  1. Is this xor based encryption function safe?
<p>What I tried to do here is create a function that will encrypt the same input into completely different output every time it is called. The base of this function is xor, but to prevent easy spotting of repetitive patterns in the string, I added random hashing based on time and a portion of the string to self-verify on decryption.</p>

<p>All I ask is whether I made any kind of errors here that could reveal the hidden text to an experienced person without doing a brute force on the string. (I know that PHP has a module just for encryption, but this is a poor man's version in case the encryption module is not available.) Second: <strong>I do not ask you to rewrite these functions or to write something for me</strong>; what I ask for is simple guidance on what I have done wrong. I know that one possible security breach is that I use salsa by default, which is all zeros for an empty string, but the advantage is that this is the longest hash available in PHP, and second, what fool will use an empty password to protect their data?</p>

<pre><code>function crapt($str,$pass,$hmac = false,$meth = 'salsa20')
{
    // Key stream material: hash (or HMAC) of the password only
    $hash = pack('H*',($hmac===false) ? hash($meth,$pass) : hash_hmac($meth,$pass,$hmac));
    $str = gzdeflate($str,9);
    // Per-call 20-byte value derived from the current time
    $tmphash = pack('H*',sha1(sin(microtime(1))));
    // Prepend it, then XOR the compressed data with it (repeated)
    $str = $tmphash.((string)$str ^ (string)str_repeat($tmphash,strlen($str)/strlen($tmphash)+1));
    // Append a SHA-1 of everything so far for self-verification
    $str .= pack('H*',sha1($str));
    // Outer layer: XOR with the repeated password hash
    return (string)$str ^ (string)str_repeat($hash,strlen($str)/strlen($hash)+1);
}

function decrapt($str,$pass,$hmac = false,$meth = 'salsa20')
{
    $hash = pack('H*',($hmac===false) ? hash($meth,$pass) : hash_hmac($meth,$pass,$hmac));
    // Undo the outer XOR layer
    $str = (string)$str ^ (string)str_repeat($hash,strlen($str)/strlen($hash)+1);
    // Split off and verify the trailing SHA-1
    $check = substr($str,-20);
    $str = substr($str,0,strlen($str)-20);
    if(pack('H*',sha1($str))!==$check) return false;
    // Split off the per-call value and undo the inner XOR layer
    $tmphash = substr($str,0,20);
    $str = substr($str,20);
    return gzinflate((string)$str ^ (string)str_repeat($tmphash,strlen($str)/strlen($tmphash)+1));
}

var_dump(decrapt(crapt('sometext','secretpassword'),'secretpassword'));
</code></pre>
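Added example, not part of the original post: a Python port of the scheme showing that the password-derived key stream is the same for every message, so XORing two ciphertexts cancels it, the per-call `$tmphash` cancels next, and one known message is enough to read another without the password. Assumptions: all function names are hypothetical, `sha256` is used for `$meth` (Python's `hashlib` has no `salsa20`), `os.urandom` stands in for the time-based `$tmphash`, and the sample messages are constructed.

```python
import hashlib
import os
import zlib

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated to length (the post's str_repeat idiom)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def raw_deflate(data: bytes) -> bytes:
    # Raw deflate stream at level 9, matching gzdeflate($str, 9).
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def crapt_port(msg: bytes, password: bytes) -> bytes:
    """Python port of crapt(); sha256 is an assumed choice of $meth."""
    key = hashlib.sha256(password).digest()      # depends on the password only
    tmphash = os.urandom(20)                     # stand-in for sha1(sin(microtime(1)))
    inner = tmphash + xor_repeat(raw_deflate(msg), tmphash)
    inner += hashlib.sha1(inner).digest()        # unkeyed 20-byte check value
    return xor_repeat(inner, key)

def deflate_xor_without_key(c1: bytes, c2: bytes) -> bytes:
    """deflate(m1) XOR deflate(m2), computed from two ciphertexts alone."""
    x = bytes(a ^ b for a, b in zip(c1, c2))     # password key stream cancels
    n = min(len(c1), len(c2)) - 40               # drop tmphash and sha1 trailer
    return xor_repeat(x[20:20 + n], x[:20])      # x[:20] is tmphash1 ^ tmphash2

def recover_with_known_message(c_known: bytes, known: bytes, c_target: bytes) -> bytes:
    """Read c_target using one known plaintext and no password."""
    dx = deflate_xor_without_key(c_known, c_target)
    d_target = bytes(a ^ b for a, b in zip(dx, raw_deflate(known)))
    o = zlib.decompressobj(wbits=-15)            # tolerates a truncated stream
    return o.decompress(d_target) + o.flush()

if __name__ == "__main__":
    pw = b"secretpassword"                       # constructed sample inputs
    known = b"Dear customer, your invoice 2024-0117 is attached. Regards, Billing"
    c_known, c_target = crapt_port(known, pw), crapt_port(b"sometext", pw)
    print(recover_with_known_message(c_known, known, c_target))
```

The weakness is structural: the key stream has to depend on a per-message nonce as well as the key, and the integrity check has to be a keyed MAC rather than a bare SHA-1 that anyone can recompute.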