A Follow-up to Encryption with ASP

Note that using a one time pad for a string, it is secure for only one use. If you were to reuse the one-time pad for multiple strings, the one-time pad could be comprimised by running the following algorithm:

CypherText1 = ClearText1 XOR Key ClearText1 = CypherText1 XOR Key

If the key is reused, we can take CypherText1 (which is really ClearText1 XOR key) and XOR it to the original known text and get the Key:

Key = (ClearText1 XOR key) XOR ClearText1 ^^^^^^^^^^^^^^^^^^ this is CypherText1 *

* algorithm provided by David Mann

Therefore, I have included some new code to create a new key everytime the code is executed. It basically writes a new key file out every time the page runs. The 'key file' consists of a randomly generated filename, and the key data is stored inside of it. The newly created key is used to encrypt/decrypt the string data on the fly. If you were not encrypting/decrypting on the fly, you would want to store the encrypted data and location of the key file that encrypted that data. Optionally, as Derrick suggests in his article, you could store all of this data in a secure database, instead of writing out text files. In seems however, you might not want key information and encrypted data stored in the same location for security purposes. That's up to you.

The code to use on the fly padding is shown below:

<% Dim g_KeyLocation, g_Key g_KeyLocation = "C:\crypt\" & BuildFileName() & ".txt" Const g_CryptThis = "4GuysFromRolla.com Rocks" Const g_KeyLen = 512 On Error Resume Next strFullKey = KeyGeN(g_KeyLen) Call WriteKeyToFile(strFullKey) if Err <> 0 Then Response.Write "ERROR GENERATING KEY" & "<P>" Response.Write Err.Number & "<BR>" Response.Write Err.Description & "<BR>" Else Response.Write "KEY SUCCESSFULLY GENERATED" End If Sub WriteKeyToFile(MyKeyString) Dim keyFile, fso, strFileName strFileName = g_KeyLocation set fso = Server.CreateObject("scripting.FileSystemObject") set keyFile = fso.CreateTextFile(strFileName, true) keyFile.WriteLine(MyKeyString) keyFile.Close End Sub Function KeyGeN(iKeyLength) Dim k, iCount, strMyKey, lowerbound, upperbound lowerbound = 35 ' 35 upperbound = 96 ' 96 Randomize ' Initialize random-number generator. for i = 1 to iKeyLength s = 255 k = Int(((upperbound - lowerbound) + 1) * Rnd + lowerbound) strMyKey = strMyKey & Chr(k) & "" next KeyGeN = strMyKey End Function Function BuildFileName() Dim k, i, strFileName, lowerbound, upperbound lowerbound = 97 upperbound = 122 Randomize for i = 1 to 24 k = Int(((upperbound - lowerbound) + 1) * Rnd + lowerbound) strFileName = strFileName & Chr(k) & "" next BuildFileName = strFileName End Function g_Key = mid(ReadKeyFromFile(g_KeyLocation),1,Len(g_CryptThis)) Response.Write "<p>ORIGINAL STRING: " & g_CryptThis & _ "<p>" Response.Write "<p>KEY VALUE: " & g_Key & "<p>" Response.Write "<p>ENCRYPTED CYPHERTEXT: " & _ EnCrypt(g_CryptThis) & "<p>" Response.Write "<p>DECRYPTED CYPHERTEXT: " & _ DeCrypt(EnCrypt(g_CryptThis)) & "<p>" Function EnCrypt(strCryptThis) Dim strChar, iKeyChar, iStringChar, i for i = 1 to Len(strCryptThis) iKeyChar = Asc(mid(g_Key,i,1)) iStringChar = Asc(mid(strCryptThis,i,1)) iCryptChar = iKeyChar Xor iStringChar strEncrypted = strEncrypted & Chr(iCryptChar) next EnCrypt = strEncrypted End Function Function DeCrypt(strEncrypted) Dim strChar, iKeyChar, iStringChar, i for i = 1 to Len(strEncrypted) iKeyChar = (Asc(mid(g_Key,i,1))) iStringChar = Asc(mid(strEncrypted,i,1)) iDeCryptChar = iKeyChar Xor iStringChar strDecrypted = strDecrypted & Chr(iDeCryptChar) next DeCrypt = strDecrypted End Function Function ReadKeyFromFile(strFileName) Dim keyFile, fso, f set fso = Server.CreateObject("Scripting.FileSystemObject") set f = fso.GetFile(strFileName) set ts = f.OpenAsTextStream(1, -2) Do While not ts.AtEndOfStream keyFile = keyFile & ts.ReadLine Loop ReadKeyFromFile = keyFile End Function %> </BODY></HTML>

Attachments: