How to Encrypt the password String?

Hi All,

I would like to encrypt a password string in Corona as follows (we can encrypt a string in PHP like this):

function encrypt($sData, $secretKey){
    $sResult = '';

    for($i=0;$i<strlen($sData);$i++){
        $sChar    = substr($sData, $i, 1);
        // A start offset of -1 (when $i % strlen($secretKey) is 0) selects the last key character.
        $sKeyChar = substr($secretKey, ($i % strlen($secretKey)) - 1, 1);
        // chr() wraps values above 255 modulo 256.
        $sChar    = chr(ord($sChar) + ord($sKeyChar));

        $sResult .= $sChar;

    }
    return base64_encode($sResult);
}

chr() - Returns a one-character string containing the character specified by ascii.

ord() - Returns the ASCII value of the first character of string
http://www.asciitable.com/

base64_encode() - Encodes the given data with base64.

I am sure Corona can do substring -> string.sub() and string length -> string.len().

I wonder if Corona has functions that do the same thing for chr() -> string.char(), ord() -> string.byte(), and base64_encode().

My First Question is: Is it possible to encrypt a String (Password) in Corona SDK? I found only Hashing and Message Digest in Corona SDK. I didn’t find “Encryption/Decryption” in Corona SDK. (If we cannot encrypt a string in Corona SDK, how do I encrypt my password string?)

My Second Question is: Is it possible to encrypt a String like the above PHP code?

Please help me… I can’t find any way to do it on the Internet…

Best Regards,

John

I will delete your duplicate question from the other forum.

Yes, we support things like:

string.byte()  http://docs.coronalabs.com/api/library/string/byte.html

string.char() http://docs.coronalabs.com/api/library/string/char.html

There is a crypto.* library too:  http://docs.coronalabs.com/api/library/crypto/index.html
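
The PHP routine from the question, ported to Lua with string.byte() and string.char() and paired with the matching decode. This is an added example, not part of the original thread; it assumes the LuaSocket "mime" module is available for base64, and the sample password and key are constructed.

```lua
-- Added example: Lua port of the PHP encrypt() shown in the question.
-- Assumption: LuaSocket's "mime" module provides base64 (mime.b64 / mime.unb64).
local mime = require("mime")

-- Shift every byte of `data` by the matching key byte.
-- sign = 1 encodes, sign = -1 decodes.
local function shift(data, secretKey, sign)
    local klen = #secretKey
    assert(klen > 0, "secretKey must not be empty")
    local out = {}
    for pos = 1, #data do
        local i = pos - 1                      -- PHP's 0-based $i
        -- PHP reads substr($secretKey, ($i % klen) - 1, 1); an offset of -1
        -- means "last character", which Lua's floored % reproduces.
        local k = ((i % klen) - 1) % klen      -- 0-based key index
        local keyByte = secretKey:byte(k + 1)
        -- PHP's chr() wraps modulo 256; string.char() errors above 255,
        -- so wrap explicitly. Floored % also keeps the decode non-negative.
        out[pos] = string.char((data:byte(pos) + sign * keyByte) % 256)
    end
    return table.concat(out)
end

local function encrypt(data, secretKey)
    -- Parentheses drop mime.b64's second return value.
    return (mime.b64(shift(data, secretKey, 1)))
end

local function decrypt(encoded, secretKey)
    return shift((mime.unb64(encoded)), secretKey, -1)
end

-- Constructed sample values, for illustration only.
local token = encrypt("hunter2", "k3y")
assert(decrypt(token, "k3y") == "hunter2")
print(token)
```

This is a repeating-key byte shift, so anyone who obtains the key from the app can reverse it; it obscures the string rather than protecting it the way a vetted cipher would.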

I see we can encrypt the password using crypto. But how do I decrypt it? Thanks, Edwin

The Crypto library just performs one-way hashing functions. If you want to actually be able to encrypt and decrypt data, then you’ll want to check out the OpenSSL plugin - http://docs.coronalabs.com/plugin/openssl/index.html

Or you could check out this AES coder/decoder:

https://github.com/bighil/aeslua

You want to use the bit.plugin for the bit manipulation which reduces coding/decoding time from 250-350ms to a few ms. It works quite well.

For storing or checking the cryptographic key you either use your own server (most secure) or crypt it and store it onto the device. Use some time-dependent key to scramble it.

Thank you Glitch Games and Renato bugge. 

I will check out both OpenSSL and AES. 

Another question for Renato: when you say checking the crypto key on my own server, do you mean just simply comparing the encrypted password user input with the encrypted password column in the database on my server?

Thanks.

Edwin 

Hi Edwin,

Encrypting the same thing two times and comparing it will not work with AES. You will need the key to actually decrypt what's inside.

My suggestion on using a server was to avoid storing the encrypted password on the device. It is more secure as it is harder to hack a password that is not stored on the device.

Anyway, the password needs to be AES encrypted once the user has typed it in. If you use a preset key to encrypt it, it will be easy for a hacker to get the AES decryption key and read the password. Another way would be to use the password as a basis for the key, but beware that you may get error messages from the aes.lua code if the user types in the wrong password. If you can modify the code to prevent this, that would probably be the best solution.

To avoid storing the AES encryption/decryption key on the device, you can store this on a server as well.

Renato

Thanks Renato, 

So using AES means I need to keep my secret password in my app and also the same secret password on my server side, right?

So when the user enters the password, I have to encrypt it (using the secret key on the app side) and send it to the server,

then decrypt the password from the database and the user input from the app (using the secret password on the server side) to compare whether the password is correct.

Is this what you are trying to explain to me? I apologize; I need to write out the flow as I try to understand how it works.

Appreciate your help on explaining this!

Edwin
