ehmdjii

simple encryption


Hello, I am sending some data to a server by calling a URL with libCURL. Now, in order to prevent hacking, I want to encrypt this data somehow. So I'm looking for a way to scramble the data using a key in my application. Then on the server I want to descramble it using the same key. What's an easy way to do this in C++?

Hey ehmdjii,

Have you tried a Google search?
If I wanted to create a simple encryption mechanism, I would use a XOR.

Try taking a look here maybe.
Cheers
StratBoy61

-edit-
Note that there is at least one little problem with the XOR: if someone has access to your encrypting mechanism, passing it a binary value made with only 1's will output the coding string, thus allowing them to decrypt. So you have to protect your encrypting mechanism, not the decrypting one :)

[Edited by - StratBoy61 on March 4, 2006 5:07:11 AM]

Quote:
Original post by Emmanuel Deloget
There are a lot of encryption libraries out there. One off the top of my head: OpenSSL.

The advantage of using SSL is that it is going to encrypt the whole HTTP communication, so that a potential hacker has no idea about how your client and server communicate. Same with your code: you do not have to care about encryption, it will be done by your ISAPI layer and your web server. I did not know that a free version of it existed, though. The only problem I can see with using it is the performance. Do some MMOs use SSL for real-time communication?
Please let me know.
StratBoy61

One more question about the XOR encryption:

Is it safe to send such data over a regular HTTP request?

Like
http://.../upload.php?s=xor-result-here

It seems it contains a lot of characters that may break a URL.

It seems that the length of a URL is limited by the web server (cf. http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2). What about a Google search about the PHP restrictions for that? :)

I would actually recommend using a POST command with binary information in your case, rather than pasting the data into the URL.
Cheers
StratBoy61

If the problem is just to scramble the data so that Joe User will not fake high scores on your server, then what I would do is post the data using either base-64 encoding or hexadecimal. Those encodings are about as secure as XOR scrambling the data, from a fake-it point of view, but are text-only and thus guaranteed to be compatible in the URL.

Another approach would be to compute a hash of 1) some number you hard-code into your program, 2) the score, 3) the user ID. Send this as a separate number, and verify the hash (by re-computing it) on the server side. As long as the user doesn't know the hard-coded number, they can't re-create the hash.

All of these methods suffer from the weakness that, in the end, they do trust data from the client, so a determined hacker can disassemble your program and send any score he wants. There's no way around that, except by using server-authenticated simulation, which is typically too expensive for most independent games.

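The hash check described in the post above, as an added example that is not part of the original thread: both the client-side signing and the server-side re-computation are shown in Python for illustration, and HMAC-SHA256 is swapped in for a bare hash of the concatenated values. The function names, the secret and the sample players are constructed for this sketch.

```python
import hashlib
import hmac
import struct

# Constructed placeholder for the "number you hard-code into your program".
SHARED_SECRET = b"constructed-demo-secret"


def encode_fields(user_id: str, score: int) -> bytes:
    """Length-prefix the user ID so the field boundary cannot shift."""
    uid = user_id.encode("utf-8")
    return struct.pack(">I", len(uid)) + uid + struct.pack(">q", score)


def sign_score(user_id: str, score: int, secret: bytes = SHARED_SECRET) -> str:
    """Client side: hex tag sent next to user_id and score (URL-safe text)."""
    return hmac.new(secret, encode_fields(user_id, score), hashlib.sha256).hexdigest()


def verify_score(user_id: str, score: int, tag: str, secret: bytes = SHARED_SECRET) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    expected = sign_score(user_id, score, secret)
    return hmac.compare_digest(expected.encode(), tag.encode("utf-8"))


def naive_tag(user_id: str, score: int, secret: bytes = SHARED_SECRET) -> str:
    """Bare hash of concatenated strings, kept only to show its ambiguity."""
    return hashlib.sha256(secret + f"{user_id}{score}".encode()).hexdigest()


if __name__ == "__main__":
    tag = sign_score("player1", 4200)            # constructed sample submission
    print(verify_score("player1", 4200, tag))    # genuine submission
    print(verify_score("player1", 999999, tag))  # score edited in transit
    # ("player1", 23) and ("player12", 3) collide under naive concatenation
    print(naive_tag("player1", 23) == naive_tag("player12", 3))
    print(sign_score("player1", 23) == sign_score("player12", 3))
```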
Quote:
Original post by hplus0603
All of these methods suffer from the weakness that, in the end, they do trust data from the client, so a determined hacker can disassemble your program and send any score he wants.

I am curious about that, to tell you the truth. Is it *that* easy to disassemble a C++ program and understand what it does?
I read, some time ago, that one could either write his own program to fool a hacker who would want to disassemble it, or pass his/her program into a kind of scrambler utility that would mess up the binary (for disassembly).
To me, hackers usually try to take advantage of other weaknesses, and spoofing is usually the easiest way; disassembling and trying to understand, well, I am sceptical...
StratBoy61

Quote:
Is it *that* easy to disassemble a C++ program and understand what it does?


That depends on who you are. If you have no experience, then no, it'll take a while. But if your day job is debugging applications, or writing device drivers, or doing embedded programming, and you have ten years of experience, then finding the spot in your application where the encryption happens should take less than an evening's worth.

There are ways to make it harder -- for example, with a non-uniform instruction cache, you can re-write the code after it's loaded in icache, and thus confuse someone disassembling memory (because it loads through D-cache), but these methods often break on new versions of the OS, and in the end only serve to slightly delay the determined attacker (say, by half an hour to an hour).

Quote:
Original post by StratBoy61
Quote:
Original post by hplus0603
All of these methods suffer from the weakness that, in the end, they do trust data from the client, so a determined hacker can disassemble your program and send any score he wants.

I am curious about that, to tell you the truth. Is it *that* easy to disassemble a C++ program and understand what it does? [...]
If you have some experience with assembly, yes, it is *that* easy. I just started learning to reverse engineer a few weeks ago, and it only took me a few hours to find that one of the steps in a procedure was to compute the MD5 hash of a password. Now that I've been doing it for a few weeks (maybe an hour a day average), I'm mapping almost every function in a program I knew nothing about that was coded in a very strange way.

Thank you, hplus0603 and Extrarius.

How naive of me to think it was that hard to crack a program...
Thank you again, guys; I will definitely focus on the subject (when coding a client program) with more consideration.
Cheers
StratBoy61
