This is not a
hash function.
Is it just me or is GS3 an incredibly noisy language? Here's a cleaned-up version in GS2 with a few comments added:
PHP Code:
function onCreated() {
temp.str = "abcdefghijklmnopqrstuvwxyz";
temp.cat = this.Enc(str, "!:#$%^&*()");
echo("Encrypted: " @ cat);
temp.dog = this.Dec(cat, "!:#$%^&*()");
echo("Decrypted: " @ dog);
}
function Enc(txt, key) {
temp.str = ""; // encrypted text
// for each character in the plaintext
for (temp.i = 0; i < txt.length(); i ++) {
temp.char = getascii(txt.charat(i));
// make sure char is three characters long
// (fails on low ASCII-value characters)
if (char <= 99) char = "0" @ char;
// for each character in the ASCII value
for (temp.j = 0; j < 3; j ++) {
temp.l = char.charat(j); // number 0-9
temp.e = key.charat(l); // character at that position in the key
str @= e;
}
}
return str;
}
function Dec(txt, key) {
temp.str = "";
for (temp.i = 0; i < txt.length(); i += 3) {
temp.group = txt.substring(i, 3);
temp.dec = "";
for (temp.j = 0; j < 3; j ++) {
temp.letter = group.charat(j);
temp.num = key.pos(letter);
dec @= num;
}
str @= char(dec);
}
return str;
}
You've basically written a function which takes an array of single-digit numbers (the plaintext) and outputs a string containing the characters at each of those number positions from the key.
So, it's pretty obvious that your function is extremely vulnerable to a chosen plaintext attack which would allow me to steal your key. For example, if I feed you the ASCII character with decimal value 012 and you encrypt it, I will get back the first three characters of the key:
PHP Code:
echo(this.Enc(char(12), "!:#$%^&*()"));
Quote:
Originally Posted by RC
!:#
|
To get the next characters (indexes 3 and above), we could use the character with the decimal value 345, but none exists in the ASCII character set, so we'll use 034 instead, which is a quotation mark.
PHP Code:
echo(this.Enc(char(12) @ "\"", "!:#$%^&*()"));
Quote:
Originally Posted by RC
!:#!$%
|
The numbers we have fed your function are now 012034, so we can map those to the above output to see that the first characters are !:#$%, which indeed they are. We can continue with more characters until we have the full key (which must be exactly 10 characters long).
Additionally to limiting the key size to exactly 10 characters, all 10 characters must be unique (or lossless decryption will not be possible), which further reduces the potential key space. It would be a fairly simple matter to try every possible key given enough encrypted text and run frequency analysis on the results to narrow it down to a handful of possible results, telling you both the key and the decrypted text.
Since each character is always represented exactly the same way when encrypted, we can also do simple frequency analysis on a bunch of encrypted text to determine which three characters in the encrypted text represent which ASCII character in the plaintext. Let's say you are using this to encrypt some kind of in-game communication and I am able to capture a few days of encrypted text. I can then count how many times each pattern of three characters appear and compare the frequency of each pattern to
the known relative frequencies at which letters are used in English. The more data I have the easier it gets, but with a little guess-and-check it wouldn't take much data at all.
There are also undoubtedly even simpler attacks than the ones I mentioned. It's certainly better than your last attempt, but still in no way even remotely secure.