From: Stefan Weiss on 12 Jul 2010 22:59

On 12/07/10 21:11, Dr J R Stockton wrote:
> Non-professionals, however, may or may not have access to code server-
> side; for those who need to do it, and cannot do it server-side, there
> is distinct advantage to doing it client-side.
....
> Has anyone yet managed to read, client-side, the message in page
> <URL:http://www.merlyn.demon.co.uk/$pw.htm> without knowing the
> password?

That's a very poor algorithm, even for non-professional use. XOR-based encryption schemes can be easily broken if the ciphertext is long enough. In your example, you're even giving an attacker additional information, because

1) "y" and "z" are never encrypted
2) capitalisation remains intact
3) text formatting and punctuation remain intact

Using this information alone, an attacker could assume that

Xcarc ufu e ykvag hjp adjia Zgvrfbgogo tdl dbo d pthnq nln kjgma-wwepbv bekg; qog uxenhs deop htqw, Zbrqamacpc brrxia, cjg hov ooicracf wdr sxfqb lgcgwhvuhocefb.

is probably a limerick starting with

There was a young man named Z......... who ...

which gives us some known plain text to work with. A sufficiently motivated attacker (which I am not) could probably decipher this in a very short time.

That's assuming that your password is not completely random and shorter than the ciphertext... otherwise, the only attack vector I can think of is this: http://www.xkcd.org/538/

-- 
stefan
From: Stefan Weiss on 13 Jul 2010 23:07

On 13/07/10 16:57, Evertjan. wrote:
> Dr J R Stockton wrote on 12 jul 2010 in comp.lang.javascript:
>
>> Has anyone yet managed to read, client-side, the message in page
>> <URL:http://www.merlyn.demon.co.uk/$pw.htm> without knowing the
>> password?
>
> dedhfabefadaadampakibamcelc

That looks very similar to one of my earlier attempts. It's a step in the right direction, almost enough to get all the way to Copenhagen.

> will decode the first few words, the 'a's are not yet decided, as spaces
> and y and z will produce these, methinks.
> What male name has ten letters and starts with a Z?

A friend and I eventually figured it out. I have to admit, neither of us had heard the name before, but Z's been around for a while, and he's even got a good-sized article on Wikipedia. I'm not going to spoil the fun by posting the password. I'll only confirm that yes, the text can be decrypted, and there are enough hints on Dr Stockton's site to do so.

In retrospect, I think it's more likely that the doctor created this page as an entertaining riddle rather than a demonstration of a safe encryption algorithm. Seen in that light, I missed the point by criticizing it in my previous reply.

-- 
stefan
From: Stefan Weiss on 14 Jul 2010 20:40
On 14/07/10 20:46, Dr J R Stockton wrote:
>> On 12/07/10 21:11, Dr J R Stockton wrote:
>>> Non-professionals, however, may or may not have access to code server-
>>> side; for those who need to do it, and cannot do it server-side, there
>>> is distinct advantage to doing it client-side.
>> ...
>>> Has anyone yet managed to read, client-side, the message in page
>>> <URL:http://www.merlyn.demon.co.uk/$pw.htm> without knowing the
>>> password?
....
> There is a greater problem with the encoding; it is browser-dependent,
> as I have just found. I used Firefox 3.0.19; it differs in Opera 10.10.

I think that's because Opera sees all line endings in the textarea as CRLF sequences, while Firefox sees only one LF. Inserting characters (even whitespace) into the encrypted text will interfere with the decoding. It shouldn't be a big problem, however, because you can just normalize the line breaks at the start of the DECODE() function.

> I did think of using Donaudampfschiffahrtsgesellschaft as the password,
> but could not remember it adequately. The actual password is a bit
> shorter, but bears little resemblance to Evertjans' suggestion.

For quite a while I thought that my decryption method must be flawed, because I didn't believe you'd actually use such a long password :-)

To be fair, Evertjan's string of key characters might not look like the password you were using to encrypt the text, on the surface, but since you're using the character values of the key %16 and %8, there's more than one correct password. For example, the first part could just as well be:

dedpfobened

Evertjan had:

dedhfabefad

This gives him over 60% of correct characters, and he also knows that the "a"s are just placeholders. That's enough to figure out the rest. If you hadn't been helpful enough to include the original password in the ciphertext, I probably wouldn't have guessed it, either.

-- 
stefan
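The two weaknesses discussed in this thread, the known-plaintext attack from Stefan's first reply and the "more than one correct password" observation from his last, as an added worked example that is not part of the original posts. The cipher below is a constructed stand-in with the properties Stefan lists (only letters change, case is preserved, y/z and punctuation pass through, only the key character's value mod 16 matters); it is not the code from Dr Stockton's $pw.htm page, whose exact rules are not reproduced here. The plaintext, the password "pfennig" and the guessed limerick opening are all constructed for the demo, and a repeating key is assumed so that a short known prefix determines the whole key.

```javascript
'use strict';
// Toy "letter XOR" cipher with the weaknesses Stefan lists: only the letters
// a..x change, case is preserved, and y, z, spaces, digits and punctuation
// pass straight through. CONSTRUCTED stand-in for this thread; it is not the
// code from Dr Stockton's $pw.htm page, whose exact rules are not shown here.
const A_CODE = 'a'.charCodeAt(0);
const isLetter = (ch) => /^[a-x]$/i.test(ch);   // y and z count as "never encrypted"

// Only the low four bits of a key character take part in the XOR, so any two
// key characters that agree mod 16 produce the same ciphertext.
const keyNibble = (ch) => ch.charCodeAt(0) % 16;

// XOR a letter index (0..23) with a nibble. If the result would leave a..x the
// letter is left alone, which keeps the map a bijection and its own inverse.
function xorIndex(idx, nibble) {
  const v = idx ^ nibble;
  return v <= 23 ? v : idx;
}

// Encryption and decryption are the same call. The key repeats over every
// character position, including the ones that pass through unchanged.
function toyXor(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (!isLetter(ch)) { out += ch; continue; }
    const lower = ch.toLowerCase();
    const v = xorIndex(lower.charCodeAt(0) - A_CODE, keyNibble(key[i % key.length]));
    const enc = String.fromCharCode(A_CODE + v);
    out += ch === lower ? enc : enc.toUpperCase();
  }
  return out;
}

// --- known-plaintext attack --------------------------------------------

// Which nibbles could turn plaintext letter p into ciphertext letter c?
// A changed letter pins the nibble to p ^ c; an unchanged letter still says
// something (nibble 0, or one that XOR would push out of a..x).
function nibbleCandidates(p, c) {
  const pi = p.toLowerCase().charCodeAt(0) - A_CODE;
  const ci = c.toLowerCase().charCodeAt(0) - A_CODE;
  const cands = [];
  for (let n = 0; n < 16; n++) if (xorIndex(pi, n) === ci) cands.push(n);
  return cands;
}

// Intersect the candidate sets for a guessed key length; null means the
// guess (plaintext or key length) cannot be right.
function recoverKeyNibbles(cipher, knownPlain, keyLen) {
  const slots = Array.from({ length: keyLen },
    () => new Set(Array.from({ length: 16 }, (_, n) => n)));
  for (let i = 0; i < knownPlain.length && i < cipher.length; i++) {
    const p = knownPlain[i], c = cipher[i];
    if (isLetter(p) !== isLetter(c)) return null;   // pass-through positions must line up
    if (!isLetter(p)) continue;                     // and say nothing about the key
    if ((p === p.toUpperCase()) !== (c === c.toUpperCase())) return null; // case is preserved
    const allowed = new Set(nibbleCandidates(p, c));
    const slot = slots[i % keyLen];
    for (const n of [...slot]) if (!allowed.has(n)) slot.delete(n);
    if (slot.size === 0) return null;
  }
  return slots.map((s) => [...s].sort((a, b) => a - b));
}

// Try key lengths in increasing order; keep the first one the known
// plaintext does not rule out.
function guessKey(cipher, knownPlain, maxLen) {
  for (let len = 1; len <= maxLen; len++) {
    const nibbles = recoverKeyNibbles(cipher, knownPlain, len);
    if (nibbles) return { len, nibbles };
  }
  return null;
}

// Turn recovered nibbles into one of the many equivalent passwords:
// base 64 gives '@','A'..'O', base 96 gives '`','a'..'o', and so on.
function nibblesToKey(nibbles, base) {
  return nibbles.map((cands) => String.fromCharCode(base + cands[0])).join('');
}

// Constructed demo data: the attacker sees only CIPHER and guesses GUESS.
const PLAIN = 'There was a young man named Zeke, who swore by his XOR and his key.';
const KEY = 'pfennig';                    // constructed password; nibbles 0,6,5,14,14,9,7
const CIPHER = toyXor(PLAIN, KEY);
const GUESS = 'There was a young man named';

function demo() {
  const found = guessKey(CIPHER, GUESS, 12);
  const keyA = nibblesToKey(found.nibbles, 96);   // '`fennig'
  const keyB = nibblesToKey(found.nibbles, 64);   // '@FENNIG' decrypts just as well
  return { len: found.len, keyA, keyB,
           plainA: toyXor(CIPHER, keyA), plainB: toyXor(CIPHER, keyB) };
}

console.log(CIPHER);
console.log(demo());
```

Twenty-one letter positions of guessed plaintext are enough to reject every key length below seven and to pin each of the seven key nibbles to a single value; both "`fennig" and "@FENNIG" then decrypt the whole message, which is exactly why Evertjan's string could look nothing like the real password and still be "correct". The unchanged letters (a nibble of 0, or an XOR that would leave a..x) are not noise either: they shrink the candidate set too, just less sharply.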