I'm faced with a web project currently. I've been going through most of the modules of this project, trying to get an idea of what I'm going to need in terms of objects and such.

One thing has caught my eye. I'm going to be storing a password for login in an Oracle database. Previously, I would have just stored it as plain text and not thought twice about it. Now, I'd like to implement a poor man's encryption technique. I'd like to come up with an algorithm that will take a string and change its values in a certain way, and then I can come back later and run the same algorithm backwards to get that original string. I was thinking I could take each character in the string, find a number value associated with it, and multiply it by a certain amount. Is that possible? Are there certain numbers associated with characters (i.e., a, b, c, etc.)? I don't want anybody to do this for me, or link to code they find on the Net. I'm just curious if the approach I'd like to take is possible. Thanks for any input. :D

I know Oracle will allow you to encrypt fields in the db, but I'd like to do it for the experience.

I always thought the the WWII encryption technique of using the bible was pretty cool. Pick a random verse anywhere in the bible, from there record all the characters. Offset the ascii value of the orignal text by some multiple of the ascii values of the characters of the random verse and boom, you're there. Do it backwards to get your junk back. You can record the key then as the verse number and you're good to go, without having to keep the value of the real key written down... just it's location in teh bible. Kind of cool and you could use it with your own whatever instead of the bible. textbook, etc. just make sure it's something that's not going to change or dissapear and you're good to go.

So I am correct in saying each letter and symbol has an ASCII value associated with it?

Wow, that was easier than I thought! I'm sure it isn't too safe, but it does the job. :D

Originally posted by CompiledMonkey
So I am correct in saying each letter and symbol has an ASCII value associated with it?

Yes. :)

do a search on "ascii table" or "ascii code"... you should stumble across it quickly. it's a very usefully information, sometimes invaluable.

Originally posted by CompiledMonkey
Wow, that was easier than I thought! I'm sure it isn't too safe, but it does the job. :D

mmmmbooyah kasha. respect.

:cool:

(i'm surprised some computer science major didn't ream me for that, it's okay.. but I'm sure they're taught better shit than that)

I had a hell of a time deciding on CS or CIS/IS myself. I ended up going with CIS/IS. ;)

The truth is...it almost doesnt do the job. Poor man's encryption is almost no encryption at all. You can find a variety of free encryption libraries out there that are actually quite good. PLEASEEEEEE with all the problems programmers are having lately with insecure code and lack of proper protection, just do the right thing and use an encryption library that we all know is reasonably secure. I suggest going with a TwoFish. VERY efficient and very quick block encryption.

-AntonK

AHHHHHHH just read that you are going CIS/IS!!!! Please take my above post more seriously since you are eventually some day going to be in charge of vast networks. SECURITY IS IMPORTANT!!!

-AntonK

This was more of a learning experience than anything. I will probably just use what is built into Oracle.

Also, I will not have anything to do with Operations once I finish college. I'm going to continue to be a developer. :cool:

Originally posted by CompiledMonkey
I had a hell of a time deciding on CS or CIS/IS myself. I ended up going with CIS/IS. ;)

I'm in industrial engineering myself... it's always tough to decide on a major... dat b fo sho.

Originally posted by wesmorris
I'm in industrial engineering myself... it's always tough to decide on a major... dat b fo sho.

:eek: LOL!

Actually, the homemade encryption explained by wesmorris is very secure. While most modern encryption can eventually be craked by someone with enough time and computing power, a code based on something that seems random like the bible or, even better, a list of letters and numbers that are truly random, is unbreackable.

the problem with that code is that it is simply an offset of the original text by some value. ANY decent computer can run through possible permutations with a decent dictionary to cross reference. Simple character encrpytions like that are EASILY found and deciphered. It's basically the cryptogram in your local newspaper,...people crack them every week.

-AntonK

Originally posted by AntonK
the problem with that code is that it is simply an offset of the original text by some value. ANY decent computer can run through possible permutations with a decent dictionary to cross reference. Simple character encrpytions like that are EASILY found and deciphered. It's basically the cryptogram in your local newspaper,...people crack them every week.

-AntonK

The problem isn't that its just a set of offsets, all encryption schemes that don't change the length of the message can be considered just a set of offsets. The problem is that those offsets are not random, they are english (assuming you are using an english version of the Bible). And English is easily cracked, because of known letter frequencies, etc.

BTW, does anyone know where to find letter frequency charts for other languages?

Originally posted by Redrover
Actually, the homemade encryption explained by wesmorris is very secure. While most modern encryption can eventually be craked by someone with enough time and computing power, a code based on something that seems random like the bible or, even better, a list of letters and numbers that are truly random, is unbreackable.

I think your on crack. This isnt random, not in the slightest. Languages like english have discernable pattern in most cases, and any book, such as the bible, that in such a large distribution, that its almost mindboggling that anyone could/would want to use it in a code, and call it secure. Plus, on top of all this, they would want to be changing the file often, and you could take one copy of the password file, encrypted in this simple matter, and another copy of the file, and subtract the results to get the original verse used in the bible, then decipher at will, making it completly useless. Oh, i almost forgot, just to tell you, one time pads (what you describe) used in the manner which you are saying, are completly worthless with modern cryptology techniques, use pgp or blowfish, dont reply on slapshode encryption techniques

He did say "POOR MAN'S" encryption okay? Obviously it's not really all that secure, but it hides the shit to where the average person won't be directly exposed to it. It would take someone with a modicum of knowledge about encryption blah blah to crack it. In most cases on a small scale, that's plenty secure because small stuff isn't generally of interest to somone who is going to bother to hack at it.

Hehe, you guys are tense. Oh, yeah.. it's definately not "unbreakable" by any stretch of the word and I completely agree that be any professional standard it would be considered a waste of time.. but again.. it IS a down and dirty (though not particularly secure) method for "pool man's encryption". :)

EDIT: OH, and BTW, if it is SO freakin weak.. why doesn't one of you cryptographers help the guy out... I admitted straight up that I only halfass know what I'm talking about. :)

This is the first time i've read the thread, thats just what i found wrong with it

Fafnir665, I think your wrong.

Wesmorris, I admit, would probably be better off using modern cryptology techniques like PGP or Blowfish if he wants to protect his system. But I still stand by my claim that a good One-time pad encyption system is unbreakable. If you correctly use codewords and base your encryption on keywords that are truly random, not even the NSA will be able to break your code, as opposed to the other methods you proposed.

Originally posted by Redrover
Fafnir665, I think your wrong.

Wesmorris, I admit, would probably be better off using modern cryptology techniques like PGP or Blowfish if he wants to protect his system. But I still stand by my claim that a good One-time pad encyption system is unbreakable. If you correctly use codewords and base your encryption on keywords that are truly random, not even the NSA will be able to break your code, as opposed to the other methods you proposed.

I don't really know all that much about it.. just the basics. Have no clue what blowfish or PGP is, and I'm not really interested. Cryptology is boring to me in detail.. but the general idea is pretty cool. :)

why is a 2 way function so necessary tho.

why not jsut use a one-way hash, store the hash, then compare the hashed user input with the hashed stored password.. a password should never need to be unhashed. if its lot, make new one and hash it, and tell the user.. but dont store it unhashed

Originally posted by Redrover
Fafnir665, I think your wrong.

thats funny, i think your wrong too, in ways, you can't make a general statement like that, im not completely wrong in what i said. From reading your reply, i see that you dont even know what a one time pad is, or how to correctly use one, you probably have some little source, or you read something in a fiction book, that made you abelieve you had a clue, well, you have it partially right, but you dont have the whole cookie there buddy.

Originally posted by Redrover
But I still stand by my claim that a good One-time pad encyption system is unbreakable. If you correctly use codewords and base your encryption on keywords that are truly random, not even the NSA will be able to break your code, as opposed to the other methods you proposed.

okay big guy, you made me take my shoes off *grrr*
(book shelf over bed was an error)

Originally posted by Bruce Schneier "Applied Cryptography" pg 15

Each letter is used exactly once, for only one message. (faf note :: key word, ONCE, you will see why) The sender encrypts the message and then destroys the used pages of the pad or used section of the tape. (this is the analog version, digital is much the same way) The Reciever has an identical pad and uses each key on the pad, in turn, to decrypt each letter of the ciphertext. The reciever destroys the same pad pages or tape sections after destroying the message. (okay, well, that says, you can only use the pad once, olay, you can use it once, and its secure that one time, but if we read on... )

The caveat,and this is a big one, is that the key letters have to generated randomly. Any attacks against this scheme will be against the method used to generate the key letters. Using a psuedo-random generator doesn't count, they always have non-random properties.
The other important point is that you can never use the key sequence again, ever. Even if you use a multiple-gigabyte pad, if a cryptanalyst has multiple ciphertexts whose keys over lap, he can reconstruct the plaintext.

okay, a truly random source will yield an unbreakable one time pad, true, but with encryption, you have to look at the application, and the application here is to store a password file for a website. this is a file that will require it to be changed, and in the process, have multiple different versions of the file, encrypted with your same one time pad, wow, this book also has ways to get the plaintext (the passwords), from the two different ciphertexts used witht he same one time pad, oh yea, one time pads dont use codewords, your thinking pgp, and more public encryption sources, you may be thinking "key pads" which are the random letters/numbers that you were talking about, like i said, if you want an encrytion scheme an eight year could crack, use the one time pad method, otherwise use a serious method of encryption, blowfish has source code everywhere

why cant i make that quote?

heh

"i think your wrong!"

'my wrong?'

Well, just so you guys know, I implemented the algorithm in my web application and it's working great. Thanks again for the discussion. It's been educational. ;)

I think PGP is still the cheapest and the best encryption tool

Originally posted by zira
I think PGP is still the cheapest and the best encryption tool

I have never heard a better statement about encryption