New SimpleCrypt page



  • Glad you like it!



  • Hi Andre.
    First of all, thanks for sharing your code. :-)

    I was playing with this algorithm, but I noticed a strange situation: sometimes these work well, sometimes not.

    This is the string which I have tested :
    10197016915918185882701231384169178913312058269-10750535699546572956586080750006397
    The key is: 13775729

    I tested both with string and binary data (there are several integer values).

    So if I encrypt this string, and then decrypt it, sometimes original string is equal with decrypted string, sometimes differ.



  • You'll have to provide a small testprogram that shows the problem, otherwise I can not help you debug the issue.



  • A small test is something like :

    @
    QString cryptSerialNumber;

    void testCrypt()
    {
    SimpleCrypt processSimpleCrypt(13775729);
    QString uniqueString("10197016915918185882701231384169178913312058269-10750535699546572956586080750006397");
    cryptSerialNumber = processSimpleCrypt.encryptToString(uniqueString);
    }

    void testDecrypt()
    {
    SimpleCrypt processSimpleCrypt(13775729);
    QString uniqueString = processSimpleCrypt.decryptToString(cryptSerialNumber);
    }
    @

    Sometimes decrypted "uniqueString" is the same as the original, but sometimes is :
    1019701691591818588270123138416917891691033658269-10750535699546572956586080750006397, almost the same with original, but not the same :-)



  • Strange. Very, very strange. In such cases, are the cryptSerialNumber the same, or do they differ as well?



  • After encrypt step, I write "cryptSerialNumber" into file.
    In decrypt step, I read it from file.

    I assume it is the same, the file remain unchanged. I'll do more debug to tell you if "cryptSerialNumber" is the same ...



  • Yes, the “cryptSerialNumber” is the same:
    AwNgsVZWVlYFfdbw6is6+srGtTZtFxBm1rc5z8/z1lQNfU74jOk+0bsNs2vMFNlbB5RqAZI/dgJEH79ElSotizgvmf0/xg==

    Yes, is very strange ...



  • Well, at least, that narrows down the issue to the decrypting routine... Issue is: there is nothing in there that I can think of might be influenced by something else than the input string itself. I will have to investigate, but I can not do that right now. I'll need a few days before I get around to doing that. Sorry. I would like to encourage you to try to debug it on your own as well. At the very least, insert some debug statements at strategic places in the code to see what goes on.

    Hmmmm... now that I think about it: it is actually very strange that your encrypted string stays the same. It should be different each time you do the encryption, even on the same input string. That is because a random byte is inserted at the front of the byte array to encrypt (line 115 and 116 from simplecrypt.cpp).



  • [quote author="Andre" date="1315913144"]Hmmmm... now that I think about it: it is actually very strange that your encrypted string stays the same. It should be different each time you do the encryption, even on the same input string.[/quote]

    You are right. But I do the encryption only once. This encryption string I'll write into file only once.
    Then I try to decrypt it several times. And ... sometimes decrypt string = original string, sometimes is very little different.

    [quote author="Andre" date="1315913144"]I will have to investigate, but I can not do that right now. I'll need a few days before I get around to doing that. Sorry.[/quote]
    Thanks for your time, it is not rush. Now I'm very busy with another project, but if I have more time, I'll debug longer ...



  • Hi

    I have tried to reproduce the problem using this code:
    @

    #include <QtCore/QCoreApplication>
    #include "simplecrypt.h"
    #include <QtDebug>

    bool testDecrypt()
    {
    const QString cryptString("AwNgsVZWVlYFfdbw6is6+srGtTZtFxBm1rc5z8/z1lQNfU74jOk+0bsNs2vMFNlbB5RqAZI/dgJEH79ElSotizgvmf0/xg==");
    const QString expectedResult("10197016915918185882701231384169178913312058269-10750535699546572956586080750006397");

    SimpleCrypt crypt(13775729);
    QString result = crypt.decryptToString(cryptString);
    if (result == expectedResult)
        return true;
    
    qDebug() << "Fail: " << result;
    return false;
    

    }

    int main(int argc, char *argv[])
    {
    QCoreApplication a(argc, argv);

    int pass(0), fail(0);
    for (int i(0); i<1000000; ++i) {
        if (testDecrypt()) {
            ++pass;
        } else {
            ++fail;
        }
    }
    qDebug() << "Decryption passed" << pass << "times and failed" << fail << "times.";
    
    return 0;
    //return a.exec&#40;&#41;;
    

    }
    @

    My output was:
    @
    Decryption passed 1000000 times and failed 0 times.
    @

    That is: I am not able to see any instability in the algorithm, at least not via this test. That makes it hard for me to figure out why you might be seeing a problem.



  • Hi,

    I read your article and it is very interesting !

    I am the developer of QxOrm library (Object Relational Mapping for C++/Qt) and I would like to use your class to encrypt/decrypt some datas. Indeed, QxOrm library provides QxService module to create C++/Qt application server. Here is a tutorial if you want to see QxService module : http://www.qxorm.com/qxorm_en/tutorial_2.html

    So it would be great with an option to encrypt data before transfering it over network.

    Can I use your class in QxOrm library ?
    Can I add namespace for your class ?
    Can I rename your class to add Qx prefix ?
    I will not change anything else.

    Thanks !

    PS: I´m french so sorry if my english is not perfect.



  • @Andre ... many, many apologies.
    Indeed your algorithm works well, what induced me in error was CPUID opcode, which I compared with decrypted string. I was convinced that CPUID opcode with all features was always the same. But sometimes some bits are different (maybe cache information, I'll study in a few days)
    Thanks anyway.



  • [quote author="cincirin" date="1316417041"]@Andre ... many, many apologies.
    Indeed your algorithm works well, what induced me in error was CPUID opcode, which I compared with decrypted string. I was convinced that CPUID opcode with all features was always the same. But sometimes some bits are different (maybe cache information, I'll study in a few days)
    Thanks anyway.[/quote]

    OK, glad to know that the issue is not in my code :-) Lots of luck in figuring out what is going wrong then!
    One more note: you might want to think about getting a better key. 1316417041 is only a 32 bits number (0x4E76EE11). You might want to considder generating a real 64 bit key instead.



  • [quote author="qxorm" date="1316359090"]Hi,

    I read your article and it is very interesting !
    [/quote]
    Thanks for the compliment :-)

    [quote]
    I am the developer of QxOrm library (Object Relational Mapping for C++/Qt) and I would like to use your class to encrypt/decrypt some datas. Indeed, QxOrm library provides QxService module to create C++/Qt application server. Here is a tutorial if you want to see QxService module : http://www.qxorm.com/qxorm_en/tutorial_2.html
    [/quote]
    I am very interested in ORM myself (and database drivers and the likes), and I have looked at QxORM before. Very nice effort!
    [quote]
    So it would be great with an option to encrypt data before transfering it over network.

    Can I use your class in QxOrm library ?
    Can I add namespace for your class ?
    Can I rename your class to add Qx prefix ?
    I will not change anything else.
    [/quote]
    Would the above be doable based on the current licence of the code, or would you need the code under a different licence? I do not have objections to you including this code in QxOrm in principle, so I guess we can figure something out.



  • I think it's ok for the licence : QxOrm library is under LGPL licence, so it seems compatible.

    I just want (if possible) include your class into the namespace qx and rename it from SimpleCrypt to QxSimpleCrypt (like other classes into QxOrm library).

    If I include your class into QxOrm library, I would like to set your name into the changes.txt file for the next version. Is it ok for you ?
    Something like this :
    New class qx::QxSimpleCrypt to provide encryption/decryption (thanks very much to Andre Somers) with QxService module : encrypt data before transfering it over network.



  • Seems fine to me, as long as the copyright notice & licence in the source files remains in tact (and is observed), I have no objections to your modifications. The licence explicitly allows you to modify the code for your own use, after all.

    Basically: I am fine with anybody using this code for any purpose, as long as:

    • You don't pretend you wrote it yourself, and
    • You don't make me responsible for your use of it or claim that I endorse it in some way.

    Other than that: I hope you find it useful, and have lots of success with any application you use it in :-)



  • Ok thanks, your SimpleCrypt class will be in the next version of QxOrm library ;-)



  • Nice to know it is getting some use :-)



  • QxOrm 1.1.9 just released with your SimpleCrypt class (renamed to qx::QxSimpleCrypt).
    For more details : http://www.qxorm.com/qxorm_en/download.html
    Thanks again ;o)



  • Hi Andre ,

    a very nice work ,thanks



  • Hi, Andre!

    Thanks a lot for the article! I'd be glad to use this code in my project!

    My question is also related to license. The project I'm working on is not an open-source. Is it ok if I copy/paste your code into my project (keeping copyright notice in source/header files)? Also my application doesn't have any 'About' page - is it OK that I'll not show to the end user your copyright notice (that you're the actual author of encryption)?

    I have read your message above, my question is just for confirmation for my project

    Thanks a lot in advance,
    Michael



  • Your application is bound to have some documentation or help system, right? I'd think there is enough opportunity to fullfil the licence terms that way. Licences do not get much more liberal than the one I have used...



  • [quote author="Andre" date="1317372274"]Your application is bound to have some documentation or help system, right? I'd think there is enough opportunity to fullfil the licence terms that way. Licences do not get much more liberal than the one I have used...[/quote]
    Ok, thanks, i'll add this notice to the global "copyright" file in the sources. I just needed confirmation that it is ok that this notice will not appear anywhere on the application's UI



  • The relevant part of the licence states:
    [quote]Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.[/quote]

    So, if you are providing other materials/documentation with the binairy application, then you must basically repeat the licence block in that documentation or additional materials. That can also occur in in-application help or something like that. If you distribute your application as source, then you can place it there (basically: just keep the source file as-is - at least in terms of the licence header - and you are ok.)



  • Hi,

    First, Thanks for your work.
    I'd like to use your class but i need some more help.
    The constructor of SimpleCrypt only accept a quint64 as key.
    But in my project, i have to convert a given passphrase (like "password") to this quint64 and cannot manage to do this.
    You said in your topic "you can also use other means to get to a quint64 key, such as using some hash of a password and reducing that to 64 bits."
    But i don't know how to do it.

    Is there some easy way to do this?
    Is there some existing class or wathever that do it?

    regards.



  • welcome to devnet

    Did you see already "qHash":http://developer.qt.nokia.com/doc/qt-4.8/qhash.html#qHash-22 ?



  • Well, the qHash function comes to mind, or perhaps you could use [[doc:QCryptographicHash]]. You add a bit a salt to your pass string, generate a hash, and combine the bits in the resulting hash to create a 64 bit value. If you use MD5, you get a 128bits hash. You could do something like this:

    @
    quint64 passToKey(const QString& password) {
    QByteArray hash;
    QCryptographicHash hasher(Md5);
    hasher.addData(salt); //salt is a QByteArray with some random data
    hasher.addData(password.toUtf8());
    hash = hasher.result();

    //we now have a QByteArray that is too long with a hash of the password.

    //get the contents of the byte array into two quint64's. There are other ways...
    quint64 part1, part2;
    QBuffer buffer(hash);
    QDataStream stream(&buffer);
    stream >> part1 >> part2;
    key = part1 ^ part2; //combine the two parts

    return key;
    }
    @

    Note: brain to editor, not tested.

    Edit:
    Note that qHash returns a 32 bits result, so you will have to combine two of these to get a 64 bits version. Perhaps using part of the password for hash1, and the other part for hash2, and then combining the result to get a 64 bits key.



  • Thanks for your help.
    I'm not at ease with with hashing and combining stuff :/
    How can you do that?
    How do you combine 2 unsigned int?



  • In the same way I do in the snippet I posted, for instance. I use bitshifting, but that is the same as multiplication by 2-to-the-power-of-n. Basically, what you do is:

    put the values of your ints in 64 bits variables

    shift one of the values 32 bits by either:

    multiplying by 0xFFFFFFFF, or

    bitshifting

    add the two numbers by either:

    simply adding the numbers, or

    using a binary OR operation like I did in my sample.



  • Just a note that this appears to be a Vigenere cipher scheme (see http://en.wikipedia.org/wiki/Vigenère_cipher for details) if you simply want basic scrambling of data to prevent trivial access to the plain text then this could well be sufficient, but it's not very strong. Particularly be careful of using this for long texts.



  • Thanks for the note. If I understand the page you link, I'm not sure that the class implements what qualifies as a Vigenere cipher, but I will agree that it does not provide strong cryptography.

    The small additional trick is that the code uses the value of the previous code block as part of the key for the next block. That will hinder the kinds of analysis described in the article, if I understand it correctly. The key length is known in this case: 8 bytes, but because the key is mixed with the previously generated cypher text, it does not work to just decrypt the text as eight different cesar cyphers.



  • Yes, this is the auto-key variant of vigenere cipher, and is a lot stronger than the basic one.



  • Interesting stuff. Perhaps I should try to make a new version (still: keeping it simple!) that is a bit stronger.



  • If you do, I'd be tempted to use something like RC4 which while not perfect, is very simple to implement.



  • Andre I think you did a great job, at documenting not only usage but also the algorithm. I wish all of Qt's examples were so well thought out ;)



  • Great job, easy to use. One question, I tested my app on Debian and Mint and no problem, but on Fedora 17 and Arch
    I get "Invalid version or not a cyphertext."

    @ QByteArray ba = cypher;

    char version = ba.at(0);
    if (version !=3) {  //we only work with version 3
        m_lastError = ErrorUnknownVersion;
        qWarning() << "Invalid version or not a cyphertext.";
        return QByteArray();
    }@


  • Sorry, no idea. I did not test on these sytems, but I have no clue why it would go wrong on a different linux system. That seems unlikely somehow. Perhaps the data you feed into SimpleCrypt is corrupted somehow?



  • Yes, sorry something else went wrong on those systems and indeed corrupted the settings string.
    My Bad.

    SimpleCrypt works perfectly.



  • Hi,

    [quote author="Andre" date="1300457411"]I have just added a "page":http://developer.qt.nokia.com/wiki/Simple_encryption in the Snippets category [/quote]

    Thanks for this class. I am invoking it's constructor with my predefined key (my secret) and I am wondering why qsrand() is initialized with currentTimeMillis or similar (in the constructor code)? I don't get the same encryption results on multiple invocations so I used my quint64 key to initialize qsrand (in the constructor), then it works..

    @
    SimpleCrypt c1(Q_UINT64_C(0x0c2ad4a4acb9f023)); //some random number
    SimpleCrypt c2(Q_UINT64_C(0x0c2ad4a4acb9f023)); //some random number

    qDebug() << "Crypt1 " << c1.encryptToString(QString("justatest"));
    qDebug() << "Crypt2 " << c2.encryptToString(QString("justatest"));
    @

    Output
    @
    Crypt1 "AwLLXV+ZSO+x3Ise1Aw="
    Crypt2 "AwIUgoBGlzBuA1TBC9M="
    @

    Just wondering :)



  • Why would you want to have the same cypher text when using the same clear text and key? As long as the decrypted plain text from these cypher texts is the same, what is the problem with having different cypher texts? The algorithm uses a randomization of the string on purpose. It makes it much harder to leak part of the key because analysis is much harder this way.

    An explanation is in the "details page":/wiki/SimpleCrypt_algorithm_details#2d478ba9ee3cf03e338b506b1a0292dc that has more on the idea of using a random number as a leading byte.

    You replacing that they way you did partly negates this, and thus makes the cypher weaker by a couple of bits. Note that even with your change, encrypting the same plain text using the same SimpleCrypt instance twice will result in different cypher texts.


Log in to reply