Encrypt String

How can I encrypt and decrypt string?
Nov 16 '05 #1
14 Replies



"msnews.microsoft.com" <da*********@hotmail.com> wrote in message
news:um**************@TK2MSFTNGP10.phx.gbl...
> How can I encrypt

XOR it with a protection string of the same length as the string that you
are encrypting

> and decrypt string?

XOR it with the exact same protection string

if you do not publish the protection string, your encrypted string is
unbreakable!

regards
roy fine
Nov 16 '05 #2

Hello

> if you do not publish the protection string, your encrypted string is
> unbreakable!

The XOR method is breakable if someone has an encrypted string and a clear
text string.
If you XOR the clear text string and the encrypted string you get the
protection string.

The best way is to use the encryption methods in the .NET crypto API in the
System.Security.Cryptography namespace.
You can use DES, TripleDES, RC1 or Rijndael algorithms for symmetric
encryption,
or RSA algorithm for asymmetric encryption
or SHA1 or MD5 for hashing.

Symmetric encryption has one key that is used for encryption and decryption.
Asymmetric encryption has a public key and a private key. The public key is
used for encryption, and only the private key can decrypt the data.
With hashing, which is commonly used for passwords, there is no key, and the
process is irreversible, unless the password is too short, or easy to guess
(a name or dictionary word for example).
You can find more with examples on this in MSDN documentation.

Best regards,
Sherif
Nov 16 '05 #3
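
The reply above points to System.Security.Cryptography for encrypting and decrypting a string. The following is an added example, not code from any poster in this thread: it uses AES (the standardized form of Rijndael) in GCM mode so that a modified ciphertext is rejected instead of decrypting to garbage. It assumes .NET 8 or later; the class name, the token layout and the sample strings are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class StringCrypto
{
    const int NonceSize = 12; // 96-bit nonce, the standard AES-GCM size
    const int TagSize = 16;   // 128-bit authentication tag

    // Returns Base64(nonce || tag || ciphertext). A fresh random nonce is
    // generated per call, so no nonce is reused under the same key.
    public static string Encrypt(string plaintext, byte[] key)
    {
        byte[] plain = Encoding.UTF8.GetBytes(plaintext);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagSize];

        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, cipher, tag);

        byte[] token = new byte[NonceSize + TagSize + cipher.Length];
        Buffer.BlockCopy(nonce, 0, token, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, token, NonceSize, TagSize);
        Buffer.BlockCopy(cipher, 0, token, NonceSize + TagSize, cipher.Length);
        return Convert.ToBase64String(token);
    }

    // Throws CryptographicException if the token was modified or the key is wrong.
    public static string Decrypt(string token, byte[] key)
    {
        byte[] data = Convert.FromBase64String(token);
        if (data.Length < NonceSize + TagSize)
            throw new CryptographicException("Token is too short.");

        byte[] nonce = data[..NonceSize];
        byte[] tag = data[NonceSize..(NonceSize + TagSize)];
        byte[] cipher = data[(NonceSize + TagSize)..];
        byte[] plain = new byte[cipher.Length];

        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(nonce, cipher, tag, plain);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        // Constructed sample: a random 256-bit key that must be stored secretly.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        string token = Encrypt("HELLO WORLD", key);
        Console.WriteLine(Decrypt(token, key));

        // Flip one bit of the ciphertext: decryption must fail, not return garbage.
        byte[] tampered = Convert.FromBase64String(token);
        tampered[^1] ^= 0x01;
        try { Decrypt(Convert.ToBase64String(tampered), key); }
        catch (CryptographicException) { Console.WriteLine("tampering detected"); }
    }
}
```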


"Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
news:uA**************@TK2MSFTNGP11.phx.gbl...
> Hello
> > if you do not publish the protection string, your encrypted string is
> > unbreakable!
>
> The XOR method is breakable if someone has an encrypted string and a clear
> text string.
> If you XOR the clear text string and the encrypted string you get the
> protection string

The following is a proven fact --
if you do not publish the protection string, your encrypted string is
unbreakable!

other methods are breakable, but not in finite time!

roy fine
Nov 16 '05 #4

> if you do not publish the protection string, your encrypted string is
> unbreakable!

No, not quite!

If you have the facility to run your own code against the algorithm, it can
be easily broken. An example would be where you can read a password field in
a database, and see what your own (known) password "encrypts" to. Anyone
with basic cryptography knowledge should be able to glean the encryption key
within an hour. And being a symmetrical algorithm, you can run it against
all other passwords and get the plaintext.

Then you can try those passwords against other machines that the users may
have access to.... Your hacking career has begun!

Operating systems based on UNIX have been using salted encryption algorithms
for years. These are reasonably safe, although not unbreakable.

The "unbreakable" that you refer to is for one-time pads, and these are not
the norm in computer systems.

Regards

Ron
"Roy Fine" <rl****@twt.obfuscate.net> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
> "Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
> news:uA**************@TK2MSFTNGP11.phx.gbl...
> > Hello
> > > if you do not publish the protection string, your encrypted string is
> > > unbreakable!
> >
> > The XOR method is breakable if someone has an encrypted string and a
> > clear text string.
> > If you XOR the clear text string and the encrypted string you get the
> > protection string
>
> The following is a proven fact --
> if you do not publish the protection string, your encrypted string is
> unbreakable!
>
> other methods are breakable, but not in finite time!
>
> roy fine
Nov 16 '05 #5

Ron -- see inline

"Ron McNulty" <rm******@despam.xtra.co.nz> wrote in message
news:OM**************@tk2msftngp13.phx.gbl...
> > if you do not publish the protection string, your encrypted string is
> > unbreakable!
>
> No, not quite!
>
> If you have the facility to run your own code against the algorithm, it
> can be easily broken. An example would be where you can read a password
> field in a database, and see what your own (known) password "encrypts" to.
> Anyone with basic cryptography knowledge should be able to glean the
> encryption key within an hour. And being a symmetrical algorithm, you can
> run it against all other passwords and get the plaintext.

I'll publish a file containing a stream of encrypted bytes. I'll keep the
encrypting stream hidden. I'll also tell you that the encrypting string is a
sequence of non-repeating random values (that was the basis of my first
post). I'll even publish the program/algorithm used to encrypt the data.
I'll offer you or anyone some great sum of money if you can find the message
hidden in the encrypted stream. I'll also tell you that the eleven
characters preceding the hidden message are "HELLO WORLD". I'll give you
100 years to do the work. You get one shot at answering - i.e., you can't
make 1 million guesses.

Consider this link:
http://msdn.microsoft.com/library/de...techniques.asp

and as the length of the encrypting key approaches the length of the
original string/stream, so does the strength of the algorithm approach
"unbreakable".

> Then you can try those passwords against other machines that the users may
> have access to.... Your hacking career has begun!
>
> Operating systems based on UNIX have been using salted encryption
> algorithms for years. These are reasonably safe, although not unbreakable.

SALT is not germane here. That is a technique used to make strong
algorithms stronger, but applies only to certain algorithms - not trivial
XOR scheme.

> The "unbreakable" that you refer to is for one-time pads, and these are
> not the norm in computer systems.

No, the "unbreakable" that I refer to is really just simple unbreakable.
For short strings, XOR is far superior to other methods - it is faster, and
simpler to implement. The disadvantage of the XOR is that for true
unbreakable, the encoding string MUST be the same length as the original
string (i.e. no repeating patterns that could be used to break the code).
Because of the length requirement of the encoding string, the XOR method as
a general solution, it becomes unmanageable - but it is quite strong!

If I keep the encoding string private, then you can not break my encoded
string. But that in and of itself is not a limitation of the XOR scheme -
using any other algorithm, you either have a symmetric key or a private key
that you also MUST keep private - the only difference is the size of the
required encoding key for arbitrary length input strings (or streams)...

regards
roy fine
ps - search google using this:
Xorring with a key as long as the message is the strongest encryption

here are a couple of additional links:
http://www.mit.edu:8008/bloom-picayu...edu/perl/10138

http://groups.google.com/groups?hl=e....psi.net#link6

> Regards
>
> Ron
> "Roy Fine" <rl****@twt.obfuscate.net> wrote in message
> news:%2****************@tk2msftngp13.phx.gbl...
> > "Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
> > news:uA**************@TK2MSFTNGP11.phx.gbl...
> > > Hello
> > > > if you do not publish the protection string, your encrypted string is
> > > > unbreakable!
> > >
> > > The XOR method is breakable if someone has an encrypted string and a
> > > clear text string.
> > > If you XOR the clear text string and the encrypted string you get the
> > > protection string
> >
> > The following is a proven fact --
> > if you do not publish the protection string, your encrypted string is
> > unbreakable!
> >
> > other methods are breakable, but not in finite time!
> >
> > roy fine


Nov 16 '05 #7

Hello
XOR is breakable and below is code to demonstrate, I am using ints, but
the same applies to strings

    using System;
    class XorDemo {
        static void Main() {
            Random r = new Random();
            int secret = r.Next(); // this is hidden
            int clear = r.Next(); // I know this one
            int encrypted = secret ^ clear; // I know this one too
            int hacked = encrypted ^ clear; // now I know the secret
            Console.WriteLine(hacked == secret);
        }
    }

Best regards
Sherif

"Roy Fine" <rl****@twt.obfuscate.net> wrote in message
news:#N**************@tk2msftngp13.phx.gbl...
> "Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
> news:uA**************@TK2MSFTNGP11.phx.gbl...
> > Hello
> > > if you do not publish the protection string, your encrypted string is
> > > unbreakable!
> >
> > The XOR method is breakable if someone has an encrypted string and a
> > clear text string.
> > If you XOR the clear text string and the encrypted string you get the
> > protection string
>
> The following is a proven fact --
> if you do not publish the protection string, your encrypted string is
> unbreakable!
>
> other methods are breakable, but not in finite time!
>
> roy fine

Nov 16 '05 #9

Hello

Give me a clear text string, a string encrypted with your hidden key using
the XOR method.
Then give me another string encrypted with the same key, it will take me
less than one minute to decrypt it, because I will know the key.

Consider the following scenario.
Suppose I have a web site, where the members' passwords are stored encrypted
using XOR in a database.
Somehow a hacker was able to gain access to the database (due to a security
hole, new vulnerability, unpatched server, bad administrator, etc), but he
doesn't have access to the key to decrypt the passwords.
So he registers a new account for himself in my web site (he knows the
password for this account because he created it), then he looks at his own
encrypted password.
Now he can easily know the encryption key, and can decrypt all other
passwords.

Best regards
Sherif
Nov 16 '05 #10
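
The password-table scenario in the post above, set beside the salted hashing mentioned earlier in the thread, as an added example that is not code from any poster. It assumes .NET 6 or later; the class name, the sample passwords and the PBKDF2 iteration count are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PasswordStorageDemo
{
    // Weak scheme from the thread: every stored password is XORed with one site-wide key.
    static byte[] Xor(byte[] data, byte[] key) =>
        data.Select((b, i) => (byte)(b ^ key[i % key.Length])).ToArray();

    const int Iterations = 600_000; // assumed work factor; tune it for your hardware

    // Hardened scheme: per-user random salt plus PBKDF2. It is one-way,
    // so the table holds no key that a known password could reveal.
    static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return (salt, hash);
    }

    static bool VerifyPassword(string password, byte[] salt, byte[] expected)
    {
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Constructed sample data: a secret site key and two stored rows.
        byte[] siteKey = RandomNumberGenerator.GetBytes(16);
        byte[] ownPassword = Encoding.UTF8.GetBytes("my-own-password1"); // known to its owner
        byte[] ownRow = Xor(ownPassword, siteKey);
        byte[] otherRow = Xor(Encoding.UTF8.GetBytes("someone-elses"), siteKey);

        // A known password XORed with its stored value yields the key,
        // and that key opens every other row in the table.
        byte[] recoveredKey = Xor(ownRow, ownPassword);
        Console.WriteLine(recoveredKey.SequenceEqual(siteKey));
        Console.WriteLine(Encoding.UTF8.GetString(Xor(otherRow, recoveredKey)));

        // With salted hashing, identical passwords give different records,
        // and a record can only be checked against a guess, never reversed.
        var a = HashPassword("correct horse");
        var b = HashPassword("correct horse");
        Console.WriteLine(a.Hash.SequenceEqual(b.Hash));
        Console.WriteLine(VerifyPassword("correct horse", a.Salt, a.Hash));
        Console.WriteLine(VerifyPassword("wrong guess", a.Salt, a.Hash));
    }
}
```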


"Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
news:%2****************@TK2MSFTNGP10.phx.gbl...
> Hello
>
> Give me a clear text string, a string encrypted with your hidden key using
> the XOR method.

OK - done!

> Then give me another string encrypted with the same key, it will take me
> less than one minute to decrypt it, because I will know the key.

No way - you must be crazy. I said to keep the encrypting key hidden - that
means hiding the key and all derivative forms of it! You are making up
stuff now. XOR is unbreakable, but it is a one time use, and it must be the
same size as the clear text string.

read the links I provided....

regards
roy fine

> Consider the following scenario.
> Suppose I have a web site, where the members' passwords are stored
> encrypted using XOR in a database.
> Somehow a hacker was able to gain access to the database (due to a
> security hole, new vulnerability, unpatched server, bad administrator,
> etc), but he doesn't have access to the key to decrypt the passwords.
> So he registers a new account for himself in my web site (he knows the
> password for this account because he created it), then he looks at his own
> encrypted password.
> Now he can easily know the encryption key, and can decrypt all other
> passwords.

That's a good example of PSS - Pretty Stupid Security.

Please read the links I provided -- this case is clearly examined and dealt
with there!

The OP asked for one thing and one thing only - how to encrypt and decrypt a
string.

XOR works wonderfully if you can live with its restrictions - and that is
why there are many alternatives.

I never suggested using XOR as the only way, but until the OP's requirements
get a bit better defined, XOR is as good as it gets.

regards
roy fine

> Best regards
> Sherif

Nov 16 '05 #11

Sherif ElMetainy <el*************@wayout.net.NOSPAM> wrote:
> XOR is breakable

No - XOR is *not* breakable if the sequence of values to XOR with is
entirely secret, genuinely random and never reused.

> and below is code to demonstrate, I am using ints, but
> the same applies to strings
>
> Random r = new Random();
> int secret = r.Next(); // this is hidden
> int clear = r.Next(); // I know this one
> int encrypted = secret ^ clear; // I know this one too
> int hacked = encrypted ^ clear; // now I know the secret
> Console.WriteLine(hacked == secret);


That assumes the same secret is used twice. In a true one-time-pad
system (which is what is being hinted at) the same XOR value is never
used twice.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 16 '05 #12

Hello

I was talking about reusing the key, which is the case in most scenarios. In
this case it is breakable.

Best regards,
Sherif

"Jon Skeet [C# MVP]" <sk***@pobox.com> wrote in message
news:MP************************@msnews.microsoft.com...
> Sherif ElMetainy <el*************@wayout.net.NOSPAM> wrote:
> > XOR is breakable
>
> No - XOR is *not* breakable if the sequence of values to XOR with is
> entirely secret, genuinely random and never reused.
>
> > and below is code to demonstrate, I am using ints, but
> > the same applies to strings
> >
> > Random r = new Random();
> > int secret = r.Next(); // this is hidden
> > int clear = r.Next(); // I know this one
> > int encrypted = secret ^ clear; // I know this one too
> > int hacked = encrypted ^ clear; // now I know the secret
> > Console.WriteLine(hacked == secret);
>
> That assumes the same secret is used twice. In a true one-time-pad
> system (which is what is being hinted at) the same XOR value is never
> used twice.
>
> --
> Jon Skeet - <sk***@pobox.com>
> http://www.pobox.com/~skeet
> If replying to the group, please do not mail me too

Nov 16 '05 #13

Hello

I was talking about reusing the key, which is the case in many scenarios. In
this case XOR is breakable.

Best regards,
Sherif

"Roy Fine" <rl****@twt.obfuscate.net> wrote in message
news:OO**************@TK2MSFTNGP10.phx.gbl...
> "Sherif ElMetainy" <el*************@wayout.net.NOSPAM> wrote in message
> news:%2****************@TK2MSFTNGP10.phx.gbl...
> > Hello
> >
> > Give me a clear text string, a string encrypted with your hidden key
> > using the XOR method.
>
> OK - done!
>
> > Then give me another string encrypted with the same key, it will take me
> > less than one minute to decrypt it, because I will know the key.
>
> No way - you must be crazy. I said to keep the encrypting key hidden -
> that means hiding the key and all derivative forms of it! You are making
> up stuff now. XOR is unbreakable, but it is a one time use, and it must be
> the same size as the clear text string.
>
> read the links I provided....
>
> regards
> roy fine
>
> > Consider the following scenario.
> > Suppose I have a web site, where the members' passwords are stored
> > encrypted using XOR in a database.
> > Somehow a hacker was able to gain access to the database (due to a
> > security hole, new vulnerability, unpatched server, bad administrator,
> > etc), but he doesn't have access to the key to decrypt the passwords.
> > So he registers a new account for himself in my web site (he knows the
> > password for this account because he created it), then he looks at his
> > own encrypted password.
> > Now he can easily know the encryption key, and can decrypt all other
> > passwords.
>
> That's a good example of PSS - Pretty Stupid Security.
>
> Please read the links I provided -- this case is clearly examined and
> dealt with there!
>
> The OP asked for one thing and one thing only - how to encrypt and decrypt
> a string.
>
> XOR works wonderfully if you can live with its restrictions - and that is
> why there are many alternatives.
>
> I never suggested using XOR as the only way, but until the OP's
> requirements get a bit better defined, XOR is as good as it gets.
>
> regards
> roy fine
>
> > Best regards
> > Sherif


Nov 16 '05 #14

Sherif ElMetainy <el*************@wayout.net.NOSPAM> wrote:
> I was talking about reusing the key, which is the case in most scenarios. In
> this case it is breakable.


I dare say you were - but you were the one who introduced the idea of
reusing the key. It's like saying that some other encryption scheme
isn't secure because you might publish the private key. Every
encryption scheme has something you shouldn't do, otherwise it's no
longer secure. In the case of XOR operations like this, reusing the key
(or using a non-random source for the key) is one of those things.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too
Nov 16 '05 #15
