Thread Encrypting strings
Mon, Jan 6 2014 11:44 AM

Matthew Jones

To make things easier for my purposes, I've decided to stop using https/SSL and use
encryption of the JSON strings instead. To this end, I needed a simple encryptor,
and I found one on StackOverflow. I've adapted it for EWB and I am posting it below.
It passes all my basic tests. If anyone spots a flaw, let me know.

Of course you should be aware that this is not really very secure - the source and
the key are available to the person with the browser. It is my intention to pass
the key (the 223 in the examples) from the server, so each session is unique, but
of course the key is on the wire too... This will protect from basic snooping, but
the NSA will laugh at it. 8-)

Sample use:
       szTemp := EncryptStr(editEncrypt.Text, 223);
       lblEncrypt.Caption := szTemp;
       lblDecrypt.Caption := DecryptStr(szTemp, 223);
   
       lblDuffCrypt.Caption:= DecryptStr(szTemp, 107);

Unit code below.

/Matthew Jones/

unit uEncrypt;

interface

uses WebCore;
             

function EncryptStr(const S :String; Key: Integer): String;
function DecryptStr(const S: String; Key: Integer): String;

implementation

const CKEY1 = 53761;
     CKEY2 = 32618;
                   
// Original code from this answer
//http://stackoverflow.com/questions/6798188/delphi-simple-string-encryption

function EncryptStr(const S :String; Key: Integer): String;
var   
   i          :Integer;
   RStr       :String;
   szBuild : String;
   nTemp : Integer;
begin
   Result:= '';
   szBuild := '';
   RStr:= S; // UTF8Encode(S);
   //Report('Encrypting ' + S + ', len=' + IntToStr(Length(S)));
   for i := 1 to Length(RStr) do
   begin
       //    RStrB[i] := RStrB[i] xor (Key shr 8);
       nTemp :=  Ord(RStr[i]) xor (Key shr 8);
       nTemp := nTemp and $ff;
       szBuild := szBuild + Chr(nTemp);
       //Report('[' + IntToStr(i) + '] ord(' + RStr[i] + ')=' +
       //  IntToHex(Ord(RStr[i]), 2) + ' keyshr8=' + IntToStr((Key shr 8)) + ' r=' +
       //  IntToStr((Ord(RStr[i]) xor (Key shr 8))));
       Key := (nTemp + Key) * CKEY1 + CKEY2;
       Key := Key and $ffff;
       //Report('[' + IntToStr(i) + '] key now ' + IntToStr(Key));
   end;
   for i := 1 to Length(szBuild) do
   begin
       Result:= Result + IntToHex(Ord(szBuild[i]), 2);
   end;
end;

function DecryptStr(const S: String; Key: Integer): String;
var   
   i, tmpKey  :Integer;
   RStr       :String;
   //      RStrB      :TBytes Absolute RStr;
   tmpStr     :string;
   szBuild : String;
   nTemp : Integer;
begin
   tmpStr:= UpperCase(S);
   //Report('Decrypting ' + S + ', len=' + IntToStr(Length(S)));
   RStr := '';
   szBuild := '';
   i:= 1;
   try
       while (i < Length(tmpStr)) do
       begin
           RStr := RStr + Chr(StrToInt('0x' + tmpStr[i] + tmpStr[i+1]));
           //Report('[' + IntToStr(i) + '] ' + '0x' + tmpStr[i] + tmpStr[i+1] +
           //  ' gives ' + IntToStr(StrToInt('0x' + tmpStr[i] + tmpStr[i+1])));
           Inc(i, 2);
       end;
   except
       Result:= '';
       Exit;
   end;
   for i := 1 to Length(RStr) do
   begin
       tmpKey:= Ord(RStr[i]);
       //Report('[' + IntToStr(i) + '] key=' + IntToStr(Key) + ', tmpKey=' +
       //  IntToStr(tmpKey));
       nTemp := (Ord(RStr[i]) xor (Key shr 8));
       nTemp := nTemp and $ff;
       szBuild := szBuild + Chr(nTemp);
       Key := (tmpKey + Key) * CKEY1 + CKEY2;
       Key := Key and $ffff;
   end;
   //Report('szBuild=' + szBuild);
   Result:= szBuild;
end;


end.
Tue, Jan 7 2014 8:00 AM

Matthew Jones

FWIW, this is the JSON string from a single letter 'F' and then 29 spaces:
"response":"4602FB50B884CCA068745C2F0568900C54B7EE14D54615139AAAE2730D84"

Satisfies my "stop basic snooping" requirement...

/Matthew Jones/
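
Added example, not part of the posts above: a JavaScript port of the posted unit, checked against the sample ciphertext in this thread. It shows two properties of the scheme: the `and $ffff` mask leaves only 65,536 possible key states, and any key below 256 leaves the first byte unencrypted (the sample begins `46`, the character code of 'F'). The names `nextKey`, `firstByteInClear`, `candidateKeys` and `THREAD_SAMPLE` belong to this example only.

```javascript
// Added example (not from the thread): JavaScript port of EncryptStr/DecryptStr.
const CKEY1 = 53761, CKEY2 = 32618;

// Sample ciphertext quoted in the thread: 'F' followed by 29 spaces.
const THREAD_SAMPLE = "4602FB50B884CCA068745C2F0568900C54B7EE14D54615139AAAE2730D84";

// Key schedule: the "and $ffff" mask means only 16 bits of state ever exist.
function nextKey(key, cipherByte) {
  return ((cipherByte + key) * CKEY1 + CKEY2) % 65536;
}

function encryptStr(s, key) {
  let k = key & 0xffff, hex = "";
  for (let i = 0; i < s.length; i++) {
    const c = (s.charCodeAt(i) ^ (k >> 8)) & 0xff;
    hex += c.toString(16).toUpperCase().padStart(2, "0");
    k = nextKey(k, c); // feedback uses the ciphertext byte, as in the unit
  }
  return hex;
}

// Returns "" for non-hex input, like the unit's try/except does.
function decryptStr(hex, key) {
  if (!/^[0-9a-fA-F]*$/.test(hex)) return "";
  let k = key & 0xffff, out = "";
  for (let i = 0; i + 1 < hex.length; i += 2) {
    const c = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode((c ^ (k >> 8)) & 0xff);
    k = nextKey(k, c);
  }
  return out;
}

// True when bits 8..15 of the key are zero, so byte 0 is XORed with 0.
function firstByteInClear(key) {
  return ((key >> 8) & 0xff) === 0;
}

// Walk every possible 16-bit key; keep those whose output passes `accept`.
function candidateKeys(hex, accept) {
  const hits = [];
  for (let k = 0; k < 65536; k++) {
    if (accept(decryptStr(hex, k))) hits.push(k);
  }
  return hits;
}

const expected = "F" + " ".repeat(29);
console.log("keys matching thread sample:", candidateKeys(THREAD_SAMPLE, p => p === expected));
```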
Fri, Jan 10 2014 11:43 AM

Ronald

Really great, Matthew, thanks!

Mon, Jan 13 2014 3:26 AM

Ronald

Hi Matthew,

Why have you decided to stop with https? Did you run into problems you did
not foresee?

Greetings,
Ronald

Mon, Jan 13 2014 5:10 AM

Matthew Jones

> Why have you decided to stop with https? Did you run into problems
> you did not foresee?

I used https for my first project (that we decided to kill for market reasons), and
it was all just fine. My new application is very different though, and does not
have a central server. Instead, you run it on a laptop, and other people will
connect to it with browsers. This then presents a load of interesting challenges
for non-technical users. You have an iPhone, and you have to connect to "any"
computer on the network, one that has no DNS name set up for it. To make it easy to
connect to, either I have to run a dynamic DNS server, and they have to type in
some complex DNS name (and get it right), so that I can have a certificate that
matches, or they have to enter an IP address and get certificate warnings (which
may be denied by policy or mistake). https is therefore way more complex than plain
http for this particular purpose. Given that the data is not particularly sensitive,
the basic protection here will work for my needs. You can't see someone typing
their deepest secrets ("I like jam sandwiches") going past on the wire/air using a
sniffer. The NSA will laugh at it, but they'll already know about the sandwich
fancy as they will own the laptop too. 8-)

/Matthew Jones/