Question on encryption

Started by boogara, January 15, 2008, 12:20:08 AM


boogara

Alrighty...I want to thank all who have helped me recently...I have another question.

This isn't a "give me code" kind of thing, but I would like to know the input of this.

Little bit of background, I'm creating a server/client chat application, and I want to go into security with it a little bit.  Now, I know this isn't the most secure way of handling this, but I'm using the XorData procedure to encrypt the data.  I wrote a test app to do some investigation as to how the encryption routine is, and it works as it should.

I would, however, like to know how feasible my procedure is in real life.

What I'm doing is getting the hWnd of the current window, and using that as the key for encrypting the data.

Here's my code that does the en/decryption...


Encrypt proc
    ; XOR the text buffer with the window handle (hWnd) as the key
    invoke XorData,addr text,sizeof text,addr hWnd,sizeof hWnd
    invoke SetDlgItemText,hWnd,IDC_ENCRES,addr text
    ret
Encrypt endp

Decrypt proc
    ; The same XOR with the same key restores the original text
    invoke XorData,addr text,sizeof text,addr hWnd,sizeof hWnd
    invoke SetDlgItemText,hWnd,IDC_DECRES,addr text
    ret
Decrypt endp


Now, if you were to encrypt text...say, for example, "MASM32 rules!", you'll get this:


KMy8pR?f5skP


This changes too, every time I run the application again...but, would this be an intelligent way to handle the encryption routine with a real application?

I know my client (or server) would have to send the key to the other in order to efficiently do this, but should I just consider using a different type of encryption?

(Originally, I planned on doing like a character swap type of encryption, but that failed...)

Draakie

FYI:
http://msdn2.microsoft.com/en-us/library/aa380251(VS.85).aspx and related links on this page.

In real life strange and wonderful things are coded to hoodwink the would-be hacker. Even the simplest of encryption algorithms are mostly sufficient to hide what needs to be kept secret.
HOWEVER - please consider that advertising your encryption scheme would make it worthless.
        - please consider that anything made by humans can be undone by humans.
        - please consider XOR-ing is seen as the proverbial baby of encryption.
RATHER  - consider the information links as above.
OR      - a multifactor algorithm - XORing combined with transposition, stenography, substitution.
Does this code make me look bloated ? (wink)

boogara

Quote from: Draakie on January 15, 2008, 05:37:50 AM
FYI:
http://msdn2.microsoft.com/en-us/library/aa380251(VS.85).aspx and related links on this page.

In real life strange and wonderful things are coded to hoodwink the would-be hacker. Even the simplest of encryption algorithms are mostly sufficient to hide what needs to be kept secret.
HOWEVER - please consider that advertising your encryption scheme would make it worthless.
        - please consider that anything made by humans can be undone by humans.
        - please consider XOR-ing is seen as the proverbial baby of encryption.
RATHER  - consider the information links as above.
OR      - a multifactor algorithm - XORing combined with transposition, stenography, substitution.

Thanks for the link. :)

Generally, advertising the encryption scheme would make it worthless, but it was just a bare-bones testing of what I'm doing (more so of a "hey mom!  look at this working like it should!" kind of thing).

The encryption is only as strong as its user...:)

I pretty much knew that xor'ing was a "newb" encryption scheme...but, it's just something for me to learn from. :)

I'll take into consideration the multifactor algorithm, and see what I can whip up. ^_^

Draakie

Does this code make me look bloated ? (wink)

Tedd

I would strongly suggest you consider using a real encryption algorithm, rather than some strange obfuscation. Such methods aren't used in practice for the very reason that they are surprisingly easy to break for someone who knows what they're doing.

Luckily, you don't need to do that much work to get something more secure. The Cryptography API provides plenty of methods, and it's not too difficult to use.
http://msdn2.microsoft.com/en-us/library/aa380256.aspx
No snowflake in an avalanche feels responsible.

Eddy

Quote from: boogara on January 15, 2008, 12:20:08 AM
I know my client (or server) would have to send the key to the other in order to efficiently do this,

Hi Boogara,

This exactly is the big weakness in your encryption scheme. You are sending the key over an insecure channel... which is bad ..

You can solve this by using a fixed key and embedding it in your client and server. That way, the keys do not have to be exchanged. Using this basic key, you can then exchange other keys .. encrypted.
An alternative is using a public key cryptosystem like RSA or Diffie-Hellman.

Regarding your encryption routine. XOR is good if your key is truly random, and different with every message you encrypt (never use the same key twice!). This makes this encryption routine not very practical.
I suggest to use a stronger algo like AES, 3DES, TwoFish ... (A)RC4 is acceptable if you never use the same key twice.

Kind regards
Eddy
www.devotechs.com -- HIME : Huge Integer Math and Encryption library--
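
An added example, not part of any post in this thread: a C sketch of why the replies steer away from XOR with a short, reused key. The key bytes and the second message are constructed sample values, and xor_data is an illustrative stand-in for the XorData call, not the MASM32 library source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample key: a handle-like 32-bit value 0x000A04F2 stored
   little-endian. It is an assumption, not a value from the thread. */
static const uint8_t KEY[4] = { 0xF2, 0x04, 0x0A, 0x00 };

/* Repeating-key XOR in place, the operation the thread's XorData call is
   used for (this C version is illustrative, not the MASM32 source). */
static void xor_data(uint8_t *buf, size_t len, const uint8_t *key, size_t klen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % klen];
}

/* Returns 1 when four known plaintext bytes of one message yield the key
   and that key then decrypts a second message sent under it. */
int reused_key_exposes_second_message(void)
{
    uint8_t m1[] = "MASM32 rules!", m2[] = "meet at nine";
    const size_t n1 = sizeof m1 - 1, n2 = sizeof m2 - 1;
    uint8_t recovered[4];
    xor_data(m1, n1, KEY, sizeof KEY);
    xor_data(m2, n2, KEY, sizeof KEY);
    for (size_t i = 0; i < 4; i++)          /* ciphertext XOR known text */
        recovered[i] = m1[i] ^ (uint8_t)"MASM"[i];
    xor_data(m2, n2, recovered, sizeof recovered);
    return memcmp(recovered, KEY, 4) == 0 && memcmp(m2, "meet at nine", n2) == 0;
}

/* Counts ciphertext bytes equal to the plaintext: each position that
   meets a 0x00 key byte passes through unchanged. */
int bytes_left_in_clear(void)
{
    const char pt[] = "MASM32 rules!";
    uint8_t ct[sizeof pt - 1];
    int same = 0;
    memcpy(ct, pt, sizeof ct);
    xor_data(ct, sizeof ct, KEY, sizeof KEY);
    for (size_t i = 0; i < sizeof ct; i++)
        same += ct[i] == (uint8_t)pt[i];
    return same;
}

int main(void)
{
    return !(reused_key_exposes_second_message() && bytes_left_in_clear() == 3);
}
```

With a fresh random key as long as each message, neither function would find anything, which is the condition Eddy's reply places on XOR.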