(txt, key) {
  temp.str = ""; // encrypted text

  // for each character in the plaintext
  for (temp.i = 0; i < txt.length(); i ++) {
    temp.char = getascii(txt.charat(i));

    // make sure char is three characters long
    // (fails on low ASCII-value characters)
    if (char <= 99) char = "0" @ char;

    // for each character in the ASCII value
    for (temp.j = 0; j < 3; j ++) {
      temp.l = char.charat(j); // number 0-9
      temp.e = key.charat(l); // character at that position in the key

      str @= e;
    }
  }

  return str;
}

function Dec(txt, key) {
  temp.str = "";

  for (temp.i = 0; i < txt.length(); i += 3) {
    temp.group = txt.substring(i, 3);
    temp.dec = "";

    for (temp.j = 0; j < 3; j ++) {
      temp.letter = group.charat(j);
      temp.num = key.pos(letter);

      dec @= num;
    }

    str @= char(dec);
  }

  return str;
}

You've basically written a function which takes an array of single-digit numbers (the plaintext) and outputs a string containing the characters at each of those number positions from the key.

So, it's pretty obvious that your function is extremely vulnerable to a chosen plaintext attack which would allow me to steal your key. For example, if I feed you the ASCII character with decimal value 012 and you encrypt it, I will get back the first three characters of the key:

PHP Code:
echo(this.Enc(char(12), "!:#$%^&*()")); 
Quote:
Originally Posted by RC
!:#
To get the next characters (indexes 3 and above), we could use the character with the decimal value 345, but none exists in the ASCII character set, so we'll use 034 instead, which is a quotation mark.

PHP Code:
echo(this.Enc(char(12) @ "\"", "!:#$%^&*()"));
Quote:
Originally Posted by RC
!:#!$%
The numbers we have fed your function are now 012034, so we can map those to the above output to see that the first characters are !:#$%, which indeed they are. We can continue with more characters until we have the full key (which must be exactly 10 characters long).

In addition to limiting the key size to exactly 10 characters, all 10 characters must be unique (or lossless decryption will not be possible), which further reduces the potential key space. It would be a fairly simple matter to try every possible key given enough encrypted text and run frequency analysis on the results to narrow it down to a handful of possible results, telling you both the key and the decrypted text.

Since each character is always represented exactly the same way when encrypted, we can also do simple frequency analysis on a bunch of encrypted text to determine which three characters in the encrypted text represent which ASCII character in the plaintext. Let's say you are using this to encrypt some kind of in-game communication and I am able to capture a few days of encrypted text. I can then count how many times each pattern of three characters appears and compare the frequency of each pattern to the known relative frequencies at which letters are used in English. The more data I have the easier it gets, but with a little guess-and-check it wouldn't take much data at all.

There are also undoubtedly even simpler attacks than the ones I mentioned. It's certainly better than your last attempt, but still in no way even remotely secure.
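The key recovery described in the reply above, as an added Python example that is not part of the original thread: a port of the posted `Enc`/`Dec` plus a hypothetical `recover_key` helper. The port always zero-pads to three digits, and the probe codes 056, 078 and 090 are an assumed continuation of the 012 and 034 steps shown in the post.

```python
KEY = "!:#$%^&*()"  # key used in the thread: 10 unique characters

def enc(txt, key):
    # Character -> three-digit decimal code -> key[digit] for each digit.
    # Assumption: always zero-pad to three digits (the posted GS2 adds one "0").
    return "".join(key[int(d)] for ch in txt for d in f"{ord(ch):03d}")

def dec(ct, key):
    # Ciphertext triple -> three key positions -> decimal code -> character.
    out = []
    for i in range(0, len(ct), 3):
        digits = "".join(str(key.index(c)) for c in ct[i:i + 3])
        out.append(chr(int(digits)))
    return "".join(out)

def recover_key(oracle):
    """Rebuild the key from a single chosen-plaintext query.

    `oracle` is a hypothetical stand-in for any code path that encrypts
    caller-supplied text under the secret key.
    """
    # Codes 012 and 034 are the two from the reply; 056, 078 and 090
    # continue the same idea until every digit 0-9 has appeared.
    probe = "".join(chr(c) for c in (12, 34, 56, 78, 90))
    digits = "".join(f"{ord(ch):03d}" for ch in probe)
    key = [""] * 10
    for digit, symbol in zip(digits, oracle(probe)):
        key[int(digit)] = symbol  # ciphertext symbol sits at this key index
    return "".join(key)

if __name__ == "__main__":
    ct = enc("abcdefghijklmnopqrstuvwxyz", KEY)
    print("Encrypted:", ct)
    print("Decrypted:", dec(ct, KEY))
    print("Recovered:", recover_key(lambda p: enc(p, KEY)))
```

Five encrypted characters are enough to read off all ten key positions, which is why any feature that encrypts user-supplied text under this scheme gives the key away.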
  #3  
Old 07-26-2013, 02:38 PM
Gunderak Gunderak is offline
Damn lol, each time I think I've got it figured, you expose the holes haha.
But it brings me to the next point, if the "hacker" didn't know how I was encrypting things or had access to the function to get the key, wouldn't that make it more secure?
E.g., if they didn't have access to the function, they wouldn't be able to test their values to get the key.
  #4  
Old 07-26-2013, 02:56 PM
cbk1994 cbk1994 is offline
Quote:
Originally Posted by Gunderak View Post
Damn lol, each time I think I've got it figured, you expose the holes haha.
But it brings me to the next point, if the "hacker" didn't know how I was encrypting things or had access to the function to get the key, wouldn't that make it more secure?
E.g., if they didn't have access to the function, they wouldn't be able to test their values to get the key.
It will still be pretty obvious what you are doing to anybody with any experience, especially your first method. The second is a bit better, but it will still be quite simple to crack. Also note that both of your functions output strings that are vulnerable to simple frequency analysis, so there's no need to even attempt to figure out the function you use for encryption. It will be even simpler if they can force you to encrypt things (e.g. by sending an encrypted message) since they can perform a chosen plaintext attack.

What you are proposing is the definition of security through obscurity. In your case, yeah, it would probably increase security, but only because your attackers aren't very dedicated. In general though it is far better to go with a published algorithm like AES than to try to outsmart the people trying to break your encryption. The "best" encryption scheme is generally the one that has been around a long time, has received a lot of attention, and has still not been broken. You can read more about AES's history and see that some of the candidates had severe flaws which were discovered only because the algorithms were published (and of course the people writing the algorithms who missed those flaws were a lot smarter than you or me).

Also in general it's inevitable that your encryption code will be leaked eventually, so it makes sense to pick the algorithm where it doesn't matter if the code is public rather than the one that might completely crumble when the code is public.
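The frequency analysis mentioned in the two replies above, as an added Python example that is not part of the original thread. The key, the sample text and the helper names are constructed for illustration; `ranked_triples` needs no knowledge of the scheme, while `leak_key_digits` assumes the three-digit decimal structure is known.

```python
from collections import Counter

SECRET_KEY = ")(*&^%$#:!"  # constructed key; used only to build the sample

def enc(txt, key):
    # Python port of the thread's scheme (always zero-pads to three digits).
    return "".join(key[int(d)] for ch in txt for d in f"{ord(ch):03d}")

# Constructed plaintext standing in for captured in-game chat.
SAMPLE = ("we see the sea at the end of a long day "
          "and we rest by the old red tree")
CAPTURED = enc(SAMPLE, SECRET_KEY)

def ranked_triples(ct):
    # Every plaintext character always becomes the same three symbols,
    # so triple counts are exactly the plaintext's character counts.
    counts = Counter(ct[i:i + 3] for i in range(0, len(ct), 3))
    return [triple for triple, _ in counts.most_common()]

def leak_key_digits(ct, guesses=(" ", "e")):
    """Map the most frequent triples to the guessed plaintext characters.

    Each correct guess pins the key symbols for the digits of that
    character's decimal code (space is 032, "e" is 101).
    """
    known = {}
    for triple, ch in zip(ranked_triples(ct), guesses):
        for digit, symbol in zip(f"{ord(ch):03d}", triple):
            known[int(digit)] = symbol
    return known

if __name__ == "__main__":
    print(ranked_triples(CAPTURED)[:3])
    print(leak_key_digits(CAPTURED))
```

Two guesses already fix key positions 0 to 3, and the ranking itself is identical under every key, so changing the key does nothing to hide which symbols are common.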
  #5  
Old 07-26-2013, 04:27 PM
Chompy Chompy is offline
A great hash function to generate passwords with I made a while ago!

NPC Code:

function onCreated() {
  this.hashtable = "aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWyYzZ132465798";
  this.symbols = ".,/*-+!#¤%&/()=?`´}][{$£@|øæåØÆÅéáí[DèàìêâîôòóõñãöëäÖËÄÏïÂÎÛÔÊÑÕ(hÃZÁCÓÍÚÉTÌÙÒÈ<>";
}
function hash(string, key, length) {
  temp.table = new[length];
  temp.htl = this.hashtable.length();
  for(temp.i = 0; i < length; i ++) {
    temp.output = 0;
    for(temp.j = 0; j < string.length(); j ++) {
      for(temp.k = 0; k < key.length(); k ++) {
        temp.char1 = string.charat(j>>1);
        temp.char2 = key.charat(k);

        temp.check = this.symbols.pos(char1);
        if (check > -1) char1 = this.hashtable.charat(check)%htl;
        check = this.symbols.pos(char2);
        if (check > -1) char2 = this.hashtable.charat(check)%htl;

        temp.pos = {
          this.hashtable.pos(char1),
          this.hashtable.pos(char2)
        };
        temp.b = pos[0] >> 16;
        b = (b%length) << i;
        b += (int((i*length)-k)%pos[1]) + int((length^(i+j)+k)/pos[0]);
        b %= htl;
        output += b xor pos[1];
      }
      output += length/i;
      output %= htl;
    }
    table[i] = this.hashtable.charat(output);
  }
  temp.out = "";
  for(temp.c : table) {
    out @= c;
  }
  return out;
}



This is a hash function I made way back, and it's pretty effective, and length of string & key can be as long as you want (longer string lengths require more processing though) and it allows you to specify the length of the returned hash.

You might find something in there, I would suggest to take a look at bit manipulations, xor, etc and of course, do as Chris said and check out other encryption and hash functions out there.

Example output:

PHP Code:
function onCreated() {
  echo(hash("foo", "bar", 8)); // FrvUqQuU
  echo(hash("Hi there, I'm Chompy", "key", 8)); // lCAP4FFy
  echo(hash("Hi there, I'm Chompy", "key", 6)); // YkI6IL
  echo(hash("baz", "bar", 24)); // 3hBPVspQmuKQ1PrAvuG4FmdL
  echo(hash("foo", "foo", 10)); // 4KjCpuokgC
}
