
BITXOR


siumouse

Programmer
Aug 27, 2003
HK
I'm using VFP6 in the office now, and I need to use the BITXOR() function, but with more than 2 expressions! How do I solve it?

e.g.

PROCEDURE MD5_H
LPARAMETERS x,y,z
RETURN BITXOR(X,Y,Z)

Thanks a lot!!!

 
In VFP 6, it only supports 2 expressions.


Syntax

BITXOR(nExpression1, nExpression2)

Richard
 
Mike,

I think it is not correct because:

bitxor(1, 1, 1) , result => 0
bitxor(bitxor(1, 1), 1) result => 1

*--
In fact, I want to write an MD5 encryption in VFP6. Does anyone have a good idea?

Richard
 
Well, Win32 Crypto API is the way to go and that is already posted in the Wiki. But to add to the original problem:

siumouse said:
bitxor(1, 1, 1) , result => 0
bitxor(bitxor(1, 1), 1) result => 1

Well, in vfp9beta I get result 1 from bitxor(1,1,1),
so it works the same as bitxor(1,bitxor(1,1)) or
bitxor(bitxor(1,1),1).

If you expect only 1 as a result from those calls, where only one argument is 1 and all others are 0, then you're bad off with such low level functions.

Bye, Olaf.
 
Richard,

In fact, i want to write a MD5 encryption by VFP6,

So why do you need three expressions? I would've thought that you could XOR the plain text with the key to get the encrypted, and vice versa. (Of course, that also means you could XOR the plain text with the encrypted text to discover the key.)

Mike

Mike Lewis
Edinburgh, Scotland

My Visual Foxpro web site: My Crystal Reports web site:
 
Hi Mike,

Well MD5 encryption isn't XORing plain text with a key.
XORing of three arguments is just one small step within the md5 algorithm. See
In one of the steps the algorithm computes
H(X,Y,Z) = X xor Y xor Z

And if you read the definition, it says that H() is the parity function; therefore Bitxor(1,1,1)=1 would be correct for this step in MD5, as the parity is simply 1 if an odd number of bits is 1 and 0 if an even number of bits (including none) is 1.

But as MD5 algorithms are already integrated in the Windows API, it's quite useless to reinvent the wheel. You may implement it to test if Windows computes the right MD5 hashes, if you're very suspicious.

Bye, Olaf.
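The step discussed above, as an added example that is not part of the original thread (Python rather than VFP so it can be run and checked): MD5 written so that the only XOR primitive takes two arguments, as BITXOR() does in VFP 6, with H built by nesting it. The names `bitxor`, `md5` and `matches_reference` are the example's own, and `hashlib` stands in for the Windows API as the reference implementation.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF  # MD5 works on 32-bit words

def bitxor(a, b):
    """Two-argument XOR only, like BITXOR() in VFP 6."""
    return (a ^ b) & MASK

# The four auxiliary functions of RFC 1321; H is the three-way XOR from the thread.
def F(x, y, z): return (x & y) | (~x & MASK & z)
def G(x, y, z): return (x & z) | (y & ~z & MASK)
def H(x, y, z): return bitxor(bitxor(x, y), z)   # nesting order does not matter
def I(x, y, z): return bitxor(y, x | (~z & MASK))

SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def md5(msg: bytes) -> str:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad with 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    padded += struct.pack("<Q", (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = state
        for i in range(64):
            if i < 16:
                f, g = F(b, c, d), i
            elif i < 32:
                f, g = G(b, c, d), (5 * i + 1) % 16
            elif i < 48:
                f, g = H(b, c, d), (3 * i + 5) % 16
            else:
                f, g = I(b, c, d), (7 * i) % 16
            f = (f + a + K[i] + M[g]) & MASK
            a, d, c = d, c, b
            b = (b + rotl(f, SHIFTS[i])) & MASK
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state).hex()

def matches_reference(msg: bytes) -> bool:
    """Compare against the platform's own MD5 (hashlib here, standing in for the Windows API)."""
    return md5(msg) == hashlib.md5(msg).hexdigest()
```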
 
To add:

MD5 isn't an encryption algorithm, it's a hashing function. You can't decrypt an md5 hash to its original message. That's not the intention of MD5.

It merely creates some kind of checksum in that way, that even quite similar original messages compute to a totally different md5 hash and therefore you can be sure, that if you get a given md5 hash from a message downloaded (which could also be an application) the original hasn't changed, there was no transfer error and nobody made any changes.

This is also suggested for storing password hashes instead of the passwords themselves. This way if someone enters a password and that computes to the hash stored, he has verified to have the correct password.

As a hacker, even if you can have a peek at the stored md5 hash and even knowing it's an md5 hash and the md5 algorithm you can't decrypt the password, which was used to result in this hash. So your only chance would be guessing passwords and testing if they also result in the hash needed. With possible 2^128 hashes this is quite hard even on the fastest computers.

Nevertheless it's quite easy and fast to compute hashes for often used or short passwords or real words in general, so md5 is useless if the users don't choose a safe password that has a minimum length (perhaps >=6) and some other characters besides letters.

Bye, Olaf.
 
Olaf,

Thanks for the clarification. You obviously know a lot more about this than I do.

One small point: If this is a hashing function, I wonder if it would be possible to use VFP's built-in checksum function, SYS(2007). If I'm on the wrong track, never mind ... it's just a thought.

Mike


Mike Lewis
Edinburgh, Scotland

My Visual Foxpro web site: My Crystal Reports web site:
 
Code:
? SYS(2007,"Test of SYS(2007)")
>3391
? SYS(2007,"test of SYS(2007)")
>12605

That's not a proof, but it shows that results of SYS(2007) differ much if the message only changes slightly. But SYS(2007) seems to only vary from "0" to "65535", so you have a 16 bit hash, which would be very easy to hack.

Example:
? SYS(2007,'mypa55word!453')
>47069

So the task now is, determine any password with that same hash 47069:

FOR nr = 1 TO 100000
   IF SYS(2007,BINTOC(nr)) = "47069"
      ? nr
      EXIT
   ENDIF
ENDFOR nr

results in 26720, which means that chr(128)+chr(0)+chr(104)+chr(96) will also qualify as a correct password.

?sys(2007,chr(128)+chr(0)+chr(104)+chr(96))
>47069

So it does not really help much that I have chosen a secure password.

A hacker doesn't even have to know the hash, a 16 bit hash means he'll be in in about 32000 tries. Even if it's a webform and he has to send this amount of requests to a server, he doesn't have to do it manually, he can do it programmatically and he'll be in quite fast...

So, in general, yes, SYS(2007) in some respects works like MD5, but due to the "hash" being only 16 bit worth it's not secure.

Bye, Olaf.
 
Olaf,

Thanks again for the explanation. I understand that VFP 8.0 and above now support 32-bit checksums with SYS(2007), but I suppose the same general objection will apply.

Anyway, it was just a thought.

Mike


Mike Lewis
Edinburgh, Scotland

My Visual Foxpro web site: My Crystal Reports web site:
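The collision search and the question about wider checksums from the posts above, as an added example that is not part of the original thread (Python rather than VFP): MD5 truncated to a chosen number of bits stands in for a checksum of that width, since SYS(2007)'s own algorithm is not reproduced here. The function names are the example's own; it counts how many candidates are tried before a different input matches the digest of the sample password.

```python
import hashlib
import struct

def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data): a stand-in for any checksum of that width."""
    full = int.from_bytes(hashlib.md5(data).digest(), "big")
    return full >> (128 - bits)

def second_preimage(password: bytes, bits: int, limit: int):
    """Try 4-byte counters until one has the same truncated digest as the password."""
    target = truncated_digest(password, bits)
    for nr in range(limit):
        candidate = struct.pack(">I", nr)
        if truncated_digest(candidate, bits) == target:
            return candidate, nr + 1
    return None, limit

def survey(password: bytes, widths=(8, 12, 16)):
    """Tries needed per digest width; the search limit is 64x the digest space."""
    return {bits: second_preimage(password, bits, 64 << bits) for bits in widths}

if __name__ == "__main__":
    # Sample password taken from the post above.
    for bits, (cand, tries) in survey(b"mypa55word!453").items():
        print(f"{bits:2d}-bit digest: {cand.hex()} matches after {tries} tries "
              f"(space {1 << bits})")
    # Widths too large to search here, at an assumed 1e6 guesses per second.
    for bits in (32, 128):
        print(f"{bits}-bit digest: about {(1 << bits) / 1e6:.3g} s to cover the space")
```

The work grows with the digest space, not with the strength of the password, which is why the width of the stored value matters as much as the password policy.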
 