Posted by Christophe Chisogne on 01/13/05 17:50

Greg Donald a écrit :
> function encrypt( $string )
> {
> $key = '&g1@8477Fg9*';
> $result = '';
> for( $i = 1; $i <= strlen( $string ); $i++ )
> {
> $char = substr( $string, $i - 1, 1 );
> $keychar = substr( $key, ( $i % strlen( $key ) ) - 1, 1 );
> $char = chr( ord( $char ) + ord( $keychar ) );
> $result .= $char;
> }
> return $result;
> }

This is roughly equivalent to an 'xor' 'encryption', trivial to break.
Ex Read first few pages of 'Applied cryptography' of Bruce Schneier.

Imagine someone feeding 'AAAAAAAAAAAAAAAAAAAAAAAAAA' to the encoder.
By simply diffing hex codes with 'encoded' string, the key is
recovered. By encoding a string made of char(0), the 'encoded'
result is even... The key (ok, perhaps repeated a few times).

As perhaps it's not obvious for beginners, note that it can only work
with 7bits datas like ascii, not 8bits datas (latin1, ex french
accentuated chars, etc). So you cant 'encode' binary datas with it.
-- ord() + ord() is in [0-255] + [0-255], ie in [0-510], above 255.

PS I found code shorter, easier to read and maintain by using
a simple 0-based index, and by avoiding hard-coded values
-- especially passwords, keys, etc ;-)
Example of what I mean:

function encrypt($str, $key)
{
$result = '';
for ($i = 0; $i < strlen($str); $i++) {
$char = $str{$i};
$keychar = $key{$i % strlen($key)};
$result .= chr(ord($char) + ord($keychar));
}
return $result;
}

[Back to original message]