Why do people even bother to try writing encryption algorithms?

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
I was recently reviewing an electronic medical records and telemedicine package that I was planning to buy for a small remote clinic. The vendor kindly supplied me with a demo copy of the package so that I could evaluate it.

All looked good. I enquired about security - AES 256 throughout, the CEO told me.

Anyway curiosity got the better of me and I fired up my JustDecompile and decided to take a look.

Code:
public static string encrypt(string encrypt)
{
    string str;
    string empty = string.Empty;
    try
    {
        string str1 = encrypt.TrimEnd(new char[0]);
        char[] charArray = str1.ToCharArray();
        int num = 0;
        while (true)
        {
            bool length = num < (int)charArray.Length;
            if (!length)
            {
                break;
            }
            int num1 = Convert.ToInt32(charArray[num]) + 10;
            charArray[num] = Convert.ToChar(num1);
            empty = string.Concat(empty, charArray[num].ToString());
            num++;
        }
        str = empty;
    }
    catch (Exception exception)
    {
        str = null;
    }
    return str;
}

Bwahahahah.
 

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Oh man, you have to be kidding me. Are you sure that's the routine they're calling? Maybe that's old code.
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
Wow. If they're actually calling that routine... Ignorance? Incompetence? Dishonesty? Malice?
 

IronWing

No Lifer
Jul 20, 2001
70,802
30,012
136
I'm not familiar with the language but if I'm reading it correctly it is a ROT 10 routine?

Edit: Does that {str = null} at the end just empty the string no matter what?
 
Last edited:

KentState

Diamond Member
Oct 19, 2001
8,397
393
126
I'm not familiar with the language but if I'm reading it correctly it is a ROT 10 routine?

Edit: Does that {str = null} at the end just empty the string no matter what?

str = null is only if the function has an error. The try/catch statement encapsulates the logic.
 

PhatoseAlpha

Platinum Member
Apr 10, 2005
2,131
21
81
Wow. Took me a bit there to recognize that it wasn't as completely pointless as it first seemed, since str empty was not in fact empty.

And then on third glance, it is as completely pointless as it first seemed.

Sirius Cybernetics style code - the superficial flaws hide the fundamental ones.
 

tech7

Junior Member
Feb 22, 2013
7
0
0
I wouldn't even call that encryption, it's closer to basic encoding than an actual encryption algorithm, offers almost no security at all.
 

BRcr

Junior Member
Feb 14, 2013
12
0
0
This could be just a part of encryption. If that's something like an additional encryption before AES starts, it falls in place...
 

BRcr

Junior Member
Feb 14, 2013
12
0
0
Only if attacker knows of it. Anyway, pre-encryption and pre-compression are quite a different actions.
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,419
4,187
75
It took me awhile to realize that str=empty did not assign str="".

Once I got past that, I realized this is a really bad encryption method. One might even call its result ROT-TEN encryption. ;)
 

KB

Diamond Member
Nov 8, 1999
5,404
386
126
It does amaze me because .net has hundreds of pre-written, pre-tested encryption algos already that you don't need to write any code for and probably still perform better than this one.

I would double-check to make sure that is the function they are using and that you can decrypt some data using the reverse algo. Its possible that is old code as markbnj mentions.

The big problem is that if you mention this to the CEO, he is likely to sue you under DMCA. You may need to send an anonymous letter instead.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
They definitely use this function for some stuff (mainly storing some stuff on the client computer), but a more thorough inspection shows that they do indeed use AES256 for transmitting some data, with others bits of data encrypted with 3DES (mainly the software license/serial).

I didn't get a copy of the server software so don't know how it's stored on the server.

Personally, rather than encrypting bits of transmitted data manually - I'd have just used a TLS connection. Considering that the whole thing was written in .NET and used the WCF transparent client/server API, TLS support was literally a matter of changing the http:// to https:// in the service definition and attaching a self-signed certificate.
 
Last edited:

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Personally, rather than encrypting bits of transmitted data manually - I'd have just used a TLS connection. Considering that the whole thing was written in .NET and used the WCF transparent client/server API, TLS support was literally a matter of changing the http:// to https:// in the service definition and attaching a self-signed certificate.

True, and that will protect the data in transit, but this algorithm may have been intended to encrypt data at the field level for storage purposes.
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
People rewrite existing code all the time. One of the most useful things I've done was to quickly look at the documention for a bunch of common libraries (Google, IBM, Apache, etc). It's saved me a ton of time. Just today, I needed to generate random strings and I used RandomStringUtils from Apache commons-lang.
 
Last edited:

KB

Diamond Member
Nov 8, 1999
5,404
386
126
True, and that will protect the data in transit, but this algorithm may have been intended to encrypt data at the field level for storage purposes.

If they wanted to encrypt at the storage level they should have used database encryption, not this messy function. If the database didn't support encryption they could have still used encryption functions to encrypt the strings before putting them in the database.
 

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
If they wanted to encrypt at the storage level they should have used database encryption, not this messy function.

Well yeah, no kidding :). I was just pointing out that TLS doesn't cover security across the whole information domain. My implicit assumption was that the method above could not possibly be intended to secure information across the transport layer, because nobody could be that stupid.