Very simple string Encryption / Decryption

This is a very simple Encryption and provides very little protection. It can be reversed very easily. But it's better than raw data.

-Darkmod
[lua]
-- Shift one printable ASCII character (codes 32..126) by dist, wrapping
-- inside that range; inv = true shifts back.
local function convert( chars, dist, inv )
    return string.char( ( string.byte( chars ) - 32 + ( inv and -dist or dist ) ) % 95 + 32 )
end

-- k[1..4] are the shifts, selected by i % 4. k[5] is the number of random
-- padding characters appended on encryption and skipped on decryption.
local function crypt(str,k,inv)
    local enc = "";
    for i=1,#str do
        if(#str-k[5] >= i or not inv)then
            for inc=0,3 do
                if(i%4 == inc)then
                    enc = enc .. convert(string.sub(str,i,i),k[inc+1],inv);
                    break;
                end
            end
        end
    end
    if(not inv)then
        for i=1,k[5] do
            enc = enc .. string.char(math.random(32,126));
        end
    end
    return enc;
end

local enc1 = {29, 58, 93, 28, 27};
local str = "This is an encrypted string.";
local crypted = crypt(str,enc1)
print("Encryption: " .. crypted);
print("Decryption: " .. crypt(crypted,enc1,true));

-- returns:
-- Encryption: /f&1Zg0=%*JbV>Z^Ik!p=B@'7cHMY<
-- Decryption: This is an encrypted string.
[/lua]

[import]uid: 7177 topic_id: 17199 reply_id: 317199[/import]

Have not tested it completely, but you will have to be careful that you do not end up with characters that break the strings.

For example:

[lua]
local myEncodedString = "/f&1Zg0=<l>%*JbV>Z^Ik!p=B@'7cHMY"
print(decode(myEncodedString))
[/lua]

Let’s hope that this works… without errors

cheers,

?:) [import]uid: 3826 topic_id: 17199 reply_id: 64861[/import]

Have you taken a look at Corona’s crypto support?

http://developer.anscamobile.com/reference/crypto [import]uid: 52430 topic_id: 17199 reply_id: 64963[/import]

Yes, crypto is a one-way hashing encryption that can’t be decrypted locally.
[import]uid: 7177 topic_id: 17199 reply_id: 64973[/import]

What are you planning on encrypting with this? What is its purpose? [import]uid: 19626 topic_id: 17199 reply_id: 64974[/import]

Maybe he wants to hide “secrets” placed in the app - as examples
a) solution words for riddles
b) cheat codes
c) text in book like apps with IAP
d) level data with infos for hidden treasures

For c) and d) you can’t use hash based encryption like MD5 because it creates something like a check sum and is only for proof of validity - so you could use it for a) and b)

On the other hand I do ask myself if Apple will be disturbed by using own decryption routines. They ask if you use encryption in your app. I think that’s a relic from the cold war times when encryption technology was forbidden for export… [import]uid: 70114 topic_id: 17199 reply_id: 65007[/import]

Have you tried the Rot13 or something similar? Use crypto, then you will also have issues in selling your app outside of US to some countries.

cheers,

?:) [import]uid: 3826 topic_id: 17199 reply_id: 65009[/import]

Regarding using Apple’s provided encryption, from iTunes Connect:

If I use the encryption available in the iOS or Mac OS X, do I still need to obtain U.S. government approval? What should I do about the source code, since I can’t provide it to them?
You still need to submit your app to the U.S. Bureau of Industry and Security (BIS) for approval because they want to know how you are using encryption in your particular app, even though they have already approved the encryption in the iOS and Mac OS X. You are responsible for obtaining separate approval.

It is not necessary to provide Apple’s source code to the government because it has already been reviewed and approved by the U.S. Bureau of Industry and Security (BIS).

So yes, if you use the Corona SDK crypt libraries or anything provided by iOS then you need to go through the export compliance process with the government before you submit your app to Apple.

Regarding ROT13. I sent a message to Apple to ask about ROT13 and MIME’s Base64 Encode/Decode process. The purpose of ROT13 is to encrypt data so it's not readable and I suspect that it will require the government’s export compliance process. I’m unsure about Base64 since its purpose really isn’t to encrypt data as much as make binary data safe for transport over a text system. Hopefully Apple will find time in their busy day to answer my questions. [import]uid: 19626 topic_id: 17199 reply_id: 65042[/import]

ROT13 and Base64 are used in emails and no one really needs to get a certificate from the BIS aka Big Brothers…

cheers,

?:) [import]uid: 3826 topic_id: 17199 reply_id: 65048[/import]

Good code, though I’m wondering about what JayantV posted earlier… What about ending up with characters that break a string? Anyone gotten around that? [import]uid: 14018 topic_id: 17199 reply_id: 106279[/import]

Mime’s Base64’s purpose is to take any binary data and produce an ASCII safe string that can be sent over systems that react badly to binary data and control characters.

ROT13 really only deals with ASCII letters: A becomes N, B becomes O, C becomes P and is meant to obscure words only. If you have binary bytes or control characters (and even numbers and symbols) those will remain unchanged.

If you have things that will break a string I would recommend Mime’s Base64 encode. You can also use the standard URL Encode/Decode to manage the non-ASCII characters and things that break strings then apply your encryption to the now ASCII safe string. Or vice versa. Encrypt first, then URL Encode/Decode it.
[import]uid: 19626 topic_id: 17199 reply_id: 106298[/import]
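The two orderings from the reply above, as an added example that is not part of the original thread. `convert()` is copied from the first post; `urlEncode`, `urlDecode` and the single-shift `shift()` stand-in for `crypt()` are hypothetical helpers, and the sample text is constructed.

```lua
-- convert() is taken from the first post; everything else is added here.
local function convert(chars, dist, inv)
    return string.char((string.byte(chars) - 32 + (inv and -dist or dist)) % 95 + 32)
end

-- Single-shift stand-in for crypt(): same per-character arithmetic.
local function shift(s, dist, inv)
    return (s:gsub(".", function(c) return convert(c, dist, inv) end))
end

-- Percent-encode every byte that is not A-Z a-z 0-9 - . _ ~
local function urlEncode(s)
    return (s:gsub("[^%w%-%._~]", function(c)
        return string.format("%%%02X", string.byte(c))
    end))
end

local function urlDecode(s)
    return (s:gsub("%%(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end))
end

-- Constructed sample: contains quotes, a newline (byte 10) and a '%'.
local plain = 'say "hi"\n50% off'

-- 1. Cipher alone: the arithmetic assumes bytes 32..126, so the newline
--    is folded into that range and does not come back.
assert(shift(shift(plain, 29), 29, true) ~= plain)

-- 2. Encode first, then encrypt: the cipher only ever sees safe ASCII,
--    so the round trip is exact.
local stored = shift(urlEncode(plain), 29)
assert(urlDecode(shift(stored, 29, true)) == plain)

-- 3. Encrypt, then encode the result: the cipher output can contain
--    quotes or backslashes, the encoded form cannot.
local safe = urlEncode(stored)
assert(not safe:find("[\"'\\]"))
assert(urlDecode(safe) == stored)
print(safe)
```

Encoding before the cipher protects the input range; encoding after it protects whatever stores the output. Doing both covers each problem raised in the thread.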

I use a very similar encryption method in my current app to save the users and the game save data. Since I use in-app purchases, I don’t want them to go in and change all their details. Here is my process:

userInfo table --> Json Encode --> Proprietary key-based rotation algorithm --> Stored in a string
gameData table --> Json Encode --> Proprietary key-based rotation algorithm --> Stored in a string

userInfoString --> Base64 (Better for SQL to prevent errors)
gameDataString --> Base64

userInfoString --> SHA-384 key-hashed = userInfoHash
gameDataString --> SHA-384 key-hashed = gameDataHash

I then store the base64’d data and its corresponding hash into a SQL database. When the app loads, I compare the stored data to its hash and if it has been changed, I reset the users data. I also hash the entire database itself to prevent an injection attack. Each hash uses a different key that is based on the user, so it can’t be shared to other users but still works when playing on your iPad or one of your other devices.

This offers way more security than just hashing or just encrypting and the result is still a small, quickly created file. The final file is still incredibly small since all of my saved data is essentially just a big json text file. The resulting DB file was less than 100kb max size.

As a side note, all types of encryption can be reversed by someone who knows what they’re doing. But what I’m doing here is making that as hard as possible while still keeping quick, efficient encryption (Not going overboard). Nobody is going to brute force the hash, what they would do is run the app through a debugger and see how the encryption is run, then find the key used to encrypt it in the devices memory. If they’re able to get the correct encryption process and obtain the keys then you’re out of luck, but the % of people who could do that is very minimal and they wouldn’t be buying from you anyway ;)

It’s also a good idea to store your key in a table, then overwrite it with blank/dummy data after encryption. This is because Lua strings are immutable and would make it a lot easier for an attacker to find the correct memory location and obtain the key.
Hope that helps,
Dac [import]uid: 63320 topic_id: 17199 reply_id: 106309[/import]

Great Info dacriburdan! [import]uid: 7177 topic_id: 17199 reply_id: 106331[/import]

@dacriburdan - Thank you so much for your excellent comments!

Two questions:

  1. Is there a reason you preferred storing in sqlite instead of just a flat file where you appended the signature to the end of the file? Just to make it one step harder to edit the file?

  2. When you say “It’s also a good idea to store your key in a table, then overwrite it with blank/dummy data after encryption.” Can you give some quick code or explanation of how to do this? I’m not sure how keys={"abcdef"} would be better than key="abcdef". [import]uid: 122310 topic_id: 17199 reply_id: 119238[/import]

Hey guys. Thanks for all your replies. I’m building an app to store sensitive data like credit card info. What are the best methods you recommend I use for this? Will Dac’s methods be good enough? Like Dac mentioned, the likelihood of someone obtaining someone’s device, finding the app, working out the encryption and decrypting the data - would be very low.

Any advice would be greatly appreciated! [import]uid: 142833 topic_id: 17199 reply_id: 132205[/import]

I think if you are storing sensitive user information like passwords and credit card info you are obligated to use very strong encryption to make sure it's not stolen. I don’t know if this is actually allowed, but you could consider storing all the information encrypted on your servers, and then just pulling it down as needed using https (you aren’t required to file with the government if you use https). [import]uid: 122310 topic_id: 17199 reply_id: 132236[/import]

Thanks for your reply. Yeah I agree about the obligation - that’s why I’m asking and researching. I don’t think the server option is appropriate, for speed and offline access, but thanks for the idea.

Does anyone know if Corona’s crypto is a solid method of encryption? [import]uid: 142833 topic_id: 17199 reply_id: 132397[/import]

In order to avoid these sorts of export complications, Corona’s crypto library doesn’t actually do any encryption…only hashing (they discussed this in some other forum thread but I don’t know which one anymore). So you can use crypto to generate signatures, or verify that a message wasn’t tampered with using HMAC, but not actually encrypt the message. [import]uid: 122310 topic_id: 17199 reply_id: 132422[/import]
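The tamper check Dac describes (JSON, Base64, keyed SHA-384 hash, per-user key) built on the HMAC support mentioned in the last reply, as an added example that is not code from the thread. It assumes the Corona SDK runtime with its `crypto`, `json` and `mime` modules; `userKey`, `seal`, `unseal`, the secret and the user ids are hypothetical, constructed names and values.

```lua
-- Added example. Assumes the Corona SDK runtime (crypto, json, mime).
local crypto = require("crypto")
local json   = require("json")
local mime   = require("mime")

-- Hypothetical per-user key: HMAC of the user id under an app secret, so
-- a blob and tag copied from another user's save will not verify.
local function userKey(appSecret, userId)
    return crypto.hmac(crypto.sha384, userId, appSecret)
end

-- Serialise a table, Base64 it for storage, and compute a keyed tag over
-- exactly the bytes that will be stored.
local function seal(tbl, key)
    local blob = (mime.b64(json.encode(tbl)))  -- parentheses keep 1st result
    return blob, crypto.hmac(crypto.sha384, blob, key)
end

-- Recompute the tag before trusting anything inside the blob.
-- Returns the decoded table, or nil if the blob or tag does not match.
local function unseal(blob, tag, key)
    if crypto.hmac(crypto.sha384, blob, key) ~= tag then
        return nil
    end
    return json.decode((mime.unb64(blob)))
end

-- Constructed sample data.
local secret = "app-secret-placeholder"
local key = userKey(secret, "user-42")
local blob, tag = seal({ coins = 120, level = 7 }, key)

-- Untouched save: verifies and decodes.
assert(unseal(blob, tag, key).coins == 120)

-- Edited save with the old tag: rejected, so the app can reset the data.
local forged = (mime.b64(json.encode({ coins = 999999, level = 7 })))
assert(unseal(forged, tag, key) == nil)

-- Save copied to a different user: rejected because the key differs.
assert(unseal(blob, tag, userKey(secret, "user-43")) == nil)
```

This detects edits to the stored blob but does not hide its contents, and the secret still ships inside the app, so the debugger scenario Dac describes still applies.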