Solved

Xor Decrypting and encrypting

Posted on 2014-02-18
Last Modified: 2014-02-18
I need to hide a plain text AES key in my code. For this I am thinking about using XOR decrypting or encrypting. Any idea how to do this? Or better, another idea to hide the key?
The key is a char[15]
Question by:Ingo Foerster
9 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
The problem with using XOR is that it can generate characters that are not 'acceptable' in strings.
0
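An added example, not part of the original thread, of what this means in practice: when a key byte equals the mask byte the XOR result is 0x00, so C string functions truncate the masked key and it has to be handled as a length-counted byte buffer. The key and mask values are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed sample key and mask (not real secrets). Byte 4 is the same in
   both, so the masked key contains 0x00 at index 4. */
static const unsigned char KEY[KEY_LEN] = {
    0x4B,0x33,0x79,0x21,0x46,0x6F,0x72,0x44,0x65,0x6D,0x6F,0x4F,0x6E,0x6C,0x79,0x5F};
static const unsigned char MASK[KEY_LEN] = {
    0xA5,0x5A,0x3C,0xC3,0x46,0x99,0x66,0x0F,0xF0,0x11,0xEE,0x77,0x88,0x24,0x42,0xBD};

/* XOR n bytes of src with mask into dst; applying it twice restores src. */
void xor_bytes(unsigned char *dst, const unsigned char *src,
               const unsigned char *mask, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ mask[i];
}

/* Length a C string function sees: it stops at the first 0x00 byte. */
size_t string_visible_len(const unsigned char *buf, size_t n) {
    const unsigned char *nul = memchr(buf, 0, n);
    return nul ? (size_t)(nul - buf) : n;
}

/* Mask the key, copy the masked bytes (string copy or byte copy), unmask,
   and report whether the original key came back intact. */
int roundtrip_ok(int use_string_copy) {
    unsigned char masked[KEY_LEN], copy[KEY_LEN], out[KEY_LEN];
    xor_bytes(masked, KEY, MASK, KEY_LEN);
    if (use_string_copy)
        strncpy((char *)copy, (const char *)masked, KEY_LEN); /* stops at 0x00 */
    else
        memcpy(copy, masked, KEY_LEN);                         /* length-based */
    xor_bytes(out, copy, MASK, KEY_LEN);
    return memcmp(out, KEY, KEY_LEN) == 0;
}

int main(void) {
    unsigned char masked[KEY_LEN];
    xor_bytes(masked, KEY, MASK, KEY_LEN);
    printf("bytes visible to string functions: %zu of %d\n",
           string_visible_len(masked, KEY_LEN), KEY_LEN);
    printf("memcpy round trip ok: %d, strncpy round trip ok: %d\n",
           roundtrip_ok(0), roundtrip_ok(1));
    return 0;
}
```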
 
LVL 86

Expert Comment

by:jkr
Honestly - don't even bother. That will raise the difficulty to obtain that key for approx. 5 mins.

It has to be present in memory in its unscrambled readable form for the call to your AES decryption or encryption function, and therefore is accessible that very moment to anyone who knows how to handle a debugger. 'Hiding' it therefore probably won't be worth the effort you're putting into that. But anyway, one simple way you might want to consider would be to 'hide' it in a large area of random hexadecimal text data, e.g. like

const char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int offset = 32; // or any arbitrary value
// place your key at offset 32 and read the 16 bytes from there:
char AESKey[17];
strncpy(AESKey,pBlob + offset, 16);
AESKey[16] = '\0'; // add NULL terminator if necessary



That will at least make it impossible to extract it with utilities like 'strings', i.e. without actually debugging your program.
0
 

Author Comment

by:Ingo Foerster
I know finally the key is inside the memory, that's the general disadvantage of all encryption.
But the offset method is really basic; a little string attack with an offset is also done in a few seconds.
0
 

Author Comment

by:Ingo Foerster
So the final question is still open.
0

 
LVL 86

Expert Comment

by:jkr
Then scatter it in that blob. Place each of the 16 bytes in such a field and use an index table, e.g.

const char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int index_table[] = { 25, 16, 137, ... , 42};
char AESKey[17];
// read each key byte from the blob position given by the index table
for (int i = 0; i < 16; i++) AESKey[i] = pBlob[index_table[i]];
AESKey[16] = '\0'; // add NULL terminator if necessary



You could regard the index table to be your 'encryption key'.
0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
But, if you are still interested in a simple XOR encryption, you could use this one:

#include <windows.h>
#include <string.h>

/* XOR-based obfuscation; calling it again with the same password restores the data. */
void XORTransformData(LPBYTE lpcbBuffer, WORD wBuffer, LPCSTR lpszPassword)
{
    int iPassword = (int) strlen(lpszPassword);
    int iSeed = 1;
    int i;
    int j;

    /* initialize seed */
    for (i = 0; lpszPassword[i]; i++)
        iSeed = (iSeed + lpszPassword[i] + i) % 254;

    ++iSeed;

    /* encrypt string */
    j = 0;

    for (i = 0; i < wBuffer; i++)
    {
        iSeed = (((iSeed + (i - (int) wBuffer)) - 1) % 254) + 1;

        lpcbBuffer[i] = (BYTE) (lpcbBuffer[i] ^ iSeed ^ lpszPassword[j]);

        /* advance to the next password character, wrapping at the end */
        j = (j + 1 >= iPassword) ? 0 : j + 1;
    }
}



This is used for both encryption and decryption of the data passed in in 'lpcbBuffer'
0
 
LVL 40

Expert Comment

by:evilrix
XORing is not encryption - it is obfuscation and, as jkr has already pointed out, it'll take anyone with even a little knowledge about 10 seconds to crack! There is absolutely no safe way of distributing a private key with the binary. I'll say that again - there is absolutely NO SAFE WAY of distributing a private key with the binary. You could encrypt it, but then you'd need a key to decrypt the key. You are back to square one.

The way this is normally done is to generate the key on the destination machine once the binary is installed. It is normally done using some form of entropy such as capturing mouse movements or something equally random. Of course, this isn't always going to solve your problem as this method only covers use cases where you don't need to know the key up front.

For us to give you a better idea of the safest way to do what you are trying to do you need to expand on your use case. If you want more information as to why just obfuscating the key is dangerous and pointless do a quick search of EE. I and other experts have answered this exact question many times!

In all cases the answer is the same... if you need to go so far as to use real encryption you absolutely must not distribute the key. If you aren't that worried if the key is compromised and/or are prepared to take the risk of it being exposed why bother with full encryption, you might as well just use a form of obfuscation (there are plenty of good algorithms for doing that too) and make your life a whole lot simpler.
0
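One way to follow the "generate the key on the destination machine" approach described above, as an added example that is not part of the original thread. It assumes a POSIX system with /dev/urandom as the entropy source; the function names and the app.key path are hypothetical.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEY_LEN 16 /* AES-128 key size in bytes */

/* Read exactly n bytes from fd; 0 on success, -1 on error or short read. */
static int read_full(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Fill key from the OS CSPRNG (assumption: POSIX system with /dev/urandom). */
int generate_key(unsigned char key[KEY_LEN]) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    int rc = read_full(fd, key, KEY_LEN);
    close(fd);
    return rc;
}

/* First run: create the key file (owner-only, mode 0600) with a fresh key.
   Later runs: load the stored key. Nothing secret ships in the binary. */
int load_or_create_key(const char *path, unsigned char key[KEY_LEN]) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        int rc = generate_key(key);
        if (rc == 0 && write(fd, key, KEY_LEN) != KEY_LEN) rc = -1;
        close(fd);
        if (rc != 0) unlink(path); /* never leave a partial key file */
        return rc;
    }
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = read_full(fd, key, KEY_LEN);
    close(fd);
    return rc;
}

int main(void) {
    unsigned char key[KEY_LEN];
    return load_or_create_key("app.key", key) != 0; /* exit 0 when key is ready */
}
```

As the comment above notes, this only fits use cases where the key does not have to be known up front.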
 
LVL 40

Expert Comment

by:evilrix
>> I know finally the key is inside the memory, that's the general disadvantage of all encryption.

Actually, no!

Generally, you should be using an asymmetric-key encryption when keys need distribution; you only ever distribute the public key. It doesn't matter if that can be seen because it can only be used to "lock", it can't be used to "unlock".

If you are distributing the private key (or just *the* key in the case of AES) and it is compromised, then you have just given the burglar the keys to (unlock) your house! The [private] key should NEVER be distributed.

AES is a symmetric-key encryption algorithm. Maybe it's an asymmetric-key you need to be using?

http://en.wikipedia.org/wiki/Asymmetric_key
0
 
LVL 86

Expert Comment

by:jkr
I am absolutely with evilrix here, especially when it comes to asymmetric keys. Not sure why exactly you need an AES stream cipher (well, you will have good reasons), but if I have the choice, I'll go for public/private key pairs, RSA FTW - if applicable ;o)
0
