Can someone explain to me how to use Encryption like MD5?

Hi,
I am trying to use MD5 encryption between my app and the server, to verify what was sent. I don’t really understand how this works. I know that MD5 creates a checksum that I need to send to my server, but how does the server check that as well? I got the idea from this:

"As-is, the ‘secret’ really doesn’t help at all. Anyone that wants to submit a fake score can simply copy the URL passed, change the score, and re-submit the URL.

A quick work-around to prevent this type of attack is to hash the ‘secret’ along with the data being passed. Then you just send the hashed value rather than the actual ‘secret’. On the server side, you compute the same MD5 hash to make sure the data is legit.

Pseudo code example:

hash = MD5("secret" + username + score)

NSString *urlString = [NSString stringWithFormat:@"http://icodeblog.com/ws/put_score.php?secret=%@&udid=%@&name=%@&score=%f",
hash,udid,username,theScore];

Note, the secret itself is never sent in plain text this way. In fact, the secret is never sent at all!

Main benefits: (A) No one else knows your secret password, and (B) if someone changes the Score or the Username, the MD5 hash will not match.

Quick and easy!

HTH

Dave"

On this site http://icodeblog.com/2009/10/29/iphone-coding-tutorial-creating-an-online-leaderboard-for-your-games/

Thanks for your help.

Now I’m not an encryption expert so hopefully someone else pipes up, but if you look at this documentation it shows how to use MD5 encryption:
http://developer.anscamobile.com/reference/index/cryptodigest

What your link is suggesting is that both your app and the server know a password that an attacker wouldn’t know. Then construct a message to encrypt by using that password along with the score. Now encrypt that message and send the encrypted message along with the score:

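[lua]
require "crypto"
local password = "thisisverysecure"  -- shared secret, also known to the server
local name = "joe"
local score = 123456
-- Hash the password together with the data being sent
local msg = crypto.digest(crypto.md5, password..name..score)
-- Send the hash with the name and score; the password itself is never sent
local url = "http://www.myserver.com/put_score.php?hash="..msg.."&name="..name.."&score="..score
[/lua]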

When the server receives the encrypted message and the score, it’ll do the same thing to construct a message using the password along with the score and check that the encrypted message it generates matches the encrypted message the app sent. If they are the same then all is good; if they are different then a cheater had changed the score sent to the server.

I think I get it: you are just encrypting and matching on the server to make sure it’s the same data. You don’t actually decrypt the data that you encrypted, you just match it on the server side. If it matches, all is OK.
Am I correct?

Yeah, that’s the idea. I don’t think it is possible to decrypt MD5 hashes (but again, I’m not an encryption expert).

@Jhocking: Not an expert either but I think you’re pretty much right, it’s just for verification as far as I know.

@amigoni: not sure if it helps, but if you wanted to encrypt the data transfer it appears that the new build has https support for get/post:

http://developer.anscamobile.com/reference/asynchronous-http
[lua]network.request( "https://encrypted.google.com", "GET", networkListener )[/lua]

md5 is a hashing function, not an encryption function. There’s no way to “decrypt” md5 (look up rainbow tables).

https will only help transport security (i.e. someone sniffing your traffic).

The implementation that jhocking did is probably what I would do here, though I would use crypto.hmac(crypto.sha256, password, name…score). If you’re paranoid I would store the key in a weird format and convert it on the fly to something else.
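
Added example, not part of the original thread or any poster's code: both sides of the HMAC-SHA256 check suggested above, written in Python so the app side and the server side run together, with the server recomputing the tag and comparing it in constant time. The key, the `hash`/`name`/`score` query layout and the length-prefixed message format are assumptions of this example; `naive_tag` reproduces the plain `password..name..score` concatenation to show that it cannot tell ("joe1", 23) from ("joe", 123).

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = b"thisisverysecure"  # constructed sample key, shared by app and server

def naive_tag(name, score, key=SECRET):
    # The thread's construction: MD5(password .. name .. score).
    return hashlib.md5(key + f"{name}{score}".encode()).hexdigest()

def sign(name, score, key=SECRET):
    # Length-prefix the name so the field boundary is part of the message;
    # plain concatenation gives ("joe1", 23) and ("joe", 123) the same bytes.
    raw = name.encode("utf-8")
    msg = b"%d:%s|%d" % (len(raw), raw, score)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_query(name, score, key=SECRET):
    """App side: query string sent to the score endpoint."""
    return urlencode({"hash": sign(name, score, key), "name": name, "score": score})

def verify_query(query, key=SECRET):
    """Server side: return (name, score) if the tag is valid, else None."""
    params = parse_qs(query)
    try:
        name, score_text, tag = (params[k][0] for k in ("name", "score", "hash"))
        score = int(score_text)
    except (KeyError, ValueError):
        return None  # missing field or non-numeric score
    expected = sign(name, score, key)
    # Constant-time comparison: do not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return name, score
```

The tag only shows that the name and score were produced by someone holding the key; it does not hide them, which is why the HTTPS point above is a separate concern.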

@seanh. Thanks for your input. What do you mean by weird format? I am fairly new to this. Could you type a quick example?

Thanks