Is this "encryption" any good?

Today I was looking into a simple way to encrypt data without SSL, and as you’ve probably guessed, I came across JS MD5 encryption. However, I have this thing against using code that I don’t understand, and this is one of those instances. So I figured taking the method it uses, I’d try my own little way, I invite you to figure out the original…

Scenario:

Say you’re sniffing me (In a non-dog way :wink: ) and you get the information that at host.com I entered David.A and 16149119 as the user/password. So you go to host.com and find this JS code linked to the login.


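```javascript
// Turn each character into charCode * (charCode % 8) and
// concatenate the decimal results into one digit string.
function convert(x) {
  var temp = "";
  for (var i = 0; i < x.length; i++) {
    temp = temp + "" + x.charCodeAt(i) * (x.charCodeAt(i) % 8);
  }
  return temp;
}

// Absolute difference between the converted password and the converted key.
// abs() is not a global function in JavaScript, so Math.abs() is used.
function encrypt(pw, key) {
  return Math.abs(parseInt(convert(pw)) - parseInt(convert(key)));
}
```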

PW is the password, and KEY is a random PHP generated key.
Can you crack it without using a table of some sort?

BTW, if I was really concerned about hackers, I’d use JS MD5, I’m just not that concerned. :slight_smile:

Hi!

This is a very weak encryption/hashing scheme. It has a very linear structure, meaning that by intercepting just two different transmissions of the same password, it would be very easy to figure out the original password (or group of passwords that generate the same image). I really would suggest that in production you’d use time-proven schemes (and FYI it is not recommended to use md5() for anything new any more).

If you are not some sort of Chuck Norris of Cryptology :wink: it is a bad idea to use your own designed cryptographic primitives in production. That being said - cryptography is excellent for “brain workouts”, so I suggest you read this essay [url=http://www.schneier.com/crypto-gram-9910.html#SoYouWanttobeaCryptographer]So you want to be a cryptographer[/url].
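An added example, not part of the original thread, that runs the posted functions to show how much of the password they throw away: some characters contribute nothing but a "0", leading zeros vanish in parseInt(), and digit strings longer than a JavaScript number can hold get rounded. The key, prefix and tail characters are constructed sample values, and zeroChars(), distinctOutputs() and losesDigits() are hypothetical helper names.

```javascript
// The thread's functions; encrypt() calls Math.abs so that it runs.
function convert(x) {
  var temp = "";
  for (var i = 0; i < x.length; i++) {
    temp = temp + "" + x.charCodeAt(i) * (x.charCodeAt(i) % 8);
  }
  return temp;
}
function encrypt(pw, key) {
  return Math.abs(parseInt(convert(pw)) - parseInt(convert(key)));
}

// Printable characters whose code is a multiple of 8: each one contributes
// only the digit "0", so convert() keeps no trace of which one was typed.
function zeroChars() {
  var out = "";
  for (var c = 32; c < 127; c++) {
    if (c % 8 === 0) out += String.fromCharCode(c);
  }
  return out;
}

// Number of distinct outputs a list of passwords produces under one key.
function distinctOutputs(passwords, key) {
  return new Set(passwords.map(function (pw) { return encrypt(pw, key); })).size;
}

// True when parseInt() could not hold every digit that convert() produced.
function losesDigits(pw) {
  return BigInt(parseInt(convert(pw))) !== BigInt(convert(pw));
}

// Constructed sample inputs (not values from the thread).
var KEY = "k3y";
var PREFIX = "aaaaaaaaaaa"; // 11 characters -> 22 digits
var TAILS = ["!", ")", "1", "9", "A", "I", "Q", "Y", "a"]; // 2 digits each
var LONG = TAILS.map(function (t) { return PREFIX + t; });

console.log("zero-valued characters:", JSON.stringify(zeroChars()));
console.log("'h' and 'pp0x8':", encrypt("h", KEY), encrypt("pp0x8", KEY));
console.log("'a' and 'ha':", encrypt("a", KEY), encrypt("ha", KEY));
console.log("digits lost for 12 characters:", losesDigits(LONG[0]));
console.log(LONG.length + " long passwords ->", distinctOutputs(LONG, KEY), "outputs");
```

The nine 12-character passwords differ by at most 64 in a 24-digit number, which is far below the spacing of representable doubles at that size, so they can yield at most two distinct outputs.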

MD5 isn’t encryption - it is a one way Hash.

The ONLY way to encrypt data between the client and the server is using SSL. If you try to do it with JavaScript (and there are actual encryption scripts available) then you still need to be able to accept the plain text variant for anyone without JavaScript and so adding the encryption just makes it less secure rather than more because then there are two ways of sending the same data instead of one.

Thanks for the responses. Although I agree with you, Stephen, because this is a not-so-important system with only a few users who will even know the links that are protected, I went with a slightly modified version of the above code.

It is not an encryption technique. It is only hashing the elements to randomize the elements in some way.
You can use the RSA algorithm for encrypting data.