Solved

Xor Decrypting and encrypting

Posted on 2014-02-18
Last Modified: 2014-02-18
I need to hide a plain text AES key in my code. For this I am thinking about using XOR decrypting or encrypting. Any idea how to do this? Or better, another idea to hide the key?
The key is a char[15]
0
Comment
Question by:Ingo Foerster
9 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39868758
The problem with using XOR is that it can generate characters that are not 'acceptable' in strings.
0
 
LVL 86

Expert Comment

by:jkr
ID: 39868774
Honestly - don't even bother. That will raise the difficulty to obtain that key for approx. 5 mins.

It has to be present in memory in its unscrambled readable form for the call to your AES decryption or encryption function, and therefore is accessible that very moment to anyone who knows how to handle a debugger. 'Hiding' it therefore probably won't be worth the effort you're putting into that. But anyway, one simple way you might want to consider would be to 'hide' it in a large area of random hexadecimal text data, e.g. like

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int offset = 32; // or any arbitrary value
// place your key at offset 32 and read the 16 bytes from there:
char AESKey[17];
strncpy(AESKey,pBlob + offset, 16);
AESKey[16] = '\0'; // add NULL terminator if necessary


That will at least make it impossible to extract it with utilities like 'strings', i.e. without actually debugging your program.
0
 

Author Comment

by:Ingo Foerster
ID: 39868918
I know finally the key is inside the memory, that's the general disadvantage of all encryption.
But the offset method is really basic, a little string attack with an offset is also done in a few seconds.
0
 

Author Comment

by:Ingo Foerster
ID: 39868920
So the final question is still open.
0
 
LVL 86

Expert Comment

by:jkr
ID: 39868931
Then scatter it in that blob. Place each of the 16 bytes in such a field and use an index table, e.g.

char* pBlob = "4612D19AE6AF523F397D65301F51E060A1537C05162382BC0F937DDF7DC0BD5EB5D0281[...]806BDCE64F3518C7CD76C5999B421136C25E1FD15A";
int index_table[] = { 25, 16, 137, ... , 42};
char AESKey[17];
// pick each key byte from the blob position listed in the index table
for (int i = 0; i < 16; i++) AESKey[i] = pBlob[index_table[i]];
AESKey[16] = '\0'; // add NULL terminator if necessary


You could regard the index table to be your 'encryption key'.
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 39868955
But, if you are still interested in a simple XOR encryption, you could use this one:

#include <windows.h>
#include <string.h>

/* XOR lpcbBuffer in place with a keystream derived from lpszPassword.
   Calling it a second time with the same password restores the data. */
void XORTransformData(LPBYTE lpcbBuffer,
                      WORD   wBuffer,
                      LPCSTR lpszPassword) /* narrow string: strlen() is used on it */
{
	int iPassword = (int) strlen(lpszPassword);
	int iSeed     = 1;
	int i;
	int j;

	/* initialize seed */
	for (i = 0; lpszPassword[i]; i++)
		iSeed = (iSeed + lpszPassword[i] + i) % 254;

	++iSeed;

	/* encrypt string */
	j = 0;

	for (i = 0; i < wBuffer; i++)
	{
		iSeed = (((iSeed + (i - (int) wBuffer)) - 1) % 254) + 1;

		lpcbBuffer[i] = (BYTE) (lpcbBuffer[i] ^ iSeed ^ lpszPassword[j]);

		/* advance to the next password character, wrapping at the end */
		if (++j >= iPassword)
			j = 0;
	}
}


This is used for both encryption and decryption of the data passed in in 'lpcbBuffer'
0
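Dave Baldwin's caveat earlier in the thread applies to any XOR transform of a key: the result can contain 0x00 bytes, so string functions such as the strncpy used in the blob snippets above will silently truncate it. The following is an added example, not code from any of the posters; the sample key, the mask and all function names are constructed for illustration.

```c
/* Added example: an XOR-masked key is binary data, not a C string. */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed sample values, not real key material. */
static const unsigned char SAMPLE_KEY[KEY_LEN + 1] = "0123456789ABCDEF";
static const unsigned char SAMPLE_MASK[4] = { 0x11, 0x22, 0x36, 0x44 };

/* XOR buf in place with a repeating mask; applying it twice restores buf. */
static void xor_mask(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= SAMPLE_MASK[i % sizeof SAMPLE_MASK];
}

/* Length a string function reports for the masked key ('6' ^ 0x36 == 0x00). */
size_t masked_strlen(void)
{
    unsigned char buf[KEY_LEN + 1];
    memcpy(buf, SAMPLE_KEY, sizeof buf);
    xor_mask(buf, KEY_LEN);
    return strlen((const char *)buf);
}

/* Copy the masked key as a string (as_string = 1) or as KEY_LEN raw bytes,
   unmask the copy, and return 1 if the original key came back. */
int recover_key(int as_string)
{
    unsigned char stored[KEY_LEN + 1], out[KEY_LEN];
    memcpy(stored, SAMPLE_KEY, sizeof stored);
    xor_mask(stored, KEY_LEN);
    if (as_string)  /* stops at the first 0x00 and zero-fills the rest */
        strncpy((char *)out, (const char *)stored, KEY_LEN);
    else
        memcpy(out, stored, KEY_LEN);
    xor_mask(out, KEY_LEN);
    return memcmp(out, SAMPLE_KEY, KEY_LEN) == 0;
}

int main(void)
{
    printf("strlen of masked key: %zu of %d bytes\n", masked_strlen(), KEY_LEN);
    printf("strncpy copy recovers key: %d\n", recover_key(1));
    printf("memcpy copy recovers key:  %d\n", recover_key(0));
    return 0;
}
```

Store and copy masked key material as a byte array with an explicit length; never pass it through strlen, strcpy or strncpy.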
 
LVL 40

Expert Comment

by:evilrix
ID: 39869004
XORing is not encryption - it is obfuscation and, as jkr has already pointed out, it'll take anyone with even a little knowledge about 10 seconds to crack! There is absolutely no safe way of distributing a private key with the binary. I'll say that again - there is absolutely NO SAFE WAY of distributing a private key with the binary. You could encrypt it, but then you'd need a key to decrypt the key. You are back to square one.

The way this is normally done is to generate the key on the destination machine once the binary is installed. It is normally done using some form of entropy such as capturing mouse movements or something equally random. Of course, this isn't always going to solve your problem as this method only covers use cases where you don't need to know the key up front.

For us to give you a better idea of the safest way to do what you are trying to do you need to expand on your use case. If you want more information as to why just obfuscating the key is dangerous and pointless do a quick search of EE. I and other experts have answered this exact question many times!

In all cases the answer is the same... if you need to go so far as to use real encryption you absolutely must not distribute the key. If you aren't that worried if the key is compromised and/or are prepared to take the risk of it being exposed why bother with full encryption, you might as well just use a form of obfuscation (there are plenty of good algorithms for doing that too) and make your life a whole lot simpler.
0
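The alternative described in the comment above, generating the key on the destination machine so that no key ships in the binary, can look like this. This is an added example, not code from the thread: it assumes a POSIX system, takes its entropy from the operating system's random generator (/dev/urandom) rather than mouse movements, and the key file path and function names are hypothetical.

```c
/* Added example: create the AES key on first run instead of shipping it. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define KEY_LEN 16  /* AES-128 */

/* Fill buf with len bytes from the kernel CSPRNG. Returns 0 on success. */
static int random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Returns 0 if an existing key was loaded, 1 if a new one was created,
   -1 on error. The file is created readable by its owner only. */
int load_or_create_key(const char *path, unsigned char key[KEY_LEN])
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, key, KEY_LEN);
        close(fd);
        return n == KEY_LEN ? 0 : -1;
    }
    if (errno != ENOENT || random_bytes(key, KEY_LEN) != 0) return -1;
    /* O_EXCL: never overwrite or reuse a file that appeared meanwhile */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, key, KEY_LEN);
    if (close(fd) != 0 || w != KEY_LEN) { unlink(path); return -1; }
    return 1;
}

int main(void)
{
    unsigned char key[KEY_LEN];
    int rc = load_or_create_key("./app_aes.key", key);  /* hypothetical path */
    printf("%s\n", rc == 1 ? "created" : rc == 0 ? "loaded" : "error");
    return rc < 0;
}
```

On Windows, which the code in this thread targets, the same pattern would use BCryptGenRandom for the random bytes and DPAPI (CryptProtectData) to protect the stored key.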
 
LVL 40

Expert Comment

by:evilrix
ID: 39869017
>> I know finally the key is inside the memory, that's the general disadvantage of all encryption.

Actually, no!

Generally, you should be using an asymmetric-key encryption when keys need distribution; you only ever distribute the public key. It doesn't matter if that can be seen because it can only be used to "lock", it can't be used to "unlock".

If you are distributing the private key (or just *the* key in the case of AES) and it is compromised, then you have just given the burglar the keys to (unlock) your house! The [private] key should NEVER be distributed.

AES is a symmetric-key encryption algorithm. Maybe it's an asymmetric-key you need to be using?

http://en.wikipedia.org/wiki/Asymmetric_key
0
 
LVL 86

Expert Comment

by:jkr
ID: 39869284
I am absolutely with evilrix here, especially when it comes to asymmetric keys. Not sure why exactly you need an AES stream cipher (well, you will have good reasons), but if I have the choice, I'll go for public/private key pairs, RSA FTW - if applicable ;o)
0
