[Typo3-dev] OT: Encryption

Kasper Skårhøj kasper at typo3.com
Mon Apr 5 15:09:37 CEST 2004


Hi Folks.

Here is a challenge to you:

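	// XORs each byte of $string with the key byte at the same position (the key
	// repeats when it is shorter than the string). Running the output through
	// the function again restores the input.
	function roundTripCryptString($string)	{
		$out = '';
		$strLen = strlen($string);
		$cryptLen = strlen($this->TYPO3_CONF_VARS['SYS']['encryptionKey']);

		for ($a=0; $a < $strLen; $a++)	{
				// Key byte for this position, wrapping around the key; 255 if the key is empty
			$xorVal = $cryptLen>0 ? ord($this->TYPO3_CONF_VARS['SYS']['encryptionKey'][$a%$cryptLen]) : 255;
			$out.= chr(ord($string[$a]) ^ $xorVal);
		}

		return $out;
	}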

This function "encrypts" the input string by traversing it character by
character, XORing each character's byte value with a byte value from the
corresponding position in $this->TYPO3_CONF_VARS['SYS']['encryptionKey'].

If you feed the function with the output string again the same process
runs and the string is decoded again.




Question: If you do NOT know the value of
$this->TYPO3_CONF_VARS['SYS']['encryptionKey'], how can you decrypt the
scrambled output? Of course, if
$this->TYPO3_CONF_VARS['SYS']['encryptionKey'] is short enough it could
be guessed, but imagine you take the Bible as the encryption key string;
then you would have to use the exact character sequence of the whole
Bible to decode the string again.



I basically know nothing about encryption (which is why I humbly ask the
list to educate me) but this method seems to be quite powerful to me; as
long as the sender and receiver use the same character sequence to
encode/decode the string and that sequence is long enough, it must be
next to impossible to decode the string, or...?


(The function roundTripCryptString() is new in the TYPO3 tslib_fe class and
is used to encrypt the email address in mail forms so spammers do not
get hold of it.)

-- 
Best regards

- kasper

--------------------
It's not a bug, it's a missing feature.
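
The question in the post comes down to three properties of XOR with a reused key. They are shown here in an added example (not part of the original post or of TYPO3), beside an authenticated-encryption alternative. `xorRoundTrip()`, `check()`, the key and the addresses are constructed for illustration, and the last part assumes PHP's sodium extension is available.

```php
<?php
// Stand-alone copy of the post's XOR round trip; $key stands in for
// $this->TYPO3_CONF_VARS['SYS']['encryptionKey'].
function xorRoundTrip(string $string, string $key): string {
    $out = '';
    $keyLen = strlen($key);
    for ($a = 0, $n = strlen($string); $a < $n; $a++) {
        $xorVal = $keyLen > 0 ? ord($key[$a % $keyLen]) : 255;
        $out .= chr(ord($string[$a]) ^ $xorVal);
    }
    return $out;
}

function check(string $label, bool $ok): void {
    echo ($ok ? 'holds: ' : 'FAILS: ') . $label . PHP_EOL;
}

// Constructed sample values, not taken from any real installation.
// The key is longer than both messages, as in the post's "long key" case.
$key = 'constructed-sample-key';
$p1 = 'alice@example.org';
$p2 = 'bob@example.net';
$c1 = xorRoundTrip($p1, $key);
$c2 = xorRoundTrip($p2, $key);

// 1. Ciphertext XOR known plaintext equals the key bytes at those positions
//    (PHP's ^ on two strings XORs bytewise, truncating to the shorter one).
check('known plaintext exposes key bytes',
    ($c1 ^ $p1) === substr($key, 0, strlen($p1)));

// 2. XOR of two ciphertexts under one key equals XOR of the two plaintexts:
//    the key cancels out, however long or unpredictable it is.
check('key cancels between two messages', ($c1 ^ $c2) === ($p1 ^ $p2));

// 3. No integrity: flipping ciphertext bits flips the same plaintext bits.
$tampered = $c1;
$tampered[0] = chr(ord($c1[0]) ^ ord('a') ^ ord('m'));
check('tampering goes undetected',
    xorRoundTrip($tampered, $key) === 'mlice@example.org');

// Hardened alternative (assumption: ext-sodium, bundled since PHP 7.2):
// authenticated encryption with a fresh random nonce per message.
$sKey = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$box = sodium_crypto_secretbox($p1, $nonce, $sKey);
$box[0] = chr(ord($box[0]) ^ 1);
check('secretbox rejects modified ciphertext',
    sodium_crypto_secretbox_open($box, $nonce, $sKey) === false);
```

The first two checks are why key length alone does not protect this scheme: the same key is applied to every message, and mail form values such as email addresses have a largely predictable structure.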





