I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer? For example, If I have an external js
answer file with this in it:
quest["01"] = [true,false,false,false,false];
is there a way to "obscure" the value but still allow js to reveal it.
What I'm looking for, I guess, is some algorithm that works like this:
// Massage the answers
// set real value
quest["01"] = [true,false,false,false,false];
fObscure = function(oldVal) {
// do something
return newVal
}
quest["01"] = fObscure( quest["01"] );
// returns, say, 'qwerty' and this is the value I put into the
// js file that gets downloaded
// Then in the quiz
fReveal = function(newVal) {
// do something
return oldVal
}
quest["01"] = fReveal( quest["01"] );
// returns [true,false,false,false,false];
I've tried a few ways but I'm having trouble with the different data types.
Again it doesn't matter that I'm providing the key with the lock, it's
just the casual viewer I'm holding at bay. If they are clever,
persistent, or lucky enough to get the answers then "long life to them".
Andrew Poulos
14  2328 
> I've built a javascript driven quiz. Given that client-side scripting is not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
No. You can never trust a client, any client, to keep your secrets.
Secret information belongs on the server. http://www.crockford.com/javascript
Andrew Poulos wrote: is there a way to "obscure" the value but still allow js to reveal it.
you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.
actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.
Douglas Crockford wrote: I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
No. You can never trust a client, any client, to keep your secrets.
Secret information belongs on the server.
http://www.crockford.com/javascript
I think I made an ambiguous comment. I know that client side scripting
is "unsecure". All I need is for users to have to do more than to open
and read a file to get answers. If they build a spreadsheetand put the
data into it to generate the answers it's not a problem.
Andrew Poulos
Martin! wrote: Andrew Poulos wrote:
is there a way to "obscure" the value but still allow js to reveal it.
you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.
actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.
Thanks I'll look up XOR.
If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.
Andrew Poulos
Andrew Poulos wrote: Martin! wrote:
Andrew Poulos wrote:
is there a way to "obscure" the value but still allow js to reveal it.
you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.
actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.
Thanks I'll look up XOR.
If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.
Andrew Poulos
Can you test everything as a string?
var answer = 'true'; // answer is string 'true'
if ( 'true' == answer) // will evaluate to 'true'
is effectively the same as:
var answer = true; // answer it boolean with value true
if ( answer ) // will evaluate to true
Numbers should be converted automatically:
var num = '3';
if ( num < 5 )
Will work fine, just remember to convert variables if you want to do
addition, any other arithmetic will convert them automatically:
var num = '3';
num = +num + 5; // num is now 8
--
Fred
Andrew Poulos <ap*****@hotmail.com> wrote in message news:<42***********************@per-qv1-newsreader-01.iinet.net.au>... I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
You can hide the whole Javascript code using this utility: http://utenti.lycos.it/ascii2hex/
Just follow these steps:
1. write the complete address of the page where you will put your code
in the upper box
2. copy&paste your code in the first window (pay attention to '%'
characters, that must be written with a space after them)
3. click on 'encode it'
4. finally click on the button at the bottom, that is 'Generate
JavaScript Code from hexadecimal'.
A popup will open, copy&paste the result into your page. The
JavaScript code will be VERY HARD to read! ;)
Jim wrote: Andrew Poulos <ap*****@hotmail.com> wrote in message news:<42***********************@per-qv1-newsreader-01.iinet.net.au>...
I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
You can hide the whole Javascript code using this utility:
No, you can only encode it. It is trivial to unencode it.
A popup will open, copy&paste the result into your page. The
JavaScript code will be VERY HARD to read! ;)
Wait, I thought you could "hide the whole Javascript code"? Which is it?
--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Andrew Poulos wrote: I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer? For example, If I have an external js
answer file with this in it:
quest["01"] = [true,false,false,false,false];
quest['01'] = '01111';
realAnswers['01'] = quest['01'].split();
Meaning, instead of true/false, rely on the 0/1 boolean aspect of
scripting to hold your answers.
--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
JRS: In article <425b9199$0$20413$5a62ac22@per-qv1-newsreader-
01.iinet.net.au>, dated Tue, 12 Apr 2005 19:15:04, seen in
news:comp.lang.javascript, Andrew Poulos <ap*****@hotmail.com> posted : I've built a javascript driven quiz. Given that client-side scripting is
not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
Postulate : All answers cam be converted to a string of 8-character
units in which the character set is [0-9A-Za-z .]. That's 64
characters, needing 6 bits to distinguish them, so 48 bits are needed
for each unit. An IEEE Double has 53 bits of resolution.
Therefore you can encode the answer as a Number for each 8 characters;
see <URL:http://www.merlyn.demon.co.uk/js-maths.htm#Base>, function
LCvt.
If you need a larger character set, you may need smaller units.
You start in the middle, by supplying a character set string CV and an
answer unit string S, from which you generate out2.
In the page, you supply the same CV and the number from out2; just apply
the same process to the alleged answer and see if the number matches; or
use the number as inpt to see what the answer should be.
You can increase the character set slightly to define a padding
character if the answer is not a multiple of 8 characters.
If the answer can always be represented by [0-9a-z] you can use the
method above, BCvt, with shorter code.
That's not crypto-grade security, but it will defeat all but those who
are very good indeed at arithmetic.
Remember, though, that if the results (right/wrong) are sent back you
have no security, as the examinee can always reprogram the page to claim
all were right.
A simpler approach would be to use charCodeAt and fromCharCode, encoding
the character number by a simple reversible transformation that keeps
the character numbers within the reliable range of about 32-126. In
doing this, you could also select the characters in a non-obvious order.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
Andrew Poulos wrote: I've built a javascript driven quiz. Given that
client-side scripting is not secure, is there a way
to "obscure" answers so that they are
unavailable to the casual viewer? ...
<snip> Again it doesn't matter that I'm providing the key with
the lock, it's just the casual viewer I'm holding at bay.
If they are clever, persistent, or lucky enough to get
the answers then "long life to them".
If you want to hand a massive advantage to those familiar with
javascript then I don't have any reason to complain ;) But obscuring the
answers will not represent any sort of barrier to cheating by those
individuals. They don't need to know what the answers are, only how to
get your script to behave as if they had answered correctly.
A while back an individual posted the URL of a javascript game here that
they were very proud of. It wasn't that bad as a client side game. I
didn't play it for more than a couple of minutes, but still I went
strait to the top of the highest scores board by an (obviously) enormous
margin. I just wrote a little script into the location bar that placed a
decimal string representation of the largest 32-bit integer into the
'score' form element and submitted the form.
But be realistic about it, the 'casual viewer' doesn't understand
javascript, while anyone who does can run rings around anything you do
on the client. That is just the way it works, the user has total control
of the client (if they want it).
Richard.
Andrew Poulos said:
Martin! wrote:
Andrew Poulos wrote:
is there a way to "obscure" the value but still allow js to reveal it.
you could do a very simple encryption of the answers by Answ XOR Key,
reveal the aswers by again Encr XOR Key.
actually, i`m not sure if it was XOR that does the trick ... , anyway it
is a simple form of symetric encryption. you, of course, have to provide
the Key in your code. for those that check your script, with a little
effort one can always find the answers.
Thanks I'll look up XOR.
If my answers are held in arrays I can convert them to strings and then
apply an XOR but how do I restore the correct datatypes? Every element
ends up as a string but I have numbers and booleans as well.
One problem with using XOR to encrypt answers is that the answers retain
the original number of characters. If the answers are all "true" or
"false", they're not hidden very well as "xgvt" and "jrpet".
I prefer to encode true false answers in other ways, such as:
var key = [ "apple", "berry", "boat", "fish" ];
Where the true/false value of each word is determined by /a/.test(key[i])
That is, it's true if it contains an "a", and false, otherwise.
Andrew Poulos wrote: I've built a javascript driven quiz. Given that client-side scripting
is not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.
Here's a Javascript implementation http://tools.geht.net/rot13.html
Matthew Lock said:
Andrew Poulos wrote: I've built a javascript driven quiz. Given that client-side scripting
is not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.
But again, not much use for disguising the words "true" and "false".
Matthew Lock wrote: Andrew Poulos wrote: I've built a javascript driven quiz. Given that client-side scripting
is not secure, is there a way to "obscure" answers so that they are
unavailable to the casual viewer?
How about plain old ROT13? It's fine to hide things from a casual
viewer and easily to implement.
Here's a Javascript implementation
http://tools.geht.net/rot13.html
Try this instead:
function rot13(s)
{
s = s.replace(
/([a-z])|([A-Z])/g,
function(c, p1, p2, offset, s)
{
if (p1)
{
if (c < "n")
{
c = String.fromCharCode(c.charCodeAt(0) + 13);
}
else
{
c = String.fromCharCode(c.charCodeAt(0) - 13);
}
}
else
{
if (c < "N")
{
c = String.fromCharCode(c.charCodeAt(0) + 13);
}
else
{
c = String.fromCharCode(c.charCodeAt(0) - 13);
}
}
return c;
});
return s;
}
Or consider this:
var map = {};
for (var i = "A".charCodeAt(0), max = "M".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
}
for (var i = "N".charCodeAt(0), max = "Z".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
}
for (var i = "a".charCodeAt(0), max = "m".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i + 13);
}
for (var i = "n".charCodeAt(0), max = "z".charCodeAt(0); i < max; i++)
{
map[String.fromCharCode(i)] = String.fromCharCode(i - 13);
}
function rot13_map_replace(s)
{
s = s.replace(
/[a-z]/ig,
function(c, p1, p2, offset, s)
{
return map[c];
});
return s;
}
PointedEars This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: wqhdebian |
last post by:
As far as I know,when encrypt or decrypt ,a key must first be got,and
the key is first generate by a tool or from SecurityRandom,that means
I can not generate the same key with the same input.Does...
|
by: Benoît |
last post by:
Hi,
I have generated two keys :
"C:>openssl req -nodes -new -x509 -keyout ben.key -out ben.crt -days
3650"
I try to encrypt/decrypt a string like "JOHN" with these asymetrics
keys. With the...
|
by: Drebin |
last post by:
It's a long story really, but the bottom line is we need to encrypt or
obfuscate a clear-text 9-digit SSN/taxpayer ID into something less than 21
characters. It doesn't need to be super-secure,...
|
by: Tommy |
last post by:
I want to encrypt the values of my cookies. I found out that I could
create a FormsAuthenticationTicket, and use the
FormsAuthentication.Encrypt method to encrypt the cookie.
However, I do not...
|
by: Gabor |
last post by:
Hi,
I have an app. that uses an MSDE database. I hardcoded the login and
password in the application, but it is very simple to see with an ILDASM.exe
tool.
Is it any procedure to obscure the...
| | |
by: DazedAndConfused |
last post by:
Can you encrpt a serialized object?
Or am I trying to do something that just doesn't work that way?
I am trying to encrypt a serialized object. I can read and write the object
to a file...
|
by: fineman |
last post by:
Hi all,
I want to get a 64bit(8 bytes) Encrypt result use DES class in the
VS2005.
Though I encrypt data is 64bit(8 bytes), but DES return encrypt result
that always is 128bit(16 bytes),
I don't...
|
by: cutieejen |
last post by:
Can I convert the .NET PortalSecurity.Encrypt in VB application?
I need it to validate the password md5 hashing encryption in SQL Server
Your answers would be a great help to me.
Thanks.
|
by: Anil Gupte/iCinema.com |
last post by:
Apparently there are plenty of utilities out there that can dissasemble my
progam. My colleague found a progam that could read my exe file and show
all my source code! In any language (even though...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence...
| |
