Comment On Functional Encryption

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

I got nothing...but I am number 2!

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

Guess he didn't understand that C is not an interpreted language.

I always code in Latin....cause seriously, who still knows Latin?

The real WTF here is that they guy didn't create a wrapper function around 'fopen', 'fread', etc:

function S232523343($F923232){
   return fopen($F923232);
}

Is this Perl? Like Perl needs any more obfuscation...

It's PHP.

One of these days, writing secure code will be part of standard training/curiculumn for programmers.  Until then, we'll keep seeing idiotic "security" precautions like this.

You don't obfuscate the encryption algorithm.  Ever.

http://www.schneier.com/crypto-gram-0205.html#1

PHP actually.

just write it in Perl for that matter...

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

Good encryption relies on the secrecy of the keys used, not the secrecy of the algorythm - case in point, just about every encryption algo/lib in use is open source -- especially the one used here: mcrypt.

The best part is this function really isn't doing anything interesting at all.  It reads a key from a file, and runs the handful of functions you have to run to get mcrypt to do its thing.  Every app that uses mcrypt has a function just like this.

This is PHP, btw.

Anonymous:

One of these days, writing secure code will be part of standard training/curiculumn for programmers.  Until then, we'll keep seeing idiotic "security" precautions like this.

Isn't that attidue just security by obscurity?  And as pointed out above (and by the minimal effort needed to make this algorithm a bit less obfuscated), encrypting the function name and variable names really doesn't help with obscurity.  It makes it more annoying, not more secure.  After all, the language doesn't give flying hoot what you call your variables.  Call them "fred" if you want.  The names are only important from a maintenance perspective.

So not only is this bad practise, security-wise, but it's ineffective to boot.

Alex Papadimoulis:

function H88493247329($B89424235)

{ 

  //ED: Linkebreaks added

  global $a,$e,$m,$H;

  $X42342234 = $H . "." . $m . "-" . $a;

  

  $KJD234 = fopen($X42342234,"r");

  $MMNVUD884 = fread($KJD234,filesize($X42342234));

  fclose($KJD234);



  $MQUFI3 = mcrypt_module_open('','',''');

  $MMNVUD884 = substr($MMNVUD884,0,mcrypt_enc_get_key_size($MQUFI3));

  

  $JF8_size = mcrypt_enc_get_iv_size($MQUFI3);

  $JF8 = mcrypt_create_iv($JF8_size, MCRYPT_RAND);



  if (mcrypt_generic_init($MQUFI3,$MMNVUD884,$JF8)!=-1)

  {

    $KIDO83R4234FFS = mcrypt_generic($MQUFI3,$B89424235);

    mcrypt_generic_deinit($MQUFI3);

    mcrypt_module_close($MQUFI3);

  }

  return $KIDO83R4234FFS;

}

I've seend code similar to this where I work, and it doesn't even deal with encryption...

WTFLib in action:

The real WTF is that it was written in PHP.





For those who didn't read it:

http://thedailywtf.com/forums/69742/ShowPost.aspx

Anonymous:

I always code in Latin....cause seriously, who still knows Latin?

http://www.csse.monash.edu.au/~damian/papers/HTML/Perligata.html

Old and well-known, but still damn funny.

(I won't even try to make the URL into a link.  I fear this board software like none other.)

Ha!  That's nothing.

I like write all my Java code using nothing but unicode escapes.

I'd like to see somebody hack that!!!

;)

Hmm...that was exactly my point.  The precaution taken by the programmer to secure his/her code by obfuscating it hasn't helped secure the application at all.  My contention is that programmers do things like this because they have no training about writing secure programs.  If they had such training, they would know that encryption algorithms work because the key is secret, not the code.

Great link BTW

Ok, a quick run-down of the obvious:

First off, obfuscation is not encryption.  Yes, the author has made this function very hard to maintain, but he hasn't actually hidden any information (in the sense that everything needed to de-obfuscate the code is right there anyway).

Second, if the encryption scheme's "security" depends on the algorithm being secret, then it's only good for keeping your sister out of your diary. For any serious business use, encrypting the encryption routine is either unnecessary or insufficient...  Probably both, actually.

 

C doesn't have lots of dollar signs everywhere...

-------
Do other people get "Non matching quote blocks in post" error when trying to quote someone else's post, even if they don't modify the quote blocks any?

Iago:

Anonymous:

I always code in Latin....cause seriously, who still knows Latin?

http://www.csse.monash.edu.au/~damian/papers/HTML/Perligata.html

Old and well-known, but still damn funny.

(I won't even try to make the URL into a link.  I fear this board software like none other.)

Great link!

Now how do you say, "Go ahead - fire me" in Latin?

This reminds me of naming conventions taken from How to write unmaintainable code. Of course, the only security he had in mind was job security.

Decrypted for your convenience (unless the forum software decides to re-encrypt it for me).

function encrypt($data)

{ 

  //ED: Linkebreaks added

  global $a,$e,$m,$H;

  $file_name = $H . "." . $m . "-" . $a;

  $file_handle = fopen($file_name,"r");

  $file_contents = fread($file_handle,filesize($file_name));

  fclose($file_handle);

  $mcrypt_handle = mcrypt_module_open('','',''');

  $file_contents = substr($file_contents,0,mcrypt_enc_get_key_size($mcrypt_handle));

  $iv_size = mcrypt_enc_get_iv_size($mcrypt_handle);

  $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

  if (mcrypt_generic_init($mcrypt_handle,$file_contents,$iv)!=-1)

  {

    $encrypted_data = mcrypt_generic($mcrypt_handle,$data);

    mcrypt_generic_deinit($mcrypt_handle);

    mcrypt_module_close($mcrypt_handle);

  }

  return $encrypted_data;

}

The key is the FIRST FEW BYTES OF THE DATA????

Um, never mind.  The key is the first few bytes of some file.  The data is passed as the argument.

Iago:

Anonymous:

I always code in Latin....cause seriously, who still knows Latin?

http://www.csse.monash.edu.au/~damian/papers/HTML/Perligata.html

Old and well-known, but still damn funny.

(I won't even try to make the URL into a link.  I fear this board software like none other.)

It's not too bad once you've got the hang of it, really...

The global(ly defined var) $e is never used in the routine![:S]

ParkinT:

The global(ly defined var) $e is never used in the routine![:S]

That's part of the magic!  An evil hacker will be so frustrated at not finding a reference to $e, that he'll just give up.

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

That's what I was saying to Linus Torvalds just the other day...

merreborn:

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

This is PHP, btw.

Yeah... definately not C.

Even with PHP the hacker shouldn't have access to the source, right?  I mean, it's not like JavaScript where it's sent to the browser.  It stays on the server side to handle the posts/gets and to generate the html... right?

You can use LISP, no obfuscation needed...

 

Anonymous:

Decrypted for your convenience (unless the forum software decides to re-encrypt it for me).

function encrypt($data)

{ 

  //ED: Linkebreaks added

  global $a,$e,$m,$H;

  $file_name = $H . "." . $m . "-" . $a;

  $file_handle = fopen($file_name,"r");

  $file_contents = fread($file_handle,filesize($file_name));

  fclose($file_handle);

  $mcrypt_handle = mcrypt_module_open('','',''');

  $file_contents = substr($file_contents,0,mcrypt_enc_get_key_size($mcrypt_handle));

  $iv_size = mcrypt_enc_get_iv_size($mcrypt_handle);

  $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

  if (mcrypt_generic_init($mcrypt_handle,$file_contents,$iv)!=-1)

  {

    $encrypted_data = mcrypt_generic($mcrypt_handle,$data);

    mcrypt_generic_deinit($mcrypt_handle);

    mcrypt_module_close($mcrypt_handle);

  }

  return $encrypted_data;

}

Hahahahaha.  How long did that take you?  I'm guessing under 10 minutes.  That is some crazy secure function encryption.

The only real WTF here is the source obfuscation, really. The actual encryption seems to be reasonably well done (depending on the overall system). I was expecting some horror-story of a homebrewed encryption algorithm.  

Alex Papadimoulis:

function H88493247329($B89424235)

{ 

  //ED: Linebreaks REMOVED

  global $a,$e,$m,$H;$X42342234 = $H . "." . $m . "-" . $a;$KJD234 = fopen($X42342234,"r");$MMNVUD884 = fread($KJD234,filesize($X42342234));fclose($KJD234);$MQUFI3 = mcrypt_module_open('','',''');$MMNVUD884 = substr($MMNVUD884,0,mcrypt_enc_get_key_size($MQUFI3));$JF8_size = mcrypt_enc_get_iv_size($MQUFI3);$JF8 = mcrypt_create_iv($JF8_size, MCRYPT_RAND);if (mcrypt_generic_init($MQUFI3,$MMNVUD884,$JF8)!=-1){$KIDO83R4234FFS = mcrypt_generic($MQUFI3,$B89424235);mcrypt_generic_deinit($MQUFI3);mcrypt_module_close($MQUFI3);}return $KIDO83R4234FFS;
}

Considering what it might have looked like BEFORE he added the line breaks, Richard should have slapped his co-worker up-side the head.


-----------------------------------------------------
Paddling to Sweden in a life raft.

merreborn:

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

Good encryption relies on the secrecy of the keys used, not the secrecy of the algorythm - case in point, just about every encryption algo/lib in use is open source -- especially the one used here: mcrypt.

I believe what he is refering to is that by the time they can read the source, they have already gained filesystem-level access.  By that point, you are probably fucked because they have either a command shell or  a ftp client connected to the server.

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

You're not supposed to be, by definition a secure application is still secure even if you can see the code (see OpenSSH, code is open, it's still secure). The only breach of security that can compromise a secure application is (direct) access to the database or (direct/physical) access to the server or server farm hosting the application, and compromission of the machine via (for example) OS flaws.

Its a Feature:

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

Guess he didn't understand that C is not an interpreted language.

This is PHP.

Anonymous:

You can use LISP, no obfuscation needed...

 

Actually you would, the only languages that don't really need encryption are esoteric languages (Moo, Chef, Whitespace, Java2k) and most of them can be translated to more common languages (Java2k can't, but it's quite tough to use to code anything)

The only big WTF here is that someone has been told to maintain an obfuscated function.

Let alone *debug* an obfuscated function.

That was not bought from some outside, from a schemy PHP shop that likes to obfuscate code they sell for fun, but rather it was written by the guy who sits right there and is helpfully answering the questions.

My first question would have been "okay, where's the *original* source, at least?" and if it turns out there was no "original" source, I would have had some Doubts about the Original Author's Sanity.

I guest this whas generated by some really strange misconception about SERVER/CLIENT, maybe this fool dev think his PHP code show on the client or something.

Anonymous:

  $file_handle = fopen($file_name,"r");

  $file_contents = fread($file_handle,filesize($file_name));

  fclose($file_handle);

  $mcrypt_handle = mcrypt_module_open('','',''');

  $file_contents = substr($file_contents,0,mcrypt_enc_get_key_size($mcrypt_handle));

Why does he read the complete file, when only a few bytes are needed:

  $file_handle = fopen($file_name,"r");
  $mcrypt_handle = mcrypt_module_open('','',''');
  $file_contents = fread($file_handle,mcrypt_enc_get_key_size($mcrypt_handle));
  fclose($file_handle);

I guess he wanted to obfuscated the keysize!

I love the word "obfuscated".  It sounds kewl, it looks kewl, it is kewl.  I have been trying to use the word atlease three times a day for the last few weeks.  It just rocks.  Dats all I gut tu say bout dat.

tdog

Anonymous:

You can use LISP, no obfuscation needed...

 

Lisp, like C, depends on competent indentation.

Anonymous:

Anonymous:

You can use LISP, no obfuscation needed...

 

Lisp, like C, depends on competent indentation.

Likewise do VB6 (although the editor indents at some extent, it's LIMITED 2000-2006)
Likewise do PHP, C++, VBScript, JScript, Java, (et cetera)

masklinn:

frosty:

Umm... aren't you f***ed if the hacker gets as far as being able to look at your source code anyway?

You're not supposed to be, by definition a secure application is still secure even if you can see the code (see OpenSSH, code is open, it's still secure). The only breach of security that can compromise a secure application is (direct) access to the database or (direct/physical) access to the server or server farm hosting the application, and compromission of the machine via (for example) OS flaws.

If someone had access to view your PHP source files, they have at least as much access as the webserver has (which is usually not very much).  Which means they can probably connect to the database, like the webserver.

masklinn:

Anonymous:

You can use LISP, no obfuscation needed...

 

Actually you would, the only languages that don't really need encryption are esoteric languages (Moo, Chef, Whitespace, Java2k) and most of them can be translated to more common languages (Java2k can't, but it's quite tough to use to code anything)

There's a difference between obfuscation and encryption.

Obfuscation means that the code still does the same thing, but it's just harder to read; whereas an encrypted file has to be decrypted before it can be used.  There are only a few good reasons for obfuscating code that I can think of (although I don't claim this to be a comprehensive list...):
* To save on webserver bandwidth by making files smaller (css, js, html).  In these cases I would hope you would work on the unobfuscated code, and then run some utility to "compile" the obfuscated html/css/js/etc.
* To make compiled byte code/binaries harder to reconstruct (I know utilities to do this to Java bytecode).  Of course, this doesn't completely hide the code, just makes it harder.
* To prevent non-technical users from knowing what's going no behind the scenes (i.e. to make them less inclined to screw things up that you, if you're an IT guy, might have to be bothered to fix).

Wouldn't the best way to thwart the hackers be to have a comment at the beginning of the function?

// this procedure has nothing to do with encryption, move along . . .

Actually, that code is a lot more readable than the outsourced code I have to deal with!

In my code I have to contend with local and member variable with the SAME NAME, member functions with the same name but different parameters that act completely differently, with "#define M" and "#define N", and more. Maybe that coworker should visit another country before he thinks merely giving variables long names in all caps is 'obfuscation'.

kipthegreat:

* To prevent non-technical users from knowing what's going no behind the scenes (i.e. to make them less inclined to screw things up that you, if you're an IT guy, might have to be bothered to fix).

"I cleaned up the server.  There were a bunch of files with gibberish in them, so I deleted them."  There go the executables AND the obfuscated source.

I tease.  If you have this problem, you have far worse.

Last week's "InfoWorld" has an article "Idiot-Proof Your Enterprise".  Here is the link: <http://www.infoworld.com/article/06/04/13/77021_16FEusergoofs_1.html>.

Sincerely,

Gene Wirchenko

Anonymous:

I love the word "obfuscated".  It sounds kewl, it looks kewl, it is kewl.  I have been trying to use the word atlease three times a day for the last few weeks.  It just rocks.  Dats all I gut tu say bout dat.

tdog

emptyset!  Dude, we've missed you and your craaaaazy stoner antics.

Yay for single-character global variable names!

The whole system must be obfuscated.  If he'd only used some amalgum of eval() and variable variables, that system would be impenetrable.

smbell:

Ha!  That's nothing.

I like write all my Java code using nothing but unicode escapes.

I'd like to see somebody hack that!!!

;)

I used to work on a J2SE implementation. I inserted some code, written using unicode escapes, that would execute if a specific condition was met. I know that this code will not be discovered for quite some time, since:
a) it appears as a comment in most (all?) code editors
b) the surrounding code is the most disgusting pile of mess I have ever seen (including the assignments that my university students hand me)
c) the code in its messiness, includes many apparantly arbitrary comments, and so this one is perfectly obscure.
d) I have downloaded the J2SE implementation and taken a look at the bytecode - and sure enough, it's there :)

ejsy sm ofopy