
2-Way Encryption


Supra

Programmer
Dec 6, 2000
422
US
I recently developed a 2-way encryption method to use on my website. I ported the method over to Perl and it seems to work well, however it was my first attempt at encryption with no prior experience whatsoever, so I'm a little sketchy about using it to protect passwords of my members. The encrypted values are stored in cookies and the cookie is checked against the user/password combination in the SQL database when visiting a page. I'm not sure if this is the appropriate forum, and if not please advise, but I would like to see if anyone can crack this encryption. Here is the encrypted string (20 characters):
Code:
dhDIDHEAdhea@df-dhdh:fj*'dd-DGDF$EH@DIDEdgDGdhdedgdj?EC+DGdf.dj!DIdfDHdddgE
A@ge|DGDF.fi`dideDHdddgeaDGeadheb=BCE=DHdj~gb&-JF=-ed@ecDE!DJ@/bcg?DHdh`EF@
&ge\ECdg\eg#EBEC!FJ#ECDE'dg=|eg&DHdh$jc@:DJ!ECdg+FJ/ecdd.dh;ecDE+EC\;jg?DHd
h.bce!:gd@ECDG%DD%ECde_:JB$=EE!.jd?jb#JB-;ee;!JD#jc|jb*`ee@&JD=JD/JB?+EE?.j
d.JE\jb!.EE&|JD|IJJD'JB#\EE/\JD/IJje?JB@@ee\.JD:ijJF*jb';ee.*JD.IJJG$JB+%EE
/*jd$jaij$jb/|ee%.JD-jaJA+jb*&ee*-JD@jaJF|JB%@ee!;jd!jaJG|JB~#EE%&jd~JAjh-J
B!%ee\;jd?JBII$JB.\EE|+JD/JBIJ@JB~!ee=-JD\JBja`JB@*ee|*JD=jbjc'jb=@ee#\jd%j
bJD%jb$.EE:=JD@JBJF&JB=/ee!&JD-JBJG~JB~:EE$+jd.jbJH\JB~@ee`*JD?JCII;jb?;ee`
|jd=jcjd?jb!/EE.$JD;JCJE-jb+@EE;#JD-JGIJ!jb;.EE+$JD=jgja&JB=?ee-;JD!jgJD-jb
&\ee!.JD&JGJE
 
Hello Supra,

I'm no cryptographer or mathematician, but there are a couple of points to note bearing in mind your comments above:

1. What happens if the web browser is set up to reject cookies?

2. A reversible encryption algorithm is always slightly suspect. One-way systems are better as they don't immediately compromise every single username/password if the algorithm is discovered and the website login system compromised.
A better authentication system is to do the following:
a) User types in username and password to form
b) Form encrypts password using any given algorithm.
c) Username and encrypted password (or even encrypted username and encrypted password) are passed to authentication mechanism (thereby bypassing any possibility of packet sniffers capturing the plain text password). Consider using SSL for login pages, or even the whole site if there is a lot of sensitive information (financial, health etc).
d) Program compares the encrypted password for the user to the stored value. If they match, let them in. If not, display "Incorrect Username/Password" message.

Depending upon how secure your application needs to be, this may be a better approach.

John
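Steps a) to d) above, as an added example that is not John's or Supra's code. It stores only a salted one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library, my choice of algorithm) and verifies a login by recomputing the hash and comparing it in constant time; the hashing runs on the server here, with SSL (step c) protecting the password in transit. It also goes one step beyond the post: the cookie gets an opaque random session token rather than anything derived from the password, so a stolen cookie cannot be reversed into a credential. The user store and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# PBKDF2 work factor chosen for this example; tune it upward on real hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Step b): derive a salted one-way hash of the password.

    The record is self-describing ("pbkdf2_sha256$<iterations>$<salt>$<hash>")
    so the verifier can recover the parameters without extra configuration.
    A fresh random salt per user means two identical passwords hash differently.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Step d): recompute the hash with the stored salt and compare.

    hmac.compare_digest avoids a timing side channel that would reveal how
    many leading bytes of the candidate hash matched the stored one.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: treat as a failed login rather than raising.
        return False


def new_session_token() -> str:
    """Opaque login token for the cookie: random, unrelated to the password."""
    return secrets.token_urlsafe(32)


# Constructed sample user store (username -> hash record); not real data.
USERS: Dict[str, str] = {"supra": hash_password("correct horse battery staple")}


def login(username: str, password: str, sessions: Dict[str, str]) -> Optional[str]:
    """Steps a), c), d): return a session token on success, None otherwise.

    The caller should show one generic "Incorrect Username/Password" message
    for both an unknown user and a wrong password, as John suggests.
    """
    record = USERS.get(username)
    if record is None or not verify_password(password, record):
        return None
    token = new_session_token()
    sessions[token] = username  # server-side map, checked on each page visit
    return token


if __name__ == "__main__":
    sessions: Dict[str, str] = {}
    token = login("supra", "correct horse battery staple", sessions)
    print("login ok:", token is not None)
    print("wrong password rejected:", login("supra", "guess", sessions) is None)
```

The point the hash record makes concrete: if the database leaks, the attacker still has to guess each password against a slow, salted function, whereas a reversible scheme with a recovered key gives up every password at once.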
 
John,

I think you're right about that. I honestly don't know why I went with 2-way encryption, but I think I just liked the idea of being able to hide something and then uncover it. I didn't even think about the cookies aspect of this. That actually brings another problem to my attention, because I have no idea how to keep the user logged in without cookies. I mean I could send the "token" in the URL as a search string, but I think it's kind of cheesy. Ultimately, I think I will end up writing a 1-way encryption method and adding code to deny browsers that have cookies turned off. That is, unless you know of a better way ;) Still though, I would like to see if anyone can break my encryption. I know it's extremely possible (especially given the specific and obvious patterns in the encrypted string above) but I just wonder how hard it would be.
 
On a side note, I strengthened the 2-way encryption. The original string is 20 characters long. Here is the encrypted string:
Code:
DGeaDGebdgeadhddDGeadhdd-eh?djDG`DD...B$~ee!;JD.jfijjh
I think that might take a bit longer to figure out :)
 
Supra,

I'm no expert on cryptography either, however I know a bit and I have read in several places one golden rule is:

Don't invent your own!

The likelihood of coming up with a strong, faultless algorithm first time is very remote. There are plenty of sources of encryption algorithms out there that have been heavily tested - I'd use one of those over something I have created myself every time.

Ed Metcalfe.


Please do not feed the trolls.....
 
Ed,

I definitely agree with that. I'm just curious as to how easily my "encryption" can be reversed. It's a very simple little method, but I'm proud of it nonetheless. But in regards to my website, I will definitely look for proven, tested encryption that is, at the very least, one-way.
 
Supra,

If you're interested in cryptography I can highly recommend the SecurityNow! podcast from
They did a few episodes on various cryptography techniques a while back which got me interested.

For what it's worth your algorithm is way beyond my abilities to crack it. :)

Ed Metcalfe.

Please do not feed the trolls.....
 
Ed2020,
I second that recommendation, it's good even for us people that are in the industry because they go over the fundamentals in a slightly different way than how we learned it, and Steve Gibson is a good, enthusiastic speaker. (Also very knowledgeable on the topics.) I would suggest listening to ALL of the podcasts / netcasts from SecurityNow, as they kinda build on each other.

P
 
Yep, I'm a regular listener to SecurityNow! I'd recommend it to anyone with a PC, but the cryptography series was of particular interest to me.

Ed Metcalfe.

Please do not feed the trolls.....
 
If you're asking in reference to the encrypted string (which appears to be botched the 2nd time I posted it), then no; the decrypted string is 20 characters long. But I am curious as to how you came up with that answer! It's interesting to see how people reverse-engineer things.
 
I'm not sure I follow.. I haven't seen that movie. What is that in reference to?
 
Sorry mate, the answer to Life, the Universe and Everything is 42, according to a super computer in the Hitch Hiker's Guide. Had nothing to do with your encrypted string. Unfortunately, my joke now lies like a balloon made of lead at the bottom of my post. That will teach me to mess with encryption like that.
 
It's a commonly known joke among many computer people and anyone else who has read Douglas Adams' set of science fiction spoof books. There are some Tek-Tips members who refer to that line in the signatures, as well.

Lee
 
Steve Gibson should have been a politician, I gave up reading his work many years ago on the basis that he seemed very... up himself. He's the king of Hyperbole!


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
He's certainly very adept at blowing his own trumpet.

He knows his stuff though.

Ed Metcalfe.

Please do not feed the trolls.....
 
Either I'm mistaken or you're mistaking the movie and the book...

Book Spoiler
****

They built the supercomputer that gave them the ultimate answer, which was "42" - but the supercomputer doesn't know what the ultimate question is. So "42" is the ultimate answer... now if we could just figure out the question...
 
Aye, didn't they forget what the question was, and end up building a bigger computer to figure that out?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 