From: mistral on 3 Oct 2006 07:17

TC wrote:
> mistral wrote:
> > some people consider that encoding of javascript code on html page is
> > very weak, easily crackable, and unreliable. May be. Nevertheless, what
> > data is encoded below, and what encryption method used?
> > (snip code)
>
> People have said that -if- Javascript is encrypted in such a fashion
> that a user agent (like a browser) can decrypt it -automatically-,
> then, a human person can also decrypt it.
>
> But, if the decryption requires a password that is not available to the
> user agent (unless the user enters it manually), then, naturally, a
> human person can -not- decrypt it, unless he can find out that
> password.
>
> Neither of those two statements requires a block of code to illustrate.
>
> Do you agree, or disagree, or have I missed your point?
>
> TC (MVP MSAccess)
> http://tc2.atspace.com

-------------

No. The idea was to test how strong is protection (it was encrypted with simple standard software). Phil Carmody fails to decrypt it and find password. So, this encryption is strong enough. Try get password if you think you are strong enough.

m.
From: TC on 3 Oct 2006 07:43

mistral wrote:
> the idea was to test how strong is protection (it was encrypted
> with simple standard software).

I still don't get it.

If the password and decryption procedure are fully included in the code you gave, then, it is trivially simple to decrypt the ciphertext. You simply de-obfuscate the code, find the decryption procedure, then call that procedure, with the known arguments.

Conversely, if the password and decryption procedure are -not- fully included in the code you gave, and the cipher is a decent one, then, it should -not- be possible to decrypt the ciphertext.

There's nothing new there. The exact same comments would apply, no matter what language you coded it in. There's no point *actually doing it*, when you can work it out "in principle".

Of course you can code a strong cipher in Javascript. But if you provide a *self decrypting ciphertext* to a web browser, then, a human person can decrypt that ciphertext, just like the web browser can.

Yes? No?

TC (MVP MSAccess)
http://tc2.atspace.com
From: Tom St Denis on 3 Oct 2006 09:04

mistral wrote:
> some people consider that encoding of javascript code on html page is
> very weak, easily crackable, and unreliable. May be. Nevertheless, what
> data is encoded below, and what encryption method used?

First step, trying to munge the code is stupid, without configuration this is what GNU Indent gave me

function HHHHH (DDDDD, msg1) { var NNNII = new Array (
From: Tom St Denis on 3 Oct 2006 09:10

mistral wrote:
> some people consider that encoding of javascript code on html page is
> very weak, easily crackable, and unreliable. May be. Nevertheless, what
> data is encoded below, and what encryption method used?

It appears that you use MD5 to hash the password and then RC4 to decrypt the data. Assuming the password wasn't trivial why would you assume we could break this?

BTW, if you use RC4 to encrypt the message you don't have to obfuscate your code since the secrecy lies in the key not the code.

And your code is horrible btw ...

Tom
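
The scheme Tom describes (the MD5 hash of the password used as the RC4 key), written out readably as an added example; it is not code from the thread or from mistral's page. The function names, the sample text and the password are constructed, and Node.js is assumed for MD5 and base64 handling.

```javascript
// Added example, not the code posted in the thread.
const { createHash } = require("node:crypto");

// RC4: key scheduling (KSA), then keystream generation (PRGA).
// Encrypting and decrypting are the same XOR with the keystream.
function rc4(keyBytes, dataBytes) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = Buffer.alloc(dataBytes.length);
  for (let n = 0, i = 0, j = 0; n < dataBytes.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = dataBytes[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Assumed key derivation: the 16-byte MD5 digest of the password.
function keyFromPassword(password) {
  return createHash("md5").update(password, "utf8").digest();
}

// What the "protection" tool does before the page is published.
function protect(plaintext, password) {
  const key = keyFromPassword(password);
  return rc4(key, Buffer.from(plaintext, "utf8")).toString("base64");
}

// What the script in the page does. Nothing here is secret: the
// algorithm is fully visible, so obfuscating it adds no strength.
function unprotect(ciphertextB64, password) {
  const key = keyFromPassword(password);
  return rc4(key, Buffer.from(ciphertextB64, "base64")).toString("utf8");
}

// Constructed sample page content and password.
const PAGE = { ciphertext: protect("<b>members only</b>", "constructed-password") };

// If the password ships inside the page, any reader of the source can make
// this same call. If the user types it in, only the password is secret.
console.log(unprotect(PAGE.ciphertext, "constructed-password"));
```

With the password typed in by the user rather than shipped in the page, the content is exactly as strong as that password, since a single MD5 is fast to compute.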
From: mistral on 3 Oct 2006 09:21
TC wrote:
> mistral wrote:
>
> > the idea was to test how strong is protection (it was encrypted
> > with simple standard software).
>
> I still don't get it.
>
> If the password and decryption procedure are fully included in the code
> you gave, then, it is trivially simple to decrypt the ciphertext. You
> simply de-obfuscate the code, find the decryption procedure, then call
> that procedure, with the known arguments.
>
> Conversely, if the password and decryption procedure are -not- fully
> included in the code you gave, and the cipher is a decent one, then, it
> should -not- be possible to decrypt the ciphertext.
>
> There's nothing new there. The exact same comments would apply, no
> matter what language you coded it in. There's no point *actually doing
> it*, when you can work it out "in principle".
>
> Of course you can code a strong cipher in Javascript. But if you
> provide a *self decrypting ciphertext* to a web browser, then, a human
> person can decrypt that ciphertext, just like the web browser can.
>
> Yes? No?
>
> TC (MVP MSAccess)
> http://tc2.atspace.com

------------

Code protection based on encoding of script and decrypting in browser with another script ('public' function) is intended for protection from robots (software) and for non tech users.