Solved

Xor Decrypting and encrypting

Posted on 2014-02-18
9
372 Views
Last Modified: 2014-02-18
I need to hide a plain text AES key in my code. For this I am thinking about using XOR decrypting or encrypting. Any idea how to do this? Or better, another idea to hide the key?
The key is a char[15]
0
Question by:Ingo Foerster
9 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39868758
The problem with using XOR is that it can generate characters that are not 'acceptable' in strings.
0
 
LVL 86

Expert Comment

by:jkr
ID: 39868774
Honestly - don't even bother. That will raise the difficulty to obtain that key for approx. 5 mins.

It has to be present in memory in its unscrambled readable form for the call to your AES decryption or encryption function, and therefore is accessible that very moment to anyone who knows how to handle a debugger. 'Hiding' it therefore probably won't be worth the effort you're putting into that. But anyway, one simple way you might want to consider would be to 'hide' it in a large area of random hexadecimal text data, e.g. like

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int offset = 32; // or any arbitrary value
// place your key at offset 32 and read the 16 bytes from there:
char AESKey[17];
strncpy(AESKey,pBlob + offset, 16);
AESKey[16] = '\0'; // add NULL terminator if necessary



That will at least make it impossible to extract it with utilities like 'strings', i.e. without actually debugging your program.
0
 

Author Comment

by:Ingo Foerster
ID: 39868918
I know finally the key is inside the memory, that's the general disadvantage of all encryption.
But the offset method is really basic, a little string attack with an offset is also done in a few seconds.
0
 

Author Comment

by:Ingo Foerster
ID: 39868920
So the final question is still open.
0
 
LVL 86

Expert Comment

by:jkr
ID: 39868931
Then scatter it in that blob. Place each of the 16 bytes in such a field and use an index table, e.g.

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int index_table[] = { 25, 16, 137, ... , 42};
char AESKey[17];
// pick each key byte from the blob position listed in the index table
for (int i = 0; i < 16; i++) AESKey[i] = pBlob[index_table[i]];
AESKey[16] = '\0'; // add NULL terminator if necessary
                                            



You could regard the index table to be your 'encryption key'.
0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 39868955
But, if you are still interested in a simple XOR encryption, you could use this one:

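#include <windows.h>	/* LPBYTE, WORD, LPCTSTR */
#include <string.h>	/* strlen */

/* Assumes an ANSI (non-UNICODE) build, where LPCTSTR is const char*. */
void XORTransformData(LPBYTE lpcbBuffer, WORD wBuffer, LPCTSTR lpszPassword)
{
	int iPassword = (int) strlen(lpszPassword);	/* password length */
	int iSeed = 1;
	int i;
	int j;

	/* initialize seed from the password characters */
	for (i = 0; lpszPassword[i]; i++)
		iSeed = (iSeed + lpszPassword[i] + i) % 254;

	++iSeed;

	/* encrypt string: XOR each byte with the running seed and a password character */
	j = 0;

	for (i = 0; i < wBuffer; i++)
	{
		iSeed = (((iSeed + (i - (int) wBuffer)) - 1) % 254) + 1;

		lpcbBuffer[i] = lpcbBuffer[i] ^ iSeed ^ lpszPassword[j];

		/* advance to the next password character, wrapping at the end */
		j = (j + 1 >= iPassword) ? 0 : j + 1;
	}
}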



This is used for both encryption and decryption of the data passed in in 'lpcbBuffer'
0
 
LVL 40

Expert Comment

by:evilrix
ID: 39869004
XORing is not encryption - it is obfuscation and, as jkr has already pointed out, it'll take anyone with even a little knowledge about 10 seconds to crack! There is absolutely no safe way of distributing a private key with the binary. I'll say that again - there is absolutely NO SAFE WAY of distributing a private key with the binary. You could encrypt it, but then you'd need a key to decrypt the key. You are back to square one.

The way this is normally done is to generate the key on the destination machine once the binary is installed. It is normally done using some form of entropy such as capturing mouse movements or something equally random. Of course, this isn't always going to solve your problem as this method only covers use cases where you don't need to know the key up front.

For us to give you a better idea of the safest way to do what you are trying to do you need to expand on your use case. If you want more information as to why just obfuscating the key is dangerous and pointless do a quick search of EE. I and other experts have answered this exact question many times!

In all cases the answer is the same... if you need to go so far as to use real encryption you absolutely must not distribute the key. If you aren't that worried if the key is compromised and/or are prepared to take the risk of it being exposed why bother with full encryption, you might as well just use a form of obfuscation (there are plenty of good algorithms for doing that too) and make your life a whole lot simpler.
0
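
The approach described in the comment above, generating the key on the destination machine once the binary is installed, as an added example that is not code from this thread. It assumes a POSIX system and takes its randomness from /dev/urandom rather than captured mouse movements; load_or_create_key and the key path are hypothetical names.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEY_LEN 16	/* AES-128 key size in bytes */

/* Read or write exactly len bytes; returns 0 on success, -1 on error/EOF. */
static int xfer_all(int fd, unsigned char *buf, size_t len, int writing)
{
	while (len > 0) {
		ssize_t n = writing ? write(fd, buf, len) : read(fd, buf, len);
		if (n <= 0)
			return -1;
		buf += n;
		len -= (size_t) n;
	}
	return 0;
}

/* Load the per-installation key from key_path (hypothetical location),
 * creating it on first run. Returns 1 if a new key was generated,
 * 0 if an existing key was loaded, -1 on error. */
int load_or_create_key(const char *key_path, unsigned char key[KEY_LEN])
{
	int rc = -1;
	/* O_EXCL: never overwrite or follow a pre-planted file.
	 * 0600: readable by the owning account only. */
	int fd = open(key_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd >= 0) {
		int rnd = open("/dev/urandom", O_RDONLY);
		if (rnd >= 0) {
			if (xfer_all(rnd, key, KEY_LEN, 0) == 0 &&
			    xfer_all(fd, key, KEY_LEN, 1) == 0)
				rc = 1;
			close(rnd);
		}
		close(fd);
		if (rc != 1) {	/* leave no partial key on disk or in memory */
			unlink(key_path);
			memset(key, 0, KEY_LEN);
		}
		return rc;
	}
	/* File already exists: load the key generated on first run. */
	fd = open(key_path, O_RDONLY);
	if (fd < 0)
		return -1;
	rc = (xfer_all(fd, key, KEY_LEN, 0) == 0) ? 0 : -1;
	close(fd);
	return rc;
}
```

No key ships in the binary, so every installation ends up with a different one. As the comment says, this only fits use cases where the key does not need to be known up front.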
 
LVL 40

Expert Comment

by:evilrix
ID: 39869017
>> I know finaly the key is inside the memory, that the general disadvantage of all encryption.

Actually, no!

Generally, you should be using an asymmetric-key encryption when keys need distribution; you only ever distribute the public key. It doesn't matter if that can be seen because it can only be used to "lock", it can't be used to "unlock".

If you are distributing the private key (or just *the* key in the case of AES) and it is compromised, then you have just given the burglar the keys to (unlock) your house! The [private] key should NEVER be distributed.

AES is a symmetric-key encryption algorithm. Maybe it's an asymmetric-key you need to be using?

http://en.wikipedia.org/wiki/Asymmetric_key
0
 
LVL 86

Expert Comment

by:jkr
ID: 39869284
I am absolutely with evilrix here, especially when it comes to asymmetric keys. Not sure why exactly you need an AES stream cipher (well, you will have good reasons), but if I have the choice, I'll go for public/private key pairs, RSA FTW - if applicable ;o)
0
