Difference between revisions of "LlXorBase64StringsCorrect"

From Second Life Wiki
m (Typo)
(Added a java decoding example and a link to php example)
Line 56: Line 56:
* '''Plain Text''': The user captures outputs for known inputs can expose weaknesses in the key.
* '''Plain Text''': The user captures outputs for known inputs can expose weaknesses in the key.
* '''Brute force''': Attacking the key, secret and/or seed
* '''Brute force''': Attacking the key, secret and/or seed
===How to decode with php===
PHP script can be found in [http://lslwiki.net/lslwiki/wakka.php?wakka=llXorBase64StringsCorrect LSL Wiki]
===How to decode with java===
Remember to URLEncode your BASE64 hash if you transfer it vie GET...
<lsl>
      String BASE64datahash = "error";
      String passhash = "error";
      try {
        //URLDecode the URL encoded encrypted data
        BASE64datahash = java.net.URLDecoder.decode("KhoFRRYaAUMbEVU%3D", "UTF-8"); //KhoFRRYaAUMbEVU%3D
        System.out.println("BASE64datahash: " + BASE64datahash); //KhoFRRYaAUMbEVU=
        //create an array of BASE64 data
        char[] BASE64data = BASE64datahash.toCharArray();
        char[] dataUB = new String(new BASE64Decoder().decodeBuffer(new String(BASE64data))).toCharArray(); //BASE64 decode the data
        System.out.println("encrypted data (but base64 decoded) [dataUB]: " + new String(dataUB));
        //Encode the secred key/password to BASE64 (Just to show how to use BASE64Encoder)
        //String BASE64password = new String(new BASE64Encoder().encodeBuffer("supersecretpassword".getBytes()));
        //System.out.println("BASE64password: " + new String(BASE64password));
        //create array of BASE64 key/password
        //char[] key = BASE64password.toCharArray();
        //char[] keyUB = new String(new BASE64Decoder().decodeBuffer(new String(key))).toCharArray();
        char[] keyUB = "supersecretpassword".toCharArray();
        System.out.println("plaintext key/password [keyUB]: " + new String(keyUB));
        //XOR data array chars with corresponding key/password array chars
        int k=0;
        for (int i = 0; i < dataUB.length; i++) {
            dataUB[i] = (char) (dataUB[i] ^ keyUB[k]);
            k++;
            //Loop to start of the key if the key is too short
            if (k == keyUB.length)
              k=0;
}
        System.out.println("Decoded data [dataUB]: " + new String(dataUB));
       
        } catch (Exception ex) {
            System.out.println("Oops!");
        }
</lsl>     


|permission
|permission
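Review bot: in the added Java block, `new String(new BASE64Decoder().decodeBuffer(...)).toCharArray()` converts the XOR ciphertext to text with the platform default charset before the XOR loop runs, so any decoded byte that is not valid in that charset is altered and the result is wrong for anything but plain ASCII. Keep the decoded value as `byte[]` and XOR it against the key's bytes. Also in this hunk: the `catch (Exception ex)` that only prints "Oops!" hides which step failed, `passhash` is assigned and never used, the fragment does not say where `BASE64Decoder` comes from, and "vie GET" and "secred" are typos.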

Revision as of 03:56, 19 January 2010

Summary

Function: string llXorBase64StringsCorrect( string str1, string str2 );
0.0 Forced Delay
10.0 Energy

Correctly performs an exclusive or on two Base 64 strings.
Returns a string that is a Base64 XOR of str1 and str2.

• string str1 Base64 string
• string str2 Base64 string

str2 repeats if it is shorter than str1. If the inputs are not Base64 strings the result will be erratic.
Be sure to read the Notes before designing a cryptographic algorithm.

Examples

<lsl>default {

   state_entry(){
       
       // Use a HARD password, with upper case, lower case, numbers and symbols!
       string pass = "P4s5Wo_rD";
       
       string data = "I am some very important data.";
       
       // Encrypting the data:
       string crypt = llXorBase64StringsCorrect(llStringToBase64(data), llStringToBase64(pass));
       
       // Say the encrypted result to the owner
       llOwnerSay(crypt);
       
       // Decrypting the data and saying it back to the owner:
       llOwnerSay(llBase64ToString(llXorBase64StringsCorrect(crypt, llStringToBase64(pass))));
       
   }

}</lsl>

Notes

Best Practices

As a cryptographic technique, XOR is weak, and there are several attacks that can be leveraged to determine the XOR inputs. Depending upon how the secrets are used, cracking a single message could expose the input secrets, resulting in the derived algorithm being broken.

Keep your secrets secret. Use a seeded trap door function to shake up the bits of the secret before using it with XOR, and change the seed often.

Do not XOR a value by two values of differing length without knowing the implications. It may seem like a good idea, but what it actually does is link the fields. While it will give you a longer key value (the Least Common Multiple in length), the fields will be linked such that there are really only as many fields as the Greatest Common Divisor. The number of unique fields determines the theoretical maximum number of keys an attacker has to try.

Unique_Key_Fields = Greatest_Common_Divisor(lengths_of_keys) * number_of_keys

Attack Vectors

The first thing you need to know is that XOR is a limited polyalphabetic cipher.

  • Probability: In English, letters have different probabilities of occurring because of grammar and spelling rules. XOR does not hide the letter probabilities. This attack only works when the key is many times smaller than the message.
  • UTF-8 Rules: When you convert a string to Base64, UTF-8 encoding is used first. If you assume the inputs are valid UTF-8 encodings, some bits can be determined purely by examination.
  • Plain Text: A user who captures outputs for known inputs can expose weaknesses in the key.
  • Brute force: Attacking the key, secret and/or seed.
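The "Plain Text" item above is the reason the Best Practices say to change the seed often. The following Python model is an added example, not code from the wiki: `xor_base64` follows the documented behaviour (str2 repeats if it is shorter than str1), the password is the one from the LSL example, and the two messages and all function names are constructed for illustration. It shows that one message whose content is known gives away the repeated key, after which every other message under that key can be read.

```python
import base64
from itertools import cycle

def b64(text: str) -> str:
    """Stand-in for llStringToBase64: UTF-8 encode, then Base64."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def xor_base64(str1: str, str2: str) -> str:
    """Model of the documented behaviour: XOR decoded bytes, repeating str2."""
    a, b = base64.b64decode(str1), base64.b64decode(str2)
    return base64.b64encode(bytes(x ^ y for x, y in zip(a, cycle(b)))).decode("ascii")

def key_from_known_plaintext(known_plain: str, crypt: str) -> bytes:
    """plaintext XOR ciphertext equals the repeated key; return its shortest period."""
    plain = known_plain.encode("utf-8")
    stream = bytes(p ^ c for p, c in zip(plain, base64.b64decode(crypt)))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream  # only reached for an empty message

def decrypt_with(key: bytes, crypt: str) -> str:
    """Decrypt a Base64 XOR message with raw key bytes."""
    key_b64 = base64.b64encode(key).decode("ascii")
    return base64.b64decode(xor_base64(crypt, key_b64)).decode("utf-8")

PASSWORD = "P4s5Wo_rD"          # password from the page's LSL example
KNOWN = "status: door locked"   # constructed message whose content is known
SECOND = "status: door open"    # constructed message the observer never saw

def demo():
    c1 = xor_base64(b64(KNOWN), b64(PASSWORD))
    c2 = xor_base64(b64(SECOND), b64(PASSWORD))
    # Only KNOWN, c1 and c2 are used from here on; PASSWORD is not.
    key = key_from_known_plaintext(KNOWN, c1)
    return key, decrypt_with(key, c2)

if __name__ == "__main__":
    recovered, second_plain = demo()
    print("recovered key:", recovered)
    print("second message:", second_plain)
```

A secret that is reused unchanged across messages therefore offers no protection once any single plaintext is guessed or observed.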

How to decode with php

A PHP script can be found on the LSL Wiki.

How to decode with java

Remember to URL-encode your Base64 hash if you transfer it via GET...

<lsl>
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class XorBase64Decode {
    public static void main(String[] args) {
        try {
            // URL-decode the URL-encoded encrypted data
            String base64Data = URLDecoder.decode("KhoFRRYaAUMbEVU%3D", "UTF-8"); // KhoFRRYaAUMbEVU%3D
            System.out.println("BASE64datahash: " + base64Data); // KhoFRRYaAUMbEVU=

            // Base64-decode the data. java.util.Base64 (Java 8+) is used here in place of
            // BASE64Decoder, and the result stays a byte[] so no charset conversion can
            // alter the encrypted bytes before the XOR.
            byte[] dataUB = Base64.getDecoder().decode(base64Data);
            System.out.println("encrypted data (base64 decoded) [dataUB]: " + dataUB.length + " bytes");

            // Encoding the secret key/password to Base64 (just to show how to use the encoder):
            // String base64Password = Base64.getEncoder().encodeToString("supersecretpassword".getBytes(StandardCharsets.UTF_8));

            // The key/password is used as plain bytes
            byte[] keyUB = "supersecretpassword".getBytes(StandardCharsets.UTF_8);
            System.out.println("plaintext key/password [keyUB]: " + new String(keyUB, StandardCharsets.UTF_8));

            // XOR each data byte with the corresponding key/password byte
            int k = 0;
            for (int i = 0; i < dataUB.length; i++) {
                dataUB[i] ^= keyUB[k];
                k++;
                // Loop back to the start of the key if the key is too short
                if (k == keyUB.length)
                    k = 0;
            }

            System.out.println("Decoded data [dataUB]: " + new String(dataUB, StandardCharsets.UTF_8));
        } catch (Exception ex) {
            // Report what failed instead of hiding it
            System.out.println("Oops! " + ex);
        }
    }
}
</lsl>

Deep Notes

Signature

function string llXorBase64StringsCorrect( string str1, string str2 );